Opened 18 months ago
Closed 8 months ago
#18035 closed bug (fixed)
Possible buffer overflow in the domain name resolver
| Reported by: | haikupr | Owned by: | nobody |
|---|---|---|---|
| Priority: | normal | Milestone: | R1/beta5 |
| Component: | System/libroot.so | Version: | R1/Development |
| Keywords: | Cc: | ||
| Blocked By: | Blocking: | ||
| Platform: | All |
Description
The bug here reported occurs on Haiku x86_64 R1/beta3 as well as on hrev56554, both running as bhyve guests on a FreeBSD 12.1 host. I've not performed tests on any other configuration.
Let Haiku use a non recursive DNS server while omitting the domain and search clauses in resolv.conf. (In my case, the server is a bind 9.14, the Haikus aren't part of its localnets ACL, thus preventing recursive service and lookup in the cache.)
When calling gethostbyname(3), haiku tries first to lookup for itself (seeking both A and AAAA RRs), it sends incorrect packets to the server, the queried domain is "haiku.??????" where ? are non ASCII bytes. The querried domain is composed of two labels, the first is five bytes-long ("haiku"), it is followed by an unexpected six bytes long label composed of out of range bytes. The response from the server is obviously negative. After that more queries follow, almost all exhibit identically incorrect construction behavior.
Because the queries include a completely bogus label composed of random bytes, I'm tempted to think this is the manifestation of a buffer overflow in the Haiku resolver. Could this be exploited? I don't know, only a review of the resolver could tell.
I join a packets capture which plainly in which the incorrect reported behavior can be observed.
Attachments (1)
Change History (5)
by , 18 months ago
| Attachment: | haikudomain.pcap added |
|---|
comment:1 by , 18 months ago
| Component: | Network & Internet/IPv4 → System/libroot.so |
|---|---|
| Keywords: | dns buffer-overlow removed |
| Owner: | changed from to |
The resolver is mostly imported from NetBSD's netresolv and likely should be totally replaced, to be completely honest.
comment:2 by , 8 months ago
libnetwork's DNS resolver synchronized with NetBSD in hrev57256. Please retest after that.
comment:3 by , 8 months ago
After reconstructing the network situation originally described in this ticket (no domain name and no search list in resolv.conf, and excluding the haiku host from being able to submit recursive queries in named configuration); after updating to hrev57256; I no longer obverse malformed DNS queries produced by Haiku. I consider this bug as being fixed. Thank you.
comment:4 by , 8 months ago
| Milestone: | Unscheduled → R1/beta5 |
|---|---|
| Resolution: | → fixed |
| Status: | new → closed |
Excellent, thanks for testing!
Packet capture of some incorrect DNS queries made by Haiku