network: Restrict the valid charset of DNR names

Not all possible DNS names will survive serialization. Restrict the set
of valid DNS names to LDH-encoded names.

Fixes: 25c33e3500 (network: parse RFC9463 DHCPv4 DNR option, 2024-01-16)
Fixes: a07e83cc58 (network: Parse RFC9463 DHCPv6 DNR option, 2024-01-17)
Fixes: 0c90d1d2f2 (ndisc: Parse RFC9463 encrypted DNS (DNR) option, 2024-01-19)
Ronan Pigott
2024-10-28 21:26:51 -07:00
parent f54f473b36
commit b31b99d76f
3 changed files with 16 additions and 0 deletions


@@ -1358,6 +1358,11 @@ static int ndisc_option_parse_encrypted_dns(Set **options, size_t offset, size_t
r = ndisc_get_dns_name(opt + off, ilen, &res.auth_name);
if (r < 0)
return r;
r = dns_name_is_valid_ldh(res.auth_name);
if (r < 0)
return r;
if (!r)
return -EBADMSG;
if (dns_name_is_root(res.auth_name))
return -EBADMSG;
off += ilen;
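Review bot: The added `dns_name_is_valid_ldh(res.auth_name)` check has no comment saying why a name that already parsed successfully is then rejected. The reason given in the commit message, that non-LDH names do not survive serialization, cannot be seen from the parser itself. The authentication domain name here is taken from a received option, so the next reader should be able to tell that this is an input-validation boundary and not a redundant check. I would add above the call something like `/* auth_name is later serialized; only LDH names round-trip, so reject anything else from the wire. */`. The same five lines are added without a comment in lease_parse_dnr and dhcp6_lease_add_dnr. The enclosing function starts and ends outside this hunk.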


@@ -628,6 +628,11 @@ static int lease_parse_dnr(const uint8_t *option, size_t len, sd_dns_resolver **
r = lease_parse_dns_name(option + offset, ilen, &res.auth_name);
if (r < 0)
return r;
r = dns_name_is_valid_ldh(res.auth_name);
if (r < 0)
return r;
if (!r)
return -EBADMSG;
if (dns_name_is_root(res.auth_name))
return -EBADMSG;
offset += ilen;


@@ -8,6 +8,7 @@
#include "alloc-util.h"
#include "dhcp6-internal.h"
#include "dhcp6-lease-internal.h"
#include "dns-domain.h"
#include "network-common.h"
#include "sort-util.h"
#include "strv.h"
@@ -465,6 +466,11 @@ static int dhcp6_lease_add_dnr(sd_dhcp6_lease *lease, const uint8_t *optval, siz
r = dhcp6_option_parse_domainname(optval + offset, ilen, &res.auth_name);
if (r < 0)
return r;
r = dns_name_is_valid_ldh(res.auth_name);
if (r < 0)
return r;
if (!r)
return -EBADMSG;
offset += ilen;
/* RFC9463 § 3.1.6: adn only mode */
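Review bot: In dhcp6_lease_add_dnr the new LDH check is followed directly by `offset += ilen;`, whereas in the ndisc and DHCPv4 hunks it is followed by a `dns_name_is_root(res.auth_name)` rejection. Whether a root or empty authentication domain name is refused on the DHCPv6 path therefore depends on `dhcp6_option_parse_domainname()`, which is not shown here. If that helper does not already reject it, add `if (dns_name_is_root(res.auth_name)) return -EBADMSG;` after the LDH check. If it does, a short comment such as `/* root name already rejected by dhcp6_option_parse_domainname() */` would keep the three parsers visibly consistent. The function body begins before and continues past this hunk.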