Since commit
9d8dbbc ("MINOR: dns: Maximum DNS udp payload set to 8192") it's
possible to specify a packet size, but passing too large a size or a negative
size is not detected and results in memset() being performed over a 2GB+ area
upon receipt of the first DNS response, causing runtime crashes.
We now check that the size is not smaller than the smallest possible packet,
which is the DNS header size (12 bytes).
No backport is needed.
#define SRV_MAX_PREF_NET 5
/* DNS header size */
-#define DNS_HEADER_SIZE sizeof(struct dns_header)
+#define DNS_HEADER_SIZE ((int)sizeof(struct dns_header))
/* DNS resolution pool size, per resolvers section */
#define DNS_DEFAULT_RESOLUTION_POOL_SIZE 64
}
i = atoi(args[1]);
- if (i > DNS_MAX_UDP_MESSAGE) {
- Alert("parsing [%s:%d] : '%s' size %d exceeds maximum allowed size %d.\n",
- file, linenum, args[0], i, DNS_MAX_UDP_MESSAGE);
+ if (i < DNS_HEADER_SIZE || i > DNS_MAX_UDP_MESSAGE) {
+ Alert("parsing [%s:%d] : '%s' must be between %d and %d inclusive (was %s).\n",
+ file, linenum, args[0], DNS_HEADER_SIZE, DNS_MAX_UDP_MESSAGE, args[1]);
err_code |= ERR_ALERT | ERR_FATAL;
goto out;
}
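Review bot: `i = atoi(args[1]);` just above the new range check still accepts inputs the check cannot catch: atoi() reports no errors, so a value with a trailing suffix such as `4096k` silently parses as 4096, and a literal that does not fit an int is undefined behaviour in atoi() rather than a reportable failure, so it may land anywhere, including inside the accepted window. Parsing with strtol() and rejecting `end == args[1] || *end != '\0' || errno == ERANGE` before the range comparison closes that gap, and the new Alert message already prints args[1] so it needs no change (errno.h must be in scope, if it is not already). The enclosing parser function starts outside the hunk, and `i` is presumably used after it, so it is still assigned from the validated value.
```c
char *end;
errno = 0;
long v = strtol(args[1], &end, 10);
if (end == args[1] || *end != '\0' || errno == ERANGE ||
    v < DNS_HEADER_SIZE || v > DNS_MAX_UDP_MESSAGE) {
	/* … unchanged: Alert(), err_code |= ERR_ALERT | ERR_FATAL, goto out … */
}
i = (int)v;
```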