[tor-bugs] #1181 [Tor Relay]: evdns_server_request_format_response() sets TC flag wrong
Tor Bug Tracker & Wiki
torproject-admin at torproject.org
Fri Nov 12 00:32:55 UTC 2010
#1181: evdns_server_request_format_response() sets TC flag wrong
------------------------------+---------------------------------------------
Reporter: arma | Type: defect
Status: new | Priority: minor
Milestone: Tor: unspecified | Component: Tor Relay
Version: 0.2.1.20 | Resolution: None
Keywords: dns | Parent:
------------------------------+---------------------------------------------
Changes (by nickm):
* keywords: => dns
* milestone: => Tor: unspecified
Old description:
> kenobi> evdns_server_request_format_response() with dnsname_to_labels()
> wrongly implements part of rfc1035 about logic for sets of TC bit.
> kenobi> "Messages carried by UDP are restricted to 512 bytes (not
> counting the IP or UDP headers). Longer messages are truncated and the
> TC bit is set in the header"
> kenobi> TC bit should be set only if length of all message via UDP was
> more than 512 bytes. Not alone labels or names.
> kenobi> for now TC bit sets for wrongly lengthed labels, which strictly
> limits for 63, but those means transmitted error not signaling truncate
> bit.
>
> > do you have a patch? :)
> kenobi> I do not have patch, because it should be designed for future
> tcp transport too, so it's slightly hard for patch by one line.
>
> > (does this affect anything in practice, or is it just a theoretical
> > correctness issue?)
> kenobi> It can be exploited via exotic attack, if reverse lookup was
> controlled by attacker and exit relay was too. And resolv.conf contained
> ISP's DNS.
> > what would the attack achieve, in that case?
> kenobi> ip address of ISP's DNS
>
> [Automatically added by flyspray2trac: Operating System: All]
New description:
kenobi> evdns_server_request_format_response() with dnsname_to_labels()
wrongly implements part of rfc1035 about logic for sets of TC bit.
kenobi> "Messages carried by UDP are restricted to 512 bytes (not
counting the IP or UDP headers). Longer messages are truncated and the
TC bit is set in the header"
kenobi> TC bit should be set only if length of all message via UDP was
more than 512 bytes. Not alone labels or names.
kenobi> for now TC bit sets for wrongly lengthed labels, which strictly
limits for 63, but those means transmitted error not signaling truncate
bit.
> do you have a patch? :)
kenobi> I do not have patch, because it should be designed for future
tcp transport too, so it's slightly hard for patch by one line.
> (does this affect anything in practice, or is it just a theoretical
> correctness issue?)
kenobi> It can be exploited via exotic attack, if reverse lookup was
controlled by attacker and exit relay was too. And resolv.conf contained
ISP's DNS.
> what would the attack achieve, in that case?
kenobi> ip address of ISP's DNS
[Automatically added by flyspray2trac: Operating System: All]
--
Comment:
DNS bug. This should get done as part of any future dns revamp.
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/1181#comment:2>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
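
The distinction the ticket draws, as an added example that is not part of the original ticket and is not Tor or libevent code: a label longer than 63 bytes is reported as an error, while the TC bit is set only when the whole UDP message would pass 512 bytes. The names encode_name, format_response, build and tc_set are hypothetical, and the response is simplified to a header followed by encoded names.

```c
#include <stdint.h>
#include <string.h>

#define DNS_UDP_MAX   512     /* RFC 1035: largest DNS message carried by UDP */
#define DNS_LABEL_MAX 63      /* RFC 1035: longest single label */
#define DNS_FLAG_TC   0x0200  /* TC bit in the 16-bit header flags word */
enum { ENC_OK = 0, ENC_BAD_NAME = -1, ENC_NO_SPACE = -2 };

/* Append name as length-prefixed labels at buf[*off]; *off moves only on success. */
static int encode_name(uint8_t *buf, size_t cap, size_t *off, const char *name) {
    size_t j = *off;
    while (*name) {
        const char *dot = strchr(name, '.');
        size_t len = dot ? (size_t)(dot - name) : strlen(name);
        if (len == 0 || len > DNS_LABEL_MAX) return ENC_BAD_NAME; /* malformed name */
        if (j + 1 + len > cap) return ENC_NO_SPACE;               /* over the limit */
        buf[j++] = (uint8_t)len;
        memcpy(buf + j, name, len);
        j += len; name += len;
        if (*name == '.') name++;
    }
    if (j + 1 > cap) return ENC_NO_SPACE;
    buf[j++] = 0;                          /* root label ends the name */
    *off = j;
    return ENC_OK;
}

/* 12-byte header plus one name per entry (stand-in for full records).
 * Returns the message length, or -1 on a malformed name without setting TC. */
static int format_response(uint8_t *buf, const char **names, size_t n) {
    size_t off = 12;
    uint16_t flags = 0x8000;               /* QR: this is a response */
    memset(buf, 0, 12);
    for (size_t i = 0; i < n; i++) {
        int r = encode_name(buf, DNS_UDP_MAX, &off, names[i]);
        if (r == ENC_BAD_NAME) return -1;  /* an error, not truncation */
        if (r == ENC_NO_SPACE) { flags |= DNS_FLAG_TC; break; }
    }
    buf[2] = (uint8_t)(flags >> 8); buf[3] = (uint8_t)(flags & 0xff);
    return (int)off;
}

static uint8_t g_buf[DNS_UDP_MAX];         /* last response built by build() */
static int build(const char *name, size_t count) {  /* constructed input */
    const char *names[64];
    for (size_t i = 0; i < count && i < 64; i++) names[i] = name;
    return format_response(g_buf, names, count < 64 ? count : 64);
}
static int tc_set(void) { return (g_buf[2] & 0x02) != 0; }

/* Exits 0 when 28 copies of an 18-byte name stop at 498 bytes with TC set. */
int main(void) { return !(build("host.example.com", 28) == 498 && tc_set()); }
```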