x/net/dnsmessage: dots inside dns name label should be considered invalid #56246
Comments
|
Or maybe it could lead to some security issues? // Resource Header
msg = append(msg, nameIN...)
msg = binary.BigEndian.AppendUint16(msg, uint16(dnsmessage.TypeCNAME))
msg = binary.BigEndian.AppendUint16(msg, uint16(dnsmessage.ClassINET))
msg = binary.BigEndian.AppendUint32(msg, 1)
nameCNAME := []byte{12, 's', 't', 'h', '.', 'i', 'n', 't', 'e', 'r', 'n', 'a', 'l', 2, 'g', 'o', 3, 'd', 'e', 'v', 0} // valid RFC 1035 name
msg = binary.BigEndian.AppendUint16(msg, uint16(len(nameCNAME)))
msg = append(msg, nameCNAME...)
_, err := parser.Start(msg)
if err != nil {
panic(err)
}
err = parser.SkipAllQuestions()
if err != nil {
panic(err)
}
_, err = parser.AnswerHeader()
if err != nil {
panic(err)
}
cname, err := parser.CNAMEResource()
if err != nil {
panic(err)
}
fmt.Println(cname.CNAME.Data[:cname.CNAME.Length])
fmt.Println(cname)
Having two different interpretations in never good in terms of security. |
|
Change https://go.dev/cl/443215 mentions this issue: |
|
We might also try to add |
|
@neild, can you give this a look? |
dr2chase
added
the
NeedsInvestigation
|
Hey @mateusz834 I'd like to try to get this fixed for 1.20, but I think we should be implementing the full 1034 escaping behavior (similar to what miekg/dns does), rather than just hard failing on this one specific. I'm happy to review if you'd like to update your CL to implement this, but we have a hard freeze at the end of next week before which we need to land the change. If you're short on time I'm also happy to take over and implement this behavior if you don't think you can get to it before then. |
|
Edit: I also found a discussion about the same issue here: #10631 (but marked as net). @rolandshoemaker I can try to implement this, give me few days.
You mean RFC 1035? Only these two? How to handle case in which we have to unpack a 255B (dns encoded name) that requires one character to be encoded as |
|
Oh bah, I missed we use a sized byte slice to avoid allocations, this ends up being more complicated than I anticipated. Perhaps just failing out here is the lowest impact fix we can reasonably apply in the short term. That said I think we should be failing on all non-LDH characters though, since otherwise we'll still be mis-parsing other special characters. |
|
@rolandshoemaker Note that the net package always checks for invalid hostnames: Lines 72 to 75 in a11cd6f This function is executed for every input/output hostname. So let's say that MX query returns []byte{3, 11, 22, 33, 2, 'g', 'o', 3, 'd', 'e', 'v', 0}. This will be rejected in LookupMX by isDomainName function. So this issue affects the net package only in case when someone sends a dot inside a label. []byte{12, 's', 't', 'h', '.', 'i', 'n', 't', 'e', 'r', 'n', 'a', 'l', 2, 'g', 'o', 3, 'd', 'e', 'v', 0}
Edit:
If we really need something like that we probably should reject dots and ASCII characters: |
|
Do we want to do something with this for go 1.21? |
|
ping @rolandshoemaker |
Unpacking
[]byte{2, '.', '.', 0}causes theNamefield ofdnsmessage.Questionto be:[46 46 46](which is an invalid name). And thus while packing that name inside builder.Question we get an error (even thought the parser did not report any error while unpacking).[]byte{2, '.', '.', 0}is a valid RFC 1035 name, but this package does not handle it correctly. (we are not able to express this name using the Name struct)I don't know what we should do with that. We might just return an error (while unpacking) when there is a dot inside a label (I don't know a better solution to fix that).
This is not a critical bug, I found it while testing this package. Any Thoughts?
The text was updated successfully, but these errors were encountered: