fix: guard QueryCert against panic on short/empty QNAME (#1635)
* fix: guard QueryCert against panic on short/empty QNAME QueryCert slices data[:len(data)-1] to strip a trailing dot, which panics when data is empty (slice bounds [:-1]). Add a length check to return early for inputs shorter than a minimal valid "x." form. While miekg/dns currently rejects wire-format packets that would produce an empty QNAME, the Nebula code should not rely on library behavior for crash safety. Made-with: Cursor * fix merge conflicts --------- Co-authored-by: JackDoan <me@jackdoan.com>
This commit is contained in:
parent
e753e6e93c
commit
2a1cc62001
2 changed files with 29 additions and 0 deletions
@ -241,6 +241,9 @@ func (d *dnsServer) Query(q uint16, data string) (netip.Addr, bool) {
|
|||
}
|
||||
|
||||
func (d *dnsServer) QueryCert(data string) string {
|
||||
if len(data) < 2 {
|
||||
return ""
|
||||
}
|
||||
ip, err := netip.ParseAddr(data[:len(data)-1])
|
||||
if err != nil {
|
||||
return ""
|
||||
|
|
|
|||
|
|
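Review bot: The new `if len(data) < 2` guard stops the empty-string panic, but the slice on the next line still assumes the last byte is a dot without checking it, and the constant 2 is unexplained in the code (the "x." rationale lives only in the commit message). Making the assumption explicit keeps the early return and also rejects non-FQDN input instead of silently dropping its last character: `if len(data) < 2 || data[len(data)-1] != '.' { return "" }`, preceded by `// data is an FQDN from the DNS handler; "x." is the shortest form that leaves a non-empty name to parse`. If any caller can pass a name without a trailing dot, the extra condition changes what that caller gets back, so that would need confirming. QueryCert's body continues past the end of this hunk.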
@ -16,6 +16,19 @@ import (
|
|||
"github.com/stretchr/testify/require"
|
||||
)
|
||||
|
||||
type stubDNSWriter struct{}
|
||||
|
||||
func (stubDNSWriter) LocalAddr() net.Addr { return &net.UDPAddr{} }
|
||||
func (stubDNSWriter) RemoteAddr() net.Addr {
|
||||
return &net.UDPAddr{IP: net.ParseIP("127.0.0.1"), Port: 5353}
|
||||
}
|
||||
func (stubDNSWriter) Write([]byte) (int, error) { return 0, nil }
|
||||
func (stubDNSWriter) WriteMsg(*dns.Msg) error { return nil }
|
||||
func (stubDNSWriter) Close() error { return nil }
|
||||
func (stubDNSWriter) TsigStatus() error { return nil }
|
||||
func (stubDNSWriter) TsigTimersOnly(bool) {}
|
||||
func (stubDNSWriter) Hijack() {}
|
||||
|
||||
func TestParsequery(t *testing.T) {
|
||||
l := logrus.New()
|
||||
hostMap := &HostMap{}
|
||||
|
|
@ -70,6 +83,19 @@ func TestParsequery(t *testing.T) {
|
|||
ds.parseQuery(m, nil)
|
||||
assert.Empty(t, m.Answer)
|
||||
assert.Equal(t, dns.RcodeNameError, m.Rcode)
|
||||
|
||||
// short lookups should not fail
|
||||
m = &dns.Msg{}
|
||||
m.Question = []dns.Question{{Name: "", Qtype: dns.TypeTXT, Qclass: dns.ClassINET}}
|
||||
ds.parseQuery(m, stubDNSWriter{})
|
||||
assert.Empty(t, m.Answer)
|
||||
assert.Equal(t, dns.RcodeNameError, m.Rcode)
|
||||
|
||||
m = &dns.Msg{}
|
||||
m.Question = []dns.Question{{Name: ".", Qtype: dns.TypeTXT, Qclass: dns.ClassINET}}
|
||||
ds.parseQuery(m, stubDNSWriter{})
|
||||
assert.Empty(t, m.Answer)
|
||||
assert.Equal(t, dns.RcodeNameError, m.Rcode)
|
||||
}
|
||||
|
||||
func Test_getDnsServerAddr(t *testing.T) {
|
||||
|
|
|
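Review bot: The two new cases in TestParsequery drive `""` and `"."` through parseQuery, but nothing in the test calls QueryCert directly, so the `data[:len(data)-1]` panic the commit fixes is only exercised if parseQuery forwards those names to QueryCert for a TXT question — which is exactly the library-dependent path the description says Nebula should not rely on. Pinning the function boundary would make the regression test independent of that routing: `assert.Empty(t, ds.QueryCert(""))`, `assert.Empty(t, ds.QueryCert("."))`, `assert.Empty(t, ds.QueryCert("x."))`. The earlier call at `ds.parseQuery(m, nil)` passes a nil writer while the new cases pass `stubDNSWriter{}`; if the stub is needed because the TXT path reads `RemoteAddr()`, a one-line comment on the stub type saying so would save the next reader from guessing. TestParsequery starts outside the second hunk.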