summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorPaul Dreik <github@pauldreik.se>2019-09-14 03:16:09 +0200
committerDaniel Stenberg <daniel@haxx.se>2019-09-15 23:25:24 +0200
commitb7666027296a4f89a8ce6b22af335e8aee7a7782 (patch)
treee75c54442cdb8ed02be13d2a8d4dd7de16f90e2b
parent5eb75d418657a734bfbe02e5aef69cc5fe28ebc6 (diff)
downloadcurl-b7666027296a4f89a8ce6b22af335e8aee7a7782.tar.gz
doh: fix (harmless) buffer overrun
Added unit test case 1655 to verify. Close #4352 the code correctly finds the flaws in the old code, if one temporarily restores doh.c to the old version.
-rw-r--r--lib/doh.c17
-rw-r--r--tests/data/Makefile.inc2
-rw-r--r--tests/data/test165526
-rw-r--r--tests/unit/CMakeLists.txt1
-rw-r--r--tests/unit/Makefile.inc6
-rw-r--r--tests/unit/README6
-rw-r--r--tests/unit/unit1655.c110
7 files changed, 163 insertions, 5 deletions
diff --git a/lib/doh.c b/lib/doh.c
index 6d1f3303b..e84c9b0ad 100644
--- a/lib/doh.c
+++ b/lib/doh.c
@@ -74,17 +74,26 @@ static const char *doh_strerror(DOHcode code)
#define UNITTEST static
#endif
+/* @unittest 1655
+ */
UNITTEST DOHcode doh_encode(const char *host,
DNStype dnstype,
unsigned char *dnsp, /* buffer */
size_t len, /* buffer size */
size_t *olen) /* output length */
{
- size_t hostlen = strlen(host);
+ const size_t hostlen = strlen(host);
unsigned char *orig = dnsp;
const char *hostp = host;
- if(len < (12 + hostlen + 4))
+ /* The expected output length does not depend on the number of dots within
+ * the host name. It will always be two more than the length of the host
+ * name, one for the size and one trailing null. In case there are dots,
+ * each dot adds one size but removes the need to store the dot, net zero.
+ */
+ const size_t expected_len = 12 + ( 1 + hostlen + 1) + 4;
+
+ if(len < expected_len)
return DOH_TOO_SMALL_BUFFER;
*dnsp++ = 0; /* 16 bit id */
@@ -132,6 +141,10 @@ UNITTEST DOHcode doh_encode(const char *host,
*dnsp++ = DNS_CLASS_IN; /* IN - "the Internet" */
*olen = dnsp - orig;
+
+ /* verify that our assumption of length is valid, since
+ * this has lead to buffer overflows in this function */
+ DEBUGASSERT(*olen == expected_len);
return DOH_OK;
}
diff --git a/tests/data/Makefile.inc b/tests/data/Makefile.inc
index 3733bd6b9..a3ce5a965 100644
--- a/tests/data/Makefile.inc
+++ b/tests/data/Makefile.inc
@@ -183,7 +183,7 @@ test1590 test1591 test1592 test1593 test1594 \
test1600 test1601 test1602 test1603 test1604 test1605 test1606 test1607 \
test1608 test1609 test1620 test1621 \
\
-test1650 test1651 test1652 test1653 test1654 \
+test1650 test1651 test1652 test1653 test1654 test1655 \
\
test1700 test1701 test1702 \
\
diff --git a/tests/data/test1655 b/tests/data/test1655
new file mode 100644
index 000000000..0c10bedf4
--- /dev/null
+++ b/tests/data/test1655
@@ -0,0 +1,26 @@
+<testcase>
+<info>
+<keywords>
+unittest
+doh
+</keywords>
+</info>
+
+#
+# Client-side
+<client>
+<server>
+none
+</server>
+<features>
+unittest
+</features>
+ <name>
+unit test for doh_encode
+ </name>
+<tool>
+unit1655
+</tool>
+</client>
+
+</testcase>
diff --git a/tests/unit/CMakeLists.txt b/tests/unit/CMakeLists.txt
index 4b0cec4a8..bc0699231 100644
--- a/tests/unit/CMakeLists.txt
+++ b/tests/unit/CMakeLists.txt
@@ -22,6 +22,7 @@ set(UT_SRC
# Broken link on Linux
# unit1604.c
unit1620.c
+ unit1655.c
)
set(UT_COMMON_FILES ../libtest/first.c ../libtest/test.h curlcheck.h)
diff --git a/tests/unit/Makefile.inc b/tests/unit/Makefile.inc
index f3cba1c2a..45278ba81 100644
--- a/tests/unit/Makefile.inc
+++ b/tests/unit/Makefile.inc
@@ -11,7 +11,7 @@ UNITPROGS = unit1300 unit1301 unit1302 unit1303 unit1304 unit1305 unit1307 \
unit1399 \
unit1600 unit1601 unit1602 unit1603 unit1604 unit1605 unit1606 unit1607 \
unit1608 unit1609 unit1620 unit1621 \
- unit1650 unit1651 unit1652 unit1653 unit1654
+ unit1650 unit1651 unit1652 unit1653 unit1654 unit1655
unit1300_SOURCES = unit1300.c $(UNITFILES)
unit1300_CPPFLAGS = $(AM_CPPFLAGS)
@@ -118,3 +118,7 @@ unit1653_CPPFLAGS = $(AM_CPPFLAGS)
unit1654_SOURCES = unit1654.c $(UNITFILES)
unit1654_CPPFLAGS = $(AM_CPPFLAGS)
+
+unit1655_SOURCES = unit1655.c $(UNITFILES)
+unit1655_CPPFLAGS = $(AM_CPPFLAGS)
+
diff --git a/tests/unit/README b/tests/unit/README
index b8a513b3b..060b670c6 100644
--- a/tests/unit/README
+++ b/tests/unit/README
@@ -35,6 +35,9 @@ We put tests that focus on an area or a specific function into a single C
source file. The source file should be named 'unitNNNN.c' where NNNN is a
number that starts with 1300 and you can pick the next free number.
+Add your test to tests/unit/Makefile.inc (if it is a unit test).
+Add your test data to tests/data/Makefile.inc
+
You also need a separate file called tests/data/testNNNN (using the same
number) that describes your test case. See the test1300 file for inspiration
and the tests/FILEFORMAT documentation.
@@ -46,9 +49,10 @@ For the actual C file, here's a very simple example:
#include "a libcurl header.h" /* from the lib dir */
-static void unit_setup( void )
+static CURLcode unit_setup( void )
{
/* whatever you want done first */
+ return CURLE_OK;
}
static void unit_stop( void )
diff --git a/tests/unit/unit1655.c b/tests/unit/unit1655.c
new file mode 100644
index 000000000..60f43d7d6
--- /dev/null
+++ b/tests/unit/unit1655.c
@@ -0,0 +1,110 @@
+/***************************************************************************
+ * _ _ ____ _
+ * Project ___| | | | _ \| |
+ * / __| | | | |_) | |
+ * | (__| |_| | _ <| |___
+ * \___|\___/|_| \_\_____|
+ *
+ * Copyright (C) 2019, Daniel Stenberg, <daniel@haxx.se>, et al.
+ *
+ * This software is licensed as described in the file COPYING, which
+ * you should have received as part of this distribution. The terms
+ * are also available at https://curl.haxx.se/docs/copyright.html.
+ *
+ * You may opt to use, copy, modify, merge, publish, distribute and/or sell
+ * copies of the Software, and permit persons to whom the Software is
+ * furnished to do so, under the terms of the COPYING file.
+ *
+ * This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY
+ * KIND, either express or implied.
+ *
+ ***************************************************************************/
+#include "curlcheck.h"
+
+#include "doh.h" /* from the lib dir */
+
+static CURLcode unit_setup(void)
+{
+ /* whatever you want done first */
+ return CURLE_OK;
+}
+
+static void unit_stop(void)
+{
+ /* done before shutting down and exiting */
+}
+
+UNITTEST_START
+
+/* introduce a scope and prove the corner case with write overflow,
+ * so we can prove this test would detect it and that it is properly fixed
+ */
+do {
+const char *bad = "this.is.a.hostname.where.each.individual.part.is.within."
+ "the.sixtythree.character.limit.but.still.long.enough.to."
+ "trigger.the.the.buffer.overflow......it.is.chosen.to.be."
+ "of.a.length.such.that.it.causes.a.two.byte.buffer......."
+ "overwrite.....making.it.longer.causes.doh.encode.to....."
+ ".return.early.so.dont.change.its.length.xxxx.xxxxxxxxxxx"
+ "..xxxxxx.....xx..........xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
+ "xxxxxxxxxxxxxxxxxxxxxxxxxx.xxxxxxxxxxxxxxxx..x......xxxx"
+ "xxxx..xxxxxxxxxxxxxxxxxxx.x...xxxx.x.x.x...xxxxx";
+
+/* plays the role of struct dnsprobe in urldata.h */
+struct demo {
+ unsigned char dohbuffer[512];
+ unsigned char canary1;
+ unsigned char canary2;
+ unsigned char canary3;
+};
+
+size_t olen = 100000;
+struct demo victim;
+victim.canary1 = 87; /* magic numbers, arbritrarily picked */
+victim.canary2 = 35;
+victim.canary3 = 41;
+DOHcode d = doh_encode(bad, DNS_TYPE_A, victim.dohbuffer,
+ sizeof(victim.dohbuffer), &olen);
+fail_unless(victim.canary1 == 87, "one byte buffer overwrite has happened");
+fail_unless(victim.canary2 == 35, "two byte buffer overwrite has happened");
+fail_unless(victim.canary3 == 41, "three byte buffer overwrite has happened");
+if(d == DOH_OK)
+{
+ fail_unless(olen <= sizeof(victim.dohbuffer), "wrote outside bounds");
+ fail_unless(olen > strlen(bad), "unrealistic low size");
+}
+} while(0);
+
+/* run normal cases and try to trigger buffer length related errors */
+do {
+DNStype dnstype = DNS_TYPE_A;
+unsigned char buffer[128];
+const size_t buflen = sizeof(buffer);
+const size_t magic1 = 9765;
+size_t olen1 = magic1;
+const char *sunshine1 = "a.com";
+const char *sunshine2 = "aa.com";
+
+DOHcode ret = doh_encode(sunshine1, dnstype, buffer, buflen, &olen1);
+fail_unless(ret == DOH_OK, "sunshine case 1 should pass fine");
+fail_if(olen1 == magic1, "olen has not been assigned properly");
+fail_unless(olen1 > strlen(sunshine1), "bad out length");
+
+/* add one letter, the response should be one longer */
+size_t olen2 = magic1;
+DOHcode ret2 = doh_encode(sunshine2, dnstype, buffer, buflen, &olen2);
+fail_unless(ret2 == DOH_OK, "sunshine case 2 should pass fine");
+fail_if(olen2 == magic1, "olen has not been assigned properly");
+fail_unless(olen1 + 1 == olen2, "olen should grow with the hostname");
+
+/* pass a short buffer, should fail */
+size_t olen;
+ret = doh_encode(sunshine1, dnstype, buffer, olen1 - 1, &olen);
+fail_if(ret == DOH_OK, "short buffer should have been noticed");
+
+/* pass a minimum buffer, should succeed */
+ret = doh_encode(sunshine1, dnstype, buffer, olen1, &olen);
+fail_unless(ret == DOH_OK, "minimal length buffer should be long enough");
+fail_unless(olen == olen1, "bad buffer length");
+} while(0);
+UNITTEST_STOP