From a06951323496ee084b49e01d436616adf2d67f1b Mon Sep 17 00:00:00 2001
From: Mark Andrews
Date: Thu, 16 Nov 2023 11:15:49 +1100
Subject: [PATCH 1/3] Check that buffer length in dns_message_renderbegin
The maximum DNS message size is 65535 octets. Check that the buffer being passed to dns_message_renderbegin does not exceed this as the compression code assumes that all offsets are no bigger than this.
---
 lib/dns/include/dns/message.h | 2 +-
 lib/dns/message.c | 1 +
 2 files changed, 2 insertions(+), 1 deletion(-)
diff --git a/lib/dns/include/dns/message.h b/lib/dns/include/dns/message.h
index a4b4b3ffbe..dc0c05846f 100644
--- a/lib/dns/include/dns/message.h
+++ b/lib/dns/include/dns/message.h
@@ -600,7 +600,7 @@ dns_message_renderbegin(dns_message_t *msg, dns_compress_t *cctx,
 *
 *\li 'cctx' be valid.
 *
- *\li 'buffer' is a valid buffer.
+ *\li 'buffer' is a valid buffer with length less than 65536.
 *
 * Side Effects:
 *
diff --git a/lib/dns/message.c b/lib/dns/message.c
index 2f352dc7e7..c85e579b02 100644
--- a/lib/dns/message.c
+++ b/lib/dns/message.c
@@ -1735,6 +1735,7 @@ dns_message_renderbegin(dns_message_t *msg, dns_compress_t *cctx,
 REQUIRE(DNS_MESSAGE_VALID(msg));
 REQUIRE(buffer != NULL);
+ REQUIRE(isc_buffer_length(buffer) < 65536);
 REQUIRE(msg->buffer == NULL);
 REQUIRE(msg->from_to_wire == DNS_MESSAGE_INTENTRENDER);
From cbfcdbc19952b8c7679a21f5d4770f3b85bbf5c9 Mon Sep 17 00:00:00 2001
From: Mark Andrews
Date: Thu, 16 Nov 2023 11:22:02 +1100
Subject: [PATCH 2/3] Adjust message buffer sizes in test code
---
 bin/tests/wire_test.c | 2 +-
 tests/libtest/ns.c | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/bin/tests/wire_test.c b/bin/tests/wire_test.c
index 772382849e..21c960ebed 100644
--- a/bin/tests/wire_test.c
+++ b/bin/tests/wire_test.c
@@ -286,7 +286,7 @@ process_message(isc_buffer_t *source) {
 }
 if (dorender) {
- unsigned char b2[64 * 1024];
+ unsigned char b2[65535];
 isc_buffer_t buffer;
 dns_compress_t cctx;
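Review bot: The `REQUIRE(isc_buffer_length(buffer) < 65536);` added in lib/dns/message.c makes an oversized render buffer an assertion failure instead of an error return, so every caller of dns_message_renderbegin needs auditing, not only the two test buffers resized in bin/tests/wire_test.c and tests/libtest/ns.c. Any caller outside this diff that still passes a 65536-byte buffer would presumably stop the process at this line. The bound is also a bare literal that appears as 65536 here and as 65535 in the test arrays and the xfrout.c comment; `REQUIRE(isc_buffer_length(buffer) <= UINT16_MAX);` preceded by `/* compression code assumes offsets <= 65535 */` would keep the reason next to the check. The body of dns_message_renderbegin continues outside the hunk.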
diff --git a/tests/libtest/ns.c b/tests/libtest/ns.c
index 67be306d46..6f66b00a3c 100644
--- a/tests/libtest/ns.c
+++ b/tests/libtest/ns.c
@@ -250,7 +250,7 @@ attach_query_msg_to_client(ns_client_t *client, const char *qnamestr,
 dns_rdatatype_t qtype, unsigned int qflags) {
 dns_rdataset_t *qrdataset = NULL;
 dns_message_t *message = NULL;
- unsigned char query[65536];
+ unsigned char query[65535];
 dns_name_t *qname = NULL;
 isc_buffer_t querybuf;
 dns_compress_t cctx;
From 560c24597190a77e5d157543fc1179b84d7f74b0 Mon Sep 17 00:00:00 2001
From: Mark Andrews
Date: Thu, 16 Nov 2023 11:22:47 +1100
Subject: [PATCH 3/3] Adjust comment to have correct message limit value
---
 lib/ns/xfrout.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/lib/ns/xfrout.c b/lib/ns/xfrout.c
index d0686e1da2..0e09ddcc22 100644
--- a/lib/ns/xfrout.c
+++ b/lib/ns/xfrout.c
@@ -1258,7 +1258,7 @@ xfrout_ctx_create(isc_mem_t *mctx, ns_client_t *client, unsigned int id,
 * Note that although 65535-byte RRs are allowed in principle, they
 * cannot be zone-transferred (at least not if uncompressible),
 * because the message and RR headers would push the size of the
 - * TCP message over the 65536 byte limit.
 + * TCP message over the 65535 byte limit.
 */
 mem = isc_mem_get(mctx, len);
 isc_buffer_init(&xfr->buf, mem, len);
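Review bot: The `len` passed to `isc_mem_get(mctx, len)` and `isc_buffer_init(&xfr->buf, mem, len)` just below the corrected comment in lib/ns/xfrout.c is set outside this hunk, and nothing visible here confirms that it stays at or below 65535. If xfr->buf is later handed to dns_message_renderbegin (not shown), it falls under the precondition added in patch 1/3, and a larger value would trip that assertion on a zone-transfer path. It is worth confirming the value and extending the comment with a line such as `* 'len' must stay below 65536; dns_message_renderbegin() asserts this.` xfrout_ctx_create starts and ends outside the hunk.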