The transaction ID wasn't verified on received DNS responses, plus the
ID needs to be difficult to predict in order to avoid MitM (man in the
middle) being able to easily forge responses.
The ID is generated from the time of the request, probably not strongly
unpredictable, this what musl does and it is considered to be enough.
Signed-off-by: Jules Maselbas <jmaselbas@xxxxxxxxx>
---
v2: fix the dns_req_id type to uint16_t, added pr_debug when incorrect id
is received, drop uses of the random32.
net/dns.c | 12 +++++++++++-
1 file changed, 11 insertions(+), 1 deletion(-)
diff --git a/net/dns.c b/net/dns.c
index 78588b96f..8b5e8d59e 100644
--- a/net/dns.c
+++ b/net/dns.c
@@ -58,6 +58,7 @@ struct header {
static struct net_connection *dns_con;
static uint64_t dns_timer_start;
+static uint16_t dns_req_id;
static int dns_state;
static IPaddr_t dns_ip;
@@ -70,9 +71,12 @@ static int dns_send(const char *name)
unsigned char *p, *s, *fullname, *dotptr;
const unsigned char *domain;
+ /* generate "difficult" to predict transaction id */
+ dns_req_id = dns_timer_start + (dns_timer_start >> 16);
+
/* Prepare DNS packet header */
header = (struct header *)packet;
- header->tid = 1;
+ header->tid = htons(dns_req_id);
header->flags = htons(0x100); /* standard query */
header->nqueries = htons(1); /* Just one query */
header->nanswers = 0;
@@ -127,6 +131,12 @@ static void dns_recv(struct header *header, unsigned len)
pr_debug("%s\n", __func__);
+ /* Only accept responses with the expected request id */
+ if (ntohs(header->tid) != dns_req_id) {
+ pr_debug("DNS response with incorrect id\n");
+ return;
+ }
+
/* We sent 1 query. We want to see more that 1 answer. */
if (ntohs(header->nqueries) != 1)
return;
--
2.17.1
_______________________________________________
barebox mailing list
barebox@xxxxxxxxxxxxxxxxxxx
http://lists.infradead.org/mailman/listinfo/barebox
