dns/probe: adds check for 0 records and big size

Ticket: 7279 Make dns probing function stricter to avoid matching on non-DNS on port 53 and later returning a app-layer error.
5 months ago · 9b40446bea
parent 2c0d3b83c4
commit 9b40446bea
1 changed files with 11 additions and 6 deletions
--- a/rust/src/dns/dns.rs
+++ b/rust/src/dns/dns.rs
@ -770,19 +770,24 @@ impl DNSState {
 const DNS_HEADER_SIZE: usize = 12;

 fn probe_header_validity(header: &DNSHeader, rlen: usize) -> (bool, bool, bool) {
-    let min_msg_size = 2
-        * (header.additional_rr as usize
-            + header.answer_rr as usize
-            + header.authority_rr as usize
-            + header.questions as usize)
-        + DNS_HEADER_SIZE;
+    let nb_records = header.additional_rr as usize
+        + header.answer_rr as usize
+        + header.authority_rr as usize
+        + header.questions as usize;

+    let min_msg_size = 2 * nb_records;
    if min_msg_size > rlen {
        // Not enough data for records defined in the header, or
        // impossibly large.
        return (false, false, false);
    }

+    if nb_records == 0 && rlen > DNS_HEADER_SIZE {
+        // zero fields, data size should be just DNS_HEADER_SIZE
+        // happens when DNS server returns format error
+        return (false, false, false);
+    }
+
    let is_request = header.flags & 0x8000 == 0;
    return (true, is_request, false);
 }