Opened 2 years ago

Closed 15 months ago

#18035 closed bug (fixed)

Possible buffer overflow in the domain name resolver

Reported by: haikupr Owned by: nobody
Priority: normal Milestone: R1/beta5
Component: System/libroot.so Version: R1/Development
Keywords: Cc:
Blocked By: Blocking:
Platform: All

Description

The bug here reported occurs on Haiku x86_64 R1/beta3 as well as on hrev56554, both running as bhyve guests on a FreeBSD 12.1 host. I've not performed tests on any other configuration.

Let Haiku use a non recursive DNS server while omitting the domain and search clauses in resolv.conf. (In my case, the server is a bind 9.14, the Haikus aren't part of its localnets ACL, thus preventing recursive service and lookup in the cache.)

When calling gethostbyname(3), haiku tries first to lookup for itself (seeking both A and AAAA RRs), it sends incorrect packets to the server, the queried domain is "haiku.??????" where ? are non ASCII bytes. The querried domain is composed of two labels, the first is five bytes-long ("haiku"), it is followed by an unexpected six bytes long label composed of out of range bytes. The response from the server is obviously negative. After that more queries follow, almost all exhibit identically incorrect construction behavior.

Because the queries include a completely bogus label composed of random bytes, I'm tempted to think this is the manifestation of a buffer overflow in the Haiku resolver. Could this be exploited? I don't know, only a review of the resolver could tell.

I join a packets capture which plainly in which the incorrect reported behavior can be observed.

Attachments (1)

haikudomain.pcap (3.6 KB ) - added by haikupr 2 years ago.
Packet capture of some incorrect DNS queries made by Haiku

Download all attachments as: .zip

Change History (5)

by haikupr, 2 years ago

Attachment: haikudomain.pcap added

Packet capture of some incorrect DNS queries made by Haiku

comment:1 by waddlesplash, 2 years ago

Component: Network & Internet/IPv4System/libroot.so
Keywords: dns buffer-overlow removed
Owner: changed from axeld to nobody

The resolver is mostly imported from NetBSD's netresolv and likely should be totally replaced, to be completely honest.

comment:2 by waddlesplash, 15 months ago

libnetwork's DNS resolver synchronized with NetBSD in hrev57256. Please retest after that.

comment:3 by haikupr, 15 months ago

After reconstructing the network situation originally described in this ticket (no domain name and no search list in resolv.conf, and excluding the haiku host from being able to submit recursive queries in named configuration); after updating to hrev57256; I no longer obverse malformed DNS queries produced by Haiku. I consider this bug as being fixed. Thank you.

comment:4 by waddlesplash, 15 months ago

Milestone: UnscheduledR1/beta5
Resolution: fixed
Status: newclosed

Excellent, thanks for testing!

Note: See TracTickets for help on using tickets.