From: Amos Jeffries <squid3@treenet.co.nz>
Date: Fri, 15 Jan 2010 11:29:27 +0000 (+1300)
Subject: Handle DNS header-only packets as invalid.
X-Git-Tag: SQUID_3_2_0_1~461
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=fd7b53a4205ffa4967cfa8be69304fc1e252c433;p=thirdparty%2Fsquid.git

Handle DNS header-only packets as invalid.
---

diff --git a/lib/rfc1035.c b/lib/rfc1035.c
index 2fb034e164..fb5635d21c 100644
--- a/lib/rfc1035.c
+++ b/lib/rfc1035.c
@@ -287,7 +287,10 @@ rfc1035NameUnpack(const char *buf, size_t sz, unsigned int *off, unsigned short
     size_t len;
     assert(ns > 0);
     do {
-        assert((*off) < sz);
+        if ((*off) >= sz) {
+            RFC1035_UNPACK_DEBUG;
+            return 1;
+        }
         c = *(buf + (*off));
         if (c > 191) {
             /* blasted compression */
diff --git a/lib/tests/testRFC1035.cc b/lib/tests/testRFC1035.cc
index 1f56bae478..73c6766e74 100644
--- a/lib/tests/testRFC1035.cc
+++ b/lib/tests/testRFC1035.cc
@@ -110,3 +110,28 @@ void testRFC1035::testBugPacketEndingOnCompressionPtr()
     CPPUNIT_ASSERT(msg != NULL);
     rfc1035MessageDestroy(&msg);
 }
+
+void testRFC1035::testBugPacketHeadersOnly()
+{
+    /* Setup a buffer with the known-to-fail headers-only packet */
+    const char *buf = "\xab\xcd\x81\x80\x00\x01\x00\x05\x00\x04\x00\x04";
+    size_t len = 12;
+    rfc1035_message *msg = NULL;
+    int res = 0;
+    unsigned int off = 0;
+
+    /* Test the HeaderUnpack function results */
+    msg = new rfc1035_message;
+    res = rfc1035HeaderUnpack(buf, len, &off, msg);
+    CPPUNIT_ASSERT(0 == res);
+    /* cleanup */
+    delete msg;
+    msg = NULL;
+
+    /* Test the MessageUnpack function itself */
+    res = rfc1035MessageUnpack(buf, len, &msg);
+
+    CPPUNIT_ASSERT_EQUAL((const char *)"The DNS reply message is corrupt or could not be safely parsed.", rfc1035_error_message);
+    CPPUNIT_ASSERT(res < 0);
+    CPPUNIT_ASSERT(msg == NULL);
+}
diff --git a/lib/tests/testRFC1035.h b/lib/tests/testRFC1035.h
index b994c9a78b..e67ea08572 100644
--- a/lib/tests/testRFC1035.h
+++ b/lib/tests/testRFC1035.h
@@ -13,6 +13,7 @@ class testRFC1035 : public CPPUNIT_NS::TestFixture
     CPPUNIT_TEST( testHeaderUnpack );
     CPPUNIT_TEST( testParseAPacket );
 
+    CPPUNIT_TEST( testBugPacketHeadersOnly );
     CPPUNIT_TEST( testBugPacketEndingOnCompressionPtr );
     CPPUNIT_TEST_SUITE_END();
 
@@ -24,6 +25,7 @@ protected:
 
     // bugs.
     void testBugPacketEndingOnCompressionPtr();
+    void testBugPacketHeadersOnly();
 };
 
 #endif /* SQUID_SRC_TEST_IPADDRESS_H */