mirrors/haproxy
1
0
Fork 0
mirror of https://git.haproxy.org/git/haproxy.git/ synced 2025-09-23 06:41:32 +02:00
Code Issues Projects Releases Wiki Activity

BUG/MEDIUM: dns: fix accepted_payload_size parser to avoid integer overflow

Browse Source 
Since commit 9d8dbbc ("MINOR: dns: Maximum DNS udp payload set to 8192") it's
possible to specify a packet size, but passing too large a size or a negative
size is not detected and results in memset() being performed over a 2GB+ area
upon receipt of the first DNS response, causing runtime crashes.

We now check that the size is not smaller than the smallest packet which is
the DNS header size (12 bytes).

No backport is needed.
This commit is contained in:
Willy Tarreau 2017-08-22 12:01:26 +02:00
parent f5f71304b0
commit 0c219be3df
2 changed files with 4 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
include/types/dns.h
View File

@ -82,7 +82,7 @@
#define SRV_MAX_PREF_NET 5 #define SRV_MAX_PREF_NET 5
/* DNS header size */ /* DNS header size */
#define DNS_HEADER_SIZE sizeof(struct dns_header) #define DNS_HEADER_SIZE ((int)sizeof(struct dns_header))
/* DNS resolution pool size, per resolvers section */ /* DNS resolution pool size, per resolvers section */
#define DNS_DEFAULT_RESOLUTION_POOL_SIZE 64 #define DNS_DEFAULT_RESOLUTION_POOL_SIZE 64

6
src/cfgparse.c
View File

@ -2304,9 +2304,9 @@ int cfg_parse_resolvers(const char *file, int linenum, char **args, int kwm)
} }
i = atoi(args[1]); i = atoi(args[1]);
if (i > DNS_MAX_UDP_MESSAGE) { if (i < DNS_HEADER_SIZE || i > DNS_MAX_UDP_MESSAGE) {
Alert("parsing [%s:%d] : '%s' size %d exceeds maximum allowed size %d.\n", Alert("parsing [%s:%d] : '%s' must be between %d and %d inclusive (was %s).\n",
file, linenum, args[0], i, DNS_MAX_UDP_MESSAGE); file, linenum, args[0], DNS_HEADER_SIZE, DNS_MAX_UDP_MESSAGE, args[1]);
err_code |= ERR_ALERT | ERR_FATAL; err_code |= ERR_ALERT | ERR_FATAL;
goto out; goto out;
} }