From 9b40446bea4cf74faaa159fddf0b8502f11619c1 Mon Sep 17 00:00:00 2001
From: Philippe Antoine
Date: Wed, 2 Oct 2024 14:30:15 +0200
Subject: [PATCH] dns/probe: adds check for 0 records and big size
Ticket: 7279
Make dns probing function stricter to avoid matching on non-DNS on port 53 and later returning a app-layer error.
---
 rust/src/dns/dns.rs | 17 +++++++++++------
 1 file changed, 11 insertions(+), 6 deletions(-)
diff --git a/rust/src/dns/dns.rs b/rust/src/dns/dns.rs
index ce67e577df..11ebfb1a4c 100644
--- a/rust/src/dns/dns.rs
+++ b/rust/src/dns/dns.rs
@@ -770,19 +770,24 @@ impl DNSState {
 const DNS_HEADER_SIZE: usize = 12;
 fn probe_header_validity(header: &DNSHeader, rlen: usize) -> (bool, bool, bool) {
-    let min_msg_size = 2
-        * (header.additional_rr as usize
-            + header.answer_rr as usize
-            + header.authority_rr as usize
-            + header.questions as usize)
-        + DNS_HEADER_SIZE;
+    let nb_records = header.additional_rr as usize
+        + header.answer_rr as usize
+        + header.authority_rr as usize
+        + header.questions as usize;
+    let min_msg_size = 2 * nb_records;
     if min_msg_size > rlen {
         // Not enough data for records defined in the header, or
         // impossibly large.
         return (false, false, false);
     }
+    if nb_records == 0 && rlen > DNS_HEADER_SIZE {
+        // zero fields, data size should be just DNS_HEADER_SIZE
+        // happens when DNS server returns format error
+        return (false, false, false);
+    }
     let is_request = header.flags & 0x8000 == 0;
     return (true, is_request, false);
 }
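Review bot: The rewritten `min_msg_size` drops the `+ DNS_HEADER_SIZE` term that the removed expression carried, so the first check now only requires `rlen >= 2 * nb_records` instead of `rlen >= 12 + 2 * nb_records`; assuming `rlen` counts the header bytes (which the old `+ DNS_HEADER_SIZE` implied), that makes the size check looser than before, the opposite of the "stricter" intent in the commit message. A payload of, say, 13 bytes with five records in the header was rejected by the old code (22 > 13) and is accepted by the new one (10 > 13 is false). Restoring the header term keeps the old bound and the "impossibly large" comment accurate: `let min_msg_size = 2 * nb_records + DNS_HEADER_SIZE;`. The new `nb_records == 0 && rlen > DNS_HEADER_SIZE` branch is unaffected, but a comment there stating that a well-formed message with no records is exactly the 12-byte header, so any trailing bytes mean this is not DNS (or is a format-error reply), would read more clearly than the current two lines.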