Hi,

On Thu, Dec 20, 2018 at 03:42:40PM +0100, Leonhard Wimmer wrote:
> Hello,
>
> We are running HAProxy in our Docker (18.09.0) swarm and we are relying on
> the Docker embedded DNS server for service discovery.
>
> The backend servers are configured to resolve the IP addresses via a
> "resolvers" config entry pointing to the Docker embedded DNS running on
> "127.0.0.11".
>
> Up to HAProxy 1.8.14 this worked like a charm, but it stopped working with
> version 1.8.15. Also the newly released version 1.9.0 is affected by this
> problem.
>
> I've looked through the changes between 1.8.14 and 1.8.15 and I could narrow
> it down to commit 2e53fe8:
> "BUG: dns: Prevent out-of-bounds read in dns_validate_dns_response()".
> If I revert this commit on haproxy-1.8 it works perfectly, just as before.
>
> DNS resolution does not seem to be generally broken though. If I use a regular
> (non-docker-internal) hostname, it can be resolved normally, even using the
> Docker embedded DNS server.
>
> I'm not yet sure if it is the Docker DNS server returning an invalid result
> or HAProxy having a problem with the validation.
>
> I'm happy to help with debugging. I can provide packet captures of the DNS
> resolution and a sample config to reproduce the problem if you are interested.
>
This is indeed a regression in HAProxy. Thanks for reporting it. The attached patch should fix it.

CC'ing Remi as the original author, and Baptiste, as DNS maintainer.

Jérôme
>From 7868e9bfdc26c2a9e777470eae9d098b75b9070b Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?J=C3=A9r=C3=B4me=20Magnin?= <[email protected]> Date: Thu, 20 Dec 2018 16:47:31 +0100 Subject: [PATCH] BUG/MEDIUM: Don't prevent reading the last byte of the payload in dns_validate_response() A regression was introduced with efbbdf72 BUG: dns: Prevent out-of-bounds read in dns_validate_dns_response() as it prevented from taking into account the last byte of the payload. this patch aims at fixing it. this must be backported in 1.8. --- src/dns.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/dns.c b/src/dns.c index c1396f52..78d8f52f 100644 --- a/src/dns.c +++ b/src/dns.c @@ -810,7 +810,7 @@ static int dns_validate_dns_response(unsigned char *resp, unsigned char *bufend, /* Move forward 2 bytes for data len */ reader += 2; - if (reader + dns_answer_record->data_len >= bufend) { + if (reader + dns_answer_record->data_len > bufend) { pool_free(dns_answer_item_pool, dns_answer_record); return DNS_RESP_INVALID; } -- 2.20.1
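Review bot: the relaxed check `if (reader + dns_answer_record->data_len > bufend)` is correct only under the convention that `bufend` points one past the last valid byte of the payload; with that convention `reader + data_len == bufend` is a record whose data ends exactly at the end of the buffer and must be accepted, which the previous `>=` wrongly rejected (hence the regression the reporter saw). Please state that convention in the commit message, since it is the whole justification for the change. A second point on the same line: the expression still forms the pointer `reader + data_len` before comparing it, and `data_len` is a length taken from the wire, so a large value produces a pointer beyond the buffer before the check rejects it; comparing the remaining length instead, e.g. `if (bufend - reader < dns_answer_record->data_len)`, never forms an out-of-bounds pointer and rejects the same inputs. Minor: the subject line names `dns_validate_response()` while the function in the hunk header is `dns_validate_dns_response()`, and the reporter identified the regression as commit 2e53fe8 on haproxy-1.8 whereas the message cites efbbdf72; naming both ids would help whoever does the 1.8 backport.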

