Bug 1280 - Unbound fails assert when response from authoritative contains malformed qname
Status: RESOLVED FIXED
Product: unbound
Classification: Unclassified
Component: server
Version: 1.5.6
Hardware: Other All
Importance: P5 major
Assigned To: unbound team
Reported: 2017-06-12 23:34 CEST by Charles Walker
Modified: 2017-06-13 16:09 CEST

Description Charles Walker 2017-06-12 23:34:39 CEST
NOTE: I looked at the tip of the svn trunk, and I believe that this problem still exists in the latest unbound code.

When a response comes back from an authoritative nameserver which contains a qname which has a length which would make unbound index off the end of the buffer, unbound asserts.  Here is a real live example of such a response:

13:03:37.605841 IP 140.205.81.25.53 > 216.87.137.213.27520: 52658 Refused- 0/0/1 (38)
        0x0000:  03b8 0800 4500 0042 b40d 0000 7211 548a  ....E..B....r.T.
        0x0010:  8ccd 5119 d857 89d5 0035 6b80 002e 0000  ..Q..W...5k.....
        0x0020:  cdb2 8015 0001 0000 0000 0001 0558 7a6a  .............Xzj
        0x0030:  7051 0378 797a e4c2 d1e3 d2f8 d48c b5df  pQ.xyz..........
        0x0040:  1b93 0800 4500                           ....E.

Note that there is a label length of e4 at offset 0x36.

In the serviced_check_qname function in services/outside_network.c, where it calls sldns_buffer_at, it is asserting inside sldns_buffer_at.
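
A bounds-checked walk over the question name in the reply above, as an added example (not unbound's code and not the fix shipped in 1.6.3): every length octet and compression pointer is validated against the message length before it is followed. `sample_reply` is the DNS message transcribed from the dump in the report; `good_reply` and all function and constant names are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* DNS message (38 bytes) transcribed from the hex dump in the report;
 * it starts at capture offset 0x20, after the IP and UDP headers. */
static const uint8_t sample_reply[38] = {
    0xcd,0xb2,0x80,0x15,0x00,0x01,0x00,0x00,0x00,0x00,0x00,0x01, /* header */
    0x05,0x58,0x7a,0x6a,0x70,0x51, 0x03,0x78,0x79,0x7a, /* "XzjpQ" "xyz" */
    /* 0xe4 has both top bits set, so RFC 1035 reads 0xe4 0xc2 as a
     * compression pointer to 0x24c2, far outside this message */
    0xe4,0xc2,0xd1,0xe3,0xd2,0xf8,0xd4,0x8c,0xb5,0xdf,0x1b,0x93,
    0x08,0x00,0x45,0x00 };
/* Constructed for comparison: same name, terminated, type A, class IN. */
static const uint8_t good_reply[27] = {
    0xcd,0xb2,0x80,0x15,0x00,0x01,0x00,0x00,0x00,0x00,0x00,0x00,
    0x05,0x58,0x7a,0x6a,0x70,0x51, 0x03,0x78,0x79,0x7a, 0x00,
    0x00,0x01,0x00,0x01 };

enum { QNAME_OK, QNAME_TRUNCATED, QNAME_BAD_LABEL, QNAME_BAD_PTR, QNAME_PTR_LOOP };

/* Walk the question name at offset 12 and check every read against len.
 * On failure *bad_off is the offset of the offending length octet. */
int check_qname(const uint8_t *pkt, size_t len, size_t *bad_off)
{
    size_t pos = 12;
    int jumps = 0;
    for (;;) {
        *bad_off = pos;
        if (pos >= len) return QNAME_TRUNCATED;
        uint8_t l = pkt[pos];
        if (l == 0) return QNAME_OK;                 /* root label: done */
        if ((l & 0xc0) == 0xc0) {                    /* compression pointer */
            if (pos + 1 >= len) return QNAME_TRUNCATED;
            size_t target = ((size_t)(l & 0x3f) << 8) | pkt[pos + 1];
            if (target >= len) return QNAME_BAD_PTR; /* outside the message */
            if (++jumps > 16) return QNAME_PTR_LOOP; /* bound pointer chains */
            pos = target;
        } else if (l & 0xc0) {
            return QNAME_BAD_LABEL;                  /* reserved 01/10 types */
        } else {
            if (l > len - pos - 1) return QNAME_TRUNCATED; /* label overruns */
            pos += 1 + (size_t)l;
        }
    }
}

int main(void)
{
    size_t off;
    int rc = check_qname(sample_reply, sizeof sample_reply, &off);
    printf("rc=%d at DNS offset %zu (capture 0x%zx)\n", rc, off, off + 0x20);
    return rc == QNAME_BAD_PTR ? 0 : 1;
}
```

The rejected octet is at DNS offset 22, which is capture offset 0x36, the position named in the report.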
Comment 1 Wouter Wijngaards 2017-06-13 16:09:26 CEST
Hi Charles,

Thank you for the bug report.  The issue is fixed in the upcoming release of unbound 1.6.3.

I'll close this ticket, then.

Best regards, Wouter