bool fr_dns_packet_ok(uint8_t const *packet, size_t packet_len, bool query, fr_dns_decode_fail_t *reason)
{
-#if 0
uint8_t const *p, *end;
- int count, expected;
-#endif
+ int qdcount, count, expected;
if (packet_len <= DNS_HDR_LEN) {
DECODE_FAIL(MIN_LENGTH_PACKET);
return false;
}
+ qdcount = fr_net_to_uint16(packet + 4);
+
if (query) {
/*
* There should be at least one query, and no replies in the query!
*/
- if (fr_net_to_uint16(packet + 4) == 0) {
+ if (!qdcount) {
DECODE_FAIL(NO_QUESTIONS);
return false;
}
*/
}
-#if 0
expected = fr_net_to_uint16(packet + 4) + fr_net_to_uint16(packet + 6) + fr_net_to_uint16(packet + 8) + fr_net_to_uint16(packet + 10);
count = 0;
p = packet + DNS_HDR_LEN;
end = packet + packet_len;
+ /*
+ * Check for wildly fake packets, by making rough
+ * estimations. This way we don't actually have to walk
+ * the packet.
+ */
+ if (p + (qdcount * 5) > end) {
+ DECODE_FAIL(TOO_MANY_RRS);
+ return false;
+ }
+ p += (qdcount * 5);
+
+ if ((p + ((expected - qdcount) * (1 + 8 + 2))) > end) {
+ DECODE_FAIL(TOO_MANY_RRS);
+ return false;
+ }
+
+ /*
+ * The counts are at least vaguely OK, let's walk over the whole packet.
+ */
+ p = packet + DNS_HDR_LEN;
+
/*
* Check that lengths of RRs match.
*/
while (p < end) {
- uint16_t len;
+ uint16_t len = 0;
+ uint8_t const *start = p;
+
/*
- * @todo - get DNS label, followed by 2 octets of
- * type, 2 of class, 4 of TTL. Then check the RR.
+ * Simple DNS label decoder
*/
+ while (p < end) {
+ /*
+ * 0x00 is "end of label"
+ */
+ if (!*p) {
+ p++;
+ break;
+ }
+
+ /*
+ * 2 octets of 14-bit pointer, which must
+ * be at least somewhat sane.
+ */
+ if (*p >= 0xc0) {
+ size_t offset;
+
+ if ((p + 2) >= end) {
+ DECODE_FAIL(INVALID_RR_LABEL);
+ return false;
+ }
+
+ offset = p[1];
+ offset += ((*p & ~0xc0) << 8);
+
+ /*
+ * Can't point to the header.
+ */
+ if (offset < 12) {
+ DECODE_FAIL(INVALID_RR_LABEL);
+ return false;
+ }
+
+ /*
+ * Can't point to the current label.
+ */
+ if ((packet + offset) >= start) {
+ DECODE_FAIL(INVALID_RR_LABEL);
+ return false;
+ }
+
+ /*
+ * A compressed pointer is the end of the current label.
+ */
+ p += 2;
+ break;
+ }
+
+ /*
+ * 0b10 and 0b10 are forbidden
+ */
+ if (*p > 63) {
+ DECODE_FAIL(INVALID_RR_LABEL);
+ return false;
+ }
+
+ /*
+ * It must be a length byte, which doesn't cause overflow.
+ */
+ if ((p + *p + 1) >= end) {
+ DECODE_FAIL(INVALID_RR_LABEL);
+ return false;
+ }
+
+ /*
+ * Total length of labels can't be too high.
+ */
+ len += *p;
+ if (len >= 256) {
+ DECODE_FAIL(INVALID_RR_LABEL);
+ return false;
+ }
+
+ /*
+ * Go to the next label.
+ */
+ p += *p + 1;
+ }
+
+ if (qdcount) {
+ /*
+ * qtype + qclass
+ */
+ if ((p + 4) > end) {
+ DECODE_FAIL(MISSING_RR_HEADER);
+ return false;
+ }
+
+ p += 4;
+ qdcount--;
+ goto next;
+ }
+ /*
+ * type + class + TTL
+ */
+ if ((p + 8) > end) {
+ DECODE_FAIL(MISSING_RR_HEADER);
+ return false;
+ }
+ p += 8;
+
+ /*
+ * rr_len
+ */
if ((p + 2) >= end) {
- DECODE_FAIL(MISSING_RRLEN);
+ DECODE_FAIL(MISSING_RR_LEN);
return false;
}
}
p+= len;
+
+next:
count++;
if (count > expected) {
DECODE_FAIL(TOO_FEW_RRS);
return false;
}
-#endif
DECODE_FAIL(NONE);
return true;
{ L("no 'questions' in query packet"), DECODE_FAIL_NO_QUESTIONS },
{ L("unexprected answers in query packet"), DECODE_FAIL_ANSWERS_IN_QUESTION },
{ L("unexpected NS records in query packet"), DECODE_FAIL_NS_IN_QUESTION },
- { L("missing resource record length field"), DECODE_FAIL_MISSING_RRLEN },
+ { L("invalid label for resource record"), DECODE_FAIL_INVALID_RR_LABEL },
+ { L("missing resource record header"), DECODE_FAIL_MISSING_RR_HEADER },
+ { L("missing resource record length field"), DECODE_FAIL_MISSING_RR_LEN },
{ L("resource record length overflows the packet"), DECODE_FAIL_RR_OVERFLOWS_PACKET },
{ L("more resource records than indicated in header"), DECODE_FAIL_TOO_MANY_RRS },
{ L("fewer resource records than indicated in header"), DECODE_FAIL_TOO_FEW_RRS },
DECODE_FAIL_NO_QUESTIONS,
DECODE_FAIL_ANSWERS_IN_QUESTION,
DECODE_FAIL_NS_IN_QUESTION,
- DECODE_FAIL_MISSING_RRLEN,
+ DECODE_FAIL_INVALID_RR_LABEL,
+ DECODE_FAIL_MISSING_RR_HEADER,
+ DECODE_FAIL_MISSING_RR_LEN,
DECODE_FAIL_RR_OVERFLOWS_PACKET,
DECODE_FAIL_TOO_MANY_RRS,
DECODE_FAIL_TOO_FEW_RRS,
proto-dictionary dns
# 0x6000 questions
-decode-proto 44 81 9a 97 00 00 00 00 60 00 00 00 00 00 01 00 2d 00 00 dc dc 23
-match Failed decoding NS - ns structure at count 1/24576 overflows the packet
+decode-proto 44 81 9a 97 00 00 00 00 60 00 00 00 00 00 01 00 2d 00 00 dc dc 23
+match DNS packet malformed - missing resource record length field
-# 256 bytes of data
+#
decode-proto 44 81 9a 97 00 00 00 00 00 01 00 00 01 00 00 00 2d 00 00 dc dc 23
-match packet = { id = 17537, query = response, opcode = 3, authoritative = no, truncated-response = yes, recursion-desired = no, recursion-available = yes, reserved = no, authentic-data = no, checking-disabled = yes, rcode = yx-rr-set, qdcount = 0, ancount = 0, nscount = 1, arcount = 0 }, raw.ns = 0x010000002d0000dcdc23
+match DNS packet malformed - missing resource record header
decode-proto 20 20 20 20 20 20 20 20 20 20 20 20 ff
match DNS packet malformed - unexpected NS records in query packet
match DNS packet malformed - no 'questions' in query packet
decode-proto 2020 A020 0000 2020 2020 2020 012d 0000 0c20 2020 2020 2000 2520 2020 2020 ff20 2020 2020 2020 ff20 2020 2020 2020 20202020 2020 2020 2020 2020 20ff 2020 c00d
-match Failed decoding RRs - rr structure at count 2/8224 overflows the packet
+match DNS packet malformed - invalid label for resource record
count
match 12
projects / thirdparty / freeradius-server.git / commitdiff
