moparisthebest
/
curl
mirror of https://github.com/moparisthebest/curl
1
0
Fork 0
Code Issues Releases Wiki Activity

doh: improced both encoding and decoding 

Improved estimation of expected_len and updated related comments;
increased strictness of QNAME-encoding, adding error detection for empty
labels and names longer than the overall limit; avoided treating DNAME
as unexpected;

updated unit test 1655 with more thorough set of proofs and tests

Closes #4598
This commit is contained in:
Niall 2019-11-14 19:21:09 +00:00 committed by Daniel Stenberg
parent 7627a2dd9d
commit b6a53fff6c
No known key found for this signature in database
GPG Key ID: 5CC908FDB71E12C2
3 changed files with 147 additions and 53 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

76
lib/doh.c
View File

@ -86,12 +86,36 @@ UNITTEST DOHcode doh_encode(const char *host,
unsigned char *orig = dnsp; unsigned char *orig = dnsp;
const char *hostp = host; const char *hostp = host;
/* The expected output length does not depend on the number of dots within /* The expected output length is 16 bytes more than the length of
* the host name. It will always be two more than the length of the host * the QNAME-encoding of the host name.
* name, one for the size and one trailing null. In case there are dots, *
* each dot adds one size but removes the need to store the dot, net zero. * A valid DNS name may not contain a zero-length label, except at
* the end. For this reason, a name beginning with a dot, or
* containing a sequence of two or more consecutive dots, is invalid
* and cannot be encoded as a QNAME.
*
* If the host name ends with a trailing dot, the corresponding
* QNAME-encoding is one byte longer than the host name. If (as is
* also valid) the hostname is shortened by the omission of the
* trailing dot, then its QNAME-encoding will be two bytes longer
* than the host name.
*
* Each [ label, dot ] pair is encoded as [ length, label ],
* preserving overall length. A final [ label ] without a dot is
* also encoded as [ length, label ], increasing overall length
* by one. The encoding is completed by appending a zero byte,
* representing the zero-length root label, again increasing
* the overall length by one.
*/ */
const size_t expected_len = 12 + ( 1 + hostlen + 1) + 4;
size_t expected_len;
DEBUGASSERT(hostlen);
expected_len = 12 + 1 + hostlen + 4;
if(host[hostlen-1]!='.')
expected_len++;
if(expected_len > (256 + 16)) /* RFCs 1034, 1035 */
return DOH_DNS_NAME_TOO_LONG;
if(len < expected_len) if(len < expected_len)
return DOH_TOO_SMALL_BUFFER; return DOH_TOO_SMALL_BUFFER;
@ -109,31 +133,30 @@ UNITTEST DOHcode doh_encode(const char *host,
*dnsp++ = '\0'; *dnsp++ = '\0';
*dnsp++ = '\0'; /* ARCOUNT */ *dnsp++ = '\0'; /* ARCOUNT */
/* store a QNAME */ /* encode each label and store it in the QNAME */
do { while(*hostp) {
char *dot = strchr(hostp, '.');
size_t labellen; size_t labellen;
bool found = false; char *dot = strchr(hostp, '.');
if(dot) { if(dot)
found = true;
labellen = dot - hostp; labellen = dot - hostp;
}
else else
labellen = strlen(hostp); labellen = strlen(hostp);
if(labellen > 63) { if((labellen > 63) || (!labellen)) {
/* too long label, error out */ /* label is too long or too short, error out */
*olen = 0; *olen = 0;
return DOH_DNS_BAD_LABEL; return DOH_DNS_BAD_LABEL;
} }
/* label is non-empty, process it */
*dnsp++ = (unsigned char)labellen; *dnsp++ = (unsigned char)labellen;
memcpy(dnsp, hostp, labellen); memcpy(dnsp, hostp, labellen);
dnsp += labellen; dnsp += labellen;
hostp += labellen + 1; hostp += labellen;
if(!found) { /* advance past dot, but only if there is one */
*dnsp++ = 0; /* terminating zero */ if(dot)
break; hostp++;
} } /* next label */
} while(1);
*dnsp++ = 0; /* append zero-length label for root */
/* There are assigned TYPE codes beyond 255: use range [1..65535] */ /* There are assigned TYPE codes beyond 255: use range [1..65535] */
*dnsp++ = (unsigned char)(255 & (dnstype>>8)); /* upper 8 bit TYPE */ *dnsp++ = (unsigned char)(255 & (dnstype>>8)); /* upper 8 bit TYPE */
@ -144,8 +167,8 @@ UNITTEST DOHcode doh_encode(const char *host,
*olen = dnsp - orig; *olen = dnsp - orig;
/* verify that our assumption of length is valid, since /* verify that our estimation of length is valid, since
* this has lead to buffer overflows in this function */ * this has led to buffer overflows in this function */
DEBUGASSERT(*olen == expected_len); DEBUGASSERT(*olen == expected_len);
return DOH_OK; return DOH_OK;
} }
@ -586,6 +609,9 @@ static DOHcode rdata(unsigned char *doh,
if(rc) if(rc)
return rc; return rc;
break; break;
case DNS_TYPE_DNAME:
/* explicit for clarity; just skip; rely on synthesized CNAME */
break;
default: default:
/* unsupported type, just skip it */ /* unsupported type, just skip it */
break; break;
@ -647,8 +673,10 @@ UNITTEST DOHcode doh_decode(unsigned char *doh,
return DOH_DNS_OUT_OF_RANGE; return DOH_DNS_OUT_OF_RANGE;
type = get16bit(doh, index); type = get16bit(doh, index);
if((type != DNS_TYPE_CNAME) && (type != dnstype)) if((type != DNS_TYPE_CNAME) /* may be synthesized from DNAME */
/* Not the same type as was asked for nor CNAME */ && (type != DNS_TYPE_DNAME) /* if present, accept and ignore */
&& (type != dnstype))
/* Not the same type as was asked for nor CNAME nor DNAME */
return DOH_DNS_UNEXPECTED_TYPE; return DOH_DNS_UNEXPECTED_TYPE;
index += 2; index += 2;

6
lib/doh.h
View File

@ -55,14 +55,16 @@ typedef enum {
DOH_DNS_UNEXPECTED_TYPE, /* 9 */ DOH_DNS_UNEXPECTED_TYPE, /* 9 */
DOH_DNS_UNEXPECTED_CLASS, /* 10 */ DOH_DNS_UNEXPECTED_CLASS, /* 10 */
DOH_NO_CONTENT, /* 11 */ DOH_NO_CONTENT, /* 11 */
DOH_DNS_BAD_ID /* 12 */ DOH_DNS_BAD_ID, /* 12 */
DOH_DNS_NAME_TOO_LONG /* 13 */
} DOHcode; } DOHcode;
typedef enum { typedef enum {
DNS_TYPE_A = 1, DNS_TYPE_A = 1,
DNS_TYPE_NS = 2, DNS_TYPE_NS = 2,
DNS_TYPE_CNAME = 5, DNS_TYPE_CNAME = 5,
DNS_TYPE_AAAA = 28 DNS_TYPE_AAAA = 28,
DNS_TYPE_DNAME = 39 /* RFC6672 */
} DNStype; } DNStype;
#define DOH_MAX_ADDR 24 #define DOH_MAX_ADDR 24

118
tests/unit/unit1655.c
View File

@ -36,43 +36,99 @@ static void unit_stop(void)
UNITTEST_START UNITTEST_START
/* introduce a scope and prove the corner case with write overflow, /*
* so we can prove this test would detect it and that it is properly fixed * Prove detection of write overflow using a short buffer and a name
* of maximal valid length.
*
* Prove detection of other invalid input.
*/ */
do { do {
const char *bad = "this.is.a.hostname.where.each.individual.part.is.within." const char *max =
"the.sixtythree.character.limit.but.still.long.enough.to." /* ..|....1.........2.........3.........4.........5.........6... */
"trigger.the.the.buffer.overflow......it.is.chosen.to.be." /* 3456789012345678901234567890123456789012345678901234567890123 */
"of.a.length.such.that.it.causes.a.two.byte.buffer......." "this.is.a.maximum-length.hostname." /* 34: 34 */
"overwrite.....making.it.longer.causes.doh.encode.to....." "with-no-label-of-greater-length-than-the-sixty-three-characters."
".return.early.so.dont.change.its.length.xxxx.xxxxxxxxxxx" /* 64: 98 */
"..xxxxxx.....xx..........xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" "specified.in.the.RFCs." /* 22: 120 */
"xxxxxxxxxxxxxxxxxxxxxxxxxx.xxxxxxxxxxxxxxxx..x......xxxx" "and.with.a.QNAME.encoding.whose.length.is.exactly." /* 50: 170 */
"xxxx..xxxxxxxxxxxxxxxxxxx.x...xxxx.x.x.x...xxxxx"; "the.maximum.length.allowed." /* 27: 197 */
"that.is.two-hundred.and.fifty-six." /* 34: 231 */
"including.the.last.null." /* 24: 255 */
"";
const char *toolong =
/* ..|....1.........2.........3.........4.........5.........6... */
/* 3456789012345678901234567890123456789012345678901234567890123 */
"here.is.a.hostname.which.is.just.barely.too.long." /* 49: 49 */
"to.be.encoded.as.a.QNAME.of.the.maximum.allowed.length."
/* 55: 104 */
"which.is.256.including.a.final.zero-length.label." /* 49: 153 */
"representing.the.root.node.so.that.a.name.with." /* 47: 200 */
"a.trailing.dot.may.have.up.to." /* 30: 230 */
"255.characters.never.more." /* 26: 256 */
"";
const char *emptylabel =
"this.is.an.otherwise-valid.hostname."
".with.an.empty.label.";
const char *outsizelabel =
"this.is.an.otherwise-valid.hostname."
"with-a-label-of-greater-length-than-the-sixty-three-characters-"
"specified.in.the.RFCs.";
struct test {
const char *name;
const DOHcode expected_result;
};
/* plays the role of struct dnsprobe in urldata.h */ /* plays the role of struct dnsprobe in urldata.h */
struct demo { struct demo {
unsigned char dohbuffer[512]; unsigned char dohbuffer[255 + 16]; /* deliberately short buffer */
unsigned char canary1; unsigned char canary1;
unsigned char canary2; unsigned char canary2;
unsigned char canary3; unsigned char canary3;
}; };
size_t olen = 100000; const struct test playlist[4] = {
struct demo victim; { toolong, DOH_DNS_NAME_TOO_LONG }, /* expect early failure */
DOHcode d; { emptylabel, DOH_DNS_BAD_LABEL }, /* also */
victim.canary1 = 87; /* magic numbers, arbritrarily picked */ { outsizelabel, DOH_DNS_BAD_LABEL }, /* also */
victim.canary2 = 35; { max, DOH_OK } /* expect buffer overwrite */
victim.canary3 = 41; };
d = doh_encode(bad, DNS_TYPE_A, victim.dohbuffer,
sizeof(victim.dohbuffer), &olen); for(int i = 0; i < (int)(sizeof(playlist)/sizeof(*playlist)); i++) {
fail_unless(victim.canary1 == 87, "one byte buffer overwrite has happened"); const char *name = playlist[i].name;
fail_unless(victim.canary2 == 35, "two byte buffer overwrite has happened"); size_t olen = 100000;
fail_unless(victim.canary3 == 41, struct demo victim;
"three byte buffer overwrite has happened"); DOHcode d;
if(d == DOH_OK) {
fail_unless(olen <= sizeof(victim.dohbuffer), "wrote outside bounds"); victim.canary1 = 87; /* magic numbers, arbritrarily picked */
fail_unless(olen > strlen(bad), "unrealistic low size"); victim.canary2 = 35;
victim.canary3 = 41;
d = doh_encode(name, DNS_TYPE_A, victim.dohbuffer,
sizeof(struct demo), /* allow room for overflow */
&olen);
fail_unless(d == playlist[i].expected_result,
"result returned was not as expected");
if(d == playlist[i].expected_result) {
if(name == max) {
fail_if(victim.canary1 == 87,
"demo one-byte buffer overwrite did not happen");
}
else {
fail_unless(victim.canary1 == 87,
"one-byte buffer overwrite has happened");
}
fail_unless(victim.canary2 == 35,
"two-byte buffer overwrite has happened");
fail_unless(victim.canary3 == 41,
"three-byte buffer overwrite has happened");
}
else {
if(d == DOH_OK) {
fail_unless(olen <= sizeof(victim.dohbuffer), "wrote outside bounds");
fail_unless(olen > strlen(name), "unrealistic low size");
}
}
} }
} while(0); } while(0);
@ -84,6 +140,7 @@ do {
const size_t magic1 = 9765; const size_t magic1 = 9765;
size_t olen1 = magic1; size_t olen1 = magic1;
const char *sunshine1 = "a.com"; const char *sunshine1 = "a.com";
const char *dotshine1 = "a.com.";
const char *sunshine2 = "aa.com"; const char *sunshine2 = "aa.com";
size_t olen2; size_t olen2;
DOHcode ret2; DOHcode ret2;
@ -94,6 +151,13 @@ do {
fail_if(olen1 == magic1, "olen has not been assigned properly"); fail_if(olen1 == magic1, "olen has not been assigned properly");
fail_unless(olen1 > strlen(sunshine1), "bad out length"); fail_unless(olen1 > strlen(sunshine1), "bad out length");
/* with a trailing dot, the response should have the same length */
olen2 = magic1;
ret2 = doh_encode(dotshine1, dnstype, buffer, buflen, &olen2);
fail_unless(ret2 == DOH_OK, "dotshine case should pass fine");
fail_if(olen2 == magic1, "olen has not been assigned properly");
fail_unless(olen1 == olen2, "olen should not grow for a trailing dot");
/* add one letter, the response should be one longer */ /* add one letter, the response should be one longer */
olen2 = magic1; olen2 = magic1;
ret2 = doh_encode(sunshine2, dnstype, buffer, buflen, &olen2); ret2 = doh_encode(sunshine2, dnstype, buffer, buflen, &olen2);