Bug 305 - malformed reply packet may cause unbound running in infinite loop when set use-caps-for-id to yes
Status: RESOLVED FIXED
Product: unbound
Classification: Unclassified
Component: server
Version: 1.4.1
Hardware: All
OS: All
Importance: P2 critical
Assigned To: unbound team
Depends on:
Blocks:
Reported: 2010-04-08 15:46 CEST by Hua Zhang
Modified: 2010-04-09 11:23 CEST (History)
Description Hua Zhang 2010-04-08 15:46:35 CEST
This bug is caused by unbound calling pkt_dname_tolower on an unchecked reply packet in the function serviced_callbacks (services/outside_network.c, lines 1354 and 1359 in svn version 2069). I noticed this bug while unbound tried to resolve ns2.kcdn.kuwo.cn and then ran into an infinite loop in pkt_dname_tolower.

As shown below:

dig +norec @60.28.193.253 ns2.kcdn.kuwo.cn

; <<>> DiG 9.5.1-P3 <<>> +norec @60.28.193.253 ns2.kcdn.kuwo.cn
; (1 server found)
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 54333
;; flags: qr; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;ns2.kcdn.kuwo.cn.              IN      A

;; ANSWER SECTION:
ns2.kcdn.kuwo.cn.       300     IN      A       60.28.193.254

;; Query time: 62 msec
;; SERVER: 60.28.193.253#53(60.28.193.253)
;; WHEN: Thu Apr  8 21:18:56 2010
;; MSG SIZE  rcvd: 66

dig +norec @60.28.193.253 Ns2.Kcdn.KuWo.cN
;; Warning: query response not set
;; Warning: Message parser reports malformed message packet.

; <<>> DiG 9.5.1-P3 <<>> +norec @60.28.193.253 Ns2.Kcdn.KuWo.cN
; (1 server found)
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 48846
;; flags:; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

;; Query time: 64 msec
;; SERVER: 60.28.193.253#53(60.28.193.253)
;; WHEN: Thu Apr  8 21:19:48 2010
;; MSG SIZE  rcvd: 12

Apparently, the reply from 60.28.193.253 is malformed when queried with random caps. But it results in unbound calling pkt_dname_tolower on uninitialized memory, which modifies an unintended location or gets stuck in an infinite loop. More seriously, if the reply packet comes with RCODE=SERVFAIL, QDCOUNT=0 and a crafted qname starting at position 12, pkt_dname_tolower will be called with the crafted qname.
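The check the report says is missing, shown as an added example (hypothetical code written for this page, not Unbound's own pkt_dname_tolower or serviced_callbacks): before anything lowercases the qname in place, confirm that the reply carries a complete 12-byte header, that QDCOUNT is non-zero, and that the name at offset 12 is made of valid label lengths and terminates inside the packet. The name walk is bounded by the packet length at every step, so a 12-byte SERVFAIL reply with QDCOUNT=0, or a name cut off mid-label, is rejected instead of being read past the buffer. The three sample replies are constructed, not captures; the SERVFAIL one is modelled on the second dig output above (id 48846, QR clear, RCODE 2, all counts 0), the other two are made up.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define DNS_HDR_LEN   12
#define DNS_MAX_NAME  255
#define DNS_MAX_LABEL 63

/* Result of validating a reply before its qname is touched. */
enum reply_status {
    REPLY_OK = 0,
    REPLY_TOO_SHORT,    /* fewer than 12 bytes: no complete header */
    REPLY_NO_QUESTION,  /* QDCOUNT == 0: offset 12 holds no qname at all */
    REPLY_BAD_NAME      /* qname runs off the packet, bad label, or pointer */
};

/* Walk the qname at offset 12 with every step bounded by len, so a
 * malformed name can neither loop forever nor read past the buffer.
 * On success *name_len receives the wire length of the name. */
static enum reply_status check_qname(const uint8_t *pkt, size_t len,
                                     size_t *name_len)
{
    size_t pos = DNS_HDR_LEN, total = 0;
    for (;;) {
        if (pos >= len)
            return REPLY_BAD_NAME;            /* ran off the end */
        uint8_t l = pkt[pos];
        if (l == 0) {                         /* root label: done */
            total++;
            break;
        }
        if (l > DNS_MAX_LABEL)                /* 0xC0.. pointer or junk */
            return REPLY_BAD_NAME;
        if (pos + 1 + l > len)                /* label overruns packet */
            return REPLY_BAD_NAME;
        pos   += 1 + l;
        total += 1 + l;
        if (total > DNS_MAX_NAME)
            return REPLY_BAD_NAME;
    }
    *name_len = total;
    return REPLY_OK;
}

/* Header length and QDCOUNT checks, then the bounded qname walk. */
enum reply_status check_reply(const uint8_t *pkt, size_t len, size_t *name_len)
{
    if (len < DNS_HDR_LEN)
        return REPLY_TOO_SHORT;
    uint16_t qdcount = (uint16_t)((pkt[4] << 8) | pkt[5]);
    if (qdcount == 0)
        return REPLY_NO_QUESTION;
    return check_qname(pkt, len, name_len);
}

/* Lowercase the qname in place, but only once check_reply() has passed;
 * the simple loop below is safe because the name was already validated. */
enum reply_status lowercase_qname(uint8_t *pkt, size_t len)
{
    size_t name_len;
    enum reply_status st = check_reply(pkt, len, &name_len);
    if (st != REPLY_OK)
        return st;
    size_t pos = DNS_HDR_LEN;
    while (pkt[pos] != 0) {
        uint8_t l = pkt[pos++];
        for (uint8_t i = 0; i < l; i++, pos++)
            pkt[pos] = (uint8_t)tolower(pkt[pos]);
    }
    return REPLY_OK;
}

/* Constructed samples (not captures). */
static const uint8_t good_reply[] = {        /* QDCOUNT=1, mixed-case qname */
    0xD4, 0x3D, 0x80, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    3, 'N', 's', '2', 4, 'K', 'c', 'd', 'n', 4, 'K', 'u', 'W', 'o', 2, 'c', 'N', 0,
    0x00, 0x01, 0x00, 0x01                   /* QTYPE A, QCLASS IN */
};
static const uint8_t servfail_reply[] = {    /* 12 bytes, RCODE=2, all counts 0 */
    0xBE, 0xCE, 0x00, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00
};
static const uint8_t truncated_reply[] = {   /* QDCOUNT=1 but name cut mid-label */
    0x00, 0x01, 0x80, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    3, 'N', 's'
};

/* Returns 1 if the good reply validates and its qname lowercases correctly. */
int demo_good_reply(void)
{
    static const uint8_t want[] =
        { 3, 'n', 's', '2', 4, 'k', 'c', 'd', 'n', 4, 'k', 'u', 'w', 'o', 2, 'c', 'n', 0 };
    uint8_t buf[sizeof good_reply];
    memcpy(buf, good_reply, sizeof buf);
    if (lowercase_qname(buf, sizeof buf) != REPLY_OK)
        return 0;
    return memcmp(buf + DNS_HDR_LEN, want, sizeof want) == 0;
}
enum reply_status demo_servfail_reply(void)  { size_t n; return check_reply(servfail_reply, sizeof servfail_reply, &n); }
enum reply_status demo_truncated_reply(void) { size_t n; return check_reply(truncated_reply, sizeof truncated_reply, &n); }
enum reply_status demo_short_reply(void)     { size_t n; return check_reply(servfail_reply, 5, &n); }

int main(void)
{
    printf("good: %d servfail: %d truncated: %d short: %d\n",
           demo_good_reply(), demo_servfail_reply(),
           demo_truncated_reply(), demo_short_reply());
    return 0;
}
```

The SERVFAIL sample is what the report's second dig shows: 12 bytes, nothing after the header. With QDCOUNT=0 the validator returns REPLY_NO_QUESTION without ever reading offset 12, which is the byte that an unchecked pkt_dname_tolower would have started walking.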
Comment 1 Wouter Wijngaards 2010-04-09 11:23:34 CEST
Yes, thank you for reporting this bug.
It is fixed in the code repository.

Best regards, Wouter