1. 14
  1. 5

    My favourite slapstick bug in DNS software is due to DNS name compression. If the programmer is not careful enough, their DNS message parsing code can get into an infinite loop when trying to decode a compressed name.

    I worked at a company where our product had this exact bug. When it hit in the field, it started blocking network traffic and we had a fun time. All hands on deck. I don’t remember who ultimately found the issue (it was a team effort) but it was exciting in retrospect. At the time it was terrifying.

    1. 1

      I know of two solutions to this:

      1. Assume that a label pointer can only point to a place prior to the current parsing location; an infinite loop can only happen if the label pointer is pointing to the current location or forward in the packet, or
      2. keep a count of pointer traversals and bail if you hit some limit.

      When I wrote my own DNS parser, I did the second method. The first one didn’t even occur to me.

      1. 1

        I very nearly hit that bug when writing my own DNS server, but a more careful reading of RFC 1035 ruled that problem out:

        In order to reduce the size of messages, the domain system utilizes a compression scheme which eliminates the repetition of domain names in a message. In this scheme, an entire domain name or a list of labels at the end of a domain name is replaced with a pointer to a prior occurrence of the same name.

        So I added a check that the pointer refers to somewhere before the start of the currently-being-parsed domain name.

        1. 1

          This is not enough, because labels can contain arbitrary bytes and the pointer can also point to a prior rdata. This allows one to build a loop even when the pointer refers to somewhere before the currently parsed name.
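As an added example (not code from any of the commenters), here is a name decoder that applies both defenses from the thread: the "must point backward" check is enforced per pointer against the pointer's own position rather than against the start of the current name, which is what defeats the prior-rdata trick in the last comment, and a hop counter is kept as an independent backstop. The messages and helper names are constructed for this illustration.

```python
MAX_NAME_LEN = 255

def read_name(msg: bytes, offset: int, strict_backward: bool = True,
              max_hops: int = 16) -> tuple[str, int]:
    """Decode the name at `offset`; return (name, offset after the name)."""
    labels, hops, total, pos, end = [], 0, 0, offset, None
    while True:
        if pos >= len(msg):
            raise ValueError("name runs off the end of the message")
        length = msg[pos]
        if length & 0xC0 == 0xC0:              # 11xxxxxx: 14-bit pointer
            if pos + 1 >= len(msg):
                raise ValueError("truncated pointer")
            target = ((length & 0x3F) << 8) | msg[pos + 1]
            if end is None:                    # resume after the first pointer
                end = pos + 2
            # Defense 1 (thread's option 1, applied per pointer, not per name):
            # every pointer must refer strictly before its own position, so the
            # offset shrinks on each hop and the walk cannot cycle.
            if strict_backward and target >= pos:
                raise ValueError(f"pointer at {pos} does not point backward")
            hops += 1                          # Defense 2 (thread's option 2)
            if hops > max_hops:
                raise ValueError("too many compression pointers")
            pos = target
            continue
        if length & 0xC0:
            raise ValueError("reserved label type")
        if length == 0:                        # root label terminates the name
            return ".".join(labels) + ".", end if end is not None else pos + 1
        total += length + 1
        if total > MAX_NAME_LEN or pos + 1 + length > len(msg):
            raise ValueError("label exceeds name or message bounds")
        labels.append(msg[pos + 1:pos + 1 + length].decode("ascii"))
        pos += 1 + length

def decodes(msg: bytes, offset: int, **kw) -> bool:
    """True if read_name accepts the name at offset, False if it rejects it."""
    try:
        read_name(msg, offset, **kw)
        return True
    except ValueError:
        return False

# Constructed test messages (name regions only; offsets are absolute).
GOOD = b"\x07example\x03com\x00" + b"\x03www\xc0\x00"   # "www" + ptr to 0
SELF_LOOP = b"\xc0\x00"                                   # ptr at 0 -> 0
# The prior-rdata case from the last comment: the name at offset 2 points
# back to offset 0 (so it passes a "before the current name" check), but the
# bytes there, never validated as a name, are a pointer forward to offset 2.
RDATA_LOOP = b"\xc0\x02\xc0\x00"
```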