Hardening boundaries + various security fixes#36
Open
danielinux wants to merge 4 commits into
Open
Conversation
- Reap half-open streams that never send END_STREAM - Close idle connections, re-armed on read activity - Advertise SETTINGS_MAX_HEADER_LIST_SIZE (8 KB)
Verify and fix the confirmed findings from VULN-FINDINGS.json. This tightens DNS reply parsing bounds in dohd, adds explicit ODoH output-capacity checks for both server and ns2dohd paths, defers SIGHUP/SIGUSR1 reload work out of signal context, closes the duplicate-upstream-reply lifecycle hole, constrains dohproxyd dynamic targets and stream lifetime handling, widens heap timer ids, and makes Base64URL decode/check length- and capacity-bounded. Add focused regression tests for DNS parser bounds, URL64 capacity handling, and heap id behavior.
There was a problem hiding this comment.
Pull request overview
Hardens several parsing and resource-management boundaries across the DoH daemon, ODoH handling, and the companion proxy by adding explicit buffer capacities/lengths, bounding HTTP/2 connection/stream lifetimes, and tightening DNS/message parsing with new regression tests.
Changes:
- Refactors url64 APIs to take explicit input lengths and destination capacities; updates callers and expands tests.
- Adds output-capacity parameters to ODoH decrypt APIs and enforces bounds when extracting plaintext DNS.
- Introduces HTTP/2 stream timeout + connection idle timeout, signal-safe reload/stats triggering, stricter dynamic-target allow checks, and widens heap/timer ids to 64-bit.
Reviewed changes
Copilot reviewed 13 out of 13 changed files in this pull request and generated 6 comments.
Show a summary per file
| File | Description |
|---|---|
| test/test_url64.c | Updates url64 decode invocation to pass lengths/capacity and enlarges test buffers. |
| test/test_url64_extended.c | Updates to new url64 API and adds decode-capacity-limit regression test. |
| test/test_heap.c | Adapts heap id expectations to uint64_t and updates wraparound test values. |
| test/test_dns_parser.c | Hardens test DNS parsing bounds and adds truncated-packet regressions. |
| src/url64.h | Updates url64 API signatures and includes needed types. |
| src/url64.c | Implements length/capacity-aware url64 check/decode with added boundary checks. |
| src/odoh.h | Adds dns_out_cap to decrypt APIs. |
| src/odoh.c | Enforces dns_out_cap during plaintext DNS extraction; adds additional ciphertext length check. |
| src/libevquick.c | Switches timer ids to uint64_t to match heap id widening. |
| src/heap.h | Widens heap ids to uint64_t and updates heap API signatures accordingly. |
| src/dohd.c | Adds stream/idle timeouts, signal-pipe wakeups, safer DNS parsing bounds, and url64 call updates. |
| proxy/dohproxyd.c | Adds dynamic target validation (syntax + public-IP enforcement), stream handling tweaks, and lowers max concurrent streams. |
| ns2dohd/ns2dohd.c | Updates ODoH response decrypt call to include destination capacity and improves error accounting. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
No description provided.