Summary
The dns_unpack_answer function in dns_pack.c decodes DNS answers from incoming DNS data. A lack of input validation allows for out-of-bounds reads caused by malicious or malformed packets.
These functions are mostly called by dns_unpack_answer (line 109 in subsys/net/lib/dns/dns_pack.c as of 6798064), which is responsible for decoding incoming DNS data. There are many cases where these out-of-bounds failures occur, but this report focuses on a specific case and a general solution that will correct all out-of-bounds reads.
Details
The target function is called when validating received DNS messages. Here is a vulnerable program flow.
- The answer pointer in line 118 is computed to point to the start of the DNS answers.
- dname_len is calculated in line 120.
- rem_size is computed and validated in line 137. However, this validation is wrong because it does not account for answer_offset: rem_size is computed with respect to the start of the packet instead of the start of the answer region.
- Hence, all accesses to the buffer pointed to by answer (lines 152 to 169) can potentially lead to an out-of-bounds read.
This vulnerability can be exposed with the following packet.
uint8_t msg[18] = {7, 7, 141, 128, 0,
Impact
This out-of-bounds read can cause a crash and lead to a denial of service.
Fix Recommendation
This vulnerability can be fixed by updating the computation of rem_size in line 137.
    rem_size = dns_msg->msg_size - dns_msg->answer_offset - dname_len;
    if (rem_size < 2 + 2 + 4 + 2) {
        return -EINVAL;
    }
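The two bounds checks side by side, as an added example that is not part of the advisory or the Zephyr source. `struct msg_view`, the function names and the sizes in `main` are constructed for illustration, and `check_before` is modeled on the description in Details rather than copied from the code.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>

/* Fixed fields after the answer name: TYPE(2) + CLASS(2) + TTL(4) + RDLENGTH(2). */
#define ANSWER_FIXED_LEN (2 + 2 + 4 + 2)

/* Hypothetical, reduced stand-in for the parser state: only what the check uses. */
struct msg_view {
	uint16_t msg_size;      /* total bytes received */
	uint16_t answer_offset; /* offset at which the answer region starts */
};

/* Check as described before the fix: measured from the start of the packet. */
static int check_before(const struct msg_view *m, int dname_len)
{
	int rem_size = m->msg_size - dname_len;

	return (rem_size < ANSWER_FIXED_LEN) ? -EINVAL : 0;
}

/* Check from the fix recommendation: measured from the start of the answers. */
static int check_after(const struct msg_view *m, int dname_len)
{
	int rem_size = m->msg_size - m->answer_offset - dname_len;

	return (rem_size < ANSWER_FIXED_LEN) ? -EINVAL : 0;
}

/* Bytes really left after the answer name; less than 10 means a short buffer. */
static int bytes_after_name(const struct msg_view *m, int dname_len)
{
	return m->msg_size - m->answer_offset - dname_len;
}

int main(void)
{
	/* Constructed sizes: 18-byte message, answers after the 12-byte header. */
	struct msg_view m = { .msg_size = 18, .answer_offset = 12 };
	int dname_len = 2; /* constructed name length */

	printf("available=%d needed=%d before=%d after=%d\n",
	       bytes_after_name(&m, dname_len), ANSWER_FIXED_LEN,
	       check_before(&m, dname_len), check_after(&m, dname_len));
	return 0;
}
```

With these sizes only 4 bytes follow the name, yet the packet-relative check accepts the message; the answer-relative check rejects it before any fixed field is read.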
Patches
main: #82072
v4.0.0: #82289
v3.7.0: #82288
For more information
If you have any questions or comments about this advisory:
embargo: 2025-02-13