The Tcpdump Group git mirrors - tcpdump/commit
CVE-2017-12995/Check for DNS compression pointers that don't point backwards.
author    Guy Harris <[email protected]>
          Sat, 11 Feb 2017 02:52:17 +0000 (18:52 -0800)
committer Denis Ovsienko <[email protected]>
          Wed, 13 Sep 2017 11:25:44 +0000 (12:25 +0100)
commit    3a76fd7c95fced2c2f8c8148a9055c3a542eff29
tree      462fc3a587a150a93c81bbf47ea65ffb71068e1c
parent    866c60236c41cea1e1654c8a071897292f64be49
CVE-2017-12995/Check for DNS compression pointers that don't point backwards.

This is what BIND 9.11.0-P2 does; it not only detects pointers that
loop, as "point backwards" means "point before anything we've processed
so far, including what we're processing right now", so the pointer can't
point to itself (as that's what we're processing right now).

This fixes an infinite loop discovered by Forcepoint's security
researchers Otto Airamo & Antti Levomäki.

Add a test using the capture file supplied by the reporter(s).

Also, add some infinite-pointer-loop captures.

More checks should be done.  We might, for example, want to make sure
the upper 2 bits of the label length/pointer byte are 00 or 11, and that
if we encounter a pointer and jump backwards to what we think is a label
the label ends before the beginning of the last label we processed, to
make sure the pointer doesn't point backwards into the *middle* of a
label, and also make sure the entire name is <= 255 bytes long.
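The pointer rule described in the commit message, as an added stand-alone example (not tcpdump's print-domain.c code): a DNS name decoder that accepts a compression pointer only when its target is lower than every offset processed so far (the name's own start and any earlier pointer target), so a self-pointer, a forward pointer and a two-pointer loop are all rejected before any looping can happen. It also applies two of the extra checks the message lists as future work: reserved label types (upper bits 01 or 10) are refused and the uncompressed name is limited to 255 wire bytes. It does not check that a pointer lands on a label boundary rather than in the middle of a label. The function names, status codes and the sample message bytes are this example's own constructions; the offsets in the comments refer to that constructed message.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Status codes for the decoder below (this example's own, not tcpdump's). */
enum {
    DNS_OK           =  0,
    DNS_ERR_TRUNC    = -1,  /* ran off the end of the message */
    DNS_ERR_BADLABEL = -2,  /* label type bits are 01 or 10 (reserved) */
    DNS_ERR_BADPTR   = -3,  /* pointer does not point strictly backwards */
    DNS_ERR_TOOLONG  = -4,  /* uncompressed name exceeds 255 wire bytes */
    DNS_ERR_OUT      = -5   /* caller's output buffer is too small */
};

/* Decode the name starting at msg[off] into a dotted string in out.
 * On success *consumed receives how many bytes the name occupies at off
 * (so a caller can step over it); that is 2 once a pointer has been hit.
 * A compression pointer is accepted only if its target is lower than every
 * offset processed so far, the rule this commit adopts from BIND. Because
 * the target strictly decreases on every jump, no loop can form. */
int dns_name_decode(const uint8_t *msg, size_t msglen, size_t off,
                    char *out, size_t outlen, size_t *consumed)
{
    size_t pos = off, min_offset = off, wire_len = 0, outpos = 0, end = 0;
    int jumped = 0;

    if (outlen == 0) return DNS_ERR_OUT;
    for (;;) {
        if (pos >= msglen) return DNS_ERR_TRUNC;
        uint8_t c = msg[pos];
        if ((c & 0xC0) == 0xC0) {                 /* 11xxxxxx: compression pointer */
            if (pos + 2 > msglen) return DNS_ERR_TRUNC;
            size_t target = ((size_t)(c & 0x3F) << 8) | msg[pos + 1];
            if (!jumped) { end = pos + 2; jumped = 1; }
            if (target >= min_offset) return DNS_ERR_BADPTR;  /* self, forward or loop */
            min_offset = target;
            pos = target;
            continue;
        }
        if (c & 0xC0) return DNS_ERR_BADLABEL;    /* 01xxxxxx / 10xxxxxx: reserved */
        size_t len = c;                           /* 00xxxxxx: ordinary label */
        if (pos + 1 + len > msglen) return DNS_ERR_TRUNC;
        wire_len += 1 + len;
        if (wire_len > 255) return DNS_ERR_TOOLONG;
        if (len == 0) {                           /* root label ends the name */
            if (!jumped) end = pos + 1;
            if (outpos == 0) { if (outlen < 2) return DNS_ERR_OUT; out[outpos++] = '.'; }
            out[outpos] = '\0';
            if (consumed) *consumed = end - off;
            return DNS_OK;
        }
        if (outpos + len + 2 > outlen) return DNS_ERR_OUT;   /* label + '.' + NUL */
        if (outpos) out[outpos++] = '.';
        memcpy(out + outpos, msg + pos + 1, len);
        outpos += len;
        pos += 1 + len;
    }
}

/* Constructed sample message: a 12-byte header, one ordinary name, then
 * several names that exercise the pointer rule (offsets in comments). */
static const uint8_t sample_msg[] = {
    0x12, 0x34, 0x81, 0x80, 0, 1, 0, 1, 0, 0, 0, 0,                  /* 0: header */
    3,'w','w','w', 7,'e','x','a','m','p','l','e', 3,'c','o','m', 0,  /* 12: www.example.com */
    0xC0, 12,                                     /* 29: pointer -> 12, valid */
    3,'f','t','p', 0xC0, 16,                      /* 31: "ftp" + pointer -> 16, valid */
    0xC0, 37,                                     /* 37: pointer to itself */
    0xC0, 41,                                     /* 39: forward pointer -> 41 */
    0xC0, 39,                                     /* 41: -> 39, which points back here: loop */
    0x40                                          /* 43: reserved label type 01 */
};

/* Decode the sample name at off; returns the status code. */
int sample_status(size_t off, char *out, size_t outlen, size_t *consumed)
{
    return dns_name_decode(sample_msg, sizeof sample_msg, off, out, outlen, consumed);
}

/* Four 63-byte labels make 256 wire bytes before the root label: must be rejected. */
int long_name_status(void)
{
    uint8_t buf[4 * 64 + 1];
    char out[300];
    for (int i = 0; i < 4; i++) { buf[i * 64] = 63; memset(buf + i * 64 + 1, 'a', 63); }
    buf[256] = 0;
    return dns_name_decode(buf, sizeof buf, 0, out, sizeof out, NULL);
}

int main(void)
{
    static const size_t offs[] = { 12, 29, 31, 37, 39, 41, 43 };
    for (size_t i = 0; i < sizeof offs / sizeof offs[0]; i++) {
        char name[256]; size_t n = 0;
        int rc = sample_status(offs[i], name, sizeof name, &n);
        if (rc == DNS_OK) printf("offset %zu: %s (%zu bytes)\n", offs[i], name, n);
        else printf("offset %zu: rejected, status %d\n", offs[i], rc);
    }
    printf("256-byte name: status %d\n", long_name_status());
    return 0;
}
```

The decisive line is `if (target >= min_offset) return DNS_ERR_BADPTR;`: comparing against the lowest offset seen so far, rather than merely against the pointer's own position, is what rules out the pointer-to-self case and every longer cycle, since a cycle would eventually need a jump that does not decrease the offset.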
print-domain.c
tests/TESTLIST
tests/dns-zlip-1.out [new file with mode: 0644]
tests/dns-zlip-1.pcap [new file with mode: 0644]
tests/dns-zlip-2.out [new file with mode: 0644]
tests/dns-zlip-2.pcap [new file with mode: 0644]
tests/dns-zlip-3.out [new file with mode: 0644]
tests/dns-zlip-3.pcap [new file with mode: 0644]
tests/dns_fwdptr.out [new file with mode: 0644]
tests/dns_fwdptr.pcap [new file with mode: 0644]