Issue 57700 in oss-fuzz: bind9:dns_master_load_fuzzer: Abrt in dns_name_countlabels
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=57700
DNS_NAME_MAXLABELS is too short. It should be 128 (127 length-1 labels + root label == 255). This was defined and used in c6bf5149 (2023-02-24) and not backported, so only BIND 9.19.11 is affected.
While I haven't found a path from wire yet that can trigger this, I'm sure there must be one based on the nature of the bug.
(lldb)
warning: libdns-9.19.12-dev.dylib was compiled with optimization - stepping may behave oddly; variables may not be available.
frame #4: 0x00000001002f8d20 libdns-9.19.12-dev.dylib`dns_name_countlabels(name=0x0000000101dd0c30) at name.c:664:2 [opt]
661
662 REQUIRE(VALID_NAME(name));
663
-> 664 ENSURE(name->labels <= DNS_NAME_MAXLABELS);
665
666 return (name->labels);
667 }
(lldb) print *name
(const dns_name_t) $0 = {
magic = 1145983854
ndata = 0x0000000101dd0d40 "\U00000001m\U000000010\U000000011\U000000010\U000000011\U000000011\U000000010\U000000011\U000000011\U000000010\U000000010\U000000011\U000000010\U000000011\U000000010\U000000011\U000000010\U000000010\U000000011\U000000010\U000000010\U000000011\U000000010\U000000010\U000000011\U000000010\U000000011\U000000011\U000000010\U000000011\U000000010\U000000011\U000000010\U000000010\U000000011\U000000010\U000000010\U000000011\U000000010\U000000010\U000000011\U000000010\U000000011\U000000010\U000000010\U000000011\U000000010\U000000011\U000000010\U000000011\U000000010\U000000011\U000000010\U000000010\U000000011\U000000010\U000000011\U000000010\U000000010\U000000011\U000000010\U000000010\U000000011\U000000010\U000000011\U000000010\U000000011\U000000011\U000000010\U000000011\U000000011\U000000010\U000000010\U000000011\U000000010\U000000011\U000000010\U000000011\U000000010\U000000010\U000000011\U000000010\U000000010\U000000011\U000000010\U000000010\U000000011\U000000010\U000000011\U000000011\U000000010\U000000011\U000000010\U000000011\U000000010\U000000010\U000000011\U000000010\U000000010\U000000011\U000000010\U000000010\U000000011\U000000010\U000000011\U000000010\U000000010\U000000011\U000000010\U000000011\U000000010\U000000011\U000000010\U000000011\U000000010\U000000010\U000000010\U000000011\U000000010\U000000011\U000000010\U000000011\U000000010\U000000010\U000000011\U000000010\U000000010"
length = 255
labels = 128
attributes = {
absolute = true
readonly = false
dynamic = false
dynoffsets = false
nocompress = false
cache = false
answer = false
ncache = false
chaining = false
chase = false
wildcard = false
prerequisite = false
update = false
hasupdaterec = false
}
offsets = 0x0000000101dd0c80 ""
buffer = 0x0000000101dd0d00
link = {
prev = 0xffffffffffffffff
next = 0xffffffffffffffff
}
list = {
head = NULL
tail = NULL
}
}
(lldb)
Edited by Mark Andrews
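As an added illustration of the bound the report derives (example code written here, not BIND's own): a minimal counter for labels in an uncompressed wire-format name, plus a builder for the 255-octet name with the most labels possible, assuming the RFC 1035 limits of 255 octets per name and 63 per label. The maximal name counts to 128 labels, root included, so a bound of 127 rejects a name that is valid on the wire.

```c
#include <stddef.h>
#include <stdint.h>

/* RFC 1035 wire-format limits: a name is at most 255 octets, a label at
 * most 63 octets; the root label is a single zero octet. */
#define WIRE_NAME_MAXLEN 255
#define WIRE_LABEL_MAXLEN 63
/* Corrected bound from the report: 127 one-octet labels plus the root. */
#define DNS_NAME_MAXLABELS 128

/* Count the labels, root included, in an uncompressed wire-format name.
 * Returns -1 for malformed input (oversized label, no terminating root,
 * compression pointer, or trailing bytes after the root). */
int count_wire_labels(const uint8_t *wire, size_t wirelen) {
	size_t pos = 0;
	int labels = 0;

	if (wirelen > WIRE_NAME_MAXLEN) return -1;
	while (pos < wirelen) {
		uint8_t len = wire[pos];
		if (len > WIRE_LABEL_MAXLEN) return -1; /* 0xC0 pointers land here too */
		labels++;
		if (len == 0) return (pos + 1 == wirelen) ? labels : -1;
		pos += 1 + len;
	}
	return -1; /* ran off the end before the root label */
}

/* Write the name with the most labels that still fits in 255 octets:
 * 127 labels of one octet ("0") followed by the root. Returns the wire
 * length written, or 0 if the buffer is too small. */
size_t build_max_label_name(uint8_t *out, size_t outlen) {
	size_t pos = 0;
	for (int i = 0; i < 127; i++) {
		if (pos + 2 > outlen) return 0;
		out[pos++] = 1;
		out[pos++] = '0';
	}
	if (pos + 1 > outlen) return 0;
	out[pos++] = 0;
	return pos;
}

/* Label count of that maximal name: 128, which a bound of 127 rejects. */
int max_label_name_labels(void) {
	uint8_t buf[WIRE_NAME_MAXLEN];
	size_t len = build_max_label_name(buf, sizeof(buf));
	return count_wire_labels(buf, len);
}
```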