Fix CVE-2017-13704, which resulted in a crash on a large DNS query.

A DNS query recieved by UDP which exceeds 512 bytes (or the EDNS0 packet size, if different.) is enough to cause SIGSEGV.

Fix CVE-2017-13704, which resulted in a crash on a large DNS query.
A DNS query recieved by UDP which exceeds 512 bytes (or the EDNS0 packet size, if different.) is enough to cause SIGSEGV.
63437ffb · Simon Kelley · 69a815aa · 63437ffb · 63437ffb · 63437ffb
Commit 63437ffb authored Sep 06, 2017 by Simon Kelley
Hide whitespace changes
Inline Side-by-side

Showing with 15 additions and 10 deletions

CHANGELOG CHANGELOG +7 -0

src/auth.c src/auth.c +0 -5

src/forward.c src/forward.c +8 -0

src/rfc1035.c src/rfc1035.c +0 -5

No files found.
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -17,6 +17,13 @@ version 2.78
 	--strict-order active. Thanks to Hans Dedecker
 	for the patch
+	Fix regression in 2.77, ironically added as a security
+	improvement, which resulted in a crash when a DNS
+	query exceeded 512 bytes (or the EDNS0 packet size,
+	if different.) Thanks to Christian Kujau, Arne Woerner
+	Juan Manuel Fernandez and Kevin Darbyshire-Bryant for
+	chasing this one down.  CVE-2017-13704 applies.
 version 2.77
 	Generate an error when configured with a CNAME loop,

--- a/src/auth.c
+++ b/src/auth.c
@@ -119,11 +119,6 @@ size_t answer_auth(struct dns_header *header, char *limit, size_t qlen, time_t n
  struct cname *a, *candidate;
  unsigned int wclen;
-  /* Clear buffer beyond request to avoid risk of
-     information disclosure. */
-  memset(((char *)header) + qlen, 0, 
-	 (limit - ((char *)header)) - qlen);
  if (ntohs(header->qdcount) == 0 || OPCODE(header) != QUERY )
    return 0;

--- a/src/forward.c
+++ b/src/forward.c
@@ -1188,6 +1188,10 @@ void receive_query(struct listener *listen, time_t now)
      (msg.msg_flags & MSG_TRUNC) ||
      (header->hb3 & HB3_QR))
    return;
+  /* Clear buffer beyond request to avoid risk of
+     information disclosure. */
+  memset(daemon->packet + n, 0, daemon->edns_pktsz - n);
  source_addr.sa.sa_family = listen->family;
@@ -1688,6 +1692,10 @@ unsigned char *tcp_request(int confd, time_t now,
      if (size < (int)sizeof(struct dns_header))
 	continue;
+      /* Clear buffer beyond request to avoid risk of
+	 information disclosure. */
+      memset(payload + size, 0, 65536 - size);
      query_count++;

--- a/src/rfc1035.c
+++ b/src/rfc1035.c
@@ -1223,11 +1223,6 @@ size_t answer_request(struct dns_header *header, char *limit, size_t qlen,
  struct mx_srv_record *rec;
  size_t len;
-  /* Clear buffer beyond request to avoid risk of
-     information disclosure. */
-  memset(((char *)header) + qlen, 0, 
-	 (limit - ((char *)header)) - qlen);
  if (ntohs(header->ancount) != 0 ||
      ntohs(header->nscount) != 0 ||
      ntohs(header->qdcount) == 0 ||