|
|
6ca6e8 |
commit c288e032ae107c48679ef3c46fb84af6de0a6baf
|
|
|
6ca6e8 |
Author: Florian Weimer <fweimer@redhat.com>
|
|
|
6ca6e8 |
Date: Tue Aug 30 10:02:49 2022 +0200
|
|
|
6ca6e8 |
|
|
|
6ca6e8 |
resolv: Add internal __ns_name_length_uncompressed function
|
|
|
6ca6e8 |
|
|
|
6ca6e8 |
This function is useful for checking that the question name is
|
|
|
6ca6e8 |
uncompressed (as it should be).
|
|
|
6ca6e8 |
|
|
|
6ca6e8 |
Reviewed-by: Siddhesh Poyarekar <siddhesh@sourceware.org>
|
|
|
6ca6e8 |
(cherry picked from commit 78b1a4f0e49064e5dfb686c7cd87bd4df2640b29)
|
|
|
6ca6e8 |
|
|
|
6ca6e8 |
diff --git a/include/arpa/nameser.h b/include/arpa/nameser.h
|
|
|
6ca6e8 |
index bb1dede187cf1500..6e4808f00d60caf9 100644
|
|
|
6ca6e8 |
--- a/include/arpa/nameser.h
|
|
|
6ca6e8 |
+++ b/include/arpa/nameser.h
|
|
|
6ca6e8 |
@@ -95,5 +95,13 @@ libc_hidden_proto (__ns_name_unpack)
|
|
|
6ca6e8 |
extern __typeof (ns_samename) __libc_ns_samename;
|
|
|
6ca6e8 |
libc_hidden_proto (__libc_ns_samename)
|
|
|
6ca6e8 |
|
|
|
6ca6e8 |
+/* Packet parser helper functions. */
|
|
|
6ca6e8 |
+
|
|
|
6ca6e8 |
+/* Verify that P points to an uncompressed domain name in wire format.
|
|
|
6ca6e8 |
+ On success, return the length of the encoded name, including the
|
|
|
6ca6e8 |
+ terminating null byte. On failure, return -1 and set errno. EOM
|
|
|
6ca6e8 |
+ must point one past the last byte in the packet. */
|
|
|
6ca6e8 |
+int __ns_name_length_uncompressed (const unsigned char *p,
|
|
|
6ca6e8 |
+ const unsigned char *eom) attribute_hidden;
|
|
|
6ca6e8 |
# endif /* !_ISOMAC */
|
|
|
6ca6e8 |
#endif
|
|
|
6ca6e8 |
diff --git a/resolv/Makefile b/resolv/Makefile
|
|
|
6ca6e8 |
index 0b4fa30716af3b8a..308f18622a04965a 100644
|
|
|
6ca6e8 |
--- a/resolv/Makefile
|
|
|
6ca6e8 |
+++ b/resolv/Makefile
|
|
|
6ca6e8 |
@@ -40,6 +40,7 @@ routines := \
|
|
|
6ca6e8 |
inet_pton \
|
|
|
6ca6e8 |
ns_makecanon \
|
|
|
6ca6e8 |
ns_name_compress \
|
|
|
6ca6e8 |
+ ns_name_length_uncompressed \
|
|
|
6ca6e8 |
ns_name_ntop \
|
|
|
6ca6e8 |
ns_name_pack \
|
|
|
6ca6e8 |
ns_name_pton \
|
|
|
6ca6e8 |
@@ -112,6 +113,10 @@ tests-static += tst-resolv-txnid-collision
|
|
|
6ca6e8 |
tests-internal += tst-ns_samebinaryname
|
|
|
6ca6e8 |
tests-static += tst-ns_samebinaryname
|
|
|
6ca6e8 |
|
|
|
6ca6e8 |
+# Likewise for __ns_name_length_uncompressed.
|
|
|
6ca6e8 |
+tests-internal += tst-ns_name_length_uncompressed
|
|
|
6ca6e8 |
+tests-static += tst-ns_name_length_uncompressed
|
|
|
6ca6e8 |
+
|
|
|
6ca6e8 |
# These tests need libdl.
|
|
|
6ca6e8 |
ifeq (yes,$(build-shared))
|
|
|
6ca6e8 |
tests += \
|
|
|
6ca6e8 |
diff --git a/resolv/ns_name_length_uncompressed.c b/resolv/ns_name_length_uncompressed.c
|
|
|
6ca6e8 |
new file mode 100644
|
|
|
6ca6e8 |
index 0000000000000000..51296b47efbf1849
|
|
|
6ca6e8 |
--- /dev/null
|
|
|
6ca6e8 |
+++ b/resolv/ns_name_length_uncompressed.c
|
|
|
6ca6e8 |
@@ -0,0 +1,72 @@
|
|
|
6ca6e8 |
+/* Skip over an uncompressed name in wire format.
|
|
|
6ca6e8 |
+ Copyright (C) 2022 Free Software Foundation, Inc.
|
|
|
6ca6e8 |
+ This file is part of the GNU C Library.
|
|
|
6ca6e8 |
+
|
|
|
6ca6e8 |
+ The GNU C Library is free software; you can redistribute it and/or
|
|
|
6ca6e8 |
+ modify it under the terms of the GNU Lesser General Public
|
|
|
6ca6e8 |
+ License as published by the Free Software Foundation; either
|
|
|
6ca6e8 |
+ version 2.1 of the License, or (at your option) any later version.
|
|
|
6ca6e8 |
+
|
|
|
6ca6e8 |
+ The GNU C Library is distributed in the hope that it will be useful,
|
|
|
6ca6e8 |
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
|
6ca6e8 |
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
|
|
|
6ca6e8 |
+ Lesser General Public License for more details.
|
|
|
6ca6e8 |
+
|
|
|
6ca6e8 |
+ You should have received a copy of the GNU Lesser General Public
|
|
|
6ca6e8 |
+ License along with the GNU C Library; if not, see
|
|
|
6ca6e8 |
+ <https://www.gnu.org/licenses/>. */
|
|
|
6ca6e8 |
+
|
|
|
6ca6e8 |
+#include <arpa/nameser.h>
|
|
|
6ca6e8 |
+#include <errno.h>
|
|
|
6ca6e8 |
+#include <stdbool.h>
|
|
|
6ca6e8 |
+
|
|
|
6ca6e8 |
+int
|
|
|
6ca6e8 |
+__ns_name_length_uncompressed (const unsigned char *p,
|
|
|
6ca6e8 |
+ const unsigned char *eom)
|
|
|
6ca6e8 |
+{
|
|
|
6ca6e8 |
+ const unsigned char *start = p;
|
|
|
6ca6e8 |
+
|
|
|
6ca6e8 |
+ while (true)
|
|
|
6ca6e8 |
+ {
|
|
|
6ca6e8 |
+ if (p == eom)
|
|
|
6ca6e8 |
+ {
|
|
|
6ca6e8 |
+ /* Truncated packet: no room for label length. */
|
|
|
6ca6e8 |
+ __set_errno (EMSGSIZE);
|
|
|
6ca6e8 |
+ return -1;
|
|
|
6ca6e8 |
+ }
|
|
|
6ca6e8 |
+
|
|
|
6ca6e8 |
+ unsigned char b = *p;
|
|
|
6ca6e8 |
+ ++p;
|
|
|
6ca6e8 |
+ if (b == 0)
|
|
|
6ca6e8 |
+ {
|
|
|
6ca6e8 |
+ /* Root label. */
|
|
|
6ca6e8 |
+ size_t length = p - start;
|
|
|
6ca6e8 |
+ if (length > NS_MAXCDNAME)
|
|
|
6ca6e8 |
+ {
|
|
|
6ca6e8 |
+ /* Domain name too long. */
|
|
|
6ca6e8 |
+ __set_errno (EMSGSIZE);
|
|
|
6ca6e8 |
+ return -1;
|
|
|
6ca6e8 |
+ }
|
|
|
6ca6e8 |
+ return length;
|
|
|
6ca6e8 |
+ }
|
|
|
6ca6e8 |
+
|
|
|
6ca6e8 |
+ if (b <= 63)
|
|
|
6ca6e8 |
+ {
|
|
|
6ca6e8 |
+ /* Regular label. */
|
|
|
6ca6e8 |
+ if (b <= eom - p)
|
|
|
6ca6e8 |
+ p += b;
|
|
|
6ca6e8 |
+ else
|
|
|
6ca6e8 |
+ {
|
|
|
6ca6e8 |
+ /* Truncated packet: label incomplete. */
|
|
|
6ca6e8 |
+ __set_errno (EMSGSIZE);
|
|
|
6ca6e8 |
+ return -1;
|
|
|
6ca6e8 |
+ }
|
|
|
6ca6e8 |
+ }
|
|
|
6ca6e8 |
+ else
|
|
|
6ca6e8 |
+ {
|
|
|
6ca6e8 |
+ /* Compression reference or corrupted label length. */
|
|
|
6ca6e8 |
+ __set_errno (EMSGSIZE);
|
|
|
6ca6e8 |
+ return -1;
|
|
|
6ca6e8 |
+ }
|
|
|
6ca6e8 |
+ }
|
|
|
6ca6e8 |
+}
|
|
|
6ca6e8 |
diff --git a/resolv/tst-ns_name_length_uncompressed.c b/resolv/tst-ns_name_length_uncompressed.c
|
|
|
6ca6e8 |
new file mode 100644
|
|
|
6ca6e8 |
index 0000000000000000..c4a2904db75d1221
|
|
|
6ca6e8 |
--- /dev/null
|
|
|
6ca6e8 |
+++ b/resolv/tst-ns_name_length_uncompressed.c
|
|
|
6ca6e8 |
@@ -0,0 +1,135 @@
|
|
|
6ca6e8 |
+/* Test __ns_name_length_uncompressed.
|
|
|
6ca6e8 |
+ Copyright (C) 2022 Free Software Foundation, Inc.
|
|
|
6ca6e8 |
+ This file is part of the GNU C Library.
|
|
|
6ca6e8 |
+
|
|
|
6ca6e8 |
+ The GNU C Library is free software; you can redistribute it and/or
|
|
|
6ca6e8 |
+ modify it under the terms of the GNU Lesser General Public
|
|
|
6ca6e8 |
+ License as published by the Free Software Foundation; either
|
|
|
6ca6e8 |
+ version 2.1 of the License, or (at your option) any later version.
|
|
|
6ca6e8 |
+
|
|
|
6ca6e8 |
+ The GNU C Library is distributed in the hope that it will be useful,
|
|
|
6ca6e8 |
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
|
6ca6e8 |
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
|
|
|
6ca6e8 |
+ Lesser General Public License for more details.
|
|
|
6ca6e8 |
+
|
|
|
6ca6e8 |
+ You should have received a copy of the GNU Lesser General Public
|
|
|
6ca6e8 |
+ License along with the GNU C Library; if not, see
|
|
|
6ca6e8 |
+ <https://www.gnu.org/licenses/>. */
|
|
|
6ca6e8 |
+
|
|
|
6ca6e8 |
+#include <arpa/nameser.h>
|
|
|
6ca6e8 |
+#include <array_length.h>
|
|
|
6ca6e8 |
+#include <errno.h>
|
|
|
6ca6e8 |
+#include <stdio.h>
|
|
|
6ca6e8 |
+#include <support/check.h>
|
|
|
6ca6e8 |
+#include <support/next_to_fault.h>
|
|
|
6ca6e8 |
+
|
|
|
6ca6e8 |
+/* Reference implementation based on other building blocks. */
|
|
|
6ca6e8 |
+static int
|
|
|
6ca6e8 |
+reference_length (const unsigned char *p, const unsigned char *eom)
|
|
|
6ca6e8 |
+{
|
|
|
6ca6e8 |
+ unsigned char buf[NS_MAXCDNAME];
|
|
|
6ca6e8 |
+ int n = __ns_name_unpack (p, eom, p, buf, sizeof (buf));
|
|
|
6ca6e8 |
+ if (n < 0)
|
|
|
6ca6e8 |
+ return n;
|
|
|
6ca6e8 |
+ const unsigned char *q = buf;
|
|
|
6ca6e8 |
+ if (__ns_name_skip (&q, array_end (buf)) < 0)
|
|
|
6ca6e8 |
+ return -1;
|
|
|
6ca6e8 |
+ if (q - buf != n)
|
|
|
6ca6e8 |
+ /* Compressed name. */
|
|
|
6ca6e8 |
+ return -1;
|
|
|
6ca6e8 |
+ return n;
|
|
|
6ca6e8 |
+}
|
|
|
6ca6e8 |
+
|
|
|
6ca6e8 |
+static int
|
|
|
6ca6e8 |
+do_test (void)
|
|
|
6ca6e8 |
+{
|
|
|
6ca6e8 |
+ {
|
|
|
6ca6e8 |
+ unsigned char buf[] = { 3, 'w', 'w', 'w', 0, 0, 0 };
|
|
|
6ca6e8 |
+ TEST_COMPARE (reference_length (buf, array_end (buf)), sizeof (buf) - 2);
|
|
|
6ca6e8 |
+ TEST_COMPARE (__ns_name_length_uncompressed (buf, array_end (buf)),
|
|
|
6ca6e8 |
+ sizeof (buf) - 2);
|
|
|
6ca6e8 |
+ TEST_COMPARE (reference_length (array_end (buf) - 1, array_end (buf)), 1);
|
|
|
6ca6e8 |
+ TEST_COMPARE (__ns_name_length_uncompressed (array_end (buf) - 1,
|
|
|
6ca6e8 |
+ array_end (buf)), 1);
|
|
|
6ca6e8 |
+ buf[4] = 0xc0; /* Forward compression reference. */
|
|
|
6ca6e8 |
+ buf[5] = 0x06;
|
|
|
6ca6e8 |
+ TEST_COMPARE (reference_length (buf, array_end (buf)), -1);
|
|
|
6ca6e8 |
+ TEST_COMPARE (__ns_name_length_uncompressed (buf, array_end (buf)), -1);
|
|
|
6ca6e8 |
+ }
|
|
|
6ca6e8 |
+
|
|
|
6ca6e8 |
+ struct support_next_to_fault ntf = support_next_to_fault_allocate (300);
|
|
|
6ca6e8 |
+
|
|
|
6ca6e8 |
+ /* Buffer region with all possible bytes at start and end. */
|
|
|
6ca6e8 |
+ for (int length = 1; length <= 300; ++length)
|
|
|
6ca6e8 |
+ {
|
|
|
6ca6e8 |
+ unsigned char *end = (unsigned char *) ntf.buffer + ntf.length;
|
|
|
6ca6e8 |
+ unsigned char *start = end - length;
|
|
|
6ca6e8 |
+ memset (start, 'X', length);
|
|
|
6ca6e8 |
+ for (int first = 0; first <= 255; ++first)
|
|
|
6ca6e8 |
+ {
|
|
|
6ca6e8 |
+ *start = first;
|
|
|
6ca6e8 |
+ for (int last = 0; last <= 255; ++last)
|
|
|
6ca6e8 |
+ {
|
|
|
6ca6e8 |
+ start[length - 1] = last;
|
|
|
6ca6e8 |
+ TEST_COMPARE (reference_length (start, end),
|
|
|
6ca6e8 |
+ __ns_name_length_uncompressed (start, end));
|
|
|
6ca6e8 |
+ }
|
|
|
6ca6e8 |
+ }
|
|
|
6ca6e8 |
+ }
|
|
|
6ca6e8 |
+
|
|
|
6ca6e8 |
+ /* Poor man's fuzz testing: patch two bytes. */
|
|
|
6ca6e8 |
+ {
|
|
|
6ca6e8 |
+ unsigned char ref[] =
|
|
|
6ca6e8 |
+ {
|
|
|
6ca6e8 |
+ 7, 'e', 'x', 'a', 'm', 'p', 'l', 'e', 3, 'n', 'e', 't', 0, 0, 0
|
|
|
6ca6e8 |
+ };
|
|
|
6ca6e8 |
+ TEST_COMPARE (reference_length (ref, array_end (ref)), 13);
|
|
|
6ca6e8 |
+ TEST_COMPARE (__ns_name_length_uncompressed (ref, array_end (ref)), 13);
|
|
|
6ca6e8 |
+
|
|
|
6ca6e8 |
+ int good = 0;
|
|
|
6ca6e8 |
+ int bad = 0;
|
|
|
6ca6e8 |
+ for (int length = 1; length <= sizeof (ref); ++length)
|
|
|
6ca6e8 |
+ {
|
|
|
6ca6e8 |
+ unsigned char *end = (unsigned char *) ntf.buffer + ntf.length;
|
|
|
6ca6e8 |
+ unsigned char *start = end - length;
|
|
|
6ca6e8 |
+ memcpy (start, ref, length);
|
|
|
6ca6e8 |
+
|
|
|
6ca6e8 |
+ for (int patch1_pos = 0; patch1_pos < length; ++patch1_pos)
|
|
|
6ca6e8 |
+ {
|
|
|
6ca6e8 |
+ for (int patch1_value = 0; patch1_value <= 255; ++patch1_value)
|
|
|
6ca6e8 |
+ {
|
|
|
6ca6e8 |
+ start[patch1_pos] = patch1_value;
|
|
|
6ca6e8 |
+ for (int patch2_pos = 0; patch2_pos < length; ++patch2_pos)
|
|
|
6ca6e8 |
+ {
|
|
|
6ca6e8 |
+ for (int patch2_value = 0; patch2_value <= 255;
|
|
|
6ca6e8 |
+ ++patch2_value)
|
|
|
6ca6e8 |
+ {
|
|
|
6ca6e8 |
+ start[patch2_pos] = patch2_value;
|
|
|
6ca6e8 |
+ int expected = reference_length (start, end);
|
|
|
6ca6e8 |
+ errno = EINVAL;
|
|
|
6ca6e8 |
+ int actual
|
|
|
6ca6e8 |
+ = __ns_name_length_uncompressed (start, end);
|
|
|
6ca6e8 |
+ if (actual > 0)
|
|
|
6ca6e8 |
+ ++good;
|
|
|
6ca6e8 |
+ else
|
|
|
6ca6e8 |
+ {
|
|
|
6ca6e8 |
+ TEST_COMPARE (errno, EMSGSIZE);
|
|
|
6ca6e8 |
+ ++bad;
|
|
|
6ca6e8 |
+ }
|
|
|
6ca6e8 |
+ TEST_COMPARE (expected, actual);
|
|
|
6ca6e8 |
+ }
|
|
|
6ca6e8 |
+ start[patch2_pos] = ref[patch2_pos];
|
|
|
6ca6e8 |
+ }
|
|
|
6ca6e8 |
+ }
|
|
|
6ca6e8 |
+ start[patch1_pos] = ref[patch1_pos];
|
|
|
6ca6e8 |
+ }
|
|
|
6ca6e8 |
+ }
|
|
|
6ca6e8 |
+ printf ("info: patched inputs with success: %d\n", good);
|
|
|
6ca6e8 |
+ printf ("info: patched inputs with failure: %d\n", bad);
|
|
|
6ca6e8 |
+ }
|
|
|
6ca6e8 |
+
|
|
|
6ca6e8 |
+ support_next_to_fault_free (&ntf;;
|
|
|
6ca6e8 |
+ return 0;
|
|
|
6ca6e8 |
+}
|
|
|
6ca6e8 |
+
|
|
|
6ca6e8 |
+#include <support/test-driver.c>
|