From a25f532ce7d8270fc9474c91fe6c2dd289e1c77d Mon Sep 17 00:00:00 2001 From: Victor Julien Date: Fri, 18 Apr 2014 20:25:22 +0200 Subject: [PATCH] dns: improve response name parsing Improve parsing of names with multiple pointers following each other. --- src/app-layer-dns-common.c | 8 ++++- src/app-layer-dns-udp.c | 70 ++++++++++++++++++++++++++++++++++++++ 2 files changed, 77 insertions(+), 1 deletion(-) diff --git a/src/app-layer-dns-common.c b/src/app-layer-dns-common.c index c1555b54b6..0814634b08 100644 --- a/src/app-layer-dns-common.c +++ b/src/app-layer-dns-common.c @@ -587,7 +587,8 @@ static uint16_t DNSResponseGetNameByOffset(const uint8_t * const input, const ui } while (length != 0) { - if (length & 0xc0) { + int cnt = 0; + while (length & 0xc0) { uint16_t offset = ((length & 0x3f) << 8) + *(qdata+1); qdata = (const uint8_t *)input + offset; @@ -598,6 +599,11 @@ static uint16_t DNSResponseGetNameByOffset(const uint8_t * const input, const ui length = *qdata; SCLogDebug("qry length %u", length); + + if (cnt++ == 100) { + SCLogDebug("too many pointer iterations, loop?"); + goto bad_data; + } } qdata++; diff --git a/src/app-layer-dns-udp.c b/src/app-layer-dns-udp.c index 1d293c32b9..a56cfa37c2 100644 --- a/src/app-layer-dns-udp.c +++ b/src/app-layer-dns-udp.c @@ -459,7 +459,77 @@ end: return (result); } +static int DNSUDPParserTest02 (void) { + int result = 0; + uint8_t buf[] = { + 0x6D,0x08,0x84,0x80,0x00,0x01,0x00,0x08,0x00,0x00,0x00,0x01,0x03,0x57,0x57,0x57, + 0x04,0x54,0x54,0x54,0x54,0x03,0x56,0x56,0x56,0x03,0x63,0x6F,0x6D,0x02,0x79,0x79, + 0x00,0x00,0x01,0x00,0x01,0xC0,0x0C,0x00,0x05,0x00,0x01,0x00,0x00,0x0E,0x10,0x00, + 0x02,0xC0,0x0C,0xC0,0x31,0x00,0x05,0x00,0x01,0x00,0x00,0x0E,0x10,0x00,0x02,0xC0, + 0x31,0xC0,0x3F,0x00,0x05,0x00,0x01,0x00,0x00,0x0E,0x10,0x00,0x02,0xC0,0x3F,0xC0, + 0x4D,0x00,0x05,0x00,0x01,0x00,0x00,0x0E,0x10,0x00,0x02,0xC0,0x4D,0xC0,0x5B,0x00, + 0x05,0x00,0x01,0x00,0x00,0x0E,0x10,0x00,0x02,0xC0,0x5B,0xC0,0x69,0x00,0x05,0x00, + 0x01,0x00,0x00,0x0E,0x10,0x00,0x02,0xC0,0x69,0xC0,0x77,0x00,0x05,0x00,0x01,0x00, + 0x00,0x0E,0x10,0x00,0x02,0xC0,0x77,0xC0,0x85,0x00,0x05,0x00,0x01,0x00,0x00,0x0E, + 0x10,0x00,0x02,0xC0,0x85,0x00,0x00,0x29,0x05,0x00,0x00,0x00,0x00,0x00,0x00,0x00, + }; + size_t buflen = sizeof(buf); + Flow *f = NULL; + + f = UTHBuildFlow(AF_INET, "1.2.3.4", "1.2.3.5", 1024, 53); + if (f == NULL) + goto end; + f->proto = IPPROTO_UDP; + f->alproto = ALPROTO_DNS; + f->alstate = DNSStateAlloc(); + + int r = DNSUDPResponseParse(f, f->alstate, NULL, buf, buflen, NULL); + if (r != 1) + goto end; + + result = 1; +end: + UTHFreeFlow(f); + return (result); +} + +static int DNSUDPParserTest03 (void) { + int result = 0; + uint8_t buf[] = { + 0x6F,0xB4,0x84,0x80,0x00,0x01,0x00,0x02,0x00,0x02,0x00,0x03,0x03,0x57,0x57,0x77, + 0x0B,0x56,0x56,0x56,0x56,0x56,0x56,0x56,0x56,0x56,0x56,0x56,0x03,0x55,0x55,0x55, + 0x02,0x79,0x79,0x00,0x00,0x01,0x00,0x01,0xC0,0x0C,0x00,0x05,0x00,0x01,0x00,0x00, + 0x0E,0x10,0x00,0x02,0xC0,0x10,0xC0,0x34,0x00,0x01,0x00,0x01,0x00,0x00,0x0E,0x10, + 0x00,0x04,0xC3,0xEA,0x04,0x19,0xC0,0x34,0x00,0x02,0x00,0x01,0x00,0x00,0x0E,0x10, + 0x00,0x0A,0x03,0x6E,0x73,0x31,0x03,0x61,0x67,0x62,0xC0,0x20,0xC0,0x46,0x00,0x02, + 0x00,0x01,0x00,0x00,0x0E,0x10,0x00,0x06,0x03,0x6E,0x73,0x32,0xC0,0x56,0xC0,0x52, + 0x00,0x01,0x00,0x01,0x00,0x00,0x0E,0x10,0x00,0x04,0xC3,0xEA,0x04,0x0A,0xC0,0x68, + 0x00,0x01,0x00,0x01,0x00,0x00,0x0E,0x10,0x00,0x04,0xC3,0xEA,0x05,0x14,0x00,0x00, + 0x29,0x05,0x00,0x00,0x00,0x00,0x00,0x00,0x00 + }; + size_t buflen = sizeof(buf); + Flow *f = NULL; + + f = UTHBuildFlow(AF_INET, "1.2.3.4", "1.2.3.5", 1024, 53); + if (f == NULL) + goto end; + f->proto = IPPROTO_UDP; + f->alproto = ALPROTO_DNS; + f->alstate = DNSStateAlloc(); + + int r = DNSUDPResponseParse(f, f->alstate, NULL, buf, buflen, NULL); + if (r != 1) + goto end; + + result = 1; +end: + UTHFreeFlow(f); + return (result); +} + void DNSUDPParserRegisterTests(void) { UtRegisterTest("DNSUDPParserTest01", DNSUDPParserTest01, 1); + UtRegisterTest("DNSUDPParserTest02", DNSUDPParserTest02, 1); + UtRegisterTest("DNSUDPParserTest03", DNSUDPParserTest03, 1); } #endif -- 2.47.2