git.ipfire.org Git - thirdparty/pdns.git/commit

author	Remi Gacogne <remi.gacogne@powerdns.com>
	Thu, 18 Apr 2024 08:49:10 +0000 (10:49 +0200)
committer	Remi Gacogne <remi.gacogne@powerdns.com>
	Thu, 25 Apr 2024 08:07:00 +0000 (10:07 +0200)
commit	a4d82c53f714211462ae4da2e16fb13dec51ba05
tree	fd0dc6a9222376f09cf5eb12d1434d6798138b1d	tree
parent	a6efcf40c710a12fc38ad4dec406257579c0df40	commit \| diff

dnsdist: Fix a crash in incoming DoH with nghttp2

This fixes an issue in the code dealing with incoming DNS over HTTPS
queries with the nghttp2 provider. In some rare cases, if the incoming
query is forwarded to the backend over TCP and the response comes back
immediately (the `read()` call done just after the `write()` call sending
the query must succeed and yield a complete response), the processing
of the response might end up calling `IncomingHTTP2Connection::readHTTPData()`
down the line, via the `nghttp2` callbacks, while we were already
inside this function. This does not actually work because
`nghttp2_session_mem_recv` is not reentrant, so the internal state of
the `nghttp2_session` object might become inconsistent and trigger
an assertion, for example:
```
nghttp2_session.c:6854: nghttp2_session_mem_recv2: Assertion `iframe->state == NGHTTP2_IB_IGN_ALL' failed.
```

This results in a call to `abort()` and very unlikely to be exploitable,
because there is no memory corruption occurring. It would also be quite
difficult for an attacker to trigger the conditions leading to this event
remotely.

Reported by Daniel Stirnimann from Switch and Stephane Bortzmeyer, many thanks to them.

pdns/dnsdistdist/dnsdist-nghttp2-in.cc		diff \| blob \| blame \| history
pdns/dnsdistdist/dnsdist-nghttp2-in.hh		diff \| blob \| blame \| history