sock_dns: fix out-of-bound errors

[miri64]

Contribution description

Fixes #10739

Testing procedure

I compiled tests/gnrc_sock_dns with the following patch:

diff --git a/tests/gnrc_sock_dns/Makefile b/tests/gnrc_sock_dns/Makefile
index 4ef2c75..0b3824e 100644
--- a/tests/gnrc_sock_dns/Makefile
+++ b/tests/gnrc_sock_dns/Makefile
@@ -11,7 +11,11 @@ USEMODULE += sock_dns
 USEMODULE += gnrc_sock_udp
 USEMODULE += gnrc_ipv6_default
 USEMODULE += gnrc_ipv6_nib_dns
-USEMODULE += gnrc_netdev_default
+USEMODULE += ethos
+
+# ethos baudrate can be configured from make command
+ETHOS_BAUDRATE ?= 115200
+CFLAGS += -DETHOS_BAUDRATE=$(ETHOS_BAUDRATE) -DUSE_ETHOS_FOR_STDIO
 USEMODULE += auto_init_gnrc_netif
 
 USEMODULE += shell_commands
diff --git a/tests/gnrc_sock_dns/main.c b/tests/gnrc_sock_dns/main.c
index 52700fe..b8c2ad5 100644
--- a/tests/gnrc_sock_dns/main.c
+++ b/tests/gnrc_sock_dns/main.c
@@ -40,7 +40,7 @@ int main(void)
     uint8_t addr[16] = {0};
 
     puts("waiting for router advertisement...");
-    xtimer_usleep(1U*1000000);
+    xtimer_usleep(5U*1000000);
 
     /* print network addresses */
     puts("Configured network interfaces:");

flashed a samr21-xpro (alternatively pba-d-01-kw2x as described in #10739 is also possible), and connected an ethos terminal to the node

sudo ./dist/tools/ethos/start_network.sh /dev/ttyACM0 tap0 affe:abe::/48

I reset the node to get its link-local address for later.

Then I started a RADVD with the following config:

interface tap0 {
        AdvSendAdvert on;
        MinRtrAdvInterval 3;
        MaxRtrAdvInterval 10;
        prefix affe:abe::/64 {
                AdvOnLink off;
                AdvAutonomous on;
                AdvRouterAddr on;
        };
        RDNSS <a global address on your host> {
            AdvRDNSSLifetime 60;
        };
};

and reconfigured the correct route to the host (the preconfigured route by start_network.sh does not work, since uhcpc is not available on the node):

sudo ip route del affe:abe::/64
sudo ip route add affe:abe::/64 via "<link-local address of node>" dev tap0

Then I start the exploit script described in #10739 (or provided by https://github.com/beduino-project/exploit-riot-dns) and reset the node again to start the test. Without this PR the node will crash (note that the exploit described in #10739 does not work but only crashes the node since due to the usage of ethos the binary is different), withit it will just report error resolving example.org.

I also tested expected operation as described in the application's README.

Issues/PRs references

Fixes #10739.

[miri64]

Fixed some typos and unrelated changes that snuck in. Should be good for review now.

[kaspar030]

How I sometimes wish C had exceptions.

[miri64]

How I sometimes wish C had exceptions.

Those don't make your life any better and bloat the code (even Rust does something else)

[maribu]

My comments in the code are not relevant to this PR. (They are minor enough that they could be addressed in this PR easily as well, but with the urgency of this PR it might be better to make a new PR for that. I could also propose such a PR, if you want.)

So back to this PR: I do approve with the code, but I cannot test as I'm missing the hardware.

[miri64]

Addressed newest comments

[miri64]

Though this dependency is also pulled in by sock_util, I think it is cleaner to add this dependency due to https://github.com/RIOT-OS/RIOT/pull/10740/files#diff-0f2b4bcad3760716a76eab7708ea0e28R18 (it just adds the posix include path).

[miri64]

@kaspar030 backport to 2018.10?

[kaspar030]

@kaspar030 backport to 2018.10?

Yeah, I seem to remember that we intent to provide security fixes for the current release?

[pyropeter]

This is always true. Should be &&.

[miri64]

Nope, see newest version ;-)

[pyropeter]

I see, that is even better.

[miri64]

Ah wait, that doesn't work with AF_UNSPEC..

[kaspar030]

The comparison needs to be the other way around.

[miri64]

Need to go to bed -.-... Fixed.

[kaspar030]

Suggested change

	if (addrlen < len) {
	if (addrlen > len) {

[kaspar030]

I think this can be squashed?

[miri64]

Squashed on top of original merge base.

[miri64]

Fixed and squashed whitespace error reported by Murdock

[miri64]

(here is the diff https://github.com/RIOT-OS/RIOT/compare/b1de000aef472e9508c0dd6b7a00ec9cd4124a34..1a61b8aadf18d437bb85660506aeb104313e79d0)

[miri64]

@riot-ci is happy. @nmeum @pyropeter @kaspar030 @maribu are you?

[maribu]

ACK from my side :-)

[maribu]

Sorry, one thing just found :-/

[kaspar030]

I just tried the test on native, it returns "error resolving example.org".

dnsmasq seems to have gotten the request:

[kaspar@ng riot (minimize)]$ sudo dnsmasq -d -2 -z -i riot0 -q --no-resolv \                                                                 
>         --dhcp-range=::1,constructor:riot0,ra-only \
>         --listen-address 2001:db8::1 \
>         --host-record=example.org,10.0.0.1,2001:db8::1
dnsmasq: started, version 2.80 cachesize 150
dnsmasq: compile time options: IPv6 GNU-getopt DBus i18n IDN2 DHCP DHCPv6 no-Lua TFTP conntrack ipset auth DNSSEC loop-detect inotify dumpfile
dnsmasq: warning: no upstream servers configured
dnsmasq-dhcp: router advertisement on riot0
dnsmasq-dhcp: router advertisement on 2001:db8::, constructed for riot0                                                                      
dnsmasq-dhcp: RTR-ADVERT(riot0) 2001:db8::
dnsmasq: read /etc/hosts - 0 addresses
dnsmasq-dhcp: RTR-SOLICIT(riot0)
dnsmasq-dhcp: RTR-ADVERT(riot0) 2001:db8::
dnsmasq: config example.org is 2001:db8::1
dnsmasq: config example.org is 10.0.0.1
dnsmasq: config example.org is 2001:db8::1
dnsmasq: config example.org is 10.0.0.1

[kaspar030]

dns.c line 124 returns -EMULTIHOP

[kaspar030]

dns.c line 124 returns -EMULTIHOP

sorry, -EBADMSG

[kaspar030]

this got dropped

[miri64]

Nope, it got moved to line 158. However, I found the bug (the return in l 101 is wrong as it does not return the length of the hostname, but the offset of the end of the hostname).

…

[miri64]

I just tried the test on native, it returns "error resolving example.org".

Please try again with 4c507e9

[kaspar030]

Please try again with 4c507e9

works now. pls squash!

[miri64]

Squashed. Diff of force push should show no difference ;)

[kaspar030]

ACK.

[kaspar030]

Thanks everyone involved, and thanks @miri64 for dealing with the mess I created!

Lessons I learned:

• sure it's fun to quickly hack together something like a DNS client. But just because it is working doesn't mean that it is safe. always double check when sharing it .
• RIOT's review process needs a security tag. The buffer overflows in this code were so obvious...
• even community members don't know about security@riot-os.org. Maybe we should add a big(er) note in the issue template?

[miri64]

Thanks everyone involved, and thanks @miri64 for dealing with the mess I created!

Welp, I merged the mess IIRC, so I was as obligated as you ;-).

[miri64]

• sure it's fun to quickly hack together something like a DNS client. But just because it is working doesn't mean that it is safe. always double check when sharing it .

Failure tests, failure tests, failure tests. If I find some time tomorrow I will provide a PR for that (in a similar way as #10382 and #10392) before I tackle @maribu's suggestions in #10740 (review).

[miri64]

Backport provided in #10757

[miri64]

(forgot about that)