dns: parser reads into garbage on misreported packet size

bwillcoxpubfork · bwillcoxpubfork · commit 6af668ffbc91 · 2022-02-24T13:30:06.000-05:00
diff --git a/tests/src/dns_test.cpp b/tests/src/dns_test.cpp
@@ -602,3 +602,76 @@ TEST_F(DNSTest, BadLabelSize) {
         SUCCEED();
     }
 }
+
+TEST_F(DNSTest, BadPacketLength) {
+
+    // valid response packet with RR's in all sections
+    const uint8_t payload[] = {
+        0x74,0xa9,0x85,0x80,0x00,0x01,0x00,0x02,0x00,0x01,0x00,0x04,0x08,0x5f,0x73,0x65,0x72,
+        0x76,0x69,0x63,0x65,0x04,0x5f,0x74,0x63,0x70,0x05,0x77,0x69,0x66,0x69,0x36,0x03,
+        0x6c,0x61,0x6e,0x00,0x00,0x21,0x00,0x01,0xc0,0x0c,0x00,0x21,0x00,0x01,0x00,0x01,
+        0x51,0x80,0x00,0x16,0x00,0x00,0x00,0x03,0x00,0x09,0x04,0x66,0x61,0x73,0x74,0x05,
+        0x77,0x69,0x66,0x69,0x36,0x03,0x6c,0x61,0x6e,0x00,0xc0,0x0c,0x00,0x21,0x00,0x01,
+        0x00,0x01,0x51,0x80,0x00,0x16,0x00,0x00,0x00,0x01,0x00,0x09,0x04,0x73,0x6c,0x6f,
+        0x77,0x05,0x77,0x69,0x66,0x69,0x36,0x03,0x6c,0x61,0x6e,0x00,0xc0,0x62,0x00,0x02,
+        0x00,0x01,0x00,0x01,0x51,0x80,0x00,0x05,0x02,0x70,0x69,0xc0,0x62,0xc0,0x5d,0x00,
+        0x01,0x00,0x01,0x00,0x01,0x51,0x80,0x00,0x04,0x0a,0x18,0x00,0x02,0xc0,0x3b,0x00,
+        0x01,0x00,0x01,0x00,0x01,0x51,0x80,0x00,0x04,0x0a,0x18,0x00,0x02,0xc0,0x79,0x00,
+        0x01,0x00,0x01,0x00,0x01,0x51,0x80,0x00,0x04,0x0a,0x18,0x00,0x02,0x00,0x00,0x29,
+        0x10,0x00,0x00,0x00,0x00,0x00,0x00,0x1c,0x00,0x0a,0x00,0x18,0x86,0x1f,0x14,0x0f,
+        0x41,0xfa,0xf3,0x95,0x48,0x6e,0x79,0x61,0x61,0x78,0x32,0x0f,0x44,0x5d,0x21,0x47,
+        0x85,0x83,0x9a,0x95
+    };
+
+    // packet verifier for all but additional RR's
+    auto verify = [](const DNS& packet) {
+                      EXPECT_EQ(packet.questions_count(), 1);
+                      EXPECT_EQ(packet.answers_count(), 2);
+                      EXPECT_EQ(packet.authority_count(), 1);
+                      EXPECT_EQ(packet.additional_count(), 4);
+                      EXPECT_EQ(packet.queries().size(), 1U);
+                      EXPECT_EQ(packet.answers().size(), 2U);
+                      EXPECT_EQ(packet.authority().size(), 1U);
+                  };
+
+    // case 1; valid packet, correct size, everything ok
+    {
+        // packet parses successfully and expected RR's can be fetched including additional
+        const DNS packet(payload, sizeof(payload));
+
+        // most of the RR's parse ok
+        verify(packet);
+
+        // additional ok too
+        EXPECT_EQ(packet.additional().size(), 4U);
+    }
+
+    // case 2; valid DNS message but misreported packet size; parser heads into uncharted waters
+    {
+        // buffer with space for valid packet plus garbage bytes
+        constexpr size_t bigsz{512};
+        uint8_t big_packet[bigsz];
+
+        // copy valid packet
+        std::copy(payload, 
+                  payload + sizeof(payload), 
+                  big_packet);
+
+        // fill additional bytes with junk 
+        std::fill(big_packet + sizeof(payload), 
+                  big_packet + bigsz, 
+                  0x5A);
+        
+        // initial packet parse ok
+        const DNS packet(big_packet, bigsz);
+
+        // most of the RR's parse ok
+        verify(packet);
+
+        // but the additional section continues to read into the garbage and throws
+        // despite sufficient information to stop
+        EXPECT_THROW(packet.additional().size(), malformed_packet);
+    }
+}
+
+
