I've been observing that ods-signerd from OpenDNSSEC 1.4.9 is
prone to occasionally crash. After much back and forth with how
to get a crash dump for the process, I finally have the remains
of a deceased process to dissect, and this one looks like this:
(gdb) where
#0 0x00007f7ff783627a in ldns_rr_get_class () from /usr/pkg/lib/libldns.so.1
#1 0x000000000042bfcf in query_process ()
#2 0x000000000042f182 in sock_handle_udp ()
#3 0x000000000042a51b in netio_dispatch ()
#4 0x000000000040d9d9 in dnshandler_start ()
#5 0x000000000040e1ae in dnshandler_thread_start ()
#6 0x00007f7ff560b3ae in ?? () from /usr/lib/libpthread.so.1
#7 0x00007f7ff6075e90 in ___lwp_park50 () from /usr/lib/libc.so.12
#8 0x00007f7ff3800000 in ?? ()
#9 0x00007f7ff7ff1540 in ?? ()
#10 0x0000000111110001 in ?? ()
#11 0x0000000033330003 in ?? ()
#12 0x0000000000000000 in ?? ()
(gdb) i reg
rax 0x0 0
rbx 0x7f7ff7b42040 140187593351232
rcx 0x0 0
rdx 0x7f7ff3400000 140187518631936
rsi 0x0 0
rdi 0x0 0
rbp 0x7f7ff7b14100 0x7f7ff7b14100
rsp 0x7f7ff37ff998 0x7f7ff37ff998
r8 0x7f7fb9a03060 140186551857248
r9 0x7f7ff7b420c8 140187593351368
r10 0x0 0
r11 0x246 582
r12 0x0 0
r13 0x7f7ff7b42048 140187593351240
r14 0x20109 131337
r15 0x1 1
rip 0x7f7ff783627a 0x7f7ff783627a <ldns_rr_get_class>
eflags 0x10246 [ PF ZF IF RF ]
cs 0x1f 31
ss 0x17 23
ds 0x17 23
es 0x17 23
fs 0x0 0
gs 0x0 0
(gdb) x/i 0x7f7ff783627a
=> 0x7f7ff783627a <ldns_rr_get_class>: mov 0x1c(%rdi),%eax
(gdb) x/3i ldns_rr_get_class
=> 0x7f7ff783627a <ldns_rr_get_class>: mov 0x1c(%rdi),%eax
0x7f7ff783627d <ldns_rr_get_class+3>: retq
0x7f7ff783627e <ldns_rr_list_rr_count>: test %rdi,%rdi
(gdb)
Looking at the source, it seems that this is a packet which
passes the checks in ldns_wire2pkt(), but which has an empty
RRset, so that ldns_rr_list_rr() returns NULL.

In the disassembly of query_process(), the call to
ldns_rr_get_class() occurs before ldns_rr_owner(), explaining why
the former and not the latter crashed in:

    /* we can just lookup the zone, because we will only handle SOA queries,
       zone transfers, updates and notifies */
    q->zone = zonelist_lookup_zone_by_dname(e->zonelist, ldns_rr_owner(rr),
        ldns_rr_get_class(rr));

"DoS with crafted packet"?
Regards,
Håvard
Clones: SUPPORT-193 ods-signerd can (probably) be crashed remotely - Resolved
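The guard the report points toward, as an added example that is not OpenDNSSEC or ldns code: the first RR is checked for NULL before any accessor dereferences it, and the wire header's QDCOUNT can be screened beforehand. The types `rr_t`, `rr_list_t` and `query_state` and the functions `rr_list_rr`, `wire_qdcount` and `lookup_step` are hypothetical stand-ins, and the inputs in `main` are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Stand-in types (hypothetical; not the ldns or OpenDNSSEC definitions). */
typedef struct { const char *owner; uint16_t klass; } rr_t;
typedef struct { rr_t **rrs; size_t count; } rr_list_t;
typedef enum { QUERY_PROCESSED, QUERY_FORMERR } query_state;

/* Mirrors the behaviour the report describes: no RR at index n -> NULL. */
static rr_t *rr_list_rr(const rr_list_t *l, size_t n) {
    return (l != NULL && n < l->count) ? l->rrs[n] : NULL;
}

/* QDCOUNT from a raw DNS header (bytes 4-5, network byte order),
 * or -1 when the buffer is shorter than the 12-byte header. */
static int wire_qdcount(const uint8_t *buf, size_t len) {
    if (buf == NULL || len < 12) return -1;
    return (buf[4] << 8) | buf[5];
}

/* Guarded lookup step: reject the packet before any accessor touches rr. */
static query_state lookup_step(const rr_list_t *question,
                               const char **owner, uint16_t *klass) {
    rr_t *rr = rr_list_rr(question, 0);
    if (rr == NULL)
        return QUERY_FORMERR;   /* empty question section */
    *owner = rr->owner;
    *klass = rr->klass;
    return QUERY_PROCESSED;
}

int main(void) {
    /* Constructed inputs: a header with QDCOUNT = 0 and an empty list. */
    const uint8_t hdr[12] = { 0x12, 0x34, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0 };
    rr_list_t empty = { NULL, 0 };
    rr_t soa = { "example.com.", 1 };   /* class IN */
    rr_t *one[] = { &soa };
    rr_list_t question = { one, 1 };
    const char *owner = NULL;
    uint16_t klass = 0;

    printf("qdcount=%d\n", wire_qdcount(hdr, sizeof hdr));
    printf("empty -> %d\n", lookup_step(&empty, &owner, &klass));
    query_state ok = lookup_step(&question, &owner, &klass);
    printf("one   -> %d (%s)\n", ok, owner);
    return 0;
}
```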