BUG/MEDIUM: dns: fix accepted_payload_size parser to avoid integer overflow Since commit 9d8dbbc ("MINOR: dns: Maximum DNS udp payload set to 8192") it's possible to specify a packet size, but passing too large a size or a negative size is not detected and results in memset() being performed over a 2GB+ area upon receipt of the first DNS response, causing runtime crashes. We now check that the size is not smaller than the smallest packet which is the DNS header size (12 bytes). No backport is needed.

commit: 0c219be3dffa85b936048cc6b0ca45f3cf684d23 [log] [tgz]
author: Willy Tarreau <w@1wt.eu> Tue Aug 22 12:01:26 2017 +0200
committer: Willy Tarreau <w@1wt.eu> Tue Aug 22 12:03:46 2017 +0200
tree: 44070a1a39694872ff4e6f29a5d29cea643e7832
parent: f5f71304b009f6f00fdd521a10295a5314d2ffa4 [diff] [blame]
diff --git a/include/types/dns.h b/include/types/dns.h
index c7338c7..06e014c 100644
--- a/include/types/dns.h
+++ b/include/types/dns.h

@@ -82,7 +82,7 @@
 #define SRV_MAX_PREF_NET 5
 
 /* DNS header size */
-#define DNS_HEADER_SIZE		sizeof(struct dns_header)
+#define DNS_HEADER_SIZE		((int)sizeof(struct dns_header))
 
 /* DNS resolution pool size, per resolvers section */
 #define DNS_DEFAULT_RESOLUTION_POOL_SIZE	64
commit	0c219be3dffa85b936048cc6b0ca45f3cf684d23	[log] [tgz]
author	Willy Tarreau <w@1wt.eu>	Tue Aug 22 12:01:26 2017 +0200
committer	Willy Tarreau <w@1wt.eu>	Tue Aug 22 12:03:46 2017 +0200
tree	44070a1a39694872ff4e6f29a5d29cea643e7832
parent	f5f71304b009f6f00fdd521a10295a5314d2ffa4 [diff] [blame]