commit c288e032ae107c48679ef3c46fb84af6de0a6baf
Author: Florian Weimer <fweimer@redhat.com>
Date:   Tue Aug 30 10:02:49 2022 +0200
    resolv: Add internal __ns_name_length_uncompressed function
    
    This function is useful for checking that the question name is
    uncompressed (as it should be).
    
    Reviewed-by: Siddhesh Poyarekar <siddhesh@sourceware.org>
    (cherry picked from commit 78b1a4f0e49064e5dfb686c7cd87bd4df2640b29)
diff --git a/include/arpa/nameser.h b/include/arpa/nameser.h
6ca6e8
index bb1dede187cf1500..6e4808f00d60caf9 100644
6ca6e8
--- a/include/arpa/nameser.h
6ca6e8
+++ b/include/arpa/nameser.h
6ca6e8
@@ -95,5 +95,13 @@ libc_hidden_proto (__ns_name_unpack)
6ca6e8
 extern __typeof (ns_samename) __libc_ns_samename;
6ca6e8
 libc_hidden_proto (__libc_ns_samename)
6ca6e8
 
6ca6e8
+/* Packet parser helper functions.  */
6ca6e8
+
6ca6e8
+/* Verify that P points to an uncompressed domain name in wire format.
6ca6e8
+   On success, return the length of the encoded name, including the
6ca6e8
+   terminating null byte.  On failure, return -1 and set errno.  EOM
6ca6e8
+   must point one past the last byte in the packet.  */
6ca6e8
+int __ns_name_length_uncompressed (const unsigned char *p,
6ca6e8
+				   const unsigned char *eom) attribute_hidden;
6ca6e8
 # endif /* !_ISOMAC */
6ca6e8
 #endif
6ca6e8
diff --git a/resolv/Makefile b/resolv/Makefile
6ca6e8
index 0b4fa30716af3b8a..308f18622a04965a 100644
6ca6e8
--- a/resolv/Makefile
6ca6e8
+++ b/resolv/Makefile
6ca6e8
@@ -40,6 +40,7 @@ routines := \
6ca6e8
   inet_pton \
6ca6e8
   ns_makecanon \
6ca6e8
   ns_name_compress \
6ca6e8
+  ns_name_length_uncompressed \
6ca6e8
   ns_name_ntop \
6ca6e8
   ns_name_pack \
6ca6e8
   ns_name_pton \
6ca6e8
@@ -112,6 +113,10 @@ tests-static += tst-resolv-txnid-collision
6ca6e8
 tests-internal += tst-ns_samebinaryname
6ca6e8
 tests-static += tst-ns_samebinaryname
6ca6e8
 
6ca6e8
+# Likewise for __ns_name_length_uncompressed.
6ca6e8
+tests-internal += tst-ns_name_length_uncompressed
6ca6e8
+tests-static += tst-ns_name_length_uncompressed
6ca6e8
+
6ca6e8
 # These tests need libdl.
6ca6e8
 ifeq (yes,$(build-shared))
6ca6e8
 tests += \
6ca6e8
diff --git a/resolv/ns_name_length_uncompressed.c b/resolv/ns_name_length_uncompressed.c
6ca6e8
new file mode 100644
6ca6e8
index 0000000000000000..51296b47efbf1849
6ca6e8
--- /dev/null
6ca6e8
+++ b/resolv/ns_name_length_uncompressed.c
6ca6e8
@@ -0,0 +1,72 @@
6ca6e8
+/* Skip over an uncompressed name in wire format.
6ca6e8
+   Copyright (C) 2022 Free Software Foundation, Inc.
6ca6e8
+   This file is part of the GNU C Library.
6ca6e8
+
6ca6e8
+   The GNU C Library is free software; you can redistribute it and/or
6ca6e8
+   modify it under the terms of the GNU Lesser General Public
6ca6e8
+   License as published by the Free Software Foundation; either
6ca6e8
+   version 2.1 of the License, or (at your option) any later version.
6ca6e8
+
6ca6e8
+   The GNU C Library is distributed in the hope that it will be useful,
6ca6e8
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
6ca6e8
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
6ca6e8
+   Lesser General Public License for more details.
6ca6e8
+
6ca6e8
+   You should have received a copy of the GNU Lesser General Public
6ca6e8
+   License along with the GNU C Library; if not, see
6ca6e8
+   <https://www.gnu.org/licenses/>.  */
6ca6e8
+
6ca6e8
+#include <arpa/nameser.h>
6ca6e8
+#include <errno.h>
6ca6e8
+#include <stdbool.h>
6ca6e8
+
6ca6e8
+int
6ca6e8
+__ns_name_length_uncompressed (const unsigned char *p,
6ca6e8
+                                const unsigned char *eom)
6ca6e8
+{
6ca6e8
+  const unsigned char *start = p;
6ca6e8
+
6ca6e8
+  while (true)
6ca6e8
+    {
6ca6e8
+      if (p == eom)
6ca6e8
+        {
6ca6e8
+          /* Truncated packet: no room for label length.  */
6ca6e8
+          __set_errno (EMSGSIZE);
6ca6e8
+          return -1;
6ca6e8
+        }
6ca6e8
+
6ca6e8
+      unsigned char b = *p;
6ca6e8
+      ++p;
6ca6e8
+      if (b == 0)
6ca6e8
+        {
6ca6e8
+          /* Root label.  */
6ca6e8
+          size_t length = p - start;
6ca6e8
+          if (length > NS_MAXCDNAME)
6ca6e8
+            {
6ca6e8
+              /* Domain name too long.  */
6ca6e8
+              __set_errno (EMSGSIZE);
6ca6e8
+              return -1;
6ca6e8
+            }
6ca6e8
+          return length;
6ca6e8
+        }
6ca6e8
+
6ca6e8
+      if (b <= 63)
6ca6e8
+        {
6ca6e8
+          /* Regular label.  */
6ca6e8
+          if (b <= eom - p)
6ca6e8
+            p += b;
6ca6e8
+          else
6ca6e8
+            {
6ca6e8
+              /* Truncated packet: label incomplete.  */
6ca6e8
+              __set_errno (EMSGSIZE);
6ca6e8
+              return -1;
6ca6e8
+            }
6ca6e8
+        }
6ca6e8
+      else
6ca6e8
+        {
6ca6e8
+          /* Compression reference or corrupted label length.  */
6ca6e8
+          __set_errno (EMSGSIZE);
6ca6e8
+          return -1;
6ca6e8
+        }
6ca6e8
+    }
6ca6e8
+}
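Review bot: The end-of-packet guard at the top of the loop is `if (p == eom)`, so the function is only safe when the caller already guarantees that P does not lie past EOM; with P beyond EOM the equality never holds and `*p` reads outside the packet. Inside the loop the `b <= eom - p` check preserves that invariant, so only the initial pointer is unchecked, and no caller is visible in this commit to confirm it. I would write the guard as `if (p >= eom)`, or at least state the precondition in the comment in include/arpa/nameser.h. That comment also says "set errno" without naming `EMSGSIZE`, which is the single value used here for truncated, overlong and compressed names alike, so callers cannot tell those cases apart.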
6ca6e8
diff --git a/resolv/tst-ns_name_length_uncompressed.c b/resolv/tst-ns_name_length_uncompressed.c
6ca6e8
new file mode 100644
6ca6e8
index 0000000000000000..c4a2904db75d1221
6ca6e8
--- /dev/null
6ca6e8
+++ b/resolv/tst-ns_name_length_uncompressed.c
6ca6e8
@@ -0,0 +1,135 @@
6ca6e8
+/* Test __ns_name_length_uncompressed.
6ca6e8
+   Copyright (C) 2022 Free Software Foundation, Inc.
6ca6e8
+   This file is part of the GNU C Library.
6ca6e8
+
6ca6e8
+   The GNU C Library is free software; you can redistribute it and/or
6ca6e8
+   modify it under the terms of the GNU Lesser General Public
6ca6e8
+   License as published by the Free Software Foundation; either
6ca6e8
+   version 2.1 of the License, or (at your option) any later version.
6ca6e8
+
6ca6e8
+   The GNU C Library is distributed in the hope that it will be useful,
6ca6e8
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
6ca6e8
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
6ca6e8
+   Lesser General Public License for more details.
6ca6e8
+
6ca6e8
+   You should have received a copy of the GNU Lesser General Public
6ca6e8
+   License along with the GNU C Library; if not, see
6ca6e8
+   <https://www.gnu.org/licenses/>.  */
6ca6e8
+
6ca6e8
+#include <arpa/nameser.h>
6ca6e8
+#include <array_length.h>
6ca6e8
+#include <errno.h>
6ca6e8
+#include <stdio.h>
6ca6e8
+#include <support/check.h>
6ca6e8
+#include <support/next_to_fault.h>
6ca6e8
+
6ca6e8
+/* Reference implementation based on other building blocks.  */
6ca6e8
+static int
6ca6e8
+reference_length (const unsigned char *p, const unsigned char *eom)
6ca6e8
+{
6ca6e8
+  unsigned char buf[NS_MAXCDNAME];
6ca6e8
+  int n = __ns_name_unpack (p, eom, p, buf, sizeof (buf));
6ca6e8
+  if (n < 0)
6ca6e8
+    return n;
6ca6e8
+  const unsigned char *q = buf;
6ca6e8
+  if (__ns_name_skip (&q, array_end (buf)) < 0)
6ca6e8
+    return -1;
6ca6e8
+  if (q - buf != n)
6ca6e8
+    /* Compressed name.  */
6ca6e8
+    return -1;
6ca6e8
+  return n;
6ca6e8
+}
6ca6e8
+
6ca6e8
+static int
6ca6e8
+do_test (void)
6ca6e8
+{
6ca6e8
+  {
6ca6e8
+    unsigned char buf[] = { 3, 'w', 'w', 'w', 0, 0, 0 };
6ca6e8
+    TEST_COMPARE (reference_length (buf, array_end (buf)), sizeof (buf) - 2);
6ca6e8
+    TEST_COMPARE (__ns_name_length_uncompressed (buf, array_end (buf)),
6ca6e8
+                  sizeof (buf) - 2);
6ca6e8
+    TEST_COMPARE (reference_length (array_end (buf) - 1, array_end (buf)), 1);
6ca6e8
+    TEST_COMPARE (__ns_name_length_uncompressed (array_end (buf) - 1,
6ca6e8
+                                                 array_end (buf)), 1);
6ca6e8
+    buf[4]  = 0xc0;             /* Forward compression reference.  */
6ca6e8
+    buf[5]  = 0x06;
6ca6e8
+    TEST_COMPARE (reference_length (buf, array_end (buf)), -1);
6ca6e8
+    TEST_COMPARE (__ns_name_length_uncompressed (buf, array_end (buf)), -1);
6ca6e8
+  }
6ca6e8
+
6ca6e8
+  struct support_next_to_fault ntf = support_next_to_fault_allocate (300);
6ca6e8
+
6ca6e8
+  /* Buffer region with all possible bytes at start and end.  */
6ca6e8
+  for (int length = 1; length <= 300; ++length)
6ca6e8
+    {
6ca6e8
+      unsigned char *end = (unsigned char *) ntf.buffer + ntf.length;
6ca6e8
+      unsigned char *start = end - length;
6ca6e8
+      memset (start, 'X', length);
6ca6e8
+      for (int first = 0; first <= 255; ++first)
6ca6e8
+        {
6ca6e8
+          *start = first;
6ca6e8
+          for (int last = 0; last <= 255; ++last)
6ca6e8
+            {
6ca6e8
+              start[length - 1] = last;
6ca6e8
+              TEST_COMPARE (reference_length (start, end),
6ca6e8
+                            __ns_name_length_uncompressed (start, end));
6ca6e8
+            }
6ca6e8
+        }
6ca6e8
+    }
6ca6e8
+
6ca6e8
+  /* Poor man's fuzz testing: patch two bytes.   */
6ca6e8
+  {
6ca6e8
+    unsigned char ref[] =
6ca6e8
+      {
6ca6e8
+        7, 'e', 'x', 'a', 'm', 'p', 'l', 'e', 3, 'n', 'e', 't', 0, 0, 0
6ca6e8
+      };
6ca6e8
+    TEST_COMPARE (reference_length (ref, array_end (ref)), 13);
6ca6e8
+    TEST_COMPARE (__ns_name_length_uncompressed (ref, array_end (ref)), 13);
6ca6e8
+
6ca6e8
+    int good = 0;
6ca6e8
+    int bad = 0;
6ca6e8
+    for (int length = 1; length <= sizeof (ref); ++length)
6ca6e8
+      {
6ca6e8
+        unsigned char *end = (unsigned char *) ntf.buffer + ntf.length;
6ca6e8
+        unsigned char *start = end - length;
6ca6e8
+        memcpy (start, ref, length);
6ca6e8
+
6ca6e8
+        for (int patch1_pos = 0; patch1_pos < length; ++patch1_pos)
6ca6e8
+          {
6ca6e8
+            for (int patch1_value = 0; patch1_value <= 255; ++patch1_value)
6ca6e8
+              {
6ca6e8
+                start[patch1_pos] = patch1_value;
6ca6e8
+                for (int patch2_pos = 0; patch2_pos < length; ++patch2_pos)
6ca6e8
+                  {
6ca6e8
+                    for (int patch2_value = 0; patch2_value <= 255;
6ca6e8
+                         ++patch2_value)
6ca6e8
+                      {
6ca6e8
+                        start[patch2_pos] = patch2_value;
6ca6e8
+                        int expected = reference_length (start, end);
6ca6e8
+                        errno = EINVAL;
6ca6e8
+                        int actual
6ca6e8
+                          =  __ns_name_length_uncompressed (start, end);
6ca6e8
+                        if (actual > 0)
6ca6e8
+                          ++good;
6ca6e8
+                        else
6ca6e8
+                          {
6ca6e8
+                            TEST_COMPARE (errno, EMSGSIZE);
6ca6e8
+                            ++bad;
6ca6e8
+                          }
6ca6e8
+                        TEST_COMPARE (expected, actual);
6ca6e8
+                      }
6ca6e8
+                    start[patch2_pos] = ref[patch2_pos];
6ca6e8
+                  }
6ca6e8
+              }
6ca6e8
+            start[patch1_pos] = ref[patch1_pos];
6ca6e8
+          }
6ca6e8
+      }
6ca6e8
+    printf ("info: patched inputs with success: %d\n", good);
6ca6e8
+    printf ("info: patched inputs with failure: %d\n", bad);
6ca6e8
+  }
6ca6e8
+
6ca6e8
+  support_next_to_fault_free (&ntf;;
6ca6e8
+  return 0;
6ca6e8
+}
6ca6e8
+
6ca6e8
+#include <support/test-driver.c>
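Review bot: The `length > NS_MAXCDNAME` branch of `__ns_name_length_uncompressed` does not appear to be reached by any case in `do_test`. The 300-byte sweep fills the buffer with 'X' (0x58, above the 63-byte label limit), so a name only validates when the first label runs straight to the final byte, and the patched reference name is 15 bytes long. That leaves the accept/reject boundary of the name-length limit, where an off-by-one would hide in a packet parser, without coverage. I would add a block that builds names from 63-byte labels on either side of the limit; the constructed sketch below assumes NS_MAXCDNAME is 255, as in the public header. Separately, `memset` and `memcpy` are used without a visible `#include <string.h>`.

```c
  /* … unchanged: fixed cases, boundary sweep and two-byte patch loop … */

  /* Name length boundary: NS_MAXCDNAME bytes are accepted, one more
     byte is rejected.  Assumes NS_MAXCDNAME == 255.  */
  {
    unsigned char name[NS_MAXCDNAME + 1];
    for (int last_label = 61; last_label <= 62; ++last_label)
      {
        unsigned char *q = name;
        for (int i = 0; i < 3; ++i)
          {
            *q++ = 63;
            memset (q, 'x', 63);
            q += 63;
          }
        *q++ = last_label;
        memset (q, 'x', last_label);
        q += last_label;
        *q++ = 0;
        int expected = last_label == 61 ? NS_MAXCDNAME : -1;
        TEST_COMPARE (__ns_name_length_uncompressed (name, q), expected);
      }
  }

  /* … unchanged: release of ntf and return … */
```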