[Unbound-users] [hannah at schlund.de: Bug#567976: libunbound-dev: libunbound crashes when trying to resolve syntactically invalid domain names]
Jaap Akkerhuis
jaap at NLnetLabs.nl
Tue Feb 2 09:25:09 UTC 2010
FYI: a bug report from a user. I have not been able to reproduce the
issues.
Typical case of Garbage in Garbage out. Labels have a max of 63
bytes. The application should check that before further
processing. Examples:
bartok.nlnetlabs.nl:~ > unbound-host aa.aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
[1265101891] libunbound[91074:0] fatal error: util/data/dname.c:267: dname_query_hash: assertion lablen <= LDNS_MAX_LABELLEN failed
bartok.nlnetlabs.nl:~ > drill !$
drill aa.aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
error: Label length overflow
;; No packet received
bartok.nlnetlabs.nl:~ > dig !$
dig aa.aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
dig: convert UTF-8 textname to IDN encoding: label length reduced to 0 or exceeded 63 bytes
Apparently libunbound does catch this on some occasions but raising
an assertion smells like an overkill. That opens the door for DOS
attacks when the application doesn't check on LDNS_MAX_LABELLEN.
Raising and returning an error (EGREG) and silently truncating on
LDNS_MAX_LABELLEN for those applications which don't bother to check
return values might be a better option.
jaap
----- Forwarded message from Hannah Schroeter <hannah at schlund.de> -----
Date: Mon, 01 Feb 2010 16:44:13 +0100
From: Hannah Schroeter <hannah at schlund.de>
To: Debian Bug Tracking System <submit at bugs.debian.org>
Subject: Bug#567976: libunbound-dev: libunbound crashes when trying to resolve syntactically invalid domain names
X-Mailer: reportbug 4.10.2
Message-ID: <20100201154413.7394.40602.reportbug at c3po.ue.schlund.de>
Package: libunbound-dev
Version: 1.0.2-1+lenny1
Severity: important
This is in fact a bug with two facets:
1. If I try to resolve a domain such as
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.com
(That's *64* times the letter a)
using ub_resolve_async, libunbound crashes (Segmentation fault in the
asynchronous resolver thread). This does *not* occur with the
synchronous API ub_resolve.
This particular issue seems to be fixed in the more current
version of libunbound such as that shipped with Debian unstable.
Maybe it might be warranted to backport a bugfix.
2. If I try to resolve a domain such as
aa.aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
(That's 64 times the letter a in the *last* label of the domain name!),
libunbound crashes with *both* the asynchronous API ub_resolve_async,
*and* the synchronous API ub_resolve. So one can reproduce *this*
problem with unbound-host, too! This issue probably stems from a different
source than issue 1, namely a missing validation in the underlying
ldns code. I believe this issue is *not* fixed even in the current
ldns subversion trunk, as checked now (2010-02-01 16:17 +0100).
3. Another issue that's in upstream code is: *If* the upstream library
checks for syntax correctly (or rather semi-correctly, that is in
unbound 1.4.1, as included in Debian unstable, which fixed issue 1),
the caller can't distinguish that error from other errors because
the error codes aren't exposed in the unbound library interface.
So the caller can't decide whether the issue was a temporary problem,
like for example being short of memory, or a permanent problem like
wrong domain syntax.
-- System Information:
Debian Release: squeeze/sid
APT prefers unstable
APT policy: (500, 'unstable'), (500, 'testing'), (500, 'stable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Kernel: Linux 2.6.32-trunk-amd64 (SMP w/2 CPU cores)
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)
Shell: /bin/sh linked to /bin/bash
Versions of packages libunbound-dev depends on:
ii libunbound0 1.0.2-1+lenny1 library implementing DNS resolutio
libunbound-dev recommends no packages.
libunbound-dev suggests no packages.
-- no debconf information
----- End forwarded message -----
--
Robert Edmonds
edmonds at debian.org
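
An added example, not part of the thread and not code from libunbound or ldns: a caller-side check that rejects over-long labels before a name reaches the resolver, and reports the failure with its own codes so a permanent syntax error can be told apart from a transient one. The function name check_name and the enum values are hypothetical; 63 is the label limit quoted in the thread and 255 is the RFC 1035 limit on the whole encoded name.

```c
#include <stddef.h>
#include <ctype.h>

#define MAX_LABEL_LEN 63   /* per-label limit (LDNS_MAX_LABELLEN in the thread) */
#define MAX_WIRE_LEN  255  /* RFC 1035 limit on the whole encoded name */

/* Hypothetical result codes: every non-zero value is a permanent
 * syntax error, distinct from any transient resolver failure. */
enum name_check { NAME_OK = 0, NAME_EMPTY_LABEL, NAME_LABEL_TOO_LONG,
                  NAME_TOO_LONG, NAME_BAD_ESCAPE };

/* Validate a presentation-format name before handing it to a resolver. */
enum name_check check_name(const char *s)
{
    size_t lablen = 0, wire = 1;            /* 1 = terminating root label */

    if (s[0] == '\0') return NAME_EMPTY_LABEL;
    if (s[0] == '.' && s[1] == '\0') return NAME_OK;     /* the root name */
    for (; *s; s++) {
        if (*s == '.') {                    /* label separator */
            if (lablen == 0) return NAME_EMPTY_LABEL;    /* "a..b", ".a" */
            wire += 1 + lablen;             /* length byte + label bytes */
            lablen = 0;
            continue;
        }
        if (*s == '\\') {                   /* "\DDD" or "\c" is one byte */
            if (isdigit((unsigned char)s[1])) {
                if (!isdigit((unsigned char)s[2]) ||
                    !isdigit((unsigned char)s[3]))
                    return NAME_BAD_ESCAPE;
                if ((s[1]-'0')*100 + (s[2]-'0')*10 + (s[3]-'0') > 255)
                    return NAME_BAD_ESCAPE;
                s += 3;                     /* now at the last digit */
            } else if (s[1] != '\0') {
                s += 1;                     /* now at the escaped char */
            } else {
                return NAME_BAD_ESCAPE;     /* trailing backslash */
            }
        }
        if (++lablen > MAX_LABEL_LEN) return NAME_LABEL_TOO_LONG;
    }
    if (lablen) wire += 1 + lablen;         /* last label, no trailing dot */
    return wire > MAX_WIRE_LEN ? NAME_TOO_LONG : NAME_OK;
}
```

Both names from the bug report (64 bytes in the first label, 64 bytes in the last label) come back as NAME_LABEL_TOO_LONG, so the application can refuse them without calling the resolver at all.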