pidgin3: comparison src/protocols/rendezvous/mdns.c

-:a0c7f0bfedfa
+:d49af923e2ce
 * draft-cheshire-dnsext-multicastdns.txt, and buy
 * me a doughnut.  thx k bye.
 */
 /*
-* XXX - THIS DOESN'T DO BOUNDS CHECKING!!!  DON'T USE IT ON AN UNTRUSTED
+* XXX - This entire file could use another pair of eyes to audit for
-* NETWORK UNTIL IT DOES!!!  THERE ARE POSSIBLE REMOTE ACCESS VIA BUFFER
+* any possible buffer overflow exploits.
-* OVERFLOW SECURITY HOLES!!!
 */
 #include "internal.h"
 #include "debug.h"
 #include "mdns.h"
 #include "util.h"
+/******************************************/
+/* Functions for freeing a DNS structure  */
+/******************************************/
+/**
+* Free the rdata associated with a given resource record.
+*/
+static void
+mdns_free_rr_rdata(unsigned short type, void *rdata)
+{
+	if (rdata == NULL)
+		return;
+	switch (type) {
+			case RENDEZVOUS_RRTYPE_NULL:
+			case RENDEZVOUS_RRTYPE_PTR:
+				g_free(rdata);
+			break;
+			case RENDEZVOUS_RRTYPE_TXT:
+				g_hash_table_destroy(rdata);
+			break;
+			case RENDEZVOUS_RRTYPE_SRV:
+				g_free(((ResourceRecordRDataSRV *)rdata)->target);
+				g_free(rdata);
+			break;
+	}
+}
+/**
+* Free a given question
+*/
+static void
+mdns_free_q(Question *q)
+{
+	g_free(q->name);
+}
+/**
+* Free a given resource record.
+*/
+static void
+mdns_free_rr(ResourceRecord *rr)
+{
+	g_free(rr->name);
+	mdns_free_rr_rdata(rr->type, rr->rdata);
+}
+void
+mdns_free(DNSPacket *dns)
+{
+	int i;
+	for (i = 0; i < dns->header.numquestions; i++)
+		mdns_free_q(&dns->questions[i]);
+	for (i = 0; i < dns->header.numanswers; i++)
+		mdns_free_rr(&dns->answers[i]);
+	for (i = 0; i < dns->header.numauthority; i++)
+		mdns_free_rr(&dns->authority[i]);
+	for (i = 0; i < dns->header.numadditional; i++)
+		mdns_free_rr(&dns->additional[i]);
+	g_free(dns->questions);
+	g_free(dns->answers);
+	g_free(dns->authority);
+	g_free(dns->additional);
+	g_free(dns);
+}
 /******************************************/
 /* Functions for connection establishment */
 /******************************************/
 	}
 	return fd;
 }
+/**
+* Multicast raw data over a file descriptor.
+*
+* @param fd A file descriptor that is a socket bound to a UDP port.
+* @param datalen The length of the data you wish to send.
+* @param data The data you wish to send.
+* @return 0 on success, otherwise return -1.
+*/
 static int
 mdns_send_raw(int fd, unsigned int datalen, unsigned char *data)
 {
 	struct sockaddr_in addr;
 	int n;
 }
 static int
 mdns_getlength_RR(ResourceRecord *rr)
 {
-	rr->rdlength = mdns_getlength_RR_rdata(rr->type, rr->rdata);
 	return mdns_getlength_name(rr->name) + 10 + rr->rdlength;
 }
 static int
 mdns_put_name(char *data, unsigned int datalen, unsigned int offset, const char *name)
 	i += util_put16(&data[offset + i], rr->class);
 	i += util_put32(&data[offset + i], rr->ttl);
 	i += util_put16(&data[offset + i], rr->rdlength);
 	switch (rr->type) {
+		case RENDEZVOUS_RRTYPE_NULL:
+			memcpy(&data[offset + i], rr->rdata, rr->rdlength);
+			i += rr->rdlength;
+		break;
 		case RENDEZVOUS_RRTYPE_PTR:
 			i += mdns_put_name(data, datalen, offset + i, (const char *)rr->rdata);
 		break;
 		case RENDEZVOUS_RRTYPE_TXT: {
 	return ret;
 }
 int
-mdns_query(int fd, const char *domain)
+mdns_query(int fd, const char *domain, unsigned short type)
 {
 	int ret;
 	DNSPacket *dns;
 	if (strlen(domain) > 255) {
 	dns->header.numauthority = 0x0000;
 	dns->header.numadditional = 0x0000;
 	dns->questions = (Question *)g_malloc(1 * sizeof(Question));
 	dns->questions[0].name = g_strdup(domain);
-	dns->questions[0].type = RENDEZVOUS_RRTYPE_PTR;
+	dns->questions[0].type = type;
-	dns->questions[0].class = 0x8001;
+	dns->questions[0].class = 0x0001;
 	dns->answers = NULL;
 	dns->authority = NULL;
 	dns->additional = NULL;
 	return ret;
 }
 int
-mdns_advertise_ptr(int fd, const char *name, const char *domain)
+mdns_advertise_null(int fd, const char *name, const char *rdata, unsigned short rdlength)
 {
 	int ret;
 	DNSPacket *dns;
-	if ((strlen(name) > 255) || (strlen(domain) > 255)) {
+	if ((strlen(name) > 255)) {
 		return -EINVAL;
 	}
 	dns = (DNSPacket *)g_malloc(sizeof(DNSPacket));
 	dns->header.id = 0x0000;
 	dns->header.numadditional = 0x0000;
 	dns->questions = NULL;
 	dns->answers = (ResourceRecord *)g_malloc(1 * sizeof(ResourceRecord));
 	dns->answers[0].name = g_strdup(name);
-	dns->answers[0].type = RENDEZVOUS_RRTYPE_PTR;
+	dns->answers[0].type = RENDEZVOUS_RRTYPE_NULL;
-	dns->answers[0].class = 0x8001;
+	dns->answers[0].class = 0x0001;
 	dns->answers[0].ttl = 0x00001c20;
-	dns->answers[0].rdlength = 0x0000; /* Set automatically */
+	dns->answers[0].rdlength = rdlength;
-	dns->answers[0].rdata = (void *)g_strdup(domain);
+	dns->answers[0].rdata = (void *)rdata;
 	dns->authority = NULL;
 	dns->additional = NULL;
 	mdns_send_dns(fd, dns);
+	/* The rdata should be freed by the caller of this function */
+	dns->answers[0].rdata = NULL;
 	mdns_free(dns);
 	return ret;
 }
 int
-mdns_advertise_txt(int fd, const char *name, const GSList *rdata)
+mdns_advertise_ptr(int fd, const char *name, const char *domain)
 {
 	int ret;
 	DNSPacket *dns;
-	if ((strlen(name) > 255)) {
+	if ((strlen(name) > 255) || (strlen(domain) > 255)) {
 		return -EINVAL;
 	}
 	dns = (DNSPacket *)g_malloc(sizeof(DNSPacket));
 	dns->header.id = 0x0000;
 	dns->header.numadditional = 0x0000;
 	dns->questions = NULL;
 	dns->answers = (ResourceRecord *)g_malloc(1 * sizeof(ResourceRecord));
 	dns->answers[0].name = g_strdup(name);
-	dns->answers[0].type = RENDEZVOUS_RRTYPE_TXT;
+	dns->answers[0].type = RENDEZVOUS_RRTYPE_PTR;
 	dns->answers[0].class = 0x8001;
 	dns->answers[0].ttl = 0x00001c20;
-	dns->answers[0].rdlength = 0x0000; /* Set automatically */
+	dns->answers[0].rdata = (void *)g_strdup(domain);
-	dns->answers[0].rdata = (void *)rdata;
+	dns->answers[0].rdlength = mdns_getlength_RR_rdata(dns->answers[0].type, dns->answers[0].rdata);
 	dns->authority = NULL;
 	dns->additional = NULL;
 	mdns_send_dns(fd, dns);
-	/* The rdata should be freed by the caller of this function */
-	dns->answers[0].rdata = NULL;
 	mdns_free(dns);
 	return ret;
 }
 int
-mdns_advertise_srv(int fd, const char *name, unsigned short port, const char *target)
+mdns_advertise_txt(int fd, const char *name, const GSList *rdata)
 {
 	int ret;
 	DNSPacket *dns;
-	ResourceRecordRDataSRV *rdata;
+	if ((strlen(name) > 255)) {
-	if ((strlen(target) > 255)) {
 		return -EINVAL;
 	}
-	rdata = g_malloc(sizeof(ResourceRecordRDataSRV));
-	rdata->port = port;
-	rdata->target = g_strdup(target);
 	dns = (DNSPacket *)g_malloc(sizeof(DNSPacket));
 	dns->header.id = 0x0000;
 	dns->header.flags = 0x8400;
 	dns->header.numquestions = 0x0000;
 	dns->header.numadditional = 0x0000;
 	dns->questions = NULL;
 	dns->answers = (ResourceRecord *)g_malloc(1 * sizeof(ResourceRecord));
 	dns->answers[0].name = g_strdup(name);
-	dns->answers[0].type = RENDEZVOUS_RRTYPE_SRV;
+	dns->answers[0].type = RENDEZVOUS_RRTYPE_TXT;
 	dns->answers[0].class = 0x8001;
 	dns->answers[0].ttl = 0x00001c20;
-	dns->answers[0].rdlength = 0x0000; /* Set automatically */
+	dns->answers[0].rdata = (void *)rdata;
-	dns->answers[0].rdata = rdata;
+	dns->answers[0].rdlength = mdns_getlength_RR_rdata(dns->answers[0].type, dns->answers[0].rdata);
 	dns->authority = NULL;
+	dns->additional = NULL;
+	mdns_send_dns(fd, dns);
+	/* The rdata should be freed by the caller of this function */
+	dns->answers[0].rdata = NULL;
+	mdns_free(dns);
+	return ret;
+}
+int
+mdns_advertise_srv(int fd, const char *name, unsigned short port, const char *target)
+{
+	int ret;
+	DNSPacket *dns;
+	ResourceRecordRDataSRV *rdata;
+	if ((strlen(target) > 255)) {
+		return -EINVAL;
+	}
+	rdata = g_malloc(sizeof(ResourceRecordRDataSRV));
+	rdata->port = port;
+	rdata->target = g_strdup(target);
+	dns = (DNSPacket *)g_malloc(sizeof(DNSPacket));
+	dns->header.id = 0x0000;
+	dns->header.flags = 0x8400;
+	dns->header.numquestions = 0x0000;
+	dns->header.numanswers = 0x0000;
+	dns->header.numauthority = 0x0001;
+	dns->header.numadditional = 0x0000;
+	dns->questions = NULL;
+	dns->answers = NULL;
+	dns->authority = (ResourceRecord *)g_malloc(1 * sizeof(ResourceRecord));
+	dns->authority[0].name = g_strdup(name);
+	dns->authority[0].type = RENDEZVOUS_RRTYPE_SRV;
+	dns->authority[0].class = 0x8001;
+	dns->authority[0].ttl = 0x00001c20;
+	dns->authority[0].rdata = rdata;
+	dns->authority[0].rdlength = mdns_getlength_RR_rdata(dns->authority[0].type, dns->authority[0].rdata);
 	dns->additional = NULL;
 	mdns_send_dns(fd, dns);
 	mdns_free(dns);
 		} else { /* First two bits are 11 */
 			/* Jump to another position in the data */
 			newoffset = util_get8(&data[offset]);
 			if (newoffset >= offset)
 				/* Invalid pointer!  Could lead to infinite recursion! Bailing! */
-				g_string_free(ret, TRUE);
+				return g_string_free(ret, TRUE);
 			offset = newoffset;
 		}
 	}
+	if (offset > datalen)
+		return g_string_free(ret, TRUE);
 	return g_string_free(ret, FALSE);
 }
 /*
 	return offset - startoffset + 1;
 }
 /*
-* XXX - Needs bounds checking!
+*
 *
 */
 static Question *
 mdns_read_questions(int numquestions, const char *data, unsigned int datalen, int *offset)
 {
 	ret = (Question *)g_malloc0(numquestions * sizeof(Question));
 	for (i = 0; i < numquestions; i++) {
 		ret[i].name = mdns_read_name(data, datalen, *offset);
 		*offset += mdns_read_name_len(data, datalen, *offset);
+		if (*offset + 4 > datalen)
+			break;
 		ret[i].type = util_get16(&data[*offset]); /* QTYPE */
 		*offset += 2;
 		ret[i].class = util_get16(&data[*offset]); /* QCLASS */
 		*offset += 2;
+		if (*offset > datalen)
+			break;
+	}
+	/* Malformed packet check */
+	if (i < numquestions) {
+		for (i = 0; i < numquestions; i++)
+			g_free(ret[i].name);
+		g_free(ret);
+		return NULL;
 	}
 	return ret;
 }
 	return ret;
 }
 /*
-* XXX - Needs bounds checking!
+* Read in a compressed name.
 *
 */
 static char *
 mdns_read_rr_rdata_ptr(const char *data, unsigned int datalen, unsigned int offset)
 {
-	char *ret = NULL;
+	return mdns_read_name(data, datalen, offset);
-	ret = mdns_read_name(data, datalen, offset);
-	return ret;
 }
 /*
-*
+* Read in a list of name=value pairs into a GHashTable.
 *
 */
 static GHashTable *
 mdns_read_rr_rdata_txt(const char *data, unsigned int datalen, unsigned int offset, unsigned short rdlength)
 {
 	while (offset < endoffset) {
 		/* Read in the length of the next name/value pair */
 		tmp = util_get8(&data[offset]);
 		offset++;
-		/* Ensure packet is valid */
+		/* Malformed packet check */
 		if (offset + tmp > endoffset)
 			break;
 		/* Read in the next name/value pair */
 		strncpy(buf, &data[offset], tmp);
 			g_hash_table_insert(ret, key, g_strdup(value));
 		else
 			g_free(key);
 	}
+	/* Malformed packet check */
+	if ((offset > datalen) || (offset != endoffset)) {
+		g_hash_table_destroy(ret);
+		return NULL;
+	}
 	return ret;
 }
 /*
 *
 mdns_read_rr_rdata_srv(const char *data, unsigned int datalen, unsigned int offset, unsigned short rdlength)
 {
 	ResourceRecordSRV *ret = NULL;
 	int endoffset = offset + rdlength;
+	/* Malformed packet check */
 	if (offset + 7 > endoffset)
 		return NULL;
 	ret = g_malloc(sizeof(ResourceRecordSRV));
 	/*
 	 * XXX - RFC2782 says it's not supposed to be an alias...
 	 * but it was in the packet capture I looked at from iChat.
 	 */
 	ret->target = mdns_read_name(data, datalen, offset);
+	offset += mdns_read_name_len(data, datalen, offset);
+	/* Malformed packet check */
+	if ((offset > endoffset) || (ret->target == NULL)) {
+		g_free(ret->target);
+		g_free(ret);
+		return NULL;
+	}
 	return ret;
 }
 /*
-* XXX - Needs bounds checking!
+*
 *
 */
 static ResourceRecord *
 mdns_read_rr(int numrecords, const char *data, unsigned int datalen, int *offset)
 {
 	ResourceRecord *ret;
 	int i;
 	ret = (ResourceRecord *)g_malloc0(numrecords * sizeof(ResourceRecord));
 	for (i = 0; i < numrecords; i++) {
-		ret[i].name = mdns_read_name(data, datalen, *offset); /* NAME */
+		/* NAME */
+		ret[i].name = mdns_read_name(data, datalen, *offset);
 		*offset += mdns_read_name_len(data, datalen, *offset);
-		ret[i].type = util_get16(&data[*offset]); /* TYPE */
+		/* Malformed packet check */
+		if (*offset + 10 > datalen)
+			break;
+		/* TYPE */
+		ret[i].type = util_get16(&data[*offset]);
 		*offset += 2;
-		ret[i].class = util_get16(&data[*offset]); /* CLASS */
+		/* CLASS */
+		ret[i].class = util_get16(&data[*offset]);
 		*offset += 2;
-		ret[i].ttl = util_get32(&data[*offset]); /* TTL */
+		/* TTL */
+		ret[i].ttl = util_get32(&data[*offset]);
 		*offset += 4;
-		ret[i].rdlength = util_get16(&data[*offset]); /* RDLENGTH */
+		/* RDLENGTH */
+		ret[i].rdlength = util_get16(&data[*offset]);
 		*offset += 2;
 		/* RDATA */
-		switch (ret[i].type) {
+		if (ret[i].type == RENDEZVOUS_RRTYPE_NULL) {
-			case RENDEZVOUS_RRTYPE_NULL:
+			ret[i].rdata = mdns_read_rr_rdata_null(data, datalen, *offset, ret[i].rdlength);
-				ret[i].rdata = mdns_read_rr_rdata_null(data, datalen, *offset, ret[i].rdlength);
+			if (ret[i].rdata == NULL)
+				break;
+		} else if (ret[i].type == RENDEZVOUS_RRTYPE_PTR) {
+			ret[i].rdata = mdns_read_rr_rdata_ptr(data, datalen, *offset);
+			if (ret[i].rdata == NULL)
+				break;
+		} else if (ret[i].type == RENDEZVOUS_RRTYPE_TXT) {
+			ret[i].rdata = mdns_read_rr_rdata_txt(data, datalen, *offset, ret[i].rdlength);
+			if (ret[i].rdata == NULL)
+				break;
+		} else if (ret[i].type == RENDEZVOUS_RRTYPE_SRV) {
+			ret[i].rdata = mdns_read_rr_rdata_srv(data, datalen, *offset, ret[i].rdlength);
+			if (ret[i].rdata == NULL)
+				break;
+		}
+		/* Malformed packet check */
+		*offset += ret[i].rdlength;
+		if (*offset > datalen)
 			break;
+	}
-			case RENDEZVOUS_RRTYPE_PTR:
-				ret[i].rdata = mdns_read_rr_rdata_ptr(data, datalen, *offset);
+	/* Malformed packet check */
-			break;
+	if (i < numrecords) {
+		for (i = 0; i < numrecords; i++) {
-			case RENDEZVOUS_RRTYPE_TXT:
+			g_free(ret[i].name);
-				ret[i].rdata = mdns_read_rr_rdata_txt(data, datalen, *offset, ret[i].rdlength);
+			mdns_free_rr_rdata(ret[i].type, ret[i].rdata);
-			break;
-			case RENDEZVOUS_RRTYPE_SRV:
-				ret[i].rdata = mdns_read_rr_rdata_srv(data, datalen, *offset, ret[i].rdlength);
-			break;
-			default:
-				ret[i].rdata = NULL;
-			break;
 		}
-		*offset += ret[i].rdlength;
+		g_free(ret);
+		return NULL;
 	}
 	return ret;
 }
 /*
-* XXX - Needs bounds checking!
+*
 *
 */
 DNSPacket *
 mdns_read(int fd)
 {
 	DNSPacket *ret = NULL;
-	int i; /* Current position in datagram */
+	int offset; /* Current position in datagram */
 	/* XXX - Find out what to use as a maximum incoming UDP packet size */
 	/* char data[512]; */
 	char data[10096];
 	unsigned int datalen;
 	struct sockaddr_in addr;
 	}
 	ret = (DNSPacket *)g_malloc0(sizeof(DNSPacket));
 	/* Parse the incoming packet, starting from 0 */
-	i = 0;
+	offset = 0;
+	if (offset + 12 > datalen) {
+		g_free(ret);
+		return NULL;
+	}
 	/* The header section */
-	ret->header.id = util_get16(&data[i]); /* ID */
+	ret->header.id = util_get16(&data[offset]); /* ID */
-	i += 2;
+	offset += 2;
 	/* For the flags, some bits must be 0 and some must be 1, the rest are ignored */
-	ret->header.flags = util_get16(&data[i]); /* Flags (QR, OPCODE, AA, TC, RD, RA, Z, AD, CD, and RCODE */
+	ret->header.flags = util_get16(&data[offset]); /* Flags (QR, OPCODE, AA, TC, RD, RA, Z, AD, CD, and RCODE */
-	i += 2;
+	offset += 2;
 	if ((ret->header.flags & 0x8000) == 0) {
 		/* QR should be 1 */
 		g_free(ret);
 		return NULL;
 	}
 		g_free(ret);
 		return NULL;
 	}
 	/* Read in the number of other things in the packet */
-	ret->header.numquestions = util_get16(&data[i]);
+	ret->header.numquestions = util_get16(&data[offset]);
-	i += 2;
+	offset += 2;
-	ret->header.numanswers = util_get16(&data[i]);
+	ret->header.numanswers = util_get16(&data[offset]);
-	i += 2;
+	offset += 2;
-	ret->header.numauthority = util_get16(&data[i]);
+	ret->header.numauthority = util_get16(&data[offset]);
-	i += 2;
+	offset += 2;
-	ret->header.numadditional = util_get16(&data[i]);
+	ret->header.numadditional = util_get16(&data[offset]);
-	i += 2;
+	offset += 2;
 	/* Read in all the questions */
-	ret->questions = mdns_read_questions(ret->header.numquestions, data, datalen, &i);
+	ret->questions = mdns_read_questions(ret->header.numquestions, data, datalen, &offset);
 	/* Read in all resource records */
-	ret->answers = mdns_read_rr(ret->header.numanswers, data, datalen, &i);
+	ret->answers = mdns_read_rr(ret->header.numanswers, data, datalen, &offset);
 	/* Read in all authority records */
-	ret->authority = mdns_read_rr(ret->header.numauthority, data, datalen, &i);
+	ret->authority = mdns_read_rr(ret->header.numauthority, data, datalen, &offset);
 	/* Read in all additional records */
-	ret->additional = mdns_read_rr(ret->header.numadditional, data, datalen, &i);
+	ret->additional = mdns_read_rr(ret->header.numadditional, data, datalen, &offset);
+	/* Malformed packet check */
+	if ((ret->header.numquestions > 0 && ret->questions == NULL) ||
+		(ret->header.numanswers > 0 && ret->answers == NULL) ||
+		(ret->header.numauthority > 0 && ret->authority == NULL) ||
+		(ret->header.numadditional > 0 && ret->additional == NULL)) {
+		gaim_debug_error("mdns", "Received an invalid DNS packet.\n");
+		return NULL;
+	}
 	/* We should be at the end of the packet */
-	if (i != datalen) {
+	if (offset != datalen) {
-		gaim_debug_error("mdns", "Finished parsing before end of DNS packet!  Only parsed %d of %d bytes.", i, datalen);
+		gaim_debug_error("mdns", "Finished parsing before end of DNS packet!  Only parsed %d of %d bytes.", offset, datalen);
 		g_free(ret);
 		return NULL;
 	}
 	return ret;
 }
-/**
-* Free the rdata associated with a given resource record.
-*/
-static void
-mdns_free_rr_rdata(unsigned short type, void *rdata)
-{
-	switch (type) {
-			case RENDEZVOUS_RRTYPE_NULL:
-			case RENDEZVOUS_RRTYPE_PTR:
-				g_free(rdata);
-			break;
-			case RENDEZVOUS_RRTYPE_TXT:
-				g_hash_table_destroy(rdata);
-			break;
-			case RENDEZVOUS_RRTYPE_SRV:
-				g_free(((ResourceRecordRDataSRV *)rdata)->target);
-				g_free(rdata);
-			break;
-	}
-}
-/**
-* Free a given question
-*/
-static void
-mdns_free_q(Question *q)
-{
-	g_free(q->name);
-}
-/**
-* Free a given resource record.
-*/
-static void
-mdns_free_rr(ResourceRecord *rr)
-{
-	g_free(rr->name);
-	if (rr->rdata != NULL)
-		mdns_free_rr_rdata(rr->type, rr->rdata);
-}
-void
-mdns_free(DNSPacket *dns)
-{
-	int i;
-	for (i = 0; i < dns->header.numquestions; i++)
-		mdns_free_q(&dns->questions[i]);
-	for (i = 0; i < dns->header.numanswers; i++)
-		mdns_free_rr(&dns->answers[i]);
-	for (i = 0; i < dns->header.numauthority; i++)
-		mdns_free_rr(&dns->authority[i]);
-	for (i = 0; i < dns->header.numadditional; i++)
-		mdns_free_rr(&dns->additional[i]);
-	g_free(dns->questions);
-	g_free(dns->answers);
-	g_free(dns->authority);
-	g_free(dns->additional);
-	g_free(dns);
-}

Mercurial > pidgin3 / file comparison

comparison: src/protocols/rendezvous/mdns.c

src/protocols/rendezvous/mdns.c