Validate high order two bits of first dns label octet (#494)

bwillcox · web-flow · commit f89cc9f076f3 · 2023-01-03T09:10:41.000-08:00
diff --git a/src/dns.cpp b/src/dns.cpp
@@ -86,14 +86,18 @@ void DNS::skip_to_dname_end(InputMemoryStream& stream) const {
             break;
         }
         else {
-            if ((value & 0xc0)) {
-                // This is an offset label, skip the second byte and we're done
+            const uint8_t offset_discriminator = value & 0xc0;
+            if (offset_discriminator == 0xc0) {
+                // This is an offset pointer, skip the second byte and we're done
                 stream.skip(1);
                 break;
             }
-            else {
+            else if (offset_discriminator == 0) {
                 // This is an actual label, skip its contents
                 stream.skip(value);
+            } else {
+                // high order two bits of the first octet of a label must be either 11 or 00
+                throw malformed_packet();
             }
         }
     }
diff --git a/tests/src/dns_test.cpp b/tests/src/dns_test.cpp
@@ -571,6 +571,7 @@ TEST_F(DNSTest, BadLabelSize) {
 
     // add bad length
     const size_t bad_label_len{0x80};
+    const size_t label_offset = payload_sz;
     payload[payload_sz++] = bad_label_len; 
         
     // fill label for incorrect length and terminate
@@ -590,13 +591,18 @@ TEST_F(DNSTest, BadLabelSize) {
               payload + payload_sz);
     payload_sz += sizeof(type_class);
 
-    // SUCCEED moves from dns_decompression_pointer_out_of_bounds to malformed_packet after fix
-    const DNS packet(payload, payload_sz);
-    EXPECT_EQ(packet.questions_count(), 1);
+    // invalid high two bits of label first octest is detected early now
     try {
-        const auto queries{packet.queries()};
+        const DNS packet(payload, payload_sz);
         FAIL();
-    } catch (dns_decompression_pointer_out_of_bounds& oob) {
+    } catch (malformed_packet& mp) {
+        SUCCEED();
+    }
+
+    // check the other invalid value of high two bits in label size
+    payload[label_offset] = 0x10;
+    try {
+        const DNS packet(payload, payload_sz);
         FAIL();
     } catch (malformed_packet& mp) {
         SUCCEED();

Original file line number	Diff line number	Diff line change
`@@ -86,14 +86,18 @@ void DNS::skip_to_dname_end(InputMemoryStream& stream) const {`
`86`	`86`	`break;`
`87`	`87`	`}`
`88`	`88`	`else {`
`89`		`- if ((value & 0xc0)) {`
`90`		`- // This is an offset label, skip the second byte and we're done`
	`89`	`+ const uint8_t offset_discriminator = value & 0xc0;`
	`90`	`+ if (offset_discriminator == 0xc0) {`
	`91`	`+ // This is an offset pointer, skip the second byte and we're done`
`91`	`92`	`stream.skip(1);`
`92`	`93`	`break;`
`93`	`94`	`}`
`94`		`- else {`
	`95`	`+ else if (offset_discriminator == 0) {`
`95`	`96`	`// This is an actual label, skip its contents`
`96`	`97`	`stream.skip(value);`
	`98`	`+ } else {`
	`99`	`+ // high order two bits of the first octet of a label must be either 11 or 00`
	`100`	`+ throw malformed_packet();`
`97`	`101`	`}`
`98`	`102`	`}`
`99`	`103`	`}`