net: (small) ddos vulnerability in stub dns resolver #77540
Description
Go version
go 1.25.x
Output of go env in your module/workspace:
n/aWhat did you do?
n/a
What did you see happen?
n/a
What did you expect to see?
Hello,
(was asked to open a public issue here)
I think I've found a (small) DOS vulnerability in the pure Go stub resolver.
In net/dnsclient_unix.go the function dnsStreamRoundTrip will allocate the max dns buffer (64KB) if told to do so. This is fine.
However when unpacking such a DNS name via dnsmessage/message.go (pkg https://cs.opensource.google/go/x/net), in the Name.unpack method, the length of a domain name is not checked until after it is parsed.
i.e. this:
if len(name) > nonEncodedNameMax {
return off, errNameTooLong
}is done after the parsing. This means I can send the resolver a 64K message with a question name of also that length and the Name.unpack code will loop through the entire message and will then conclude the name is too long.
A simple test:
func TestNameTooLong(t *testing.T) {
var name Name
// name := "verylongdomainlabel.verylongdomainlabel.verylongdomainlabel.verylongdomainlabel.verylongdomainlabel.verylongdomainlabel.verylongdomainlabel.verylongdomainlabel.verylongdomainlabel.verylongdomainlabel.verylongdomainlabel.verylongdomainlabel.verylongdomainlabel.verylongdomainlabel.verylongdomainlabel.verylongdomainlabel.verylongdomainlabel.verylongdomainlabel.verylongdomainlabel.verylongdomainlabel."
buf := []byte{
19, 118, 101, 114, 121, 108, 111, 110, 103, 100, 111, 109, 97, 105, 110, 108, 97, 98, 101, 108, 19, 118, 101, 114, 121, 108, 111, 110, 103, 100, 111, 109, 97, 105, 110, 108, 97, 98, 101, 108, 19, 118, 101, 114, 121, 108, 111, 110, 103, 100, 111, 109, 97, 105, 110, 108, 97, 98, 101, 108, 19, 118, 101, 114, 121, 108, 111, 110, 103, 100, 111, 109, 97, 105, 110, 108, 97, 98, 101, 108, 19, 118, 101, 114, 121, 108, 111, 110, 103, 100, 111, 109, 97, 105, 110, 108, 97, 98, 101, 108, 19, 118, 101, 114, 121, 108, 111, 110, 103, 100, 111, 109, 97, 105, 110, 108, 97, 98, 101, 108, 19, 118, 101, 114, 121, 108, 111, 110, 103, 100, 111, 109, 97, 105, 110, 108, 97, 98, 101, 108, 19, 118, 101, 114, 121, 108, 111, 110, 103, 100, 111, 109, 97, 105, 110, 108, 97, 98, 101, 108, 19, 118, 101, 114, 121, 108, 111, 110, 103, 100, 111, 109, 97, 105, 110, 108, 97, 98, 101, 108, 19, 118, 101, 114, 121, 108, 111, 110, 103, 100, 111, 109, 97, 105, 110, 108, 97, 98, 101, 108, 19, 118, 101, 114, 121, 108, 111, 110, 103, 100, 111, 109, 97, 105, 110, 108, 97, 98, 101, 108, 19, 118, 101, 114, 121, 108, 111, 110, 103, 100, 111, 109, 97, 105, 110, 108, 97, 98, 101, 108, 19, 118, 101, 114, 121, 108, 111, 110, 103, 100, 111, 109, 97, 105, 110, 108, 97, 98, 101, 108, 19, 118, 101, 114, 121, 108, 111, 110, 103, 100, 111, 109, 97, 105, 110, 108, 97, 98, 101, 108, 19, 118, 101, 114, 121, 108, 111, 110, 103, 100, 111, 109, 97, 105, 110, 108, 97, 98, 101, 108, 19, 118, 101, 114, 121, 108, 111, 110, 103, 100, 111, 109, 97, 105, 110, 108, 97, 98, 101, 108, 19, 118, 101, 114, 121, 108, 111, 110, 103, 100, 111, 109, 97, 105, 110, 108, 97, 98, 101, 108, 19, 118, 101, 114, 121, 108, 111, 110, 103, 100, 111, 109, 97, 105, 110, 108, 97, 98, 101, 108, 19, 118, 101, 114, 121, 108, 111, 110, 103, 100, 111, 109, 97, 105, 110, 108, 97, 98, 101, 108, 19, 118, 101, 114, 121, 108, 111, 110, 103, 100, 111, 109, 97, 105, 110, 108, 97, 98, 101, 108, 0,
}
x, err := name.unpack(buf, 0)
if err != nil {
log.Fatal(err)
}
println(x)
}shows (with maybe a println in Name.unpack) that the entire name is parsed and afterwards the error is returned.
The fix is simple but checking the current length against the DNS limit of 256 bytes.
For UDP responses this is mitigated because a small buffer is used.