git.ipfire.org Git - thirdparty/pdns.git/commit

author	Remi Gacogne <remi.gacogne@powerdns.com>
	Mon, 9 Sep 2024 12:20:48 +0000 (14:20 +0200)
committer	Remi Gacogne <remi.gacogne@powerdns.com>
	Mon, 9 Sep 2024 13:09:35 +0000 (15:09 +0200)
commit	d77e211b81c0189755fe90f2409739929e349f62
tree	bf5209212fd86ab103f328b07ba15243fbe066a4	tree
parent	eb1538c876c9f049aca06c07eeb46135f21e04bd	commit \| diff

dnsdist: Fix handling of proxy protocol payload outside of TLS for DoT

After reading the proxy protocol payload from the I/O buffer
we were clearing the buffer but failed to properly reset the
position, leading to an exception when trying to read the DNS
payload after processing the TLS handshake:

```
Got an exception while handling (reading) TCP query from 127.0.0.1:59426: Calling tryRead() with a too small buffer (2) for a read of 18446744073709551566 bytes starting at 52
```

The huge value comes from the fact that the position (52 here)
is larger than the size of the buffer (2 at this point to read
the size of the incoming DNS payload), leading to an unsigned
underflow. The code is properly detecting that the value makes
no sense in this context, but the connection is then dropped
because we cannot recover.

It turns out we had a end-to-end test for the "proxy protocol
outside of TLS" case but only over incoming DoH, and the DoH
case avoids this specific issue because the buffer is always
properly resized, and the position updated.

(cherry picked from commit 4931fb28f7bc6e8905d3298003dead7c32f4d090)

pdns/dnsdist-tcp.cc		diff \| blob \| blame \| history
pdns/dnsdistdist/dnsdist-nghttp2-in.cc		diff \| blob \| blame \| history
regression-tests.dnsdist/test_ProxyProtocol.py		diff \| blob \| blame \| history