network: Restrict the valid charset of DNR names 34927/head
authorRonan Pigott <ronan@rjp.ie>
Tue, 29 Oct 2024 04:26:51 +0000 (21:26 -0700)
committerRonan Pigott <ronan@rjp.ie>
Tue, 29 Oct 2024 21:18:37 +0000 (14:18 -0700)
Not all possible DNS names will survive serialization. Restrict the set
of valid DNS names to LDH-encoded (letters, digits, hyphens) names.

Fixes: 25c33e350042 (network: parse RFC9463 DHCPv4 DNR option, 2024-01-16)
Fixes: a07e83cc58f6 (network: Parse RFC9463 DHCPv6 DNR option, 2024-01-17)
Fixes: 0c90d1d2f243 (ndisc: Parse RFC9463 encrypted DNS (DNR) option, 2024-01-19)
src/libsystemd-network/ndisc-option.c
src/libsystemd-network/sd-dhcp-lease.c
src/libsystemd-network/sd-dhcp6-lease.c

index 1071d98b19077a29a624a6199c0506055536cbca..d784ffb3ff06d7e4734c45d063d9081bcb2fc88d 100644 (file)
@@ -1358,6 +1358,11 @@ static int ndisc_option_parse_encrypted_dns(Set **options, size_t offset, size_t
         r = ndisc_get_dns_name(opt + off, ilen, &res.auth_name);
         if (r < 0)
                 return r;
+        r = dns_name_is_valid_ldh(res.auth_name);
+        if (r < 0)
+                return r;
+        if (!r)
+                return -EBADMSG;
         if (dns_name_is_root(res.auth_name))
                 return -EBADMSG;
         off += ilen;
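Review bot: The new `dns_name_is_valid_ldh()` check in ndisc_option_parse_encrypted_dns has no comment saying why a name that already parsed cleanly is still refused; the reason is given only in the commit message. I would add `/* The ADN comes from a received option and is serialized later; only LDH names survive that, so refuse anything else. */` above it. The same five lines are repeated in lease_parse_dnr and dhcp6_lease_add_dnr, so a small shared helper would keep the three parsers from drifting apart. The file list touches only the three parsers, so a test that feeds each one a non-LDH name and expects -EBADMSG would be worth adding. The function body starts and ends outside the hunk.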
index 6b2d8106451da1cbd82a5c143b7d3ceb008d07da..fc891a0b045b2208d64a60d8be758f0f379a16c8 100644 (file)
@@ -628,6 +628,11 @@ static int lease_parse_dnr(const uint8_t *option, size_t len, sd_dns_resolver **
                 r = lease_parse_dns_name(option + offset, ilen, &res.auth_name);
                 if (r < 0)
                         return r;
+                r = dns_name_is_valid_ldh(res.auth_name);
+                if (r < 0)
+                        return r;
+                if (!r)
+                        return -EBADMSG;
                 if (dns_name_is_root(res.auth_name))
                         return -EBADMSG;
                 offset += ilen;
index bc054c42b2275b8baf5d67c9c61fa56394359efe..2ff1e87a2e461ca2b3dfdeb671c3b60df8a255d4 100644 (file)
@@ -8,6 +8,7 @@
 #include "alloc-util.h"
 #include "dhcp6-internal.h"
 #include "dhcp6-lease-internal.h"
+#include "dns-domain.h"
 #include "network-common.h"
 #include "sort-util.h"
 #include "strv.h"
@@ -465,6 +466,11 @@ static int dhcp6_lease_add_dnr(sd_dhcp6_lease *lease, const uint8_t *optval, siz
         r = dhcp6_option_parse_domainname(optval + offset, ilen, &res.auth_name);
         if (r < 0)
                 return r;
+        r = dns_name_is_valid_ldh(res.auth_name);
+        if (r < 0)
+                return r;
+        if (!r)
+                return -EBADMSG;
         offset += ilen;
 
         /* RFC9463 ยง 3.1.6: adn only mode */
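Review bot: Unlike the NDisc and DHCPv4 hunks, no `dns_name_is_root()` check follows the new LDH check in dhcp6_lease_add_dnr, so whether an empty authentication-domain name is refused here rests on dhcp6_option_parse_domainname, which is not visible in the hunk. The LDH check is about label characters and may well accept the root name. If the parser already rejects an empty name, a one-line comment such as `/* dhcp6_option_parse_domainname() already refuses an empty name */` would show the asymmetry is deliberate; otherwise add `if (dns_name_is_root(res.auth_name)) return -EBADMSG;` after the new lines. The function continues past the end of the hunk.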