Bugzilla – Bug 1280
Unbound fails assert when response from authoritative contains malformed qname
Last modified: 2017-06-13 16:09:26 CEST
NOTE: I looked at the tip of the svn trunk, and I believe that this problem still exists in the latest unbound code.

When a response comes back from an authoritative nameserver which contains a qname which has a length which would make unbound index off the end of the buffer, unbound asserts.

Here is a real live example of such a response:

    13:03:37.605841 IP 140.205.81.25.53 > 216.87.137.213.27520: 52658 Refused- 0/0/1 (38)
    0x0000:  03b8 0800 4500 0042 b40d 0000 7211 548a  ....E..B....r.T.
    0x0010:  8ccd 5119 d857 89d5 0035 6b80 002e 0000  ..Q..W...5k.....
    0x0020:  cdb2 8015 0001 0000 0000 0001 0558 7a6a  .............Xzj
    0x0030:  7051 0378 797a e4c2 d1e3 d2f8 d48c b5df  pQ.xyz..........
    0x0040:  1b93 0800 4500                           ....E.

Note that there is a label length of e4 at offset 0x36.

In serviced_check_qname function in services/outside_network.c, where it calls sldns_buffer_at, it is asserting inside sldns_buffer_at.
Hi Charles,

Thank you for the bug report. The issue is fixed in the upcoming release of unbound 1.6.3. I'll close this ticket, then.

Best regards,
Wouter
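
The 38-byte DNS payload from the capture in the report (dump offsets 0x20 to 0x45), run through a bounds-checked walk of the question name. This is an added example, not unbound's code or its fix; `check_qname`, the status names, the 16-jump limit and the comparison packet are assumptions made here. Under RFC 1035 a length byte with both high bits set, as in 0xe4, starts a compression pointer, so the check that rejects this packet is the one on the pointer target (0x24c2 against a 38-byte buffer).

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

enum qname_status { QNAME_OK, QNAME_TRUNCATED, QNAME_BAD_LABEL_TYPE,
                    QNAME_BAD_POINTER, QNAME_POINTER_LOOP };
struct qname_result { enum qname_status status; size_t offset; };

/* DNS payload from the capture in the report (UDP payload, 38 bytes). */
static const uint8_t reported_pkt[] = {
    0xcd,0xb2,0x80,0x15,0x00,0x01,0x00,0x00,0x00,0x00,0x00,0x01, /* header */
    0x05,0x58,0x7a,0x6a,0x70,0x51,0x03,0x78,0x79,0x7a,   /* 5"XzjpQ" 3"xyz" */
    0xe4,0xc2,0xd1,0xe3,0xd2,0xf8,0xd4,0x8c,0xb5,0xdf,   /* 0xe4 at byte 22 */
    0x1b,0x93,0x08,0x00,0x45,0x00 };

/* Constructed well-formed packet for comparison: example.com. A IN. */
static const uint8_t good_pkt[] = {
    0x12,0x34,0x81,0x80,0x00,0x01,0x00,0x00,0x00,0x00,0x00,0x00,
    7,'e','x','a','m','p','l','e',3,'c','o','m',0, 0x00,0x01,0x00,0x01 };

/* Walk the question name at offset 12 without reading or jumping past len.
 * On failure, offset is the position of the byte that was rejected. */
static struct qname_result check_qname(const uint8_t *pkt, size_t len)
{
    struct qname_result r = { QNAME_TRUNCATED, 12 };
    size_t pos = 12;
    int jumps = 0;
    while (pos < len) {
        uint8_t c = pkt[pos];
        r.offset = pos;
        if (c == 0) { r.status = QNAME_OK; return r; }
        if ((c & 0xC0) == 0xC0) {               /* compression pointer */
            size_t target;
            if (pos + 1 >= len) return r;       /* second pointer byte missing */
            target = ((size_t)(c & 0x3F) << 8) | pkt[pos + 1];
            if (target >= len) { r.status = QNAME_BAD_POINTER; return r; }
            if (++jumps > 16) { r.status = QNAME_POINTER_LOOP; return r; }
            pos = target;                       /* 16 is an arbitrary cap */
        } else if (c & 0xC0) {                  /* 01/10 label types */
            r.status = QNAME_BAD_LABEL_TYPE; return r;
        } else {
            if (c > len - pos - 1) return r;    /* label runs past the end */
            pos += 1 + (size_t)c;
        }
    }
    r.offset = pos;
    return r;                                   /* no terminating root label */
}

int main(void)
{
    struct qname_result r = check_qname(reported_pkt, sizeof reported_pkt);
    printf("status=%d payload offset %zu (dump offset 0x%zx)\n",
           (int)r.status, r.offset, r.offset + 0x20);
    return 0;
}
```

The reported payload offset plus 0x20 (where the DNS payload starts in the dump) gives 0x36, the offset named in the report.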