#18035: Possible buffer overflow in the domain name resolver
-------------------------------------+-----------------------------
Reporter: haikupr | Owner: axeld
Type: bug | Status: new
Priority: normal | Milestone: Unscheduled
Component: Network & Internet/IPv4 | Version: R1/Development
Keywords: dns buffer-overlow | Blocked By:
Blocking: | Platform: All
-------------------------------------+-----------------------------
The bug reported here occurs on Haiku x86_64 R1/beta3 as well as on
hrev56554, both running as bhyve guests on a FreeBSD 12.1 host. I've not
performed tests on any other configuration.
Let Haiku use a non-recursive DNS server while omitting the domain and
search clauses in resolv.conf. (In my case, the server is a BIND 9.14; the
Haikus aren't part of its localnets ACL, which prevents recursive service
and lookups in the cache.)
When gethostbyname(3) is called, Haiku first tries to look up itself
(seeking both A and AAAA RRs) and sends incorrect packets to the server:
the queried domain is "haiku.??????", where the ? are non-ASCII bytes. The
queried domain is composed of two labels; the first is five bytes long
("haiku") and is followed by an unexpected six-byte label composed of
out-of-range bytes. The response from the server is obviously negative.
After that more queries follow, almost all of which exhibit the same
incorrect construction.
Because the queries include a completely bogus label composed of random
bytes, I'm tempted to think this is the manifestation of a buffer overflow
in the Haiku resolver. Could this be exploited? I don't know, only a
review of the resolver could tell.
I attach a packet capture in which the reported incorrect behavior can be
plainly observed.
--
Ticket URL: <https://dev.haiku-os.org/ticket/18035>
Haiku <https://dev.haiku-os.org>
The Haiku operating system.
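A check a practitioner would want to run on the attached capture is to decode each query's QNAME and flag any label containing bytes that cannot have come from a hostname string. The following is an added example and is not code from the ticket or from the Haiku resolver: it parses the raw DNS message of a query (the UDP payload exported from a capture), lists the label lengths, and reports labels with out-of-range bytes. The two sample packets and their byte values are constructed here to mirror the description in the report (a five-byte "haiku" label followed by a six-byte label of non-ASCII bytes); they are not taken from the reporter's capture.

```python
import struct

# Bytes allowed in a hostname label: letters, digits, hyphen (RFC 1123);
# underscore is tolerated because it appears in SRV/TXT owner names.
HOSTNAME_OK = frozenset(
    b"abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789-_"
)

def parse_qname(pkt, offset=12):
    """Decode the QNAME starting at offset; return (labels, offset after it).

    Only plain labels are accepted: a query's question section never needs
    compression pointers (they only refer back to a name already present in
    the message), so a label type with the top two bits set is malformed here.
    """
    labels = []
    while True:
        if offset >= len(pkt):
            raise ValueError("truncated QNAME")
        length = pkt[offset]
        offset += 1
        if length == 0:
            return labels, offset
        if length & 0xC0:
            raise ValueError("compression pointer / reserved label type in question")
        label = pkt[offset:offset + length]
        if len(label) != length:
            raise ValueError("label runs past end of packet")
        labels.append(bytes(label))
        offset += length

def printable(label):
    """Render a label, escaping anything outside printable ASCII as \\xNN."""
    return "".join(chr(b) if 32 <= b < 127 else "\\x%02x" % b for b in label)

def suspicious_labels(labels):
    """Labels containing bytes that cannot come from a hostname string."""
    return [lab for lab in labels if any(b not in HOSTNAME_OK for b in lab)]

def analyze_query(pkt):
    """Summarize the first question of a raw DNS message (UDP payload)."""
    if len(pkt) < 12:
        raise ValueError("short DNS header")
    txid, _flags, qdcount, _an, _ns, _ar = struct.unpack("!6H", pkt[:12])
    if qdcount < 1:
        raise ValueError("no question in message")
    labels, off = parse_qname(pkt)
    if off + 4 > len(pkt):
        raise ValueError("truncated QTYPE/QCLASS")
    qtype, qclass = struct.unpack("!HH", pkt[off:off + 4])
    return {
        "id": txid,
        "qname": ".".join(printable(lab) for lab in labels),
        "label_lengths": [len(lab) for lab in labels],
        "qtype": qtype,
        "qclass": qclass,
        "suspicious": suspicious_labels(labels),
    }

def build_query(txid, labels, qtype=1):
    """Encode a minimal standard query: RD set, one question, class IN."""
    header = struct.pack("!6H", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(lab)]) + lab for lab in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)

# Constructed samples (not from the ticket's capture): a well-formed A query,
# and an AAAA query shaped like the report, "haiku" followed by a six-byte
# label of out-of-range bytes.  The byte values are invented for illustration.
GOOD_QUERY = build_query(0x1234, [b"haiku", b"example", b"net"])
BAD_QUERY = build_query(0x1235,
                        [b"haiku", bytes([0x8F, 0xE2, 0x01, 0xFE, 0x7F, 0xC3])],
                        qtype=28)

if __name__ == "__main__":
    for pkt in (GOOD_QUERY, BAD_QUERY):
        r = analyze_query(pkt)
        verdict = "MALFORMED" if r["suspicious"] else "ok"
        print("id=%04x qtype=%d labels=%s qname=%s %s"
              % (r["id"], r["qtype"], r["label_lengths"], r["qname"], verdict))
```

To apply this to a real capture, export each DNS query's UDP payload (for example with tshark's `-T fields -e dns` style output or by reading the pcap with scapy) and pass the bytes to analyze_query(); a non-empty "suspicious" list on a query whose QNAME should have been a plain hostname is exactly the symptom the report describes.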