On 20/12/2010 03:10, Amos Jeffries wrote:
Ah you would be needing this as well I think:

http://www.squid-cache.org/Versions/v3/3.1/changesets/squid-3.1-10063.patch
(upstream bug 3011)

Thanks, this patch indeed fixes the bug. It doesn't apply cleanly to the Debian source package, though; that's why I backported it. The attached patch should apply correctly to Debian squid3_3.1.6-1.2.

--
Etienne Dechamps / e-t172 - AKE Group
Phone: +33 6 23 42 24 82
#! /bin/sh /usr/share/dpatch/dpatch-run
------------------------------------------------------------
revno: 10722
revision-id: amosjeffr...@squid-cache.org-20100810103304-7u5h40xatdgesdgp
parent: kin...@squid-cache.org-20100810071917-acdd4oubhyocuakq
committer: Amos Jeffries <amosjeffr...@squid-cache.org>
branch nick: trunk
timestamp: Tue 2010-08-10 04:33:04 -0600
message:
  Add IPv6 wrappers around more outbound ports.
  
  This protects TCP DNS links, peer probes and CONNECT tunnels against
  IPv4/IPv6 crossover in split-stack or IPv4-only systems.
  
  Also corrects the error message output on generated forwarding errors.
------------------------------------------------------------

See Squid bug 3011 [http://bugs.squid-cache.org/show_bug.cgi?id=3011]
Backported to Debian squid3_3.1.6-1.2 by e-t172 <e-t...@akegroup.org>
See Debian bug #607379 [http://bugs.debian.org/607379]

--- a/src/dns_internal.cc       2010-12-20 09:52:48.000000000 +0100
+++ b/src/dns_internal.cc       2010-12-20 09:43:13.000000000 +0100
@@ -201,10 +201,15 @@
 
     if (A.IsAnyAddr()) {
         debugs(78, 0, "WARNING: Squid does not accept " << A << " in DNS 
server specifications.");
-        A = "127.0.0.1";
+        A.SetLocalhost();
         debugs(78, 0, "Will be using " << A << " instead, assuming you meant 
that DNS is running on the same machine");
     }
 
+    if (!Ip::EnableIpv6 && !A.SetIPv4()) {
+        debugs(78, DBG_IMPORTANT, "WARNING: IPv6 is disabled. Discarding " << 
A << " in DNS server specifications.");
+        return;
+    }
+
     if (nns == nns_alloc) {
         int oldalloc = nns_alloc;
         ns *oldptr = nameservers;
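Review bot: The new discard path `if (!Ip::EnableIpv6 && !A.SetIPv4())` depends on its ordering after `A.SetLocalhost()`. If SetLocalhost() can produce an IPv6 loopback, the wildcard substitution only survives when SetIPv4() can map that loopback back to IPv4, and the hunk does not show whether it can. A short comment above the check, e.g. `// runs after the localhost substitution: with IPv6 disabled the address must be convertible to IPv4`, would record that dependency. The `return;` also drops the server without signalling the caller, so a configuration listing only IPv6 resolvers presumably ends up with none; that is worth confirming in the enclosing function, which starts and ends outside the hunk.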
@@ -742,6 +747,12 @@
     else
         addr = Config.Addrs.udp_incoming;
 
+    if (nameservers[ns].S.IsIPv4() && !addr.SetIPv4()) {
+        debugs(31, DBG_CRITICAL, "ERROR: Cannot contact DNS nameserver " << 
nameservers[ns].S << " from " << addr);
+        addr.SetAnyAddr();
+        addr.SetIPv4();
+    }
+
     vc->queue = new MemBuf;
 
     vc->msg = new MemBuf;
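Review bot: The fallback `addr.SetAnyAddr(); addr.SetIPv4();` silently replaces the configured source address with the IPv4 wildcard, while the log line above it says only that the nameserver cannot be contacted. An operator who pinned the DNS source address, for egress filtering for example, would not learn from the log that the pin was dropped for this connection. Appending the outcome to the message, e.g. `<< "; using the IPv4 wildcard address instead"`, would make the override visible. The result of the second `addr.SetIPv4()` is ignored, which looks safe after SetAnyAddr() but deserves a one-line comment saying so. The enclosing function starts and ends outside the hunk.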
--- a/src/forward.cc    2010-08-01 16:01:37.000000000 +0200
+++ b/src/forward.cc    2010-12-20 09:17:24.000000000 +0100
@@ -870,9 +870,9 @@
 
     // if IPv6 is disabled try to force IPv4-only outgoing.
     if (!Ip::EnableIpv6 && !outgoing.SetIPv4()) {
-        debugs(50, 4, "fwdConnectStart: " << xstrerror());
+        debugs(50, 4, "fwdConnectStart: IPv6 is Disabled. Cannot connect from 
" << outgoing);
         ErrorState *anErr = errorCon(ERR_CONNECT_FAIL, 
HTTP_SERVICE_UNAVAILABLE, request);
-        anErr->xerrno = errno;
+        anErr->xerrno = EAFNOSUPPORT;
         fail(anErr);
         self = NULL;   // refcounted
         return;
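Review bot: The rewritten message in `debugs(50, 4, "fwdConnectStart: IPv6 is Disabled. ...")` stays at level 4, whereas the equivalent condition added in src/neighbors.cc is logged at DBG_IMPORTANT and the one in src/tunnel.cc at level 4 again. If the quieter level is deliberate, to stop a per-request failure from flooding cache.log, a comment such as `// level 4: per-request failure, kept out of the default log` would make the difference intentional rather than accidental. Setting `anErr->xerrno = EAFNOSUPPORT` instead of reading a stale `errno` is the right fix for the generated error page. The enclosing function starts and ends outside the hunk.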
--- a/src/neighbors.cc  2010-08-01 16:01:38.000000000 +0200
+++ b/src/neighbors.cc  2010-12-20 09:26:05.000000000 +0100
@@ -46,6 +46,7 @@
 #include "Store.h"
 #include "icmp/net_db.h"
 #include "ip/IpAddress.h"
+#include "ip/tools.h"
 
 /* count mcast group peers every 15 minutes */
 #define MCAST_COUNT_RATE 900
@@ -1387,6 +1388,20 @@
 
     IpAddress temp(getOutgoingAddr(NULL,p));
 
+    // if IPv6 is disabled try to force IPv4-only outgoing.
+    if (!Ip::EnableIpv6 && !temp.SetIPv4()) {
+        debugs(50, DBG_IMPORTANT, "WARNING: IPv6 is disabled. Failed to use " 
<< temp << " to probe " << p->host);
+        return ret;
+    }
+
+    // if IPv6 is split-stack, prefer IPv4
+    if (Ip::EnableIpv6&IPV6_SPECIAL_SPLITSTACK) {
+        // NP: This is not a great choice of default,
+        // but with the current Internet being IPv4-majority has a higher 
success rate.
+        // if setting to IPv4 fails we dont care, that just means to use IPv6 
outgoing.
+        temp.SetIPv4();
+    }
+
     fd = comm_open(SOCK_STREAM, IPPROTO_TCP, temp, COMM_NONBLOCKING, p->host);
 
     if (fd < 0)
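Review bot: The split-stack test `if (Ip::EnableIpv6&IPV6_SPECIAL_SPLITSTACK)` treats EnableIpv6 as a bit mask, while the check just above it, `!Ip::EnableIpv6`, treats it as a boolean. Writing it as `if ((Ip::EnableIpv6 & IPV6_SPECIAL_SPLITSTACK) != 0)` makes the mask test explicit and readable. The same two blocks are added again in the last hunk of src/tunnel.cc, so a small helper declared next to the other `ip/tools.h` declarations, taking the outgoing address, would keep the call sites from drifting apart. The early `return ret;` relies on a value assigned outside the hunk, so confirm it is what the caller should see when no probe was started.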
--- a/src/tunnel.cc     2010-08-01 16:01:38.000000000 +0200
+++ b/src/tunnel.cc     2010-12-20 09:42:59.000000000 +0100
@@ -46,6 +46,7 @@
 #include "client_side.h"
 #include "MemBuf.h"
 #include "http.h"
+#include "ip/tools.h"
 
 class TunnelStateData
 {
@@ -641,6 +642,24 @@
     statCounter.server.other.requests++;
     /* Create socket. */
     IpAddress temp = getOutgoingAddr(request,NULL);
+
+    // if IPv6 is disabled try to force IPv4-only outgoing.
+    if (!Ip::EnableIpv6 && !temp.SetIPv4()) {
+        debugs(50, 4, "tunnelStart: IPv6 is Disabled. Tunnel failed from " << 
temp);
+        ErrorState *anErr = errorCon(ERR_CONNECT_FAIL, 
HTTP_SERVICE_UNAVAILABLE, request);
+        anErr->xerrno = EAFNOSUPPORT;
+       errorSend(fd, anErr);
+        return;
+    }
+    
+    // if IPv6 is split-stack, prefer IPv4
+    if (Ip::EnableIpv6&IPV6_SPECIAL_SPLITSTACK) {
+        // NP: This is not a great choice of default,
+        // but with the current Internet being IPv4-majority has a higher 
success rate.
+        // if setting to IPv4 fails we dont care, that just means to use IPv6 
outgoing.
+        temp.SetIPv4();
+    }
+
     int flags = COMM_NONBLOCKING;
     if (request->flags.spoof_client_ip) {
         flags |= COMM_TRANSPARENT;
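Review bot: The new early return sits after `statCounter.server.other.requests++`, so a CONNECT that fails before any socket is opened is still counted as a server request. Moving the address check above the counter updates, which begin outside the hunk, would keep the statistics accurate. The `errorSend(fd, anErr);` line is indented one column short of its neighbours, and the blank line after the closing brace of that block carries trailing whitespace. As in src/forward.cc, the failure is logged only at level 4, so it will not appear at default verbosity even though the client receives a 503.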
