robur-coop / udns
[deprecated, development moved to https://github.com/mirage/ocaml-dns] µDNS - an opinionated Domain Name System (DNS) library
License: BSD 2-Clause "Simplified" License
As the primary server seems to handle fuzz testing without any bug, I tried to fuzz the resolver, and managed to crash it (https://pastebin.com/x3UB87Mf for an example). Here is the resolver log :
2018-07-12 14:11:54 +01:00: INF [application] reacting to (from 127.0.0.1:59757) 0001 query operation Notify rcode NoError flags: : example.com A?
2018-07-12 14:11:54 +01:00: ERR [dns_server] ignoring unsolicited request
2018-07-12 14:11:54 +01:00: ERR [application] answer from authoritative is none, shouldn't happen
Fatal error: exception "Assert_failure resolver/uDns_resolver.ml:239:12"
Raised at file "string.ml", line 118, characters 19-34
Called from file "src0/sexp.ml", line 93, characters 13-47
wt269@eagle:/auto/homes/wt269/OCaml/udns/mirage/examples/resolver$
TL;DR : Queries sent with opcode set to Notify are ignored by the primary server that responds with None, to which the resolver raises an error because it doesn't expect a None answer.
For a more detailed debug, which was simpler to find than the other issue :
UDns_resolver.handle which parses correctly the packet
UDns_resolver.handle_primary is then called, which calls itself UDns_server.Primary.handle_frame
None
UDns_resolver.handle_primary, seeing that it is a None packet, calls assert false
try ... with block to catch the error so the resolver crashes.
I took a shortcut here: https://github.com/roburio/udns/blob/master/client/udns_client.ml#L20
Leaving this issue here so we don't forget about it.
EDIT: Also it's off by one (should be 0x10000):
Random.int bound returns a random integer between 0 (inclusive)
and bound (exclusive). bound must be greater than 0 and less than 2^30.
See https://groups.google.com/forum/#!topic/public-dns-discuss/M982l7Lz9uA
$ dig -t TLSA _443._tcp.www.bartschnet.de
; <<>> DiG 9.11.5-P1-2-Debian <<>> -t TLSA _443._tcp.www.bartschnet.de
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 16652
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 3, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;_443._tcp.www.bartschnet.de. IN TLSA
;; ANSWER SECTION:
_443._tcp.www.bartschnet.de. 3599 IN CNAME *._tcp.bartschnet.de.
*._tcp.bartschnet.de. 3599 IN TLSA 1 1 1 23ECDA1BAFF3350ADE5752800A79DAC0D91A121FCE40ED0D997B123D 2863D453
;; AUTHORITY SECTION:
bartschnet.de. 21599 IN NS ns2.core-networks.eu.
bartschnet.de. 21599 IN NS ns3.core-networks.com.
bartschnet.de. 21599 IN NS ns1.core-networks.de.
;; Query time: 191 msec
;; SERVER: 10.137.2.1#53(10.137.2.1)
;; WHEN: Sat Mar 09 19:09:08 CET 2019
;; MSG SIZE rcvd: 225
$ odns.exe tlsa _443._tcp.www.bartschnet.de
odns.exe: [ERROR] Failed to lookup _443._tcp.www.bartschnet.de: err: Error parsing response: bad content *._tcp.bartschnet.de
Is this something we want to handle?
After trying to fuzz the primary server from the example folder with big inputs, I found some packets that could crash main.native. In this example, the culprit is a query of size 3451 that consists of many questions (https://pastebin.com/tnV0JUbR for a hexadecimal and byte representation of that packet) :
2018-07-05 16:21:20 +01:00: INF [tcpip-stack-socket] Manager: connect
2018-07-05 16:21:20 +01:00: INF [tcpip-stack-socket] Manager: configuring
2018-07-05 16:21:20 +01:00: WRN [application] no secondaries keys found (err not found TTL 300 soa SOA foo._key-management foo._key-management 0 16384 2048 1048576 300)
2018-07-05 16:21:20 +01:00: INF [application] loaded zone: mirage. 2560 SOA ns.mirage.hostmaster.mirage. 1 10 5 60 2560
mirage. 2560 NS ns.mirage.
charrua.mirage. 2560 A 10.0.42.3
ns.mirage. 2560 A 10.0.42.2
resolver.mirage. 2560 A 10.0.42.5
router.mirage. 2560 A 10.0.42.1
secondary.mirage. 2560 A 10.0.42.4
www.mirage. 2560 CNAME router.mirage.
2018-07-05 16:21:20 +01:00: INF [dns_mirage_server] DNS server listening on UDP port 53
2018-07-05 16:21:20 +01:00: INF [dns_mirage_server] DNS server listening on TCP port 53
2018-07-05 16:21:26 +01:00: INF [dns_mirage_server] udp frame from 127.0.0.1:33525
2018-07-05 16:21:26 +01:00: ERR [dns_server] 181 questions foo.my.domain A?, foo.my.domain A?,
foo.my.domain A?, foo.my.domain A?, foo.my.domain A?, foo.my.domain A?,
foo.my.domain A?, foo.my.domain A?, foo.my.domain A?, foo.my.domain A?,
foo.my.domain A?, foo.my.domain A?, foo.my.domain A?, foo.my.domain A?,
foo.my.domain A?, foo.my.domain A?, foo.my.domain A?, foo.my.domain A?,
foo.my.domain A?, foo.my.domain A?, foo.my.domain A?, foo.my.domain A?,
foo.my.domain A?, foo.my.domain A?, foo.my.domain A?, foo.my.domain A?,
foo.my.domain A?, foo.my.domain A?, foo.my.domain A?, foo.my.domain A?,
foo.my.domain A?, foo.my.domain A?, foo.my.domain A?, foo.my.domain A?,
foo.my.domain A?, foo.my.domain A?, foo.my.domain A?, foo.my.domain A?,
foo.my.domain A?, foo.my.domain A?, foo.my.domain A?, foo.my.domain A?,
foo.my.domain A?, foo.my.domain A?, foo.my.domain A?, foo.my.domain A?,
foo.my.domain A?, foo.my.domain A?, foo.my.domain A?, foo.my.domain A?,
foo.my.domain A?, foo.my.domain A?, foo.my.domain A?, foo.my.domain A?,
foo.my.domain A?, foo.my.domain A?, foo.my.domain A?, foo.my.domain A?,
foo.my.domain A?, foo.my.domain A?, foo.my.domain A?, foo.my.domain A?,
foo.my.domain A?, foo.my.domain A?, foo.my.domain A?, foo.my.domain A?,
foo.my.domain A?, foo.my.domain A?, foo.my.domain A?, foo.my.domain A?,
foo.my.domain A?, foo.my.domain A?, foo.my.domain A?, foo.my.domain A?,
foo.my.domain A?, foo.my.domain A?, foo.my.domain A?, foo.my.domain A?,
foo.my.domain A?, foo.my.domain A?, foo.my.domain A?, foo.my.domain A?,
foo.my.domain A?, foo.my.domain A?, foo.my.domain A?, foo.my.domain A?,
foo.my.domain A?, foo.my.domain A?, foo.my.domain A?, foo.my.domain A?,
foo.my.domain A?, foo.my.domain A?, foo.my.domain A?, foo.my.domain A?,
foo.my.domain A?, foo.my.domain A?, foo.my.domain A?, foo.my.domain A?,
foo.my.domain A?, foo.my.domain A?, foo.my.domain A?, foo.my.domain A?,
foo.my.domain A?, foo.my.domain A?, foo.my.domain A?, foo.my.domain A?,
foo.my.domain A?, foo.my.domain A?, foo.my.domain A?, foo.my.domain A?,
foo.my.domain A?, foo.my.domain A?, foo.my.domain A?, foo.my.domain A?,
foo.my.domain A?, foo.my.domain A?, foo.my.domain A?, foo.my.domain A?,
foo.my.domain A?, foo.my.domain A?, foo.my.domain A?, foo.my.domain A?,
foo.my.domain A?, foo.my.domain A?, foo.my.domain A?, foo.my.domain A?,
foo.my.domain A?, foo.my.domain A?, foo.my.domain A?, foo.my.domain A?,
foo.my.domain A?, foo.my.domain A?, foo.my.domain A?, foo.my.domain A?,
foo.my.domain A?, foo.my.domain A?, foo.my.domain A?, foo.my.domain A?,
foo.my.domain A?, foo.my.domain A?, foo.my.domain A?, foo.my.domain A?,
foo.my.domain A?, foo.my.domain A?, foo.my.domain A?, foo.my.domain A?,
foo.my.domain A?, foo.my.domain A?, foo.my.domain A?, foo.my.domain A?,
foo.my.domain A?, foo.my.domain A?, foo.my.domain A?, foo.my.domain A?,
foo.my.domain A?, foo.my.domain A?, foo.my.domain A?, foo.my.domain A?,
foo.my.domain A?, foo.my.domain A?, foo.my.domain A?, foo.my.domain A?,
foo.my.domain A?, foo.my.domain A?, foo.my.domain A?, foo.my.domain A?,
foo.my.domain A?, foo.my.domain A?, foo.my.domain A?, foo.my.domain A?,
foo.my.domain A?, foo.my.domain A?, foo.my.domain A?, foo.my.domain A?,
foo.my.domain A?, foo.my.domain A?, foo.my.domain A?, foo.my.domain A?,
foo.my.domain A?, foo.my.domain A?,
foo.my.domain A?, bailing
Fatal error: exception (Invalid_argument
"invalid bounds in Cstruct.BE.set_uint16 [0,450](450) off=449 len=2")
Raised at file "format.ml" (inlined), line 242, characters 35-52
Called from file "format.ml", line 469, characters 8-33
Called from file "format.ml", line 484, characters 6-24
TL;DR : The packet is faulty according to the uDNS primary server handle function because the question section contains more than one question. The server tries to reply with an answer containing the same question section (I think it must be done for security purposes), but it creates a buffer with a shorter length, that's why that error is raised and crashes the application.
Now for a more detailed explanation (took me a really long time to figure out !). If I understood correctly :
ERR [dns_server] partial frame (length 4096)), so the packet goes through
UDns_server.Primary.handle is called at one point
UDns_server.Primary.handle_inner is called, which calls itself UDns_server.handle_frame
UDns_server.handle_query
UDns_server.handle_query checks the question section and sees that there is more than one question, therefore it returns the rcode FormErr to UDns_server.handle_inner
UDns_server.handle_inner, seeing that it got an rcode error, calls UDns_server.err, which calls Dns_packet.error to create a reply with the same content but with the rcode set to FormErr
Dns_packet.error creates a buffer of size Dns_packet.max_reply_udp (= 450 !!) and tries to copy the initial packet into that buffer through Dns_packet.encode_query
Dns_packet.encode_query calls List.fold_left using Dns_packet.encode_question as the folding function, which shifts the offset value in the reply buffer
invalid bounds is raised.
Maybe a solution would be to raise max_udp_size to 4096 ?
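The failure mode described in this report, as an added example that is not udns code: a FormErr reply built in a fixed 450-byte buffer that checks each question against the remaining space before copying it, so an oversized question section cannot raise a bounds exception. It uses the standard library's Bytes instead of Cstruct; the function names and the policy of echoing only the questions that fit are assumptions of this sketch, and the query is constructed from the figures in the log (181 questions for foo.my.domain A).

```ocaml
let max_reply_udp = 450 (* size quoted in the issue; added example, not udns code *)
(* Constructed question "foo.my.domain A IN": 15 name bytes + 4 = 19 bytes. *)
let question = "\003foo\002my\006domain\000\000\001\000\001"
(* Constructed query: 12-byte header with QDCOUNT = n, then n questions. *)
let query ~id n =
  let hdr = Bytes.make 12 '\000' in
  Bytes.set_uint16_be hdr 0 id;
  Bytes.set_uint16_be hdr 4 n;
  Bytes.to_string hdr ^ String.concat "" (List.init n (fun _ -> question))

(* Length of the uncompressed question at [off]; None if it leaves [pkt]. *)
let question_len pkt off =
  let len = String.length pkt in
  let rec name o =
    if o >= len then None
    else match Char.code pkt.[o] with
      | 0 -> Some (o + 1)
      | l when l < 64 -> name (o + 1 + l)
      | _ -> None (* compression pointers are not handled here *)
  in
  match name off with
  | Some e when e + 4 <= len -> Some (e + 4 - off)
  | _ -> None

(* FormErr reply that echoes questions only while they fit in the buffer. *)
let formerr_reply pkt =
  if String.length pkt < 12 then None else begin
    let buf = Bytes.make max_reply_udp '\000' in
    Bytes.blit_string pkt 0 buf 0 2; (* same ID as the query *)
    Bytes.set_uint8 buf 2 (0x80 lor (Char.code pkt.[2] land 0x78)); (* QR, opcode *)
    Bytes.set_uint8 buf 3 1; (* RCODE 1 = FormErr *)
    let qdcount = (Char.code pkt.[4] lsl 8) lor Char.code pkt.[5] in
    let rec copy n src dst =
      if n = qdcount then (n, dst)
      else match question_len pkt src with
        | Some l when dst + l <= max_reply_udp ->
          Bytes.blit_string pkt src buf dst l;
          copy (n + 1) (src + l) (dst + l)
        | _ -> (n, dst) (* stop before the write that would overrun *)
    in
    let echoed, used = copy 0 12 12 in
    Bytes.set_uint16_be buf 4 echoed; (* QDCOUNT matches what was written *)
    Some (Bytes.sub_string buf 0 used, echoed)
  end

let () =
  let q = query ~id:1 181 in
  match formerr_reply q with
  | Some (r, n) -> Printf.printf "query %d B, reply %d B, %d questions\n"
                     (String.length q) (String.length r) n
  | None -> print_endline "dropped: shorter than a DNS header"
```

The constructed query comes out at 12 + 181 × 19 = 3451 bytes, the size given in the report, and the reply stops at the last question that still fits below 450 bytes.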
After this was introduced in 8ad2bcc I'm struggling to pin local development branches.
Here's what I tried:
$ opam pin add -n dns --dev -k git git+https://github.com/roburio/udns.git
# ...
$ opam pin add -n dns-client --dev -k git git+https://github.com/roburio/udns.git
# ...
$ opam install dns
<><> Synchronising pinned packages ><><><><><><><><><><><><><><><><><><><><><><>
[dns.1.1.1] no changes from git+https://github.com/roburio/udns.git
[NOTE] Package dns is already installed (current version is 1.1.1).
$ opam install dns-client.1.1.1
[ERROR] Package dns-client has no version 1.1.1.
$ opam install dns-client
<><> Synchronising pinned packages ><><><><><><><><><><><><><><><><><><><><><><>
[dns-client.~dev] no changes from git+https://github.com/roburio/udns.git
Sorry, no solution found: there seems to be a problem with your request.
No solution found, exiting
My local workaround was:
$ sed -i 's/"dns"/#&/' dns-client.opam
$ opam pin add -n dns-client --dev '.'
$ opam install --working-dir dns-client
Is there a more ergonomic way to work with a development version?
ping @hannesm