[ldns-users] qualifying a dns packet before processing

Edward Fjellskål edwardfjellskaal at gmail.com
Sun Mar 18 12:33:43 UTC 2012


On 03/18/2012 12:27 PM, Willem Toorop wrote:
> Hi Edward,
> 
> I agree ldns_wire2pkt shouldn't be able to crash like this. Even when
> the input data would be garbage (provided payload_length doesn't exceed
> the memory for the data of course). Can you reproduce the error? Could
> you file a bug report here:
> 
> 	https://www.nlnetlabs.nl/bugs-script/enter_bug.cgi?product=ldns
> 
> Thanks!
> 
> -- Willem

Hi Willem,

I have located the session (and packet) I have in my test pcap
that crashes ldns_wire2pkt. It is actually POP3 (port 110) traffic.

I noticed this as I forgot to put a proper BPF on my libpcap,
but I would not want anyone to craft such a package :)

It's also TCP over IPv4.

Do I need to add a Bugzilla account to report a bug?
And will the bug be public? Regarding reproducing and
stacksmashing other libldns apps :)

I tested with printing out the calculated length of the payload
vs the payload length that tcpdump reports, both are 1308.

For processing DNS over TCP, I do it like this:

status = ldns_wire2pkt(&decoded_dns,payload + 2, payloadlength - 2);

(Correct me if that's way off :)

As from what I can read, the first two bytes tell us something
about how much data to expect, and are not in the normal DNS header.

I can probably send the one packet that causes this off list (pcap).

E


> 
> On 18-03-12 10:07, Edward Fjellskål wrote:
>> Hi again list :)
>>
>> So, I parse dns packets, and today I use ldns_wire2pkt to determine
>> if I should go on or not, like:
>>
>> -----8<-----
>> status = ldns_wire2pkt(&decoded_dns,payload, payload_length);
>>
>> if (status != LDNS_STATUS_OK) {
>>     debug_log("[D] ldns_wire2pkt status = %d\n", status);
>>     return;
>> }
>> -----8<-----
>>
>> But some packets processed give me:
>>
>> *** stack smashing detected ***
>> ======= Backtrace: =========
>> /lib/tls/i686/cmov/libc.so.6(__fortify_fail+0x50)[0x2622d0]
>> /lib/tls/i686/cmov/libc.so.6(+0xe227a)[0x26227a]
>> /usr/lib/libldns.so.1(+0x37204)[0xf16204]
>> /usr/lib/libldns.so.1(ldns_wire2dname+0x253)[0xef5b23]
>> /usr/lib/libldns.so.1(ldns_wire2rr+0x49)[0xef5db9]
>> /usr/lib/libldns.so.1(ldns_wire2pkt+0x239)[0xef6119]
>>
>>
>> Is there any other good way to do pre-qualifying of incoming data,
>> so it might make popping my stack a bit harder with lib ldns?
>>
>> great lib btw :)
>>
>> E
>> _______________________________________________
>> ldns-users mailing list
>> ldns-users at open.nlnetlabs.nl
>> http://open.nlnetlabs.nl/mailman/listinfo/ldns-users
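A pre-qualification check of the kind asked about in this thread, as an added example that is not part of the original messages or of ldns: it validates the two-byte DNS-over-TCP length prefix and walks the question-section names with strict bounds before anything is handed to a full parser. The names dns_tcp_prequalify and skip_name are hypothetical, the sample bytes are constructed, and the code assumes each TCP payload carries one complete message (no stream reassembly). It only filters obviously non-DNS payloads and does not replace a fix in the parser itself.

```c
#include <stddef.h>
#include <stdint.h>

#define DNS_HDR_LEN  12   /* fixed DNS header size */
#define DNS_NAME_MAX 255  /* longest encoded name, root label included */

/* Skip one wire-format name at off; return the offset after it, or 0 if malformed. */
static size_t skip_name(const uint8_t *m, size_t len, size_t off)
{
    size_t start = off, used = 1;                /* used includes the root label */
    while (off < len && m[off] != 0) {
        uint8_t c = m[off];
        if ((c & 0xC0) == 0xC0) {                /* compression pointer ends the name */
            size_t target = (off + 1 < len) ? (((size_t)(c & 0x3F) << 8) | m[off + 1]) : 0;
            return (target >= DNS_HDR_LEN && target < start) ? off + 2 : 0;
        }
        used += (size_t)c + 1;
        if ((c & 0xC0) || used > DNS_NAME_MAX) return 0;  /* bad label type or name too long */
        off += (size_t)c + 1;
    }
    return off < len ? off + 1 : 0;              /* 0: name ran past the message end */
}

/* Return 1 and set *msg / *msg_len when one TCP payload frames a plausible DNS message. */
int dns_tcp_prequalify(const uint8_t *p, size_t len, const uint8_t **msg, size_t *msg_len)
{
    if (p == NULL || len < 2 + DNS_HDR_LEN) return 0;
    size_t framed = ((size_t)p[0] << 8) | p[1];          /* 2-byte length prefix */
    if (framed < DNS_HDR_LEN || framed > len - 2) return 0;
    const uint8_t *m = p + 2;
    unsigned qdcount = ((unsigned)m[4] << 8) | m[5];
    size_t off = DNS_HDR_LEN;
    for (unsigned i = 0; i < qdcount; i++) {             /* question: name, QTYPE, QCLASS */
        off = skip_name(m, framed, off);
        if (off == 0 || off + 4 > framed) return 0;
        off += 4;
    }
    *msg = m;
    *msg_len = framed;
    return 1;
}

/* Constructed samples: a framed query for example.com, and a POP3-style banner. */
const uint8_t SAMPLE_QUERY[] = { 0x00,0x1D, 0x12,0x34,0x01,0x00,0,1,0,0,0,0,0,0,
    7,'e','x','a','m','p','l','e',3,'c','o','m',0, 0,1,0,1 };
const uint8_t SAMPLE_POP3[] = "+OK POP3 server ready (constructed)\r\n";
```

On success, msg and msg_len (rather than payload + 2 and payloadlength - 2) are what would be passed on to the parser, so bytes beyond the framed length never reach it.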



