
DNS resolver hardening (insp20 branch) #1

merged 4 commits into from Mar 21, 2012

2 participants

kaniini commented Mar 21, 2012

These commits harden the DNS resolver to fix the CERT bug.

New changes:

  • don't explicitly trust rr.rdlength
  • validate lengths on decompression (using the same behaviour as charybdis)
  • check A/AAAA replies too, as they could be exploited using a similar technique
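
As an added illustration (not code from this pull request or from InspIRCd itself), a small C++ resource-record parser that applies the three checks listed above: names are decompressed with every read bounds-checked and pointer chasing capped, rdlength is validated against the bytes actually present before rdata is touched, and A/AAAA answers must carry exactly 4/16 octets. The type numbers are the standard RFC 1035 values; the function names and layout are my own.

```cpp
#include <cstddef>
#include <cstdint>
#include <string>
#include <vector>

struct DnsRR { std::string name; uint16_t type = 0; std::vector<uint8_t> rdata; };
static uint16_t be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

// Decompress the name at msg[off]: every read is bounds-checked against len and pointer
// chasing is capped so a pointer loop terminates. Returns bytes consumed at off, 0 on error.
size_t dns_read_name(const uint8_t *msg, size_t len, size_t off, std::string &out) {
    size_t start = off, end = 0, hops = 0;
    out.clear();
    for (;;) {
        if (off >= len) return 0;                            // ran off the message
        uint8_t c = msg[off];
        if ((c & 0xC0) == 0xC0) {                            // 2-byte compression pointer
            if (off + 1 >= len || ++hops > 16) return 0;     // truncated, or pointer loop
            if (end == 0) end = off + 2;                     // consumption stops at 1st pointer
            off = (size_t)(((c & 0x3F) << 8) | msg[off + 1]);
            continue;
        }
        if (c & 0xC0) return 0;                              // reserved label types
        ++off;
        if (c == 0) return (end ? end : off) - start;        // root label ends the name
        if (c > len - off || out.size() + c + 1 > 255) return 0;  // label overruns message
        if (!out.empty()) out += '.';
        out.append(reinterpret_cast<const char *>(msg) + off, c);
        off += c;
    }
}

// Parse one RR at msg[off]: rdlength is checked against the bytes really present,
// A/AAAA rdata must be exactly 4/16 octets, CNAME/PTR targets must fit their rdata.
bool dns_parse_rr(const uint8_t *msg, size_t len, size_t &off, DnsRR &rr) {
    size_t n = dns_read_name(msg, len, off, rr.name);
    if (n == 0 || len - (off + n) < 10) return false;        // TYPE CLASS TTL RDLENGTH
    size_t p = off + n;
    rr.type = be16(msg + p);
    uint16_t rdlength = be16(msg + p + 8);
    p += 10;
    if (rdlength > len - p) return false;                    // never trust rdlength blindly
    if ((rr.type == 1 && rdlength != 4) || (rr.type == 28 && rdlength != 16)) return false;
    std::string target;
    if ((rr.type == 5 || rr.type == 12) && dns_read_name(msg, p + rdlength, p, target) != rdlength) return false;
    rr.rdata.assign(msg + p, msg + p + rdlength);
    off = p + rdlength;
    return true;
}
```

A reply whose rdlength claims more bytes than remain, or an A record that is not 4 octets, is rejected before any rdata is read.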

kaniini added some commits Mar 20, 2012

dns: iterators which are integer should always be unsigned, else an integer underflow is possible.

Signed-off-by: William Pitcock <nenolod@dereferenced.org>
dns: reject messages with lengths larger than DNSHeader with prejudice
This also includes when decompressing name entries.
dns: more hardening
- don't trust rr.rdlength
- don't accept replies we know are impossible for AAAA/A records
- don't try to process record types we do not know about specifically
  (this behaviour just leads to disaster)

blitmap pushed a commit that referenced this pull request Mar 21, 2012

Merge pull request #1 from nenolod/insp20
DNS resolver hardening (insp20 branch)

blitmap merged commit fe7dbd2 into inspircd:insp20 Mar 21, 2012

Adam- added a commit to Adam-/inspircd that referenced this pull request Aug 25, 2013

Adam- added a commit to Adam-/inspircd that referenced this pull request Jul 24, 2014
