Bug 1280

Summary: Unbound fails assert when response from authoritative contains malformed qname
Product: unbound
Reporter: Charles Walker <chwalker>
Component: server
Assignee: unbound team <unbound-team>
Severity: major
CC: cathya, wouter
Priority: P5
Version: 1.5.6
Hardware: Other
OS: All

Description Charles Walker 2017-06-12 23:34:39 CEST
NOTE: I looked at the tip of the svn trunk, and I believe that this problem still exists in the latest unbound code.

When a response comes back from an authoritative nameserver which contains a qname which has a length which would make unbound index off the end of the buffer, unbound asserts.  Here is a real live example of such a response:

13:03:37.605841 IP > 52658 Refused- 0/0/1 (38)
        0x0000:  03b8 0800 4500 0042 b40d 0000 7211 548a  ....E..B....r.T.
        0x0010:  8ccd 5119 d857 89d5 0035 6b80 002e 0000  ..Q..W...5k.....
        0x0020:  cdb2 8015 0001 0000 0000 0001 0558 7a6a  .............Xzj
        0x0030:  7051 0378 797a e4c2 d1e3 d2f8 d48c b5df  pQ.xyz..........
        0x0040:  1b93 0800 4500                           ....E.

Note that there is a label length of e4 at offset 0x36.

In serviced_check_qname function in services/outside_network.c, where it calls sldns_buffer_at, it is asserting inside sldns_buffer_at.

Comment 1 Wouter Wijngaards 2017-06-13 16:09:26 CEST
Hi Charles,

Thank you for the bug report.  The issue is fixed in the upcoming release of unbound 1.6.3.

I'll close this ticket, then.

Best regards, Wouter
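
The check the description calls for, as an added example (not unbound's code and not the fix that went into 1.6.3): a qname walker that validates every label length and compression pointer against the buffer before dereferencing it, run over the 38-byte DNS payload from the capture above. `walk_qname` is a hypothetical helper; note that 0xe4 has its top two bits set, which RFC 1035 defines as a compression pointer, so the walker checks the pointer target rather than a label length.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* DNS payload (38 bytes) of the response quoted in the description,
 * i.e. the capture from offset 0x20 onward. */
static const uint8_t pkt[] = {
    0xcd,0xb2,0x80,0x15,0x00,0x01,0x00,0x00,0x00,0x00,0x00,0x01,
    0x05,0x58,0x7a,0x6a,0x70,0x51,0x03,0x78,0x79,0x7a,
    0xe4,0xc2,0xd1,0xe3,0xd2,0xf8,0xd4,0x8c,0xb5,0xdf,0x1b,0x93,
    0x08,0x00,0x45,0x00
};

/* Hypothetical helper: walk the qname that starts at DNS offset 12.
 * Returns the offset just past the name, or -1 if any label or
 * compression pointer would leave the buffer. On failure *bad is the
 * offset of the offending length byte. */
static long walk_qname(const uint8_t *p, size_t len, size_t *bad)
{
    size_t pos = 12, end = 0;
    int jumps = 0;
    for (;;) {
        if (pos >= len) { *bad = pos; return -1; }
        uint8_t l = p[pos];
        if ((l & 0xc0) == 0xc0) {              /* RFC 1035 pointer */
            if (pos + 1 >= len) { *bad = pos; return -1; }
            size_t target = ((size_t)(l & 0x3f) << 8) | p[pos + 1];
            if (target >= len || ++jumps > 16) { *bad = pos; return -1; }
            if (!end) end = pos + 2;           /* name ends after first pointer */
            pos = target;
        } else if (l & 0xc0) {                 /* reserved label types */
            *bad = pos; return -1;
        } else if (l == 0) {                   /* root label: done */
            return (long)(end ? end : pos + 1);
        } else {
            if (pos + 1 + l > len) { *bad = pos; return -1; }
            pos += 1 + (size_t)l;
        }
    }
}

int main(void)
{
    size_t bad = 0;
    long r = walk_qname(pkt, sizeof pkt, &bad);
    printf("result=%ld, bad length byte at capture offset 0x%zx\n",
           r, bad + 0x20);
    return 0;
}
```

The walker rejects the packet at DNS offset 22, which is capture offset 0x36, the byte the description points at.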