git.ipfire.org Git - thirdparty/pdns.git/commit

author	Remi Gacogne <remi.gacogne@powerdns.com>
	Thu, 18 Apr 2024 08:49:10 +0000 (10:49 +0200)
committer	Remi Gacogne <remi.gacogne@powerdns.com>
	Thu, 25 Apr 2024 08:18:15 +0000 (10:18 +0200)
commit	edf08f53a3a2149260110ba11be29364ffc5be66
tree	568fd1f8ddac7d1971f811adb2bad3d67f3baa4b	tree
parent	e516471d49e9035fee683a4b8bc963684c4e3122	commit \| diff

dnsdist: Fix a crash in incoming DoH with nghttp2

This fixes an issue in the code dealing with incoming DNS over HTTPS
queries with the nghttp2 provider. In some rare cases, if the incoming
query is forwarded to the backend over TCP and the response comes back
immediately (the `read()` call done just after the `write()` call sending
the query must succeed and yield a complete response), the processing
of the response might end up calling `IncomingHTTP2Connection::readHTTPData()`
down the line, via the `nghttp2` callbacks, while we were already
inside this function. This does not actually work because
`nghttp2_session_mem_recv` is not reentrant, so the internal state of
the `nghttp2_session` object might become inconsistent and trigger
an assertion, for example:
```
nghttp2_session.c:6854: nghttp2_session_mem_recv2: Assertion `iframe->state == NGHTTP2_IB_IGN_ALL' failed.
```

This results in a call to `abort()` and very unlikely to be exploitable,
because there is no memory corruption occurring. It would also be quite
difficult for an attacker to trigger the conditions leading to this event
remotely.

Reported by Daniel Stirnimann from Switch and Stephane Bortzmeyer, many thanks to them.

(cherry picked from commit a4d82c53f714211462ae4da2e16fb13dec51ba05)

pdns/dnsdistdist/dnsdist-nghttp2-in.cc		diff \| blob \| blame \| history
pdns/dnsdistdist/dnsdist-nghttp2-in.hh		diff \| blob \| blame \| history