Patrick Williams | 03907ee | 2022-05-01 06:28:52 -0500 | [diff] [blame^] | 1 | From 812b407e545b70b16cf32aade135b5c32eaf674f Mon Sep 17 00:00:00 2001 |
| 2 | From: Ariadne Conill <ariadne@dereferenced.org> |
| 3 | Date: Sun, 3 Apr 2022 12:16:45 +0000 |
| 4 | Subject: [PATCH 2/2] nslookup: sanitize all printed strings with |
| 5 | printable_string |
| 6 | |
| 7 | Otherwise, terminal sequences can be injected, which enables various terminal injection |
| 8 | attacks from DNS results. |
| 9 | |
| 10 | CVE: CVE-2022-28391 |
| 11 | Upstream-Status: Pending |
| 12 | Signed-off-by: Ariadne Conill <ariadne@dereferenced.org> |
| 13 | Signed-off-by: Steve Sakoman <steve@sakoman.com> |
| 14 | --- |
| 15 | networking/nslookup.c | 10 +++++----- |
| 16 | 1 file changed, 5 insertions(+), 5 deletions(-) |
| 17 | |
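diff --git a/networking/nslookup.c b/networking/nslookup.c
index 6da97baf4..4bdcde1b8 100644
--- a/networking/nslookup.c
+++ b/networking/nslookup.c
@@ -407,7 +407,7 @@ static NOINLINE int parse_reply(const unsigned char *msg, size_t len)
 //printf("Unable to uncompress domain: %s\n", strerror(errno));
 return -1;
 }
- printf(format, ns_rr_name(rr), dname);
+ printf(format, ns_rr_name(rr), printable_string(dname));
 break;
 
 case ns_t_mx:
@@ -422,7 +422,7 @@ static NOINLINE int parse_reply(const unsigned char *msg, size_t len)
 //printf("Cannot uncompress MX domain: %s\n", strerror(errno));
 return -1;
 }
- printf("%s\tmail exchanger = %d %s\n", ns_rr_name(rr), n, dname);
+ printf("%s\tmail exchanger = %d %s\n", ns_rr_name(rr), n, printable_string(dname));
 break;
 
 case ns_t_txt:
@@ -434,7 +434,7 @@ static NOINLINE int parse_reply(const unsigned char *msg, size_t len)
 if (n > 0) {
 memset(dname, 0, sizeof(dname));
 memcpy(dname, ns_rr_rdata(rr) + 1, n);
- printf("%s\ttext = \"%s\"\n", ns_rr_name(rr), dname);
+ printf("%s\ttext = \"%s\"\n", ns_rr_name(rr), printable_string(dname));
 }
 break;
 
@@ -454,7 +454,7 @@ static NOINLINE int parse_reply(const unsigned char *msg, size_t len)
 }
 
 printf("%s\tservice = %u %u %u %s\n", ns_rr_name(rr),
- ns_get16(cp), ns_get16(cp + 2), ns_get16(cp + 4), dname);
+ ns_get16(cp), ns_get16(cp + 2), ns_get16(cp + 4), printable_string(dname));
 break;
 
 case ns_t_soa:
@@ -483,7 +483,7 @@ static NOINLINE int parse_reply(const unsigned char *msg, size_t len)
 return -1;
 }
 
- printf("\tmail addr = %s\n", printable_string(dname));
+ printf("\tmail addr = %s\n", printable_string(dname));
 cp += n;
 
 printf("\tserial = %lu\n", ns_get32(cp));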
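Review bot: `ns_rr_name(rr)` is still passed to `printf` unsanitized in four of the changed calls (the `format`, MX, TXT and SRV lines), although the owner name is taken from the same DNS reply as `dname` and the subject promises that all printed strings are sanitized. Whether the name expansion used by this build already escapes control bytes is not visible here; if it does not, that argument remains a path for terminal sequences, and wrapping it too, e.g. `printf(format, printable_string(ns_rr_name(rr)), printable_string(dname));`, would close it. Before doing so, confirm that `printable_string` can hand back two results that are both live within one call rather than a single shared buffer. `parse_reply` begins and ends outside these hunks, so any other `printf` of reply-derived strings in it is not covered by this note.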
| 67 | -- |
| 68 | 2.35.1 |
| 69 | |