author | Daniel Wagner <wagi@monom.org> | 2022-01-25 10:00:24 +0100 |
---|---|---|
committer | Daniel Wagner <wagi@monom.org> | 2022-01-25 10:09:43 +0100 |
commit | e5a313736e13c90d19085e953a26256a198e4950 (patch) | |
tree | 2b0b393a8b523efe0f9936e97fd34cdd529bd9e3 | |
parent | f65b6c233dd9f91723ea6993dca59fcf303d001b (diff) | |
dnsproxy: Validate input data before using them
dnsproxy is not validating various input data. Add a bunch of checks.
Fixes: CVE-2022-23097
Fixes: CVE-2022-23096
-rw-r--r-- | src/dnsproxy.c | 31 |
1 files changed, 26 insertions, 5 deletions
diff --git a/src/dnsproxy.c b/src/dnsproxy.c
index cdfafbc2..c027bcb9 100644
--- a/src/dnsproxy.c
+++ b/src/dnsproxy.c
@@ -1951,6 +1951,12 @@ static int forward_dns_reply(unsigned char *reply, int reply_len, int protocol,
 if (offset < 0)
 return offset;
+ if (reply_len < 0)
+ return -EINVAL;
+ if (reply_len < offset + 1)
+ return -EINVAL;
+ if ((size_t)reply_len < sizeof(struct domain_hdr))
+ return -EINVAL;
 hdr = (void *)(reply + offset);
 dns_id = reply[offset] | reply[offset + 1] << 8;
@@ -1986,23 +1992,31 @@ static int forward_dns_reply(unsigned char *reply, int reply_len, int protocol,
 */
 if (req->append_domain && ntohs(hdr->qdcount) == 1) {
 uint16_t domain_len = 0;
- uint16_t header_len;
+ uint16_t header_len, payload_len;
 uint16_t dns_type, dns_class;
 uint8_t host_len, dns_type_pos;
 char uncompressed[NS_MAXDNAME], *uptr;
 char *ptr, *eom = (char *)reply + reply_len;
+ char *domain;
 /*
 * ptr points to the first char of the hostname.
 * ->hostname.domain.net
 */
 header_len = offset + sizeof(struct domain_hdr);
+ if (reply_len < header_len)
+ return -EINVAL;
+ payload_len = reply_len - header_len;
+
 ptr = (char *)reply + header_len;
 host_len = *ptr;
+ domain = ptr + 1 + host_len;
+ if (domain > eom)
+ return -EINVAL;
+
 if (host_len > 0)
- domain_len = strnlen(ptr + 1 + host_len,
- reply_len - header_len);
+ domain_len = strnlen(domain, eom - domain);
 /*
 * If the query type is anything other than A or AAAA,
@@ -2011,6 +2025,8 @@ static int forward_dns_reply(unsigned char *reply, int reply_len, int protocol,
 */
 dns_type_pos = host_len + 1 + domain_len + 1;
+ if (ptr + (dns_type_pos + 3) > eom)
+ return -EINVAL;
 dns_type = ptr[dns_type_pos] << 8 |
 ptr[dns_type_pos + 1];
 dns_class = ptr[dns_type_pos + 2] << 8 |
@@ -2040,6 +2056,8 @@ static int forward_dns_reply(unsigned char *reply, int reply_len, int protocol,
 int new_len, fixed_len;
 char *answers;
+ if (len > payload_len)
+ return -EINVAL;
 /*
 * First copy host (without domain name) into
 * tmp buffer.
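Review bot: The header-size check in the hunk at -1951 ignores `offset`: `hdr` is taken at `reply + offset` on the following context line, so a reply of exactly `sizeof(struct domain_hdr)` bytes passes while the header fields extend `offset` bytes past the received data whenever `offset` is non-zero. Folding the last two length checks into `if ((size_t)reply_len < offset + sizeof(struct domain_hdr)) return -EINVAL;` would also cover the `reply[offset + 1]` read used for `dns_id`. The function starts and ends outside the hunk, so the possible values of `offset` are inferred only from the `offset < 0` test shown.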
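Review bot: In the hunk at -1986, `if (reply_len < header_len)` still admits `reply_len == header_len`, in which case `ptr` equals `eom` and `host_len = *ptr` reads one byte beyond the received reply; the comparison should be `if (reply_len <= header_len) return -EINVAL;`. The pointer checks added by this commit (`domain > eom` here, `ptr + (dns_type_pos + 3) > eom` at -2011, `ptr + NS_QFIXEDSZ > eom` at -2054) can form a pointer more than one element past the buffer before comparing it, which C leaves undefined; comparing lengths instead, for example `if (1 + host_len > eom - ptr) return -EINVAL;`, avoids that. Whether the storage behind `reply` extends beyond `reply_len` is not visible here, and the enclosing block continues outside the hunk.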
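Review bot: The bound added in the hunk at -2011 is one byte short: `ptr + (dns_type_pos + 3) > eom` accepts `ptr + dns_type_pos + 3 == eom`, yet the `dns_class` expression cut off at the end of the hunk presumably reads `ptr[dns_type_pos + 3]`, which would then sit at `eom`. Writing it as `if (ptr + dns_type_pos + NS_QFIXEDSZ > eom) return -EINVAL;` matches the four bytes of type and class that are read. `dns_type_pos` is declared `uint8_t` in the declarations shown at -1986, so `host_len + 1 + domain_len + 1` can wrap for long names and both the check and the reads then use the wrapped position; declaring it `uint16_t` like `domain_len` would remove that ambiguity.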
@@ -2054,6 +2072,8 @@ static int forward_dns_reply(unsigned char *reply, int reply_len, int protocol,
 * Copy type and class fields of the question.
 */
 ptr += len + domain_len + 1;
+ if (ptr + NS_QFIXEDSZ > eom)
+ return -EINVAL;
 memcpy(uptr, ptr, NS_QFIXEDSZ);
 /*
@@ -2063,6 +2083,8 @@ static int forward_dns_reply(unsigned char *reply, int reply_len, int protocol,
 uptr += NS_QFIXEDSZ;
 answers = uptr;
 fixed_len = answers - uncompressed;
+ if (ptr + offset > eom)
+ return -EINVAL;
 /*
 * We then uncompress the result to buffer
@@ -2257,8 +2279,7 @@ static gboolean udp_server_event(GIOChannel *channel, GIOCondition condition,
 len = recv(sk, buf, sizeof(buf), 0);
- if (len >= 12)
- forward_dns_reply(buf, len, IPPROTO_UDP, data);
+ forward_dns_reply(buf, len, IPPROTO_UDP, data);
 return TRUE;
 } |
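Review bot: The `ptr + offset > eom` test in the hunk at -2063 does not say which access it guards, and it looks redundant. `ptr` was derived from `reply + header_len`, which already includes `offset`, and the hunk at -2054 has just required `ptr + NS_QFIXEDSZ <= eom`, so unless `ptr` moves in the lines between the two hunks or `offset` can exceed `NS_QFIXEDSZ`, this branch cannot be taken. I would either replace it with the bound the code after the hunk actually needs, or document it with something like `/* ptr still points at the type/class fields validated above */`. The code that consumes `ptr` lies outside the hunk, so the intended bound is a guess.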
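Review bot: With the `len >= 12` guard removed in the hunk at -2257, a failed `recv()` (negative `len`) is passed straight into `forward_dns_reply()`, and the `-EINVAL` the new checks return is discarded, so short or malformed upstream replies are dropped without leaving any trace. Handling the error at the call site keeps the callee's checks as a second line of defence: add `if (len < 0) return TRUE;` after the `recv()` and test the result with `if (forward_dns_reply(buf, len, IPPROTO_UDP, data) < 0)` to emit a debug log line. The declarations of `len` and `buf` are outside the hunk, so their types are assumed here.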