Validate high order two bits of first dns label octet (#494)

mfontanini · Jan 3, 2023 · f89cc9f · f89cc9f
1 parent 638bf9b
commit f89cc9f
Show file tree

Hide file tree

Showing 2 changed files with 18 additions and 8 deletions.
diff --git a/src/dns.cpp b/src/dns.cpp
@@ -86,14 +86,18 @@ void DNS::skip_to_dname_end(InputMemoryStream& stream) const {
             break;
         }
         else {
-            if ((value & 0xc0)) {
-                // This is an offset label, skip the second byte and we're done
+            const uint8_t offset_discriminator = value & 0xc0;
+            if (offset_discriminator == 0xc0) {
+                // This is an offset pointer, skip the second byte and we're done
                 stream.skip(1);
                 break;
             }
-            else {
+            else if (offset_discriminator == 0) {
                 // This is an actual label, skip its contents
                 stream.skip(value);
+            } else {
+                // high order two bits of the first octet of a label must be either 11 or 00
+                throw malformed_packet();
             }
         }
     }

diff --git a/tests/src/dns_test.cpp b/tests/src/dns_test.cpp
@@ -571,6 +571,7 @@ TEST_F(DNSTest, BadLabelSize) {
 
     // add bad length
     const size_t bad_label_len{0x80};
+    const size_t label_offset = payload_sz;
     payload[payload_sz++] = bad_label_len; 
 
     // fill label for incorrect length and terminate
@@ -590,13 +591,18 @@ TEST_F(DNSTest, BadLabelSize) {
               payload + payload_sz);
     payload_sz += sizeof(type_class);
 
-    // SUCCEED moves from dns_decompression_pointer_out_of_bounds to malformed_packet after fix
-    const DNS packet(payload, payload_sz);
-    EXPECT_EQ(packet.questions_count(), 1);
+    // invalid high two bits of label first octest is detected early now
     try {
-        const auto queries{packet.queries()};
+        const DNS packet(payload, payload_sz);
         FAIL();
-    } catch (dns_decompression_pointer_out_of_bounds& oob) {
+    } catch (malformed_packet& mp) {
+        SUCCEED();
+    }
+
+    // check the other invalid value of high two bits in label size
+    payload[label_offset] = 0x10;
+    try {
+        const DNS packet(payload, payload_sz);
         FAIL();
     } catch (malformed_packet& mp) {
         SUCCEED();