dns: bad label size interpreted as decompression pointer (#466)

Co-authored-by: Bill Willcox <billwcorp@gmail.com>
2026-01-23 02:35:57 +01:00 · 2022-02-20 18:18:00 -05:00
parent 54e4e4b0f4
commit c302e659d7
2 changed files with 52 additions and 1 deletions
--- a/src/dns.cpp
+++ b/src/dns.cpp
@@ -342,7 +342,7 @@ uint32_t DNS::compose_name(const uint8_t* ptr, char* out_ptr) const {
            throw dns_decompression_pointer_loops();
        }
        // It's an offset
-        if ((*ptr & 0xc0)) {
+        if (((*ptr & 0xc0) == 0xc0)) {
            if (TINS_UNLIKELY(ptr + sizeof(uint16_t) > end)) {
                throw malformed_packet();
            }
--- a/tests/src/dns_test.cpp
+++ b/tests/src/dns_test.cpp
@@ -551,3 +551,54 @@ TEST_F(DNSTest, SOARecordSerialize) {
    EXPECT_EQ(0x8ad71928U, r2.expire());
    EXPECT_EQ(0x1ad92871U, r2.minimum_ttl());
 }
 TEST_F(DNSTest, BadLabelSize) {
    const uint8_t header[] = {
                       0x45, 0xbc,    // ID
                       0x81, 0x80,    // response, recursion desired, recursion available, no error
                       0x00, 0x01,    // QDCOUNT
                       0x00, 0x00,    // ANCOUNT
                       0x00, 0x00,    // NSCOUNT
                       0x00, 0x00     // ARCOUNT
    };
    size_t payload_sz{sizeof(header)};
    uint8_t payload[512];
    // copy header
    std::copy(header, 
              header + payload_sz, 
              payload);
    // add bad length
    const size_t bad_label_len{0x80};
    payload[payload_sz++] = bad_label_len; 
    // fill label for incorrect length and terminate
    std::fill(payload + payload_sz,
              payload + payload_sz + bad_label_len, 
              'a');
    payload_sz += bad_label_len;
    payload[payload_sz++] = 0x0;
    // add type and class
    const uint8_t type_class[] = {
        0x00, 0x01,
        0x00, 0x01
    };
    std::copy(type_class, 
              type_class + sizeof(type_class), 
              payload + payload_sz);
    payload_sz += sizeof(type_class);
    // SUCCEED moves from dns_decompression_pointer_out_of_bounds to malformed_packet after fix
    const DNS packet(payload, payload_sz);
    EXPECT_EQ(packet.questions_count(), 1);
    try {
        const auto queries{packet.queries()};
        FAIL();
    } catch (dns_decompression_pointer_out_of_bounds& oob) {
        FAIL();
    } catch (malformed_packet& mp) {
        SUCCEED();
    }
 }