Bugzilla – Bug 1280
Unbound fails assert when response from authoritative contains malformed qname
Last modified: 2017-06-13 16:09:26 CEST
NOTE: I looked at the tip of the svn trunk, and I believe that this problem still exists in the latest unbound code.
When a response comes back from an authoritative nameserver which contains a qname which has a length which would make unbound index off the end of the buffer, unbound asserts. Here is a real live example of such a response:
13:03:37.605841 IP 126.96.36.199.53 > 188.8.131.52.27520: 52658 Refused- 0/0/1 (38)
0x0000: 03b8 0800 4500 0042 b40d 0000 7211 548a ....E..B....r.T.
0x0010: 8ccd 5119 d857 89d5 0035 6b80 002e 0000 ..Q..W...5k.....
0x0020: cdb2 8015 0001 0000 0000 0001 0558 7a6a .............Xzj
0x0030: 7051 0378 797a e4c2 d1e3 d2f8 d48c b5df pQ.xyz..........
0x0040: 1b93 0800 4500 ....E.
Note that there is a label length of e4 at offset 0x36.
In the serviced_check_qname function in services/outside_network.c, where it calls sldns_buffer_at, it is asserting inside sldns_buffer_at.
Thank you for the bug report. The issue is fixed in the upcoming release of unbound 1.6.3.
I'll close this ticket, then.
Best regards, Wouter
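The failure mode in the report, as an added example that is not part of the original thread and is not unbound's code: a bounds-checked walk over the question name that rejects the reply from the hex dump instead of indexing past the buffer. The names check_qname, sample_reply and MAX_PTR_HOPS are hypothetical; the walk follows RFC 1035, under which a length byte with both top bits set (such as 0xe4) starts a two-byte compression pointer.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#define DNS_HDR_LEN 12
#define MAX_PTR_HOPS 16 /* loop guard, value chosen for this example */

/* Constructed from the report's hex dump: 38-byte DNS payload at capture offset 0x20. */
static const uint8_t sample_reply[38] = {
    0xcd,0xb2,0x80,0x15,0x00,0x01,0x00,0x00,0x00,0x00,0x00,0x01,
    0x05,0x58,0x7a,0x6a,0x70,0x51,0x03,0x78,0x79,0x7a,
    0xe4,0xc2,0xd1,0xe3,0xd2,0xf8,0xd4,0x8c,0xb5,0xdf,
    0x1b,0x93,0x08,0x00,0x45,0x00
};

/* Walk the question name without reading at or past msg[len]. Returns 0 if the
 * name ends cleanly, -1 if malformed; *bad_off is meaningful only on failure. */
static int check_qname(const uint8_t *msg, size_t len, size_t *bad_off)
{
    size_t pos = DNS_HDR_LEN;
    int hops = 0;
    while (pos < len) {
        uint8_t l = msg[pos];
        *bad_off = pos;                    /* byte currently being judged */
        if (l == 0)
            return 0;                      /* root label: done */
        if ((l & 0xc0) == 0xc0) {          /* compression pointer */
            if (pos + 1 >= len)
                return -1;                 /* second pointer byte missing */
            size_t target = ((size_t)(l & 0x3f) << 8) | msg[pos + 1];
            if (target >= len || ++hops > MAX_PTR_HOPS)
                return -1;                 /* points outside message, or loop */
            pos = target;
            continue;
        }
        if (l > 63 || len - pos - 1 < l)
            return -1;                     /* reserved type or label overruns */
        pos += 1 + (size_t)l;
    }
    *bad_off = pos;
    return -1;                             /* ran out before the root label */
}

int main(void)
{
    size_t bad = 0;
    int rc = check_qname(sample_reply, sizeof sample_reply, &bad);
    printf("rc=%d bad_off=%zu (capture offset 0x%zx)\n", rc, bad, bad + 0x20);
    return 0;
}
```

The rejected byte is at DNS offset 22, which is offset 0x36 in the capture, the position the report points to.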