Blame SOURCES/unbound-1.7.3-ipsec-hook.patch

bb9b5b
diff --git a/ipsecmod/ipsecmod.c b/ipsecmod/ipsecmod.c
bb9b5b
index c8400c6..9e916d6 100644
bb9b5b
--- a/ipsecmod/ipsecmod.c
bb9b5b
+++ b/ipsecmod/ipsecmod.c
bb9b5b
@@ -162,6 +162,71 @@ generate_request(struct module_qstate* qstate, int id, uint8_t* name,
bb9b5b
 }
bb9b5b
 
bb9b5b
 /**
bb9b5b
+ * Check if the string passed is a valid domain name with safe characters to
bb9b5b
+ * pass to a shell.
bb9b5b
+ * This will only allow:
bb9b5b
+ *  - digits
bb9b5b
+ *  - alphas
bb9b5b
+ *  - hyphen (not at the start)
bb9b5b
+ *  - dot (not at the start, or the only character)
bb9b5b
+ *  - underscore
bb9b5b
+ * @param s: pointer to the string.
bb9b5b
+ * @param slen: string's length.
bb9b5b
+ * @return true if s only contains safe characters; false otherwise.
bb9b5b
+ */
bb9b5b
+static int
bb9b5b
+domainname_has_safe_characters(char* s, size_t slen) {
bb9b5b
+	size_t i;
bb9b5b
+	for(i = 0; i < slen; i++) {
bb9b5b
+		if(s[i] == '\0') return 1;
bb9b5b
+		if((s[i] == '-' && i != 0)
bb9b5b
+			|| (s[i] == '.' && (i != 0 || s[1] == '\0'))
bb9b5b
+			|| (s[i] == '_') || (s[i] >= '0' && s[i] <= '9')
bb9b5b
+			|| (s[i] >= 'A' && s[i] <= 'Z')
bb9b5b
+			|| (s[i] >= 'a' && s[i] <= 'z')) {
bb9b5b
+			continue;
bb9b5b
+		}
bb9b5b
+		return 0;
bb9b5b
+	}
bb9b5b
+	return 1;
bb9b5b
+}
bb9b5b
+
bb9b5b
+/**
bb9b5b
+ * Check if the stringified IPSECKEY RDATA contains safe characters to pass to
bb9b5b
+ * a shell.
bb9b5b
+ * This is only relevant for checking the gateway when the gateway type is 3
bb9b5b
+ * (domainname).
bb9b5b
+ * @param s: pointer to the string.
bb9b5b
+ * @param slen: string's length.
bb9b5b
+ * @return true if s contains only safe characters; false otherwise.
bb9b5b
+ */
bb9b5b
+static int
bb9b5b
+ipseckey_has_safe_characters(char* s, size_t slen) {
bb9b5b
+	int precedence, gateway_type, algorithm;
bb9b5b
+	char* gateway;
bb9b5b
+	gateway = (char*)calloc(slen, sizeof(char));
bb9b5b
+	if(!gateway) {
bb9b5b
+		log_err("ipsecmod: out of memory when calling the hook");
bb9b5b
+		return 0;
bb9b5b
+	}
bb9b5b
+	if(sscanf(s, "%d %d %d %s ",
bb9b5b
+			&precedence, &gateway_type, &algorithm, gateway) != 4) {
bb9b5b
+		free(gateway);
bb9b5b
+		return 0;
bb9b5b
+	}
bb9b5b
+	if(gateway_type != 3) {
bb9b5b
+		free(gateway);
bb9b5b
+		return 1;
bb9b5b
+	}
bb9b5b
+	if(domainname_has_safe_characters(gateway, slen)) {
bb9b5b
+		free(gateway);
bb9b5b
+		return 1;
bb9b5b
+	}
bb9b5b
+	free(gateway);
bb9b5b
+	return 0;
bb9b5b
+}
bb9b5b
+
bb9b5b
+/**
bb9b5b
  *  Prepare the data and call the hook.
bb9b5b
  *
bb9b5b
  *  @param qstate: query state.
bb9b5b
@@ -175,7 +240,7 @@ call_hook(struct module_qstate* qstate, struct ipsecmod_qstate* iq,
bb9b5b
 {
bb9b5b
 	size_t slen, tempdata_len, tempstring_len, i;
bb9b5b
 	char str[65535], *s, *tempstring;
bb9b5b
-	int w;
bb9b5b
+	int w = 0, w_temp, qtype;
bb9b5b
 	struct ub_packed_rrset_key* rrset_key;
bb9b5b
 	struct packed_rrset_data* rrset_data;
bb9b5b
 	uint8_t *tempdata;
bb9b5b
@@ -192,9 +257,9 @@ call_hook(struct module_qstate* qstate, struct ipsecmod_qstate* iq,
bb9b5b
 	memset(s, 0, slen);
bb9b5b
 
bb9b5b
 	/* Copy the hook into the buffer. */
bb9b5b
-	sldns_str_print(&s, &slen, "%s", qstate->env->cfg->ipsecmod_hook);
bb9b5b
+	w += sldns_str_print(&s, &slen, "%s", qstate->env->cfg->ipsecmod_hook);
bb9b5b
 	/* Put space into the buffer. */
bb9b5b
-	sldns_str_print(&s, &slen, " ");
bb9b5b
+	w += sldns_str_print(&s, &slen, " ");
bb9b5b
 	/* Copy the qname into the buffer. */
bb9b5b
 	tempstring = sldns_wire2str_dname(qstate->qinfo.qname,
bb9b5b
 		qstate->qinfo.qname_len);
bb9b5b
@@ -202,68 +267,96 @@ call_hook(struct module_qstate* qstate, struct ipsecmod_qstate* iq,
bb9b5b
 		log_err("ipsecmod: out of memory when calling the hook");
bb9b5b
 		return 0;
bb9b5b
 	}
bb9b5b
-	sldns_str_print(&s, &slen, "\"%s\"", tempstring);
bb9b5b
+	if(!domainname_has_safe_characters(tempstring, strlen(tempstring))) {
bb9b5b
+		log_err("ipsecmod: qname has unsafe characters");
bb9b5b
+		free(tempstring);
bb9b5b
+		return 0;
bb9b5b
+	}
bb9b5b
+	w += sldns_str_print(&s, &slen, "\"%s\"", tempstring);
bb9b5b
 	free(tempstring);
bb9b5b
 	/* Put space into the buffer. */
bb9b5b
-	sldns_str_print(&s, &slen, " ");
bb9b5b
+	w += sldns_str_print(&s, &slen, " ");
bb9b5b
 	/* Copy the IPSECKEY TTL into the buffer. */
bb9b5b
 	rrset_data = (struct packed_rrset_data*)iq->ipseckey_rrset->entry.data;
bb9b5b
-	sldns_str_print(&s, &slen, "\"%ld\"", (long)rrset_data->ttl);
bb9b5b
+	w += sldns_str_print(&s, &slen, "\"%ld\"", (long)rrset_data->ttl);
bb9b5b
 	/* Put space into the buffer. */
bb9b5b
-	sldns_str_print(&s, &slen, " ");
bb9b5b
-	/* Copy the A/AAAA record(s) into the buffer. Start and end this section
bb9b5b
-	 * with a double quote. */
bb9b5b
+	w += sldns_str_print(&s, &slen, " ");
bb9b5b
 	rrset_key = reply_find_answer_rrset(&qstate->return_msg->qinfo,
bb9b5b
 		qstate->return_msg->rep);
bb9b5b
+	/* Double check that the records are indeed A/AAAA.
bb9b5b
+	 * This should never happen as this function is only executed for A/AAAA
bb9b5b
+	 * queries but make sure we don't pass anything other than A/AAAA to the
bb9b5b
+	 * shell. */
bb9b5b
+	qtype = ntohs(rrset_key->rk.type);
bb9b5b
+	if(qtype != LDNS_RR_TYPE_AAAA && qtype != LDNS_RR_TYPE_A) {
bb9b5b
+		log_err("ipsecmod: Answer is not of A or AAAA type");
bb9b5b
+		return 0;
bb9b5b
+	}
bb9b5b
 	rrset_data = (struct packed_rrset_data*)rrset_key->entry.data;
bb9b5b
-	sldns_str_print(&s, &slen, "\"");
bb9b5b
+	/* Copy the A/AAAA record(s) into the buffer. Start and end this section
bb9b5b
+	 * with a double quote. */
bb9b5b
+	w += sldns_str_print(&s, &slen, "\"");
bb9b5b
 	for(i=0; i<rrset_data->count; i++) {
bb9b5b
 		if(i > 0) {
bb9b5b
 			/* Put space into the buffer. */
bb9b5b
-			sldns_str_print(&s, &slen, " ");
bb9b5b
+			w += sldns_str_print(&s, &slen, " ");
bb9b5b
 		}
bb9b5b
 		/* Ignore the first two bytes, they are the rr_data len. */
bb9b5b
-		w = sldns_wire2str_rdata_buf(rrset_data->rr_data[i] + 2,
bb9b5b
+		w_temp = sldns_wire2str_rdata_buf(rrset_data->rr_data[i] + 2,
bb9b5b
 			rrset_data->rr_len[i] - 2, s, slen, qstate->qinfo.qtype);
bb9b5b
-		if(w < 0) {
bb9b5b
+		if(w_temp < 0) {
bb9b5b
 			/* Error in printout. */
bb9b5b
-			return -1;
bb9b5b
-		} else if((size_t)w >= slen) {
bb9b5b
+			log_err("ipsecmod: Error in printing IP address");
bb9b5b
+			return 0;
bb9b5b
+		} else if((size_t)w_temp >= slen) {
bb9b5b
 			s = NULL; /* We do not want str to point outside of buffer. */
bb9b5b
 			slen = 0;
bb9b5b
-			return -1;
bb9b5b
+			log_err("ipsecmod: shell command too long");
bb9b5b
+			return 0;
bb9b5b
 		} else {
bb9b5b
-			s += w;
bb9b5b
-			slen -= w;
bb9b5b
+			s += w_temp;
bb9b5b
+			slen -= w_temp;
bb9b5b
+			w += w_temp;
bb9b5b
 		}
bb9b5b
 	}
bb9b5b
-	sldns_str_print(&s, &slen, "\"");
bb9b5b
+	w += sldns_str_print(&s, &slen, "\"");
bb9b5b
 	/* Put space into the buffer. */
bb9b5b
-	sldns_str_print(&s, &slen, " ");
bb9b5b
+	w += sldns_str_print(&s, &slen, " ");
bb9b5b
 	/* Copy the IPSECKEY record(s) into the buffer. Start and end this section
bb9b5b
 	 * with a double quote. */
bb9b5b
-	sldns_str_print(&s, &slen, "\"");
bb9b5b
+	w += sldns_str_print(&s, &slen, "\"");
bb9b5b
 	rrset_data = (struct packed_rrset_data*)iq->ipseckey_rrset->entry.data;
bb9b5b
 	for(i=0; i<rrset_data->count; i++) {
bb9b5b
 		if(i > 0) {
bb9b5b
 			/* Put space into the buffer. */
bb9b5b
-			sldns_str_print(&s, &slen, " ");
bb9b5b
+			w += sldns_str_print(&s, &slen, " ");
bb9b5b
 		}
bb9b5b
 		/* Ignore the first two bytes, they are the rr_data len. */
bb9b5b
 		tempdata = rrset_data->rr_data[i] + 2;
bb9b5b
 		tempdata_len = rrset_data->rr_len[i] - 2;
bb9b5b
 		/* Save the buffer pointers. */
bb9b5b
 		tempstring = s; tempstring_len = slen;
bb9b5b
-		w = sldns_wire2str_ipseckey_scan(&tempdata, &tempdata_len, &s, &slen,
bb9b5b
-			NULL, 0);
bb9b5b
+		w_temp = sldns_wire2str_ipseckey_scan(&tempdata, &tempdata_len, &s,
bb9b5b
+			&slen, NULL, 0);
bb9b5b
 		/* There was an error when parsing the IPSECKEY; reset the buffer
bb9b5b
 		 * pointers to their previous values. */
bb9b5b
-		if(w == -1){
bb9b5b
+		if(w_temp == -1) {
bb9b5b
 			s = tempstring; slen = tempstring_len;
bb9b5b
+		} else if(w_temp > 0) {
bb9b5b
+			if(!ipseckey_has_safe_characters(
bb9b5b
+					tempstring, tempstring_len - slen)) {
bb9b5b
+				log_err("ipsecmod: ipseckey has unsafe characters");
bb9b5b
+				return 0;
bb9b5b
+			}
bb9b5b
+			w += w_temp;
bb9b5b
 		}
bb9b5b
 	}
bb9b5b
-	sldns_str_print(&s, &slen, "\"");
bb9b5b
-	verbose(VERB_ALGO, "ipsecmod: hook command: '%s'", str);
bb9b5b
+	w += sldns_str_print(&s, &slen, "\"");
bb9b5b
+	if(w >= (int)sizeof(str)) {
bb9b5b
+		log_err("ipsecmod: shell command too long");
bb9b5b
+		return 0;
bb9b5b
+	}
bb9b5b
+	verbose(VERB_ALGO, "ipsecmod: shell command: '%s'", str);
bb9b5b
 	/* ipsecmod-hook should return 0 on success. */
bb9b5b
 	if(system(str) != 0)
bb9b5b
 		return 0;