dnsparser: Harden the DNS parser against malformed records #17077

Open
rgacogne wants to merge 7 commits into PowerDNS:master from rgacogne:ywh-137

@rgacogne
Member

Short description

There is no security issue: we are not reading outside of the packet or bypassing any checks. We might however accept packets that are not valid and that we could discard earlier in the process.

Reported by nrabrenovic aka Salvor Labs - https://salvor.fr in YWH-PGM6095-137, many thanks to them!

Checklist

I have:

  • read the CONTRIBUTING.md document
  • read and accepted the Developer Certificate of Origin document, including the AI Policy, and added a "Signed-off-by" to my commits
  • compiled this code
  • tested this code
  • included documentation (including possible behaviour changes)
  • documented the code
  • added or modified regression test(s)
  • added or modified unit test(s)

There is no security issue: we are not reading outside of the packet
or bypassing any checks. We might however accept packets that are not
valid and that we could discard earlier in the process.

Reported by nrabrenovic in YWH-PGM6095-137.

Signed-off-by: Remi Gacogne <[email protected]>
…tReader and RecordTextWriter

This is needed to deal with a bug (PowerDNS#17000) in the authoritative code that at
some point created non-empty ENT records in our databases.

Signed-off-by: Remi Gacogne <[email protected]>
@coveralls

coveralls commented Mar 31, 2026

Pull Request Test Coverage Report for Build 23799818125

Warning: This coverage report may be inaccurate.

This pull request's base commit is no longer the HEAD commit of its target branch. This means it includes changes from outside the original pull request, including, potentially, unrelated coverage changes.

Details

  • 38 of 44 (86.36%) changed or added relevant lines in 6 files are covered.
  • 73 unchanged lines in 15 files lost coverage.
  • Overall coverage decreased (-0.03%) to 70.945%

| Changes Missing Coverage | Covered Lines | Changed/Added Lines | % |
|---|---|---|---|
| pdns/dnswriter.hh | 1 | 2 | 50.0% |
| pdns/rcpgenerator.hh | 6 | 7 | 85.71% |
| pdns/dnsparser.cc | 20 | 22 | 90.91% |
| pdns/dnsparser.hh | 6 | 8 | 75.0% |

| Files with Coverage Reduction | New Missed Lines | % |
|---|---|---|
| modules/gpgsqlbackend/gpgsqlbackend.cc | 1 | 84.78% |
| pdns/dnsparser.hh | 1 | 78.3% |
| pdns/dnsdistdist/dnsdist-ecs.cc | 2 | 82.2% |
| pdns/dnsparser.cc | 2 | 85.74% |
| pdns/recursordist/rec-eventtrace.hh | 2 | 59.15% |
| pdns/misc.cc | 3 | 62.18% |
| pdns/misc.hh | 3 | 85.55% |
| pdns/dnsdistdist/dnsdist-carbon.cc | 4 | 60.05% |
| pdns/dnsdistdist/dnsdist-tcp.cc | 4 | 74.49% |
| pdns/packethandler.cc | 5 | 69.95% |

| Totals | Coverage Status |
|---|---|
| Change from base Build 23792385361: | -0.03% |
| Covered Lines: | 130969 |
| Relevant Lines: | 168511 |

💛 - Coveralls
