ISC Open Source Projects / BIND / Issues / #2762 (Closed)
Issue created Jun 09, 2021 by Evan Hunt@eachDeveloper

possible crash in dns_rdata_tostruct()

In dns_message_parse(), there are a number of exceptions to the usual rules if the message has opcode UPDATE; things that would ordinarily be rejected with FORMERR are passed through. In particular, it's legal for records in the PREREQUISITE or UPDATE sections to have an rdata length of zero.

As a result, it's possible to parse a message off the wire, then call dns_rdata_tostruct() on it, and hit an assertion failure, because several of the tostruct implementations REQUIRE a minimum length.

I encountered this when I ran nsupdate using the server from digdelv/ans7, which returns spurious UPDATE responses.

> update add x.example.com 300 in a 1.2.3.4
do_next_command()
evaluate_update()
update_addordelete()
> send
do_next_command()
start_update()
recvsoa()
About to create rcvmsg
show_message()
Reply from SOA query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:  49326
;; flags: qr rd; ZONE: 1, PREREQ: 0, UPDATE: 1, ADDITIONAL: 0
;; ZONE SECTION:
;x.example.com.	IN	SOA

;; UPDATE SECTION:
x.example.com. 0	ANY	SOA	

Found zone name: x.example.com
rdata/generic/soa_6.c:309: REQUIRE(rdata->length != 0) failed, back trace
/home/each/isc/bind9/lib/isc/.libs/libisc-9.17.13.so(+0x5721c)[0x7ffff7f4921c]
/home/each/isc/bind9/lib/isc/.libs/libisc-9.17.13.so(isc_assertion_failed+0x35)[0x7ffff7f49123]
/home/each/isc/bind9/lib/dns/.libs/libdns-9.17.13.so(+0x120b7a)[0x7ffff7d23b7a]
/home/each/isc/bind9/lib/dns/.libs/libdns-9.17.13.so(dns_rdata_tostruct+0x222)[0x7ffff7d87812]
/home/each/isc/bind9/bin/nsupdate/.libs/nsupdate(+0xd22c)[0x55555556122c]
/home/each/isc/bind9/lib/isc/.libs/libisc-9.17.13.so(+0x9bc73)[0x7ffff7f8dc73]
/home/each/isc/bind9/lib/isc/.libs/libisc-9.17.13.so(isc_task_run+0x1c)[0x7ffff7f8dea7]
/home/each/isc/bind9/lib/isc/.libs/libisc-9.17.13.so(+0x2f234)[0x7ffff7f21234]
/home/each/isc/bind9/lib/isc/.libs/libisc-9.17.13.so(+0x2f4dc)[0x7ffff7f214dc]
/home/each/isc/bind9/lib/isc/.libs/libisc-9.17.13.so(+0x2ffe2)[0x7ffff7f21fe2]
/home/each/isc/bind9/lib/isc/.libs/libisc-9.17.13.so(+0x2f075)[0x7ffff7f21075]
/home/each/isc/bind9/lib/isc/.libs/libisc-9.17.13.so(+0x2f0f8)[0x7ffff7f210f8]
/lib/x86_64-linux-gnu/libuv.so.1(+0xfe08)[0x7ffff7837e08]
/lib/x86_64-linux-gnu/libuv.so.1(uv__io_poll+0x360)[0x7ffff7848ae0]
/lib/x86_64-linux-gnu/libuv.so.1(uv_run+0x11c)[0x7ffff78387ac]
/home/each/isc/bind9/lib/isc/.libs/libisc-9.17.13.so(+0x2ec7c)[0x7ffff7f20c7c]
/home/each/isc/bind9/lib/isc/.libs/libisc-9.17.13.so(isc__trampoline_run+0xd8)[0x7ffff7f9696a]
/lib/x86_64-linux-gnu/libpthread.so.0(+0x9609)[0x7ffff7a54609]
/lib/x86_64-linux-gnu/libc.so.6(clone+0x43)[0x7ffff797b293]

I don't know whether this error is exposed in named, but we need to make sure.

I suspect the right thing to do is go through the tostruct implementations and if there's a REQUIRE about the rdata length, we should change it to return ISC_R_UNEXPECTEDEND instead.

Edited Jun 09, 2021 by Evan Hunt
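The defensive pattern the issue proposes, as an added example that is not BIND's own code: a tostruct-style SOA decoder in which a zero-length or truncated rdata is reported to the caller as an error (here R_UNEXPECTEDEND, standing in for ISC_R_UNEXPECTEDEND) instead of tripping a REQUIRE() that aborts the process. The type and function names are hypothetical, the SOA wire bytes are constructed for the demonstration, and the unfixed variant is included only to show the contrasting behaviour.

```c
/*
 * Added example (not BIND source): models the change proposed in the issue.
 * A tostruct-style SOA decoder returns an error on a zero-length or truncated
 * rdata rather than asserting. All names are hypothetical.
 */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>

typedef enum { R_SUCCESS = 0, R_UNEXPECTEDEND = 1 } result_t;

typedef struct {
	const uint8_t *data;
	size_t length;
} rdata_t;

/* Only the five 32-bit SOA fields are kept; MNAME/RNAME are validated and skipped. */
typedef struct {
	uint32_t serial, refresh, retry, expire, minimum;
} soa_t;

/* The original pattern: a precondition that aborts the process when violated. */
#define REQUIRE(cond) \
	do { if (!(cond)) { fprintf(stderr, "REQUIRE(%s) failed\n", #cond); abort(); } } while (0)

/* Skip one uncompressed wire-format name. Returns bytes consumed, or 0 on truncation. */
static size_t skip_name(const uint8_t *p, size_t len) {
	size_t i = 0;
	while (i < len) {
		uint8_t l = p[i++];
		if (l == 0) return i;                 /* root label terminates the name */
		if (l > 63 || i + l > len) return 0;  /* compression pointer or truncated label */
		i += l;
	}
	return 0;                                 /* ran out of bytes before the root label */
}

static uint32_t get32(const uint8_t *p) {
	return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}

/* Hardened decoder: every length problem becomes a returned error. */
result_t soa_tostruct(const rdata_t *rdata, soa_t *soa) {
	const uint8_t *p = rdata->data;
	size_t len = rdata->length, n;

	if (len == 0) return R_UNEXPECTEDEND;     /* the case the issue hits (was a REQUIRE) */
	if ((n = skip_name(p, len)) == 0) return R_UNEXPECTEDEND;  /* MNAME */
	p += n; len -= n;
	if ((n = skip_name(p, len)) == 0) return R_UNEXPECTEDEND;  /* RNAME */
	p += n; len -= n;
	if (len < 20) return R_UNEXPECTEDEND;     /* all five 32-bit fields must be present */
	soa->serial  = get32(p);
	soa->refresh = get32(p + 4);
	soa->retry   = get32(p + 8);
	soa->expire  = get32(p + 12);
	soa->minimum = get32(p + 16);
	return R_SUCCESS;
}

/* Unfixed variant, for contrast only: a zero-length rdata aborts instead of returning. */
result_t soa_tostruct_unfixed(const rdata_t *rdata, soa_t *soa) {
	REQUIRE(rdata->length != 0);
	return soa_tostruct(rdata, soa);
}

/* Constructed SOA rdata: ns.example. hostmaster.example. followed by the five counters. */
static const uint8_t SOA_WIRE[] = {
	2, 'n', 's', 7, 'e', 'x', 'a', 'm', 'p', 'l', 'e', 0,
	10, 'h', 'o', 's', 't', 'm', 'a', 's', 't', 'e', 'r', 7, 'e', 'x', 'a', 'm', 'p', 'l', 'e', 0,
	0x78, 0x76, 0xF1, 0x25,  /* serial  2021060901 */
	0x00, 0x00, 0x1C, 0x20,  /* refresh 7200 */
	0x00, 0x00, 0x0E, 0x10,  /* retry   3600 */
	0x00, 0x12, 0x75, 0x00,  /* expire  1209600 */
	0x00, 0x00, 0x01, 0x2C,  /* minimum 300 */
};

/* Decode the first `length` bytes of SOA_WIRE; length 0 models the UPDATE-section record above. */
result_t decode_prefix(size_t length, soa_t *soa) {
	rdata_t rdata = { SOA_WIRE, length };
	return soa_tostruct(&rdata, soa);
}

/* Serial on success, 0 on any error; convenient for checks. */
uint32_t decode_prefix_serial(size_t length) {
	soa_t soa;
	return decode_prefix(length, &soa) == R_SUCCESS ? soa.serial : 0;
}

int main(void) {
	size_t lengths[] = { 0, 40, sizeof(SOA_WIRE) };  /* empty, truncated, complete */
	for (size_t i = 0; i < 3; i++) {
		soa_t soa;
		result_t r = decode_prefix(lengths[i], &soa);
		printf("length %zu -> %s", lengths[i], r == R_SUCCESS ? "success" : "unexpected end");
		if (r == R_SUCCESS) printf(" (serial %u)", (unsigned)soa.serial);
		printf("\n");
	}
	return 0;
}
```

Every length check sits in the decoder itself rather than in a precondition, so a caller such as nsupdate that hands a parsed-but-empty record to the decoder receives an error it can log or ignore, and the process stays up.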