
Summary: ASTERISK-28127: Buffer overflow for DNS SRV/NAPTR records
Reporter: Jan Hoffmann (janhoffmann)
Labels: patch security
Date Opened: 2018-10-23 16:48:11
Date Closed: 2018-11-14 10:12:37.000-0600
Priority: Blocker
Regression?:
Status: Closed/Complete
Components: Core/DNS
Versions: 16.0.0
Frequency of Occurrence:
Related Issues:
Environment:
Attachments: ( 0) patch.diff
( 1) patch.diff
Description: There is a possible buffer overflow in {{dns_srv_alloc}} and {{dns_naptr_alloc}} when a SRV/NAPTR record contains a compressed domain name. I am using Asterisk 16, but it looks like this issue exists since Asterisk 14.

In both functions, {{dn_expand}} is used to expand a compressed domain name. The return value is used to calculate the size of the buffer for the {{ast_dns_srv_record}} / {{ast_dns_naptr_record}} struct, where the expanded domain name will be stored. However, the return value of {{dn_expand}} is actually the length of the compressed domain name, so this can lead to a buffer overflow.

This can be fixed by using the actual string length of the expanded domain name instead of the return value of {{dn_expand}} to calculate the buffer size.

The specific case where this bug occurred for me is {{_sip._udp.tel.t-online.de}}, which resolves to the following here:

{noformat}
_sip._udp.tel.t-online.de. 325 IN SRV 10 0 5060 do-epp-801.edns.t-ipnet.de.
_sip._udp.tel.t-online.de. 325 IN SRV 20 0 5060 h2-epp-801.edns.t-ipnet.de.
{noformat}

For the first record, the first three labels of the name are encoded directly. Only the last label ({{de}}) is encoded as a reference. In this case, the length of the compressed name happens to be identical to the length of the expanded name at 26 bytes. Contents of the data parameter (domain name starts at 7th byte):
{noformat}
00 0A 00 00 13 C4 0A 64 6F 2D 65 70 70 2D 38 30 31 04 65 64 6E 73 07 74 2D 69 70 6E 65 74 C0 23
{noformat}

For the second record, only the first label ({{h2-epp-801}}) is encoded directly, and the rest is a reference. The expanded name has a length of 26 bytes, while the compressed name is only 13 bytes long. Contents of the data parameter (domain name starts at 7th byte):
{noformat}
00 14 00 00 13 C4 0A 68 32 2D 65 70 70 2D 38 30 31 C0 48
{noformat}
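The following is an added example, not code from the report or from Asterisk. It reproduces the length mismatch described above with a small name decompressor of its own (a stand-in for {{dn_expand}}, returning the same quantity: bytes consumed on the wire) over a constructed DNS response. The message layout is an assumption, but it is arranged so that the report's two RDATA hex dumps fit in unchanged: the question name {{_sip._udp.tel.t-online.de}} at offset 12 puts the label {{de}} at offset 0x23 and the first record's {{edns}} label at 0x48, exactly where the pointers {{C0 23}} and {{C0 48}} point. The {{struct srv_record}} is hypothetical (it only mirrors the idea of fixed fields followed by an inline host string) and the allocator sizes the buffer from the expanded name, as the report proposes. The decoder goes beyond the two records on the page: it follows arbitrary pointer chains, rejects forward pointers and out-of-bounds labels, and reports how many bytes short a compressed-length-sized buffer would be.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed DNS response (assumption, not from the report): 12-byte header,
 * a question for _sip._udp.tel.t-online.de at offset 12, then two SRV answers
 * whose RDATA bytes are the report's two hex dumps verbatim. */
static const uint8_t msg[] = {
    0x12, 0x34, 0x81, 0x80, 0x00, 0x01, 0x00, 0x02, 0x00, 0x00, 0x00, 0x00,
    4, '_', 's', 'i', 'p', 4, '_', 'u', 'd', 'p', 3, 't', 'e', 'l',
    8, 't', '-', 'o', 'n', 'l', 'i', 'n', 'e', 2, 'd', 'e', 0,   /* "de" at 0x23 */
    0x00, 0x21, 0x00, 0x01,                       /* QTYPE SRV, QCLASS IN */
    /* answer 1: name -> 12, SRV, IN, TTL 325, RDLENGTH 32; RDATA at offset 55 */
    0xC0, 0x0C, 0x00, 0x21, 0x00, 0x01, 0x00, 0x00, 0x01, 0x45, 0x00, 0x20,
    0x00, 0x0A, 0x00, 0x00, 0x13, 0xC4,
    0x0A, 'd', 'o', '-', 'e', 'p', 'p', '-', '8', '0', '1',
    0x04, 'e', 'd', 'n', 's',                                     /* "edns" at 0x48 */
    0x07, 't', '-', 'i', 'p', 'n', 'e', 't', 0xC0, 0x23,
    /* answer 2: name -> 12, SRV, IN, TTL 325, RDLENGTH 19; RDATA at offset 99 */
    0xC0, 0x0C, 0x00, 0x21, 0x00, 0x01, 0x00, 0x00, 0x01, 0x45, 0x00, 0x13,
    0x00, 0x14, 0x00, 0x00, 0x13, 0xC4,
    0x0A, 'h', '2', '-', 'e', 'p', 'p', '-', '8', '0', '1', 0xC0, 0x48,
};
#define RDATA1_OFF 55
#define RDATA2_OFF 99

/* Expand the compressed name at m[off] into a dotted NUL-terminated string.
 * Returns the number of bytes the name occupies at off (what dn_expand
 * returns), or -1 on malformed input: forward/looping pointer, reserved
 * label type, label past the end of the message, or output too small. */
static int expand_name(const uint8_t *m, size_t mlen, size_t off,
                       char *out, size_t outsize)
{
    size_t pos = off, outlen = 0;
    int consumed = -1;                  /* fixed when the first pointer is taken */

    for (;;) {
        if (pos >= mlen) return -1;
        uint8_t len = m[pos];
        if ((len & 0xC0) == 0xC0) {     /* 11xxxxxx: 14-bit pointer */
            if (pos + 1 >= mlen) return -1;
            size_t target = ((len & 0x3F) << 8) | m[pos + 1];
            if (consumed < 0) consumed = (int)(pos + 2 - off);
            if (target >= pos) return -1;   /* only backward pointers: no loops */
            pos = target;
            continue;
        }
        if (len & 0xC0) return -1;      /* 01/10 label types are not supported */
        if (len == 0) {
            if (consumed < 0) consumed = (int)(pos + 1 - off);
            break;
        }
        if (pos + 1 + len > mlen) return -1;
        if (outlen + (outlen ? 1 : 0) + len + 1 > outsize) return -1;
        if (outlen) out[outlen++] = '.';
        memcpy(out + outlen, m + pos + 1, len);
        outlen += len;
        pos += 1 + len;
    }
    out[outlen] = '\0';
    return consumed;
}

/* Bytes a buffer sized from the wire length (plus NUL) would lack for the
 * name at off: 0 means the two lengths agree (the report's first record,
 * where the bug stays latent); >0 is the overflow size; -1 is malformed. */
static int undersize_if_wire_len_used(const uint8_t *m, size_t mlen, size_t off)
{
    char host[256];
    int wire = expand_name(m, mlen, off, host, sizeof host);
    if (wire < 0) return -1;
    size_t need = strlen(host) + 1, got = (size_t)wire + 1;
    return need > got ? (int)(need - got) : 0;
}

/* Hypothetical record layout (not Asterisk's): fixed fields, then the host
 * name stored inline, which is why the allocation size matters. */
struct srv_record { uint16_t priority, weight, port; char host[]; };

/* Allocate from the expanded name's length, never from expand_name()'s
 * return value. NULL on malformed RDATA or allocation failure. */
static struct srv_record *srv_alloc(const uint8_t *m, size_t mlen,
                                    size_t rdata_off, size_t rdlen)
{
    char host[256];
    if (rdlen < 7 || rdata_off + rdlen > mlen) return NULL;
    if (expand_name(m, mlen, rdata_off + 6, host, sizeof host) < 0) return NULL;
    struct srv_record *r = malloc(sizeof *r + strlen(host) + 1);
    if (!r) return NULL;
    r->priority = (uint16_t)((m[rdata_off] << 8) | m[rdata_off + 1]);
    r->weight   = (uint16_t)((m[rdata_off + 2] << 8) | m[rdata_off + 3]);
    r->port     = (uint16_t)((m[rdata_off + 4] << 8) | m[rdata_off + 5]);
    strcpy(r->host, host);              /* buffer was sized for exactly this */
    return r;
}

/* Helpers for the demo: name and wire length at a message offset. */
static const char *host_at(size_t off)
{
    static char buf[256];
    return expand_name(msg, sizeof msg, off, buf, sizeof buf) < 0 ? NULL : buf;
}
static int wire_len_at(size_t off)
{
    char buf[256];
    return expand_name(msg, sizeof msg, off, buf, sizeof buf);
}
/* Malformed input constructed here: a pointer to itself must be rejected. */
static int rejects_self_pointer(void)
{
    const uint8_t bad[] = { 0xC0, 0x00 };
    char buf[16];
    return expand_name(bad, sizeof bad, 0, buf, sizeof buf) == -1;
}

int main(void)
{
    const size_t names[] = { RDATA1_OFF + 6, RDATA2_OFF + 6 };
    for (size_t i = 0; i < 2; i++) {
        printf("record %zu: wire=%d expanded=%zu (%s) short by %d\n", i + 1,
               wire_len_at(names[i]), strlen(host_at(names[i])), host_at(names[i]),
               undersize_if_wire_len_used(msg, sizeof msg, names[i]));
    }
    return 0;
}
```

Record 1 reports wire and expanded lengths of 26 and a shortfall of 0; record 2 reports wire 13, expanded 26 and a shortfall of 13, the case the report describes.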
Comments:

By: Asterisk Team (asteriskteam) 2018-10-23 16:48:15.084-0500

This issue has been automatically restricted and set to a blocker due to being a security type issue. If this is not a security vulnerability issue it will be moved to the appropriate issue type when triaged.

By: Asterisk Team (asteriskteam) 2018-10-23 16:48:15.331-0500

Thanks for creating a report! The issue has entered the triage process. That means the issue will wait in this status until a Bug Marshal has an opportunity to review the issue. Once the issue has been reviewed you will receive comments regarding the next steps towards resolution.

A good first step is for you to review the [Asterisk Issue Guidelines|https://wiki.asterisk.org/wiki/display/AST/Asterisk+Issue+Guidelines] if you haven't already. The guidelines detail what is expected from an Asterisk issue report.

Then, if you are submitting a patch, please review the [Patch Contribution Process|https://wiki.asterisk.org/wiki/display/AST/Patch+Contribution+Process].

By: Jan Hoffmann (janhoffmann) 2018-10-27 06:43:18.361-0500

I just noticed that my original patch is faulty, since host_size is used again later in dns_srv_alloc to explicitly set the terminating null byte. Thus, the domain name is truncated.

Setting the null byte there does not actually seem necessary to me, as it is already done by strcpy. It also isn't done at the equivalent place in dns_naptr_alloc.

By: Jan Hoffmann (janhoffmann) 2018-10-27 06:44:12.886-0500

Updated patch

By: Friendly Automation (friendly-automation) 2018-11-14 10:12:38.186-0600

Change 10644 merged by George Joseph:
AST-2018-010: Fix length of buffer needed for SRV and NAPTR results

[https://gerrit.asterisk.org/10644|https://gerrit.asterisk.org/10644]

By: Friendly Automation (friendly-automation) 2018-11-14 10:13:06.106-0600

Change 10641 merged by George Joseph:
AST-2018-010: Fix length of buffer needed for SRV and NAPTR results

[https://gerrit.asterisk.org/10641|https://gerrit.asterisk.org/10641]

By: Friendly Automation (friendly-automation) 2018-11-14 10:13:29.653-0600

Change 10643 merged by George Joseph:
AST-2018-010: Fix length of buffer needed for SRV and NAPTR results

[https://gerrit.asterisk.org/10643|https://gerrit.asterisk.org/10643]

By: Friendly Automation (friendly-automation) 2018-11-14 10:13:58.335-0600

Change 10642 merged by George Joseph:
AST-2018-010: Fix length of buffer needed for SRV and NAPTR results

[https://gerrit.asterisk.org/10642|https://gerrit.asterisk.org/10642]

By: Friendly Automation (friendly-automation) 2018-11-14 10:31:23.624-0600

Change 10645 merged by George Joseph:
AST-2018-010: Fix length of buffer needed for SRV and NAPTR results

[https://gerrit.asterisk.org/10645|https://gerrit.asterisk.org/10645]