[or-cvs] r9379: Detect and reject another (harmless) class of DNS replies. A (in tor/trunk: . src/or)

nickm at seul.org nickm at seul.org
Sun Jan 21 18:22:06 UTC 2007


Author: nickm
Date: 2007-01-21 13:21:39 -0500 (Sun, 21 Jan 2007)
New Revision: 9379

Modified:
   tor/trunk/
   tor/trunk/ChangeLog
   tor/trunk/src/or/eventdns.c
Log:
 r9701 at catbus:  nickm | 2007-01-21 13:21:25 -0500
 Detect and reject another (harmless) class of DNS replies.  Also, fix a couple of IPv6 bugs in eventdns.c



Property changes on: tor/trunk
___________________________________________________________________
 svk:merge ticket from /tor/trunk [r9701] on 8246c3cf-6607-4228-993b-4d95d33730f1

Modified: tor/trunk/ChangeLog
===================================================================
--- tor/trunk/ChangeLog	2007-01-21 17:05:10 UTC (rev 9378)
+++ tor/trunk/ChangeLog	2007-01-21 18:21:39 UTC (rev 9379)
@@ -41,6 +41,11 @@
       handshake to finish. Previously we would let them sit around for
       days, if the connecting application didn't close them either.
     - Stop using C functions that OpenBSD's linker doesn't like.
+    - Detect and reject DNS replies containing IPv4 or IPv6 records with
+      an incorrect number of bytes. (Previously, we would ignore the extra
+      bytes.)
+    - Fix as-yet-unused reverse IPv6 lookup code so it sends nybbles in the
+      correct order.
 
 
 Changes in version 0.1.2.6-alpha - 2007-01-09
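Review bot: the new ChangeLog entries cover the record-length check and the reverse IPv6 nybble order, but not the third fix in this revision, the AAAA branch in eventdns.c that tested reply.data.a.addrcount instead of reply.data.aaaa.addrcount against MAX_ADDRS. The log message says "a couple of IPv6 bugs", so a one-line entry for that one would keep the ChangeLog in step with the code.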

Modified: tor/trunk/src/or/eventdns.c
===================================================================
--- tor/trunk/src/or/eventdns.c	2007-01-21 17:05:10 UTC (rev 9378)
+++ tor/trunk/src/or/eventdns.c	2007-01-21 18:21:39 UTC (rev 9379)
@@ -862,7 +862,8 @@
 			if (req->request_type != TYPE_A) {
 				j += datalength; continue;
 			}
-			// XXXX do something sane with malformed A answers.
+			if ((datalength & 3) != 0) /* not an even number of As. */
+				return -1;
 			addrcount = datalength >> 2;
 			addrtocopy = MIN(MAX_ADDRS - reply.data.a.addrcount, (unsigned)addrcount);
 
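Review bot: the added check in the TYPE_A branch lets datalength == 0 through, since (0 & 3) == 0, so a zero-length A record is accepted with addrcount 0 rather than rejected. If the intent is to reject every A answer with the wrong number of bytes, test for the empty case as well, e.g. `if (datalength == 0 || (datalength & 3) != 0)`. The comment "not an even number of As" would also be clearer as "not a whole number of 4-byte addresses", since the test is for a multiple of four bytes, not parity.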
@@ -889,7 +890,8 @@
 			if (req->request_type != TYPE_AAAA) {
 				j += datalength; continue;
 			}
-			// XXXX do something sane with malformed AAAA answers.
+			if ((datalength & 15) != 0) /* not an even number of AAAAs. */
+				return -1;
 			addrcount = datalength >> 4;  // each address is 16 bytes long
 			addrtocopy = MIN(MAX_ADDRS - reply.data.aaaa.addrcount, (unsigned)addrcount);
 			ttl_r = MIN(ttl_r, ttl);
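Review bot: the AAAA check hard-codes the mask 15 beside `datalength >> 4` and, a few lines further down, `16*addrtocopy`, so the address size is spelled three different ways in one branch. A single named constant for the 16-byte address length, used with `%` and `/`, would keep the mask, shift and stride from drifting apart. The comment style also differs from the `//` comment on the next line.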
@@ -901,7 +903,7 @@
 			reply.data.aaaa.addrcount += addrtocopy;
 			j += 16*addrtocopy;
 			reply.have_answer = 1;
-			if (reply.data.a.addrcount == MAX_ADDRS) break;
+			if (reply.data.aaaa.addrcount == MAX_ADDRS) break;
 		} else {
 			// skip over any other type of resource
 			j += datalength;
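Review bot: the corrected break on reply.data.aaaa.addrcount matters more than it looks, because this branch advances j by 16*addrtocopy rather than by datalength. Whenever addrtocopy is clamped below addrcount by MAX_ADDRS, the loop has to stop here or the next iteration starts parsing in the middle of the record. A short comment stating that dependency, or advancing j by datalength regardless of how many addresses were copied, would make the branch robust against the same copy-and-paste slip recurring.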
@@ -2238,12 +2240,12 @@
 	int i;
 	assert(in);
 	cp = buf;
-	for (i=0; i < 16; ++i) {
+	for (i=15; i >= 0; --i) {
 		u8 byte = in->s6_addr[i];
+		*cp++ = "0123456789abcdef"[byte & 0x0f];
+		*cp++ = '.';
 		*cp++ = "0123456789abcdef"[byte >> 4];
 		*cp++ = '.';
-		*cp++ = "0123456789abcdef"[byte & 0x0f];
-		*cp++ = '.';
 	}
 	assert(cp + strlen(".ip6.arpa") < buf+sizeof(buf));
 	memcpy(cp, ".ip6.arpa", strlen(".ip6.arpa")+1);
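Review bot: after the rewritten loop every nybble is followed by '.', so cp points just past a trailing dot when the loop ends, and the unchanged `memcpy(cp, ".ip6.arpa", ...)` then appends a second dot, producing a name ending in "..ip6.arpa". Either copy "ip6.arpa" without the leading dot (and adjust the strlen in the assert and memcpy to match) or drop the final '.' from the loop. The nybble order itself, low nybble of byte 15 first, looks right.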


