Fix CVE-2017-13704, which resulted in a crash on a large DNS query.

A DNS query recieved by UDP which exceeds 512 bytes (or the EDNS0 packet size, if different.) is enough to cause SIGSEGV.
2025-12-19 10:18:25 +00:00 · 2017-09-06 22:34:21 +01:00
parent 69a815aa8f
commit 63437ffbb5
4 changed files with 15 additions and 10 deletions
--- a/7
+++ b/7
@@ -17,6 +17,13 @@ version 2.78
 	--strict-order active. Thanks to Hans Dedecker
 	for the patch

+	Fix regression in 2.77, ironically added as a security
+	improvement, which resulted in a crash when a DNS
+	query exceeded 512 bytes (or the EDNS0 packet size,
+	if different.) Thanks to Christian Kujau, Arne Woerner
+	Juan Manuel Fernandez and Kevin Darbyshire-Bryant for
+	chasing this one down.  CVE-2017-13704 applies.
+
 	
 version 2.77
 	Generate an error when configured with a CNAME loop,
--- a/src/auth.c
+++ b/src/auth.c
@@ -119,11 +119,6 @@ size_t answer_auth(struct dns_header *header, char *limit, size_t qlen, time_t n
  struct cname *a, *candidate;
  unsigned int wclen;
  
-  /* Clear buffer beyond request to avoid risk of
-     information disclosure. */
-  memset(((char *)header) + qlen, 0, 
-	 (limit - ((char *)header)) - qlen);
-  
  if (ntohs(header->qdcount) == 0 || OPCODE(header) != QUERY )
    return 0;

--- a/src/forward.c
+++ b/src/forward.c
@@ -1189,6 +1189,10 @@ void receive_query(struct listener *listen, time_t now)
      (header->hb3 & HB3_QR))
    return;

+  /* Clear buffer beyond request to avoid risk of
+     information disclosure. */
+  memset(daemon->packet + n, 0, daemon->edns_pktsz - n);
+  
  source_addr.sa.sa_family = listen->family;
  
  if (listen->family == AF_INET)
@@ -1689,6 +1693,10 @@ unsigned char *tcp_request(int confd, time_t now,
      if (size < (int)sizeof(struct dns_header))
 	continue;

+      /* Clear buffer beyond request to avoid risk of
+	 information disclosure. */
+      memset(payload + size, 0, 65536 - size);
+      
      query_count++;

      /* log_query gets called indirectly all over the place, so 
--- a/src/rfc1035.c
+++ b/src/rfc1035.c
@@ -1223,11 +1223,6 @@ size_t answer_request(struct dns_header *header, char *limit, size_t qlen,
  struct mx_srv_record *rec;
  size_t len;

-  /* Clear buffer beyond request to avoid risk of
-     information disclosure. */
-  memset(((char *)header) + qlen, 0, 
-	 (limit - ((char *)header)) - qlen);
-  
  if (ntohs(header->ancount) != 0 ||
      ntohs(header->nscount) != 0 ||
      ntohs(header->qdcount) == 0 ||