Bug 1280 – Unbound fails assert when response from authoritative contains malformed qname

Bug 1280 - Unbound fails assert when response from authoritative contains malformed qname


Summary:	Unbound fails assert when response from authoritative contains malformed qname

Status:	RESOLVED FIXED

Product:	unbound
Classification:	Unclassified
Component:	server
Version:	1.5.6
Hardware:	Other All

Importance:	P5 major
Assigned To:	unbound team

URL:

Depends on:
Blocks:
	Show dependency tree / graph

Reported:	2017-06-12 23:34 CEST by Charles Walker
Modified:	2017-06-13 16:09 CEST (History)
CC List:	2 users (show)

See Also:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Charles Walker 2017-06-12 23:34:39 CEST

NOTE: I looked at the tip of the svn trunk, and I believe that this problem still exists in the latest unbound code.

When a response comes back from an authoritative nameserver which contains a qname which has a length which would make unbound index off the end of the buffer, unbound asserts.  Here is a real live example of such a response:

13:03:37.605841 IP 140.205.81.25.53 > 216.87.137.213.27520: 52658 Refused- 0/0/1 (38)
        0x0000:  03b8 0800 4500 0042 b40d 0000 7211 548a  ....E..B....r.T.
        0x0010:  8ccd 5119 d857 89d5 0035 6b80 002e 0000  ..Q..W...5k.....
        0x0020:  cdb2 8015 0001 0000 0000 0001 0558 7a6a  .............Xzj
        0x0030:  7051 0378 797a e4c2 d1e3 d2f8 d48c b5df  pQ.xyz..........
        0x0040:  1b93 0800 4500                           ....E.

Note that there is a label length of e4 at offset 0x36.

In serviced_check_qname function in services/outside_network.c, where it calls sldns_buffer_at, it is asserting inside sldns_buffer_at.

Comment 1 Wouter Wijngaards 2017-06-13 16:09:26 CEST

Hi Charles,

Thank you for the bugreport.  The issue is fixed in the upcoming release of unbound 1.6.3.

I'll close this ticket, then.

Best regards, Wouter