From ab2a450887b1c1736d9aa336e55f248fa17838a3 Mon Sep 17 00:00:00 2001
From: Mark Andrews
Date: Thu, 16 Nov 2023 11:15:49 +1100
Subject: [PATCH 1/3] Check that buffer length in dns_message_renderbegin

The maximum DNS message size is 65535 octets. Check that the buffer being passed to dns_message_renderbegin does not exceed this as the compression code assumes that all offsets are no bigger than this.

(cherry picked from commit a06951323496ee084b49e01d436616adf2d67f1b)
---
 lib/dns/include/dns/message.h | 2 +-
 lib/dns/message.c | 1 +
 2 files changed, 2 insertions(+), 1 deletion(-)

diff --git a/lib/dns/include/dns/message.h b/lib/dns/include/dns/message.h
index b5d9a5a168..940c9b1748 100644
--- a/lib/dns/include/dns/message.h
+++ b/lib/dns/include/dns/message.h
@@ -597,7 +597,7 @@ dns_message_renderbegin(dns_message_t *msg, dns_compress_t *cctx,
 *
 *\li 'cctx' be valid.
 *
- *\li 'buffer' is a valid buffer.
+ *\li 'buffer' is a valid buffer with length less than 65536.
 *
 * Side Effects:
 *
diff --git a/lib/dns/message.c b/lib/dns/message.c
index 1b983d9194..761a8e1471 100644
--- a/lib/dns/message.c
+++ b/lib/dns/message.c
@@ -1774,6 +1774,7 @@ dns_message_renderbegin(dns_message_t *msg, dns_compress_t *cctx,
 REQUIRE(DNS_MESSAGE_VALID(msg));
 REQUIRE(buffer != NULL);
+ REQUIRE(isc_buffer_length(buffer) < 65536);
 REQUIRE(msg->buffer == NULL);
 REQUIRE(msg->from_to_wire == DNS_MESSAGE_INTENTRENDER);
From dc0671e72410f3719110bac73468d659b9c5d680 Mon Sep 17 00:00:00 2001
From: Mark Andrews
Date: Thu, 16 Nov 2023 11:22:02 +1100
Subject: [PATCH 2/3] Adjust message buffer sizes in test code

(cherry picked from commit cbfcdbc19952b8c7679a21f5d4770f3b85bbf5c9)
---
 bin/tests/wire_test.c | 2 +-
 tests/libtest/ns.c | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/bin/tests/wire_test.c b/bin/tests/wire_test.c
index 5b079ce3ea..b21f5f0f52 100644
--- a/bin/tests/wire_test.c
+++ b/bin/tests/wire_test.c
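Review bot: The added `REQUIRE(isc_buffer_length(buffer) < 65536);` in dns_message_renderbegin (lib/dns/message.c) turns an oversized render buffer into a fatal assertion, yet the series only resizes the two test buffers in bin/tests/wire_test.c and tests/libtest/ns.c. Any non-test caller that still allocates a 64 KiB (65536-byte) buffer would presumably abort the process on render, so the remaining callers need the same audit; none are visible in this patch. The bound is also a bare literal spelled two ways across the series (`< 65536` here and in message.h, `65535` in the tests and the xfrout.c comment). One spelling such as `REQUIRE(isc_buffer_length(buffer) <= UINT16_MAX);` with a comment like `/* compression code assumes offsets <= 65535 */` would tie the check to the reason given in the commit message. The function body continues outside the hunk.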
@@ -287,7 +287,7 @@ process_message(isc_buffer_t *source) {
 }
 if (dorender) {
- unsigned char b2[64 * 1024];
+ unsigned char b2[65535];
 isc_buffer_t buffer;
 dns_compress_t cctx;
diff --git a/tests/libtest/ns.c b/tests/libtest/ns.c
index 4a53ad8fc6..16eaefcfe1 100644
--- a/tests/libtest/ns.c
+++ b/tests/libtest/ns.c
@@ -290,7 +290,7 @@ attach_query_msg_to_client(ns_client_t *client, const char *qnamestr,
 dns_rdatatype_t qtype, unsigned int qflags) {
 dns_rdataset_t *qrdataset = NULL;
 dns_message_t *message = NULL;
- unsigned char query[65536];
+ unsigned char query[65535];
 dns_name_t *qname = NULL;
 isc_buffer_t querybuf;
 dns_compress_t cctx;
From 617f73426d69e2e552fed29213d27af374abbfbf Mon Sep 17 00:00:00 2001
From: Mark Andrews
Date: Thu, 16 Nov 2023 11:22:47 +1100
Subject: [PATCH 3/3] Adjust comment to have correct message limit value

(cherry picked from commit 560c24597190a77e5d157543fc1179b84d7f74b0)
---
 lib/ns/xfrout.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/lib/ns/xfrout.c b/lib/ns/xfrout.c
index 9380924bf6..1429d3be6b 100644
--- a/lib/ns/xfrout.c
+++ b/lib/ns/xfrout.c
@@ -1264,7 +1264,7 @@ xfrout_ctx_create(isc_mem_t *mctx, ns_client_t *client, unsigned int id,
 * Note that although 65535-byte RRs are allowed in principle, they
 * cannot be zone-transferred (at least not if uncompressible),
 * because the message and RR headers would push the size of the
- * TCP message over the 65536 byte limit.
+ * TCP message over the 65535 byte limit.
 */
 mem = isc_mem_get(mctx, len);
 isc_buffer_init(&xfr->buf, mem, len);