
resolved: packet - fail on invalid zero-length data

Most blobs (keys, signatures, ...) should have a specific size given by
the relevant algorithm. However, as we don't use/verify the algorithms
yet, let's just ensure that we don't read out zero-length data in cases
where this does not make sense.

The only exceptions, where zero-length data is allowed, are the NSEC3
salt field and the generic data (which we don't know anything about,
so better not make any assumptions).
Tom Gundersen 2015-07-23 12:57:58 +02:00
parent 20330324e3
commit f1d178cce1


@ -1513,6 +1513,13 @@ int dns_packet_read_rr(DnsPacket *p, DnsResourceRecord **ret, size_t *start) {
if (r < 0) if (r < 0)
goto fail; goto fail;
if (rr->ds.digest_size <= 0) {
/* the accepted size depends on the algorithm, but for now
just ensure that the value is greater than zero */
r = -EBADMSG;
goto fail;
}
break; break;
case DNS_TYPE_SSHFP: case DNS_TYPE_SSHFP:
r = dns_packet_read_uint8(p, &rr->sshfp.algorithm, NULL); r = dns_packet_read_uint8(p, &rr->sshfp.algorithm, NULL);
@ -1526,6 +1533,14 @@ int dns_packet_read_rr(DnsPacket *p, DnsResourceRecord **ret, size_t *start) {
r = dns_packet_read_memdup(p, rdlength - 2, r = dns_packet_read_memdup(p, rdlength - 2,
&rr->sshfp.key, &rr->sshfp.key_size, &rr->sshfp.key, &rr->sshfp.key_size,
NULL); NULL);
if (rr->sshfp.key_size <= 0) {
/* the accepted size depends on the algorithm, but for now
just ensure that the value is greater than zero */
r = -EBADMSG;
goto fail;
}
break; break;
case DNS_TYPE_DNSKEY: { case DNS_TYPE_DNSKEY: {
@ -1557,6 +1572,14 @@ int dns_packet_read_rr(DnsPacket *p, DnsResourceRecord **ret, size_t *start) {
r = dns_packet_read_memdup(p, rdlength - 4, r = dns_packet_read_memdup(p, rdlength - 4,
&rr->dnskey.key, &rr->dnskey.key_size, &rr->dnskey.key, &rr->dnskey.key_size,
NULL); NULL);
if (rr->dnskey.key_size <= 0) {
/* the accepted size depends on the algorithm, but for now
just ensure that the value is greater than zero */
r = -EBADMSG;
goto fail;
}
break; break;
} }
@ -1596,6 +1619,14 @@ int dns_packet_read_rr(DnsPacket *p, DnsResourceRecord **ret, size_t *start) {
r = dns_packet_read_memdup(p, offset + rdlength - p->rindex, r = dns_packet_read_memdup(p, offset + rdlength - p->rindex,
&rr->rrsig.signature, &rr->rrsig.signature_size, &rr->rrsig.signature, &rr->rrsig.signature_size,
NULL); NULL);
if (rr->rrsig.signature_size <= 0) {
/* the accepted size depends on the algorithm, but for now
just ensure that the value is greater than zero */
r = -EBADMSG;
goto fail;
}
break; break;
case DNS_TYPE_NSEC: case DNS_TYPE_NSEC:
@ -1626,6 +1657,7 @@ int dns_packet_read_rr(DnsPacket *p, DnsResourceRecord **ret, size_t *start) {
if (r < 0) if (r < 0)
goto fail; goto fail;
/* this may be zero */
r = dns_packet_read_uint8(p, &size, NULL); r = dns_packet_read_uint8(p, &size, NULL);
if (r < 0) if (r < 0)
goto fail; goto fail;
@ -1638,6 +1670,11 @@ int dns_packet_read_rr(DnsPacket *p, DnsResourceRecord **ret, size_t *start) {
if (r < 0) if (r < 0)
goto fail; goto fail;
if (size <= 0) {
r = -EBADMSG;
goto fail;
}
r = dns_packet_read_memdup(p, size, &rr->nsec3.next_hashed_name, &rr->nsec3.next_hashed_name_size, NULL); r = dns_packet_read_memdup(p, size, &rr->nsec3.next_hashed_name, &rr->nsec3.next_hashed_name_size, NULL);
if (r < 0) if (r < 0)
goto fail; goto fail;
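Review bot: In the SSHFP, DNSKEY and RRSIG cases the new size check runs directly after dns_packet_read_memdup() with no test of r in between, so a failed read has its error code overwritten with -EBADMSG, and the size field being tested was presumably never written by the failed call. The DS case tests r before the size, and the NSEC3 case tests the length before reading, so neither has this problem. Adding `if (r < 0)` / `goto fail;` ahead of each of the three checks keeps the original error and makes all five cases follow the same order. As a point of style, the NSEC3 `size` is filled by dns_packet_read_uint8(), so `size <= 0` can only mean `size == 0`; the *_size fields are presumably unsigned as well, and `== 0` would state the intent directly. The body of dns_packet_read_rr starts and ends outside these hunks.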