Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

dnsdist-1.9.x: Backport #14636 - Fix handling of proxy protocol payload outside of TLS for DoT #14639

Merged
merged 1 commit into from
Sep 10, 2024
Merged

dnsdist-1.9.x: Backport #14636 - Fix handling of proxy protocol payload outside of TLS for DoT #14639

merged 1 commit into from
Sep 10, 2024

Conversation

rgacogne
Copy link
Member

@rgacogne rgacogne commented Sep 9, 2024
edited
Loading

Short description

Backport of #14636 to dnsdist-1.9.x.

After reading the proxy protocol payload from the I/O buffer we were clearing the buffer but failed to properly reset the position, leading to an exception when trying to read the DNS payload after processing the TLS handshake:

Got an exception while handling (reading) TCP query from 127.0.0.1:59426: Calling tryRead() with a too small buffer (2) for a read of 18446744073709551566 bytes starting at 52

The huge value comes from the fact that the position (52 here) is larger than the size of the buffer (2 at this point to read the size of the incoming DNS payload), leading to an unsigned underflow. The code is properly detecting that the value makes no sense in this context, but the connection is then dropped because we cannot recover.

It turns out we had a end-to-end test for the "proxy protocol outside of TLS" case but only over incoming DoH, and the DoH case avoids this specific issue because the buffer is always properly resized, and the position updated.

(cherry picked from commit 4931fb2)

Checklist

I have:

  • read the CONTRIBUTING.md document
  • compiled this code
  • tested this code
  • included documentation (including possible behaviour changes)
  • documented the code
  • added or modified regression test(s)
  • added or modified unit test(s)
  • checked that this code was merged to master

@rgacogne
dnsdist: Fix handling of proxy protocol payload outside of TLS for DoT
d77e211 
After reading the proxy protocol payload from the I/O buffer
we were clearing the buffer but failed to properly reset the
position, leading to an exception when trying to read the DNS
payload after processing the TLS handshake:

```
Got an exception while handling (reading) TCP query from 127.0.0.1:59426: Calling tryRead() with a too small buffer (2) for a read of 18446744073709551566 bytes starting at 52
```

The huge value comes from the fact that the position (52 here)
is larger than the size of the buffer (2 at this point to read
the size of the incoming DNS payload), leading to an unsigned
underflow. The code is properly detecting that the value makes
no sense in this context, but the connection is then dropped
because we cannot recover.

It turns out we had a end-to-end test for the "proxy protocol
outside of TLS" case but only over incoming DoH, and the DoH
case avoids this specific issue because the buffer is always
properly resized, and the position updated.

(cherry picked from commit 4931fb2)
@rgacogne rgacogne added this to the dnsdist-1.9.x milestone Sep 9, 2024
@coveralls
Copy link

Pull Request Test Coverage Report for Build 10774209009

Details

  • 4 of 4 (100.0%) changed or added relevant lines in 1 file are covered.
  • 19 unchanged lines in 7 files lost coverage.
  • Overall coverage decreased (-0.02%) to 55.776%
Files with Coverage Reduction New Missed Lines %
pdns/dnsdistdist/dnsdist-crypto.cc 1 76.01%
pdns/pollmplexer.cc 1 82.39%
pdns/iputils.hh 2 74.95%
pdns/misc.cc 2 40.24%
pdns/dnsdistdist/dnsdist-async.cc 2 82.21%
pdns/dnsdist-carbon.cc 3 62.09%
pdns/dnsdist-tcp.cc 8 76.48%
Totals Coverage Status
Change from base Build 9987810845: -0.02%
Covered Lines: 47990
Relevant Lines: 65507
💛 - Coveralls

@rgacogne rgacogne merged commit cb78a88 into PowerDNS:rel/dnsdist-1.9.x Sep 10, 2024
12 checks passed
@rgacogne rgacogne deleted the ddist19-14636 branch September 10, 2024 09:38
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@omoerbeek omoerbeek omoerbeek approved these changes

Assignees
No one assigned
Labels
defect dnsdist
Projects
None yet
Milestone
dnsdist-1.9.x
Development

Successfully merging this pull request may close these issues.
3 participants
@rgacogne @coveralls @omoerbeek