about summary refs log tree commit diff
diff options
context:
space:
mode:
authorRich Felker <dalias@aerifal.cx>2022-09-25 22:48:12 -0400
committerRich Felker <dalias@aerifal.cx>2022-10-19 14:01:31 -0400
commitdec8f0a4fa7aa533c843e6eaec862be674ff3a1a (patch)
treed09af6325d48afde054df2b5783263df15d6346f
parent8c408937da4cb7f6460972a0f645694304de3c8c (diff)
downloadmusl-dec8f0a4fa7aa533c843e6eaec862be674ff3a1a.tar.gz
musl-dec8f0a4fa7aa533c843e6eaec862be674ff3a1a.tar.xz
musl-dec8f0a4fa7aa533c843e6eaec862be674ff3a1a.zip
dns query core: detect udp truncation at recv time
we already attempt to preclude this case by having res_send use a
sufficiently large temporary buffer even if the caller did not provide
one as large as or larger than the udp dns max of 512 bytes. however,
it's possible that the caller passed a custom-crafted query packet
using EDNS0, e.g. to get detailed DNSSEC results, with a larger udp
size allowance.

I have also seen claims that there are some broken nameservers in the
wild that do not honor the dns udp limit of 512 and send large answers
without the TC bit set, when the query was not using EDNS.

we generally don't aim to support broken nameservers, but in this case
both problems, if the latter is even real, have a common solution:
using recvmsg instead of recvfrom so we can examine the MSG_TRUNC
flag.
-rw-r--r--src/network/res_msend.c17
1 files changed, 13 insertions, 4 deletions
diff --git a/src/network/res_msend.c b/src/network/res_msend.c
index 1e76886a..11c6aa0e 100644
--- a/src/network/res_msend.c
+++ b/src/network/res_msend.c
@@ -194,9 +194,18 @@ int __res_msend_rc(int nqueries, const unsigned char *const *queries,
 		/* Wait for a response, or until time to retry */
 		if (poll(pfd, nqueries+1, t1+retry_interval-t2) <= 0) continue;
 
-		while (next < nqueries &&
-		  (rlen = recvfrom(fd, answers[next], asize, 0,
-		  (void *)&sa, (socklen_t[1]){sl})) >= 0) {
+		while (next < nqueries) {
+			struct msghdr mh = {
+				.msg_name = (void *)&sa,
+				.msg_namelen = sl,
+				.msg_iovlen = 1,
+				.msg_iov = (struct iovec []){
+					{ .iov_base = (void *)answers[next],
+					  .iov_len = asize }
+				}
+			};
+			rlen = recvmsg(fd, &mh, 0);
+			if (rlen < 0) break;
 
 			/* Ignore non-identifiable packets */
 			if (rlen < 4) continue;
@@ -240,7 +249,7 @@ int __res_msend_rc(int nqueries, const unsigned char *const *queries,
 			if (next == nqueries) pfd[nqueries].events = 0;
 
 			/* If answer is truncated (TC bit), fallback to TCP */
-			if (answers[i][2] & 2) {
+			if ((answers[i][2] & 2) || (mh.msg_flags & MSG_TRUNC)) {
 				alens[i] = -1;
 				pthread_setcancelstate(PTHREAD_CANCEL_DISABLE, 0);
 				r = start_tcp(pfd+i, family, ns+j, sl, queries[i], qlens[i]);