From: Philippe Antoine
Date: Wed, 2 Oct 2024 12:30:15 +0000 (+0200)
Subject: dns/probe: adds check for 0 records and big size
X-Git-Tag: suricata-8.0.0-beta1~633
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=9b40446bea4cf74faaa159fddf0b8502f11619c1;p=thirdparty%2Fsuricata.git

dns/probe: adds check for 0 records and big size

Ticket: 7279

Make dns probing function stricter to avoid matching on non-DNS on port 53 and later returning a app-layer error.
---

diff --git a/rust/src/dns/dns.rs b/rust/src/dns/dns.rs
index ce67e577df..11ebfb1a4c 100644
--- a/rust/src/dns/dns.rs
+++ b/rust/src/dns/dns.rs
@@ -770,19 +770,24 @@ impl DNSState {
 const DNS_HEADER_SIZE: usize = 12;
 
 fn probe_header_validity(header: &DNSHeader, rlen: usize) -> (bool, bool, bool) {
-    let min_msg_size = 2
-        * (header.additional_rr as usize
-            + header.answer_rr as usize
-            + header.authority_rr as usize
-            + header.questions as usize)
-        + DNS_HEADER_SIZE;
+    let nb_records = header.additional_rr as usize
+        + header.answer_rr as usize
+        + header.authority_rr as usize
+        + header.questions as usize;
+    let min_msg_size = 2 * nb_records;
     if min_msg_size > rlen {
         // Not enough data for records defined in the header, or
         // impossibly large.
         return (false, false, false);
     }
 
+    if nb_records == 0 && rlen > DNS_HEADER_SIZE {
+        // zero fields, data size should be just DNS_HEADER_SIZE
+        // happens when DNS server returns format error
+        return (false, false, false);
+    }
+
     let is_request = header.flags & 0x8000 == 0;
     return (true, is_request, false);
 }
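Review bot: The two size checks in probe_header_validity appear to compare `rlen` against different bases: `let min_msg_size = 2 * nb_records;` drops the `+ DNS_HEADER_SIZE` term the old code had, while the new `nb_records == 0 && rlen > DNS_HEADER_SIZE` check (by its own comment) treats `rlen` as the whole message including the 12-byte header. If that is what the caller passes, the first check is now looser than before (a 13-byte message with questions=1 was rejected by `14 > 13` and now passes), the opposite of the stricter probe the commit describes; if instead `rlen` is the remainder after the header, the zero-record check should be `rlen != 0`, since nothing may follow the header when all four counts are zero. The caller of probe_header_validity is outside the hunk, so which base `rlen` uses cannot be confirmed here, but only one of `let min_msg_size = 2 * nb_records + DNS_HEADER_SIZE;` or `if nb_records == 0 && rlen != 0 {` is consistent with the other check. Separately, 2 bytes per record is a loose lower bound (a question needs at least 5 bytes and a resource record at least 11, even with a root or compressed name), so the multiplier could be tightened if the probe is meant to reject more non-DNS traffic on port 53. The comment on the added block would also read better as `// No records at all: the message must be exactly DNS_HEADER_SIZE bytes (seen with FORMERR responses)`.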