[tor-bugs] #1181 [Tor Relay]: evdns_server_request_format_response() sets TC flag wrong

Tor Bug Tracker & Wiki torproject-admin at torproject.org
Fri Nov 12 00:32:55 UTC 2010


#1181: evdns_server_request_format_response() sets TC flag wrong
------------------------------+---------------------------------------------
 Reporter:  arma              |         Type:  defect   
   Status:  new               |     Priority:  minor    
Milestone:  Tor: unspecified  |    Component:  Tor Relay
  Version:  0.2.1.20          |   Resolution:  None     
 Keywords:  dns               |       Parent:           
------------------------------+---------------------------------------------
Changes (by nickm):

  * keywords:  => dns
  * milestone:  => Tor: unspecified


Old description:

> kenobi> evdns_server_request_format_response() with dnsname_to_labels()
> wrongly implements the part of rfc1035 about the logic for setting the TC bit.
> kenobi> " Messages carried by UDP are restricted to 512 bytes (not counting
> the IP or UDP headers).  Longer messages are truncated and the TC bit is set
> in the header"
> kenobi> The TC bit should be set only if the length of the whole message via
> UDP was more than 512 bytes. Not labels or names alone.
> kenobi> for now the TC bit is set for wrongly lengthed labels, which are
> strictly limited to 63, but that means a transmitted error, not signaling the
> truncate bit.
>
> > do you have a patch? :)
> kenobi> I do not have a patch, because it should be designed for the future
> tcp transport too, so it's slightly hard to patch with one line.
>
> > (does this affect anything in practice, or is it just a theoretical
> > correctness issue?)
> kenobi> It can be exploited via an exotic attack, if the reverse lookup was
> controlled by the attacker and the exit relay was too. And resolv.conf
> contained the ISP's DNS.
> > what would the attack achieve, in that case?
> kenobi> ip address of ISP's DNS
>

> [Automatically added by flyspray2trac: Operating System: All]

New description:

 kenobi> evdns_server_request_format_response() with dnsname_to_labels()
 wrongly implements the part of rfc1035 about the logic for setting the TC bit.
 kenobi> " Messages carried by UDP are restricted to 512 bytes (not counting
 the IP or UDP headers).  Longer messages are truncated and the TC bit is set
 in the header"
 kenobi> The TC bit should be set only if the length of the whole message via
 UDP was more than 512 bytes. Not labels or names alone.
 kenobi> for now the TC bit is set for wrongly lengthed labels, which are
 strictly limited to 63, but that means a transmitted error, not signaling the
 truncate bit.

 > do you have a patch? :)
 kenobi> I do not have a patch, because it should be designed for the future
 tcp transport too, so it's slightly hard to patch with one line.

 > (does this affect anything in practice, or is it just a theoretical
 > correctness issue?)
 kenobi> It can be exploited via an exotic attack, if the reverse lookup was
 controlled by the attacker and the exit relay was too. And resolv.conf
 contained the ISP's DNS.
 > what would the attack achieve, in that case?
 kenobi> ip address of ISP's DNS


 [Automatically added by flyspray2trac: Operating System: All]

--

Comment:

 DNS bug.  This should get done as part of any future dns revamp.

-- 
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/1181#comment:2>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
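
The distinction the report draws, as an added C example (not Tor's or libevent's code): a label longer than 63 bytes is reported as an error, and the TC bit is set only when the whole message would exceed 512 bytes. The names `encode_name` and `build_udp_message` are hypothetical, the message is simplified to a header followed by a sequence of names, and the sample name in `main` is constructed.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define DNS_UDP_MAX   512     /* RFC 1035 limit for a message carried by UDP */
#define DNS_LABEL_MAX 63      /* RFC 1035 limit for a single label */
#define DNS_FLAG_TC   0x0200  /* truncation bit in the header flags word */
enum { ENC_OK = 0, ENC_BAD_NAME = -1, ENC_NO_SPACE = -2 };

/* Hypothetical helper: append `name` as length-prefixed labels at buf[*pos]. */
static int encode_name(uint8_t *buf, size_t cap, size_t *pos, const char *name)
{
    size_t p = *pos;
    while (*name) {
        const char *dot = strchr(name, '.');
        size_t len = dot ? (size_t)(dot - name) : strlen(name);
        if (len == 0 || len > DNS_LABEL_MAX) return ENC_BAD_NAME; /* error, never TC */
        if (p + 1 + len > cap) return ENC_NO_SPACE; /* *pos untouched: no partial name */
        buf[p++] = (uint8_t)len;
        memcpy(buf + p, name, len);
        p += len; name += len;
        if (*name == '.') name++;
    }
    if (p + 1 > cap) return ENC_NO_SPACE;
    buf[p++] = 0;                  /* root label terminates the name */
    *pos = p;
    return ENC_OK;
}

/* Returns the message length, or ENC_BAD_NAME; TC is set only on overflow. */
int build_udp_message(uint8_t out[DNS_UDP_MAX], const char **names, int n)
{
    size_t pos = 12;               /* fixed-size DNS header */
    uint16_t flags = 0x8000;       /* QR=1: this is a response */
    memset(out, 0, 12);
    for (int i = 0; i < n; i++) {
        int r = encode_name(out, DNS_UDP_MAX, &pos, names[i]);
        if (r == ENC_BAD_NAME) return ENC_BAD_NAME;  /* caller reports a failure */
        if (r == ENC_NO_SPACE) { flags |= DNS_FLAG_TC; break; }
    }
    out[2] = (uint8_t)(flags >> 8); out[3] = (uint8_t)(flags & 0xff);
    return (int)pos;
}

int main(void) {
    uint8_t out[DNS_UDP_MAX];
    const char *names[] = { "example.com" };   /* constructed sample input */
    int len = build_udp_message(out, names, 1);
    printf("len=%d tc=%d\n", len, (out[2] >> 1) & 1);
}
```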

