
Llt 7441 pnet dns crash #3

Merged: jjanowsk merged 10 commits into release/v0.35.0 from LLT-7441-pnet-dns-crash, Jun 23, 2026

Conversation

jjanowsk commented Jun 22, 2026


Add fuzz targets for all protocols that we use, and fix detected problems.
Get rid of the GRE protocol since we do not use it and it was panicking while being fuzzed.

jjanowsk added 8 commits June 19, 2026 19:21
Add cargo-fuzz targets for ipv4, ipv6, tcp, udp, icmp, icmpv6 and dns.

Convert all fuzzers to the libfuzzer_sys::fuzz_target! convention
and use std::hint::black_box so the reads aren't optimised out.

Opcode::new / Retcode::new hit unreachable!() for the 4-bit field values
they didn't map, panicking on otherwise valid DNS headers.
Modify it to match the convention used by other types.

The response/authority/additional length functions looped over query_count
instead of their own record counts, and sliced the packet unchecked. A
record whose packet_size (12 + attacker-controlled data_len) exceeded the
buffer pushed offsets past the end and panicked. Use the correct per-section
counts and only consume records that fully fit in the remaining bytes.

qname_length returned len+1 when the name had no zero terminator, so the
generated qtype/qclass accessors indexed out of bounds. Cap it to leave
room for the 4 trailing bytes.

get_qname_parsed indexed/sliced the name unchecked and unwrapped
str::from_utf8, panicking on truncated labels or non-UTF-8 bytes. Walk the
length-prefixed labels with checked access and String::from_utf8_lossy.

Fix ndp_option_payload_length's u8 overflow
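As an added illustration of the qname fixes the commit messages above describe (this is example code, not pnet's own; the names `parse_qname` and `ParsedName` are assumed), a bounds-checked walk over the length-prefixed labels of a DNS question name that refuses truncated labels, a missing zero terminator and names with no room for the 4 trailing qtype/qclass bytes, and decodes labels lossily instead of unwrapping:

```rust
// Added example, not pnet's code: checked label walk for a DNS question name.
// No unchecked slicing, no unwrap on str::from_utf8, and the consumed length
// must leave room for the 4 trailing qtype/qclass bytes.

/// Outcome of parsing a question name starting at `offset` in `buf`.
#[derive(Debug, PartialEq)]
pub struct ParsedName {
    /// Labels joined with '.', lossily decoded.
    pub name: String,
    /// Bytes consumed by the name, including the zero terminator.
    pub len: usize,
}

/// Walks labels with checked access. Returns None if a label runs past the
/// buffer, the terminator is missing, or the name leaves no room for
/// qtype/qclass. Compression pointers (0xC0 bits set) are rejected here.
pub fn parse_qname(buf: &[u8], offset: usize) -> Option<ParsedName> {
    let mut pos = offset;
    let mut labels: Vec<String> = Vec::new();
    loop {
        let len = *buf.get(pos)? as usize; // checked read of the length byte
        pos += 1;
        if len == 0 {
            break; // zero terminator: end of name
        }
        if len & 0xC0 != 0 {
            return None; // compression pointer or reserved bits: not a plain label
        }
        let label = buf.get(pos..pos + len)?; // checked slice; None if truncated
        labels.push(String::from_utf8_lossy(label).into_owned());
        pos += len;
    }
    // qtype and qclass (2 bytes each) must follow the name.
    if buf.len() < pos + 4 {
        return None;
    }
    Some(ParsedName { name: labels.join("."), len: pos - offset })
}

fn main() {
    // Constructed sample: "www.example" followed by qtype=A, qclass=IN.
    let ok = [3, b'w', b'w', b'w', 7, b'e', b'x', b'a', b'm', b'p', b'l', b'e', 0, 0, 1, 0, 1];
    println!("{:?}", parse_qname(&ok, 0));
    // Constructed truncated input: label claims 7 bytes but only 3 remain.
    let truncated = [3, b'w', b'w', b'w', 7, b'e', b'x', b'a'];
    println!("{:?}", parse_qname(&truncated, 0));
}
```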
@jjanowsk jjanowsk force-pushed the LLT-7441-pnet-dns-crash branch from 552a9da to fb2096b Compare June 22, 2026 09:20
@jjanowsk jjanowsk force-pushed the LLT-7441-pnet-dns-crash branch from fb2096b to 0ce3a91 Compare June 22, 2026 09:27
@jjanowsk jjanowsk force-pushed the LLT-7441-pnet-dns-crash branch from 0ce3a91 to 09a136b Compare June 22, 2026 09:51

@tomasz-grz tomasz-grz left a comment


What should we base the branch on? Looks like release/v0.35.0 is 40 commits behind main, which already has some fixes, like #2.

Also looks like our main is 13 commits behind upstream, is there anything worth pulling in from there?

Comment thread pnet_packet/src/gre.rs
@jjanowsk (Author)

> What should we base the branch on? Looks like release/v0.35.0 is 40 commits behind main, which already has some fixes, like #2.
>
> Also looks like our main is 13 commits behind upstream, is there anything worth pulling in from there?

I think we should base it on the latest release which we are currently using, which is v0.35.0. I've created the target branch release/v0.35.0 for this purpose. When it comes to #1 and #2, we're currently not using this repository anyway, but this PR contains fixes from those two PRs too.

@djkarwowski djkarwowski left a comment


LGTM

+1

@tomasz-grz tomasz-grz left a comment


+1

@jjanowsk jjanowsk merged commit d4a4c80 into release/v0.35.0 Jun 23, 2026
12 checks passed