EDNS0: res_nopt truncates buffer size incorrectly
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
GLibC | Fix Released | Low | |
glibc (Ubuntu) | Fix Released | Undecided | Unassigned |
Bug Description
Resolver functions allow buffer sizes > 65535 bytes. If RES_USE_EDNS0 is set, res_nopt() truncates this value to 16 bit, resulting in an incorrect buffer size advertised in EDNS query headers.

portable OpenSSH triggers this behaviour, as described here:
http://marc.info/?l=openssh-unix-dev&m=124625332427704&w=2

openbsd-compat/getrrsetbyname() sets a buffer size of 65536 bytes. In the glibc stub-resolver, it is eventually passed on as "anslen" to __res_nopt() in resolv/res_mkquery.c:
NS_PUT16(anslen & 0xffff, cp); /* CLASS = UDP payload size */
[...]
and sent out to the recursor (UDPsize: 0xf0000 & 0xffff == 0)
| IP 127.0.0.1.44138 > 127.0.0.1.53: 31454+ [1au] SSHFP? orbit.attraktor.org. ar: . OPT UDPsize=0 (48)
| IP 127.0.0.1.53 > 127.0.0.1.44138: 31454 ServFail-| [0q] 0/0/0 (12)

tags: added: patch patch-accepted-upstream
Changed in glibc: status: Unknown → Fix Released
Changed in glibc: importance: Unknown → Low
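
The truncation described in the bug description, as an added example (not glibc or OpenSSH code): it writes the CLASS field of an EDNS0 OPT record using the report's `anslen & 0xffff` mask and, for comparison, a saturating clamp. The clamp and all function names are this example's own assumptions; `effective_udp_size` applies the RFC 6891 rule that a receiver treats sizes below 512 as 512.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define T_OPT 41        /* EDNS0 OPT pseudo-RR type */
#define OPT_RR_LEN 11   /* root name + TYPE + CLASS + TTL + RDLENGTH */

static uint8_t *put16(uint8_t *cp, unsigned v) {
    *cp++ = (uint8_t)(v >> 8);
    *cp++ = (uint8_t)v;
    return cp;
}

/* Masking as in the line quoted in the report: 65536 wraps to 0. */
unsigned advertised_masked(int anslen) { return (unsigned)anslen & 0xffff; }

/* Saturating alternative (assumption of this example): never wraps. */
unsigned advertised_clamped(int anslen) {
    return anslen < 0 ? 0 : anslen > 0xffff ? 0xffff : (unsigned)anslen;
}

/* Write an empty OPT RR; returns bytes written, or 0 if buf is too small. */
size_t build_opt(uint8_t *buf, size_t buflen, unsigned udp_size) {
    uint8_t *cp = buf;
    if (buflen < OPT_RR_LEN) return 0;
    *cp++ = 0;                       /* owner name: root */
    cp = put16(cp, T_OPT);           /* TYPE */
    cp = put16(cp, udp_size);        /* CLASS = UDP payload size */
    cp = put16(put16(cp, 0), 0);     /* TTL: extended RCODE, version, flags */
    cp = put16(cp, 0);               /* RDLENGTH: no options */
    return (size_t)(cp - buf);
}

/* Read the advertised size back out of an OPT RR built above. */
unsigned opt_udp_size(const uint8_t *opt) { return ((unsigned)opt[3] << 8) | opt[4]; }

/* RFC 6891: a receiver treats advertised sizes below 512 as 512. */
unsigned effective_udp_size(unsigned adv) { return adv < 512 ? 512 : adv; }

int main(void) {
    int sizes[] = { 1280, 65535, 65536, 0xf0000 };   /* constructed inputs */
    uint8_t opt[OPT_RR_LEN];
    for (size_t i = 0; i < sizeof sizes / sizeof sizes[0]; i++) {
        build_opt(opt, sizeof opt, advertised_masked(sizes[i]));
        unsigned masked = opt_udp_size(opt);
        build_opt(opt, sizeof opt, advertised_clamped(sizes[i]));
        printf("anslen=%-7d masked=%-5u clamped=%u\n", sizes[i], masked, opt_udp_size(opt));
    }
    return 0;
}
```
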