Fix two panics identified by fuzz testing

This commit adds additional bounds checking, one for DNSResourceRecord and another for DNSQuestion. The DNSResourceRecord panic was observed in production and the second panic was caught by fuzzing. Add a fuzz test with seeds to reproduce these two panics.
GameFabric · Aug 10, 2022 · 65a1dfb · 65a1dfb
1 parent 4e29164
commit 65a1dfb
Show file tree

Hide file tree

Showing 6 changed files with 23 additions and 0 deletions.
diff --git a/layers/dns.go b/layers/dns.go
@@ -639,6 +639,10 @@ func (q *DNSQuestion) decode(data []byte, offset int, df gopacket.DecodeFeedback
 		return 0, err
 	}
 
+	if len(data) < endq+4 {
+		return 0, errors.New("DNS question too small")
+	}
+
 	q.Name = name
 	q.Type = DNSType(binary.BigEndian.Uint16(data[endq : endq+2]))
 	q.Class = DNSClass(binary.BigEndian.Uint16(data[endq+2 : endq+4]))
@@ -709,6 +713,10 @@ func (rr *DNSResourceRecord) decode(data []byte, offset int, df gopacket.DecodeF
 		return 0, err
 	}
 
+	if len(data) < endq+10 {
+		return 0, errors.New("DNS record too small")
+	}
+
 	rr.Name = name
 	rr.Type = DNSType(binary.BigEndian.Uint16(data[endq : endq+2]))
 	rr.Class = DNSClass(binary.BigEndian.Uint16(data[endq+2 : endq+4]))

diff --git a/layers/dns_test.go b/layers/dns_test.go
@@ -15,6 +15,13 @@ import (
 	"github.com/google/gopacket"
 )
 
+func FuzzDecodeFromBytes(f *testing.F) {
+	f.Fuzz(func(t *testing.T, bytes []byte) {
+		dns := DNS{}
+		dns.DecodeFromBytes(bytes, gopacket.NilDecodeFeedback)
+	})
+}
+
 // it have a layer like that:
 //    name: xxx.com
 //    type: CNAME

diff --git a/...fuzz/FuzzDecodeFromBytes/27d23183d8ce7b719228870c23869cf21bf8829d7160c82da88f80aeff2d861c b/...fuzz/FuzzDecodeFromBytes/27d23183d8ce7b719228870c23869cf21bf8829d7160c82da88f80aeff2d861c
@@ -0,0 +1,2 @@
+go test fuzz v1
+[]byte("0000000\x10\x10\x00\x01\x01\x01\x01\x01\x01\x00")
diff --git a/...fuzz/FuzzDecodeFromBytes/3b53f220d321f20980b59f64e1617d6b334b152a90b141a7407c3c8fa4837a31 b/...fuzz/FuzzDecodeFromBytes/3b53f220d321f20980b59f64e1617d6b334b152a90b141a7407c3c8fa4837a31
@@ -0,0 +1,2 @@
+go test fuzz v1
+[]byte("000000000000\x00")
diff --git a/...fuzz/FuzzDecodeFromBytes/f539b7a397cf68c2129abd63d4c7cfb1979c489ad9bad6898510a4d4759bb85f b/...fuzz/FuzzDecodeFromBytes/f539b7a397cf68c2129abd63d4c7cfb1979c489ad9bad6898510a4d4759bb85f
@@ -0,0 +1,2 @@
+go test fuzz v1
+[]byte("01000\x10\x10\xdfd\x01\x01\x01\x00d\x01\x01\x01\x00")
diff --git a/...fuzz/FuzzDecodeFromBytes/fe20300d6b2057b406a06ec4f04065f6d0dda6b2b362c0a89192c1933e927adf b/...fuzz/FuzzDecodeFromBytes/fe20300d6b2057b406a06ec4f04065f6d0dda6b2b362c0a89192c1933e927adf
@@ -0,0 +1,2 @@
+go test fuzz v1
+[]byte("0000\x00\x00000000\x010\x000")