Closed
Labels
duplicate: Issues and PRs that are duplicates of other issues or PRs.
Description
Version
12.22.5 14.17.5 all X.XX.5
Platform
All Platforms
Subsystem
DNS node module
What steps will reproduce the bug?
Just try to resolve a domain by a pointer that contains the underscore char "_".
How often does it reproduce? Is there a required condition?
Every time.
What is the expected behavior?
Domain should be resolved :)
What do you see instead?
```
errno: 'EBADRESP',
code: 'EBADRESP',
syscall: 'queryPtr',
```
Additional information
So the problem is related directly to the fix for these vulnerabilities: CVE-2021-3672, CVE-2021-22931 - 5f947db68c.
In particular, this new function is problematic:
```c
static int is_hostnamech(int ch)
{
  /* [A-Za-z0-9-.]
   * Don't use isalnum() as it is locale-specific
   */
  if (ch >= 'A' && ch <= 'Z')
    return 1;
  if (ch >= 'a' && ch <= 'z')
    return 1;
  if (ch >= '0' && ch <= '9')
    return 1;
  if (ch == '-' || ch == '.')
    return 1;
  return 0;
}
```
So the allow list doesn't contain the underscore char "_". It's easy to fix that by changing the last "if" to: if (ch == '-' || ch == '.' || ch == '_').
The question is whether this is by design or just an oversight.
It's critical in our business because our domains contain underscores. Are you able to fix that?
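The behaviour reported in this issue, as an added example that is not part of the original post or of the Node.js sources: the quoted allow list is applied byte by byte to constructed PTR target names, next to a variant with the proposed `'_'` addition. The helper `first_rejected`, the name `is_hostnamech_underscore` and the sample host names are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Allow list as quoted in the issue: [A-Za-z0-9-.] */
static int is_hostnamech(int ch)
{
  if (ch >= 'A' && ch <= 'Z') return 1;
  if (ch >= 'a' && ch <= 'z') return 1;
  if (ch >= '0' && ch <= '9') return 1;
  if (ch == '-' || ch == '.') return 1;
  return 0;
}

/* Variant with the change proposed in the issue: '_' is accepted too. */
static int is_hostnamech_underscore(int ch)
{
  return is_hostnamech(ch) || ch == '_';
}

/* Hypothetical helper: index of the first byte the filter rejects,
 * or -1 when every byte of the name is on the allow list. */
static long first_rejected(const char *name, size_t len, int (*allowed)(int))
{
  size_t i;
  for (i = 0; i < len; i++)
    if (!allowed((unsigned char)name[i]))
      return (long)i;
  return -1;
}

int main(void)
{
  /* Constructed sample names, not taken from the issue. */
  const char *names[] = { "mail-1.example.com", "db_primary.example.com",
                          "host name.example.com" };
  size_t i;
  for (i = 0; i < sizeof(names) / sizeof(names[0]); i++) {
    size_t len = strlen(names[i]);
    printf("%-24s strict=%ld with_underscore=%ld\n", names[i],
           first_rejected(names[i], len, is_hostnamech),
           first_rejected(names[i], len, is_hostnamech_underscore));
  }
  return 0;
}
```

A result of -1 means the name passes; any other value is the offset of the byte that would cause the response to be rejected. The widened variant still rejects characters outside the list, such as the space in the third name.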