miekg / dns

DNS library in Go
https://miek.nl/2014/august/16/go-dns-package
BSD 3-Clause "New" or "Revised" License
8.04k stars 1.14k forks

dns: overflow unpacking uint16 #1524

Closed ArisAachen closed 9 months ago

ArisAachen commented 10 months ago

[screenshot attachment: WeCom screenshot 55c0bd5d-512a-4c1f-8504-881f0ec0b950]

Wireshark shows the UDP buffer size is 513. I use this project to send an mDNS request, but get an error when trying to get the response.

import (
    "net"
    "strings"

    "github.com/miekg/dns"
    // common and logx are the reporter's own packages; their import paths are not given in the issue.
)

// queryAirPlay queries the AirPlay service on addr and classifies the device from the result
func queryAirPlay(addr net.IP) common.TypeDevice {
    // create query message
    req := dns.Msg{}
    serviceType := "_airplay._tcp.local."
    // set question header as request for hostname
    req.Question = append(req.Question, dns.Question{
        Name:  serviceType,
        Qtype: dns.TypePTR,
        // set the QU bit (top bit of QCLASS) to request a unicast response, RFC 6762
        Qclass: dns.ClassINET | uint16(1)<<15,
    })
    // print query info
    logx.D("[scan] send query airplay service, addr: %v, serv: %v", addr, serviceType)
    // send query to target (JoinHostPort also brackets IPv6 addresses correctly)
    rsp, err := dns.Exchange(&req, net.JoinHostPort(addr.String(), "5353"))
    if err != nil {
        logx.W("[scan] query airplay failed, addr: %v, err: %v", addr.String(), err)
        return common.TypeUnknown
    }
    logx.D("[scan] recv query airplay response, addr: %v, answer: %v", addr, rsp.Answer)
    // check whether any answer includes a hostname
    for _, answer := range rsp.Answer {
        // 144.31.168.192.in-addr.arpa. 10  IN  PTR Huawei-Mate-40-Pro.local.
        msgSl := strings.Fields(answer.String())
        // check length
        if len(msgSl) < 5 {
            continue
        }
        // (the rest of the loop body is not included in the issue)
    }
    return common.TypeUnknown
}
ArisAachen commented 10 months ago

Here is the mDNS response, captured by Wireshark:

Frame 77: 647 bytes on wire (5176 bits), 647 bytes captured (5176 bits)
Ethernet II, Src: Apple_5b:5a:9c (b8:e6:0c:5b:5a:9c), Dst: ZhejiangEver_2f:c3:27 (c0:4a:09:2f:c3:27)
Internet Protocol Version 4, Src: 192.168.121.199, Dst: 192.168.121.1
User Datagram Protocol, Src Port: 5353, Dst Port: 58984
Multicast Domain Name System (response)
    Transaction ID: 0x0000
    Flags: 0x8400 Standard query response, No error
    Questions: 1
    Answer RRs: 1
    Authority RRs: 0
    Additional RRs: 5
    Queries
    Answers
    Additional records
        LeiGod的MacBook Pro._airplay._tcp.local: type SRV, class IN, priority 0, weight 0, port 7000, target LeiGoddeMacBook-Pro.local
            Instance: LeiGod的MacBook Pro
            Service: _airplay
            Protocol: _tcp
            Name: local
            Type: SRV (33) (Server Selection)
            .000 0000 0000 0001 = Class: IN (0x0001)
            0... .... .... .... = Cache flush: False
            Time to live: 10 (10 seconds)
            Data length: 28
            Priority: 0
            Weight: 0
            Port: 7000
            Target: LeiGoddeMacBook-Pro.local
        LeiGod的MacBook Pro._airplay._tcp.local: type TXT, class IN
            Name: LeiGod的MacBook Pro._airplay._tcp.local
            Type: TXT (16) (Text strings)
            .000 0000 0000 0001 = Class: IN (0x0001)
            0... .... .... .... = Cache flush: False
            Time to live: 10 (10 seconds)
            Data length: 350
            TXT Length: 5
            TXT: acl=0
            TXT Length: 26
            TXT: deviceid=B8:E6:0C:5B:5A:9C
            TXT Length: 16
            TXT: fex=1c9/St5PFbgG
            TXT Length: 30
            TXT: features=0x4A7FCFD5,0xB8154FDE
            TXT Length: 11
            TXT: flags=0x204
            TXT Length: 40
            TXT: gid=8E348CD8-2928-4B49-9743-B0293B7E0D67
            TXT Length: 5
            TXT: igl=0
            TXT Length: 6
            TXT: gcgl=0
            TXT Length: 20
            TXT: model=MacBookPro18,1
            TXT Length: 4
            TXT: at=4
            TXT Length: 13
            TXT: protovers=1.1
            TXT Length: 39
            TXT: pi=80e94178-d837-4227-8de6-0e918dd0a931
            TXT Length: 40
            TXT: psi=7830194B-3C44-4124-A8FA-23D611162DCD
            TXT Length: 67
            TXT: pk=914348c94ca942851d028142b7b81c1411688849022c9e7906a35fa35033f3c2
            TXT Length: 13
            TXT: srcvers=605.1
        LeiGod的MacBook Pro._device-info._tcp.local: type TXT, class IN
            Name: LeiGod的MacBook Pro._device-info._tcp.local
            Type: TXT (16) (Text strings)
            .000 0000 0000 0001 = Class: IN (0x0001)
            0... .... .... .... = Cache flush: False
            Time to live: 10 (10 seconds)
            Data length: 41
            TXT Length: 20
            TXT: model=MacBookPro18,1
            TXT Length: 10
            TXT: osxvers=21
            TXT Length: 8
            TXT: icolor=1
        LeiGoddeMacBook-Pro.local: type AAAA, class IN, addr fe80::18bd:aa26:620:8e11
            Name: LeiGoddeMacBook-Pro.local
            Type: AAAA (28) (IP6 Address)
            .000 0000 0000 0001 = Class: IN (0x0001)
            0... .... .... .... = Cache flush: False
            Time to live: 10 (10 seconds)
            Data length: 16
            AAAA Address: fe80::18bd:aa26:620:8e11
        LeiGoddeMacBook-Pro.local: type A, class IN, addr 192.168.121.199
            Name: LeiGoddeMacBook-Pro.local
            Type: A (1) (Host Address)
            .000 0000 0000 0001 = Class: IN (0x0001)
            0... .... .... .... = Cache flush: False
            Time to live: 10 (10 seconds)
            Data length: 4
            Address: 192.168.121.199
    [Request In: 47]
    [Time: 0.044878000 seconds]
miekg commented 10 months ago

Your receiving buffer is too small

On Tue, 26 Dec 2023, 11:05 Aris wrote: [the capture above, quoted in full]
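The capture above is a 647-byte frame; after the 14-byte Ethernet, 20-byte IPv4 and 8-byte UDP headers that leaves a 605-byte DNS payload, well over the 512 bytes a classic DNS-over-UDP client reads into, which is what "your receiving buffer is too small" means. On Linux a datagram read into a buffer smaller than the datagram returns only the buffer's worth of bytes and silently discards the rest, so the unpacker then runs off the end of the message partway through a record. The Go program below is an added example, not code from the thread or from miekg/dns: it packs a constructed mDNS-style reply (made-up instance name and TXT strings, shaped like the capture's PTR answer plus TXT additional) that is larger than 512 bytes, models the read into a too-small buffer, and walks the wire format with the same kind of bounds check that produces the library's "dns: overflow unpacking ..." errors. Which field the error names depends on where the 512-byte cut lands: here it falls inside the TXT rdata; the reporter's error names a uint16, so there it fell inside a 2-byte field.

```go
package main

import (
	"encoding/binary"
	"fmt"
	"strings"
)

// packName emits an uncompressed wire-format name: length-prefixed labels, then the root label.
func packName(b []byte, name string) []byte {
	for _, label := range strings.Split(strings.TrimSuffix(name, "."), ".") {
		b = append(append(b, byte(len(label))), label...)
	}
	return append(b, 0)
}

// packRR emits NAME, TYPE, CLASS IN, TTL 10, RDLENGTH, RDATA.
func packRR(b []byte, name string, rrtype uint16, rdata []byte) []byte {
	b = binary.BigEndian.AppendUint16(packName(b, name), rrtype)
	b = append(binary.BigEndian.AppendUint16(b, 1), 0, 0, 0, 10)
	return append(binary.BigEndian.AppendUint16(b, uint16(len(rdata))), rdata...)
}

// buildResponse packs a capture-shaped reply (one PTR answer, one TXT additional) whose TXT
// rdata alone exceeds 512 bytes. The names and TXT strings are constructed for this example.
func buildResponse() []byte {
	const inst = "Example-Device._airplay._tcp.local."
	b := []byte{0, 0, 0x84, 0, 0, 0, 0, 1, 0, 0, 0, 1} // ID 0, flags QR|AA, QD 0, AN 1, NS 0, AR 1
	b = packRR(b, "_airplay._tcp.local.", 12, packName(nil, inst)) // PTR answer
	var txt []byte
	for i := 0; i < 40; i++ { // 40 character-strings of 14 bytes: 560 bytes of rdata
		s := fmt.Sprintf("key%02d=value%02d", i, i)
		txt = append(append(txt, byte(len(s))), s...)
	}
	return packRR(b, inst, 16, txt) // TXT additional
}

// receive models a UDP read into bufSize bytes: the kernel hands back at most that much of
// the datagram and silently drops the rest (a client without EDNS0 reads into 512).
func receive(datagram []byte, bufSize int) []byte {
	if len(datagram) > bufSize {
		return datagram[:bufSize]
	}
	return datagram
}

// need advances off by n bytes or fails like the library's unpack helpers ("uint16" is the 2-byte case).
func need(msg []byte, off, n int, what string) (int, error) {
	if off+n > len(msg) {
		return len(msg), fmt.Errorf("dns: overflow unpacking %s", what)
	}
	return off + n, nil
}

// skipName walks a name's labels, or the compression pointer that ends it, to its end.
func skipName(msg []byte, off int) (int, error) {
	for off < len(msg) {
		l := int(msg[off])
		off++
		if l == 0 {
			return off, nil
		}
		if l&0xC0 == 0xC0 { // pointer: one more byte, then the name ends
			return need(msg, off, 1, "domain name")
		}
		off += l
	}
	return len(msg), fmt.Errorf("dns: overflow unpacking domain name")
}

// parseRRs walks a response and returns its resource record count, or the first overflow
// hit when the buffer ends before the message does.
func parseRRs(msg []byte) (int, error) {
	if len(msg) < 12 { // ID, flags, QDCOUNT, ANCOUNT, NSCOUNT, ARCOUNT
		return 0, fmt.Errorf("dns: overflow unpacking uint16")
	}
	u16 := func(off int) int { return int(binary.BigEndian.Uint16(msg[off:])) }
	nq, nrr := u16(4), u16(6)+u16(8)+u16(10)
	off, err := 12, error(nil)
	for i := 0; i < nq+nrr; i++ {
		if off, err = skipName(msg, off); err == nil { // (Q)NAME, then (Q)TYPE and (Q)CLASS
			off, err = need(msg, off, 4, "uint16")
		}
		if err == nil && i >= nq { // only RRs carry TTL, RDLENGTH and RDATA
			if off, err = need(msg, off, 6, "TTL/RDLENGTH"); err == nil {
				off, err = need(msg, off, u16(off-2), "rdata")
			}
		}
		if err != nil {
			return 0, err
		}
	}
	return nrr, nil
}

func main() {
	for _, size := range []int{512, 9000} { // no-EDNS0 default, then a buffer ample for mDNS
		n, err := parseRRs(receive(buildResponse(), size))
		fmt.Printf("buffer %4d: rrs=%d err=%v\n", size, n, err)
	}
}
```

Read into 512 bytes, the 685-byte constructed reply loses its tail and parseRRs fails with an overflow; read into 9000 bytes it yields both records. In miekg/dns terms, as I read its client code (this is not stated in the thread): the package-level dns.Exchange builds a Client with no UDPSize, and the message above carries no EDNS0 OPT record, so the reply is read into a 512-byte buffer; constructing a dns.Client with UDPSize set and calling its Exchange, or adding an OPT record to the query with req.SetEdns0, raises the receive size. mDNS replies routinely exceed 512 bytes because a service advertisement bundles SRV, TXT, A and AAAA records into the additional section, exactly as the capture shows.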