ASTERISK-28127

Buffer overflow for DNS SRV/NAPTR records

    Details

      Description

      There is a possible buffer overflow in dns_srv_alloc and dns_naptr_alloc when a SRV/NAPTR record contains a compressed domain name. I am using Asterisk 16, but it looks like this issue exists since Asterisk 14.

      In both functions, dn_expand is used to expand a compressed domain name. The return value is used to calculate the size of the buffer for the ast_dns_srv_record / ast_dns_naptr_record struct, where the expanded domain name will be stored. However, the return value of dn_expand is actually the length of the compressed domain name, so this can lead to a buffer overflow.

      This can be fixed by using the actual string length of the expanded domain name instead of the return value of dn_expand to calculate the buffer size.

      The specific case where this bug occurred for me is _sip._udp.tel.t-online.de, which resolves to the following here:

      _sip._udp.tel.t-online.de. 325	IN	SRV	10 0 5060 do-epp-801.edns.t-ipnet.de.
      _sip._udp.tel.t-online.de. 325	IN	SRV	20 0 5060 h2-epp-801.edns.t-ipnet.de.
      

      For the first record, the first three labels of the name are encoded directly. Only the last label (de) is encoded as a reference. In this case, the length of the compressed name happens to be identical to the length of the expanded name at 26 bytes. Contents of the data parameter (domain name starts at 7th byte):

      00 0A 00 00 13 C4 0A 64 6F 2D 65 70 70 2D 38 30 31 04 65 64 6E 73 07 74 2D 69 70 6E 65 74 C0 23
      

      For the second record, only the first label (h2-epp-801) is encoded directly, and the rest is a reference. The expanded name has a length of 26 bytes, while the compressed name is only 13 bytes long. Contents of the data parameter (domain name starts at 7th byte):

      00 14 00 00 13 C4 0A 68 32 2D 65 70 70 2D 38 30 31 C0 48
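The mismatch described above, reproduced as an added example (this is not code from Asterisk or from the reporter's patch). The DNS message in the block is constructed: only the two RDATA blocks are the bytes quoted in the report; the header, question and record headers around them are assumed and arranged so that the quoted compression pointers (C0 23, C0 48) resolve to the labels they refer to. `expand_name` is a local stand-in for dn_expand(3) written to the same return-value contract; `expand_target`, `target_compressed_len`, `target_expanded_len`, `target_name_is`, `old_sizing_overflows` and `loop_is_rejected` are names chosen here, and the allocation model in `old_sizing_overflows` (host_size plus one byte for the terminator) is an assumption, not a quote of dns_srv_alloc.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Constructed DNS response (not from the report) for the SRV lookup of
 * _sip._udp.tel.t-online.de: the two RDATA blocks are the bytes the report
 * quotes; header, question and record headers are assumed, laid out so the
 * report's pointers (C0 23 -> offset 35 "de", C0 48 -> offset 72 "edns...") fit. */
static const unsigned char MSG[] = {
    /* header: id, flags QR|RD|RA, qdcount 1, ancount 2, nscount 0, arcount 0 */
    0x12, 0x34, 0x81, 0x80, 0x00, 0x01, 0x00, 0x02, 0x00, 0x00, 0x00, 0x00,
    /* question (offset 12): _sip._udp.tel.t-online.de, type SRV, class IN */
    4, '_', 's', 'i', 'p', 4, '_', 'u', 'd', 'p', 3, 't', 'e', 'l',
    8, 't', '-', 'o', 'n', 'l', 'i', 'n', 'e', 2, 'd', 'e', 0, 0x00, 0x21, 0x00, 0x01,
    /* answer 1 (offset 43): name -> 12, SRV, IN, TTL 325, rdlength 32 */
    0xC0, 0x0C, 0x00, 0x21, 0x00, 0x01, 0x00, 0x00, 0x01, 0x45, 0x00, 0x20,
    /* RDATA 1 (offset 55): the bytes quoted in the report */
    0x00, 0x0A, 0x00, 0x00, 0x13, 0xC4, 0x0A, 0x64, 0x6F, 0x2D, 0x65, 0x70, 0x70, 0x2D, 0x38, 0x30,
    0x31, 0x04, 0x65, 0x64, 0x6E, 0x73, 0x07, 0x74, 0x2D, 0x69, 0x70, 0x6E, 0x65, 0x74, 0xC0, 0x23,
    /* answer 2 (offset 87): name -> 12, SRV, IN, TTL 325, rdlength 19 */
    0xC0, 0x0C, 0x00, 0x21, 0x00, 0x01, 0x00, 0x00, 0x01, 0x45, 0x00, 0x13,
    /* RDATA 2 (offset 99): the bytes quoted in the report */
    0x00, 0x14, 0x00, 0x00, 0x13, 0xC4, 0x0A, 0x68, 0x32, 0x2D, 0x65, 0x70, 0x70, 0x2D, 0x38, 0x30,
    0x31, 0xC0, 0x48,
};
#define RDATA1_OFF 55
#define RDATA2_OFF 99
#define SRV_FIXED_LEN 6 /* priority, weight and port precede the target name */

/* Local stand-in for dn_expand(3), assumed to follow its contract: writes the
 * name at src to dst (dstlen >= 1) as dotted text and returns how many bytes
 * the COMPRESSED form occupies at src (through the first pointer), which is
 * not the length of the text written.  Returns -1 on malformed input. */
static int expand_name(const unsigned char *msg, const unsigned char *eom,
                       const unsigned char *src, char *dst, size_t dstlen)
{
    const unsigned char *p = src;
    size_t out = 0;
    int consumed = -1, hops = 0;
    for (;;) {
        if (p >= eom) return -1;
        unsigned len = *p;
        if ((len & 0xC0) == 0xC0) {                  /* compression pointer */
            if (p + 1 >= eom || ++hops > 64) return -1; /* truncated or looping */
            unsigned off = ((len & 0x3F) << 8) | p[1];
            if (off >= (size_t)(eom - msg)) return -1; /* points past the message */
            if (consumed < 0) consumed = (int)(p + 2 - src);
            p = msg + off;
            continue;
        }
        if (len & 0xC0) return -1;                   /* 0x40/0x80 are reserved */
        p++;
        if (len == 0) break;                         /* root label ends the name */
        if (p + len > eom || out + len + 1 >= dstlen) return -1;
        if (out) dst[out++] = '.';
        memcpy(dst + out, p, len);
        out += len;
        p += len;
    }
    dst[out] = '\0';
    return consumed >= 0 ? consumed : (int)(p - src);
}

static int expand_target(size_t rdata_off, char *name, size_t namelen)
{
    if (rdata_off + SRV_FIXED_LEN > sizeof MSG) return -1;
    return expand_name(MSG, MSG + sizeof MSG, MSG + rdata_off + SRV_FIXED_LEN, name, namelen);
}
/* Pre-fix host_size: dn_expand's return value, i.e. the compressed length. */
static int target_compressed_len(size_t off) { char n[256]; return expand_target(off, n, sizeof n); }
/* Fixed host_size: strlen() of the expanded name (-1 if malformed). */
static int target_expanded_len(size_t off)
{ char n[256]; return expand_target(off, n, sizeof n) < 0 ? -1 : (int)strlen(n); }
static int target_name_is(size_t off, const char *expected)
{ char n[256]; return expand_target(off, n, sizeof n) >= 0 && strcmp(n, expected) == 0; }

/* Assumed pre-fix allocation model: host_size + 1 bytes with host_size taken
 * from dn_expand; strcpy() then writes strlen(name) + 1 bytes, so the buffer
 * is short exactly when the compressed form is shorter than the text. */
static int old_sizing_overflows(size_t off)
{
    int compressed = target_compressed_len(off), expanded = target_expanded_len(off);
    return (compressed < 0 || expanded < 0) ? -1 : compressed < expanded;
}

/* A pointer that refers to itself must be rejected, not followed forever. */
static int loop_is_rejected(void)
{
    static const unsigned char loop[] = { 0xC0, 0x00 }; char n[16];
    return expand_name(loop, loop + sizeof loop, loop, n, sizeof n) == -1;
}

int main(void)
{
    size_t offs[2] = { RDATA1_OFF, RDATA2_OFF };
    for (int i = 0; i < 2; i++)
        printf("record %d: dn_expand=%d strlen=%d old sizing %s\n", i + 1, target_compressed_len(offs[i]),
               target_expanded_len(offs[i]), old_sizing_overflows(offs[i]) == 1 ? "overflows" : "fits");
    return 0;
}
```

Built with any C99 compiler, the first record comes out with equal lengths (26 and 26), the second with 13 against 26: that second case is where sizing the host buffer from dn_expand's return value leaves it short of what strcpy writes. The self-referencing pointer case shows the bound that any replacement expander should keep on pointer hops.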
      
      Attachments

        1. patch.diff (0.8 kB) - Jan Hoffmann
        2. patch.diff (0.6 kB) - Jan Hoffmann


          Activity

          Asterisk Team added a comment -

          This issue has been automatically restricted and set to a blocker due to being a security type issue. If this is not a security vulnerability issue it will be moved to the appropriate issue type when triaged.

          Asterisk Team added a comment -

          Thanks for creating a report! The issue has entered the triage process. That means the issue will wait in this status until a Bug Marshal has an opportunity to review the issue. Once the issue has been reviewed you will receive comments regarding the next steps towards resolution.

          A good first step is for you to review the Asterisk Issue Guidelines if you haven't already. The guidelines detail what is expected from an Asterisk issue report.

          Then, if you are submitting a patch, please review the Patch Contribution Process.

          Jan Hoffmann added a comment -

          I just noticed that my original patch is faulty, since host_size is used again later in dns_srv_alloc to explicitly set the terminating null byte. Thus, the domain name is truncated.

          Setting the null byte there does not actually seem necessary to me, as it is already done by strcpy. It also isn't done at the equivalent place in dns_naptr_alloc.

          Jan Hoffmann added a comment -

          Updated patch

          Friendly Automation added a comment -

          Change 10644 merged by George Joseph:
          AST-2018-010: Fix length of buffer needed for SRV and NAPTR results

          https://gerrit.asterisk.org/10644

          Friendly Automation added a comment -

          Change 10641 merged by George Joseph:
          AST-2018-010: Fix length of buffer needed for SRV and NAPTR results

          https://gerrit.asterisk.org/10641

          Friendly Automation added a comment -

          Change 10643 merged by George Joseph:
          AST-2018-010: Fix length of buffer needed for SRV and NAPTR results

          https://gerrit.asterisk.org/10643

          Friendly Automation added a comment -

          Change 10642 merged by George Joseph:
          AST-2018-010: Fix length of buffer needed for SRV and NAPTR results

          https://gerrit.asterisk.org/10642

          Friendly Automation added a comment -

          Change 10645 merged by George Joseph:
          AST-2018-010: Fix length of buffer needed for SRV and NAPTR results

          https://gerrit.asterisk.org/10645

