1 /***************************************************************************
2 * _ _ ____ _
3 * Project ___| | | | _ \| |
4 * / __| | | | |_) | |
5 * | (__| |_| | _ <| |___
6 * \___|\___/|_| \_\_____|
7 *
8 * Copyright (C) 2019, Daniel Stenberg, <daniel@haxx.se>, et al.
9 *
10 * This software is licensed as described in the file COPYING, which
11 * you should have received as part of this distribution. The terms
12 * are also available at https://curl.haxx.se/docs/copyright.html.
13 *
14 * You may opt to use, copy, modify, merge, publish, distribute and/or sell
15 * copies of the Software, and permit persons to whom the Software is
16 * furnished to do so, under the terms of the COPYING file.
17 *
18 * This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY
19 * KIND, either express or implied.
20 *
21 ***************************************************************************/
22 #include "curlcheck.h"
23
24 #include "doh.h" /* from the lib dir */
25
unit_setup(void)26 static CURLcode unit_setup(void)
27 {
28 /* whatever you want done first */
29 return CURLE_OK;
30 }
31
unit_stop(void)32 static void unit_stop(void)
33 {
34 /* done before shutting down and exiting */
35 }
36
37 #ifndef CURL_DISABLE_DOH
38
39 UNITTEST_START
40
41 /*
42 * Prove detection of write overflow using a short buffer and a name
43 * of maximal valid length.
44 *
45 * Prove detection of other invalid input.
46 */
47 do {
48 const char *max =
49 /* ..|....1.........2.........3.........4.........5.........6... */
50 /* 3456789012345678901234567890123456789012345678901234567890123 */
51 "this.is.a.maximum-length.hostname." /* 34: 34 */
52 "with-no-label-of-greater-length-than-the-sixty-three-characters."
53 /* 64: 98 */
54 "specified.in.the.RFCs." /* 22: 120 */
55 "and.with.a.QNAME.encoding.whose.length.is.exactly." /* 50: 170 */
56 "the.maximum.length.allowed." /* 27: 197 */
57 "that.is.two-hundred.and.fifty-six." /* 34: 231 */
58 "including.the.last.null." /* 24: 255 */
59 "";
60 const char *toolong =
61 /* ..|....1.........2.........3.........4.........5.........6... */
62 /* 3456789012345678901234567890123456789012345678901234567890123 */
63 "here.is.a.hostname.which.is.just.barely.too.long." /* 49: 49 */
64 "to.be.encoded.as.a.QNAME.of.the.maximum.allowed.length."
65 /* 55: 104 */
66 "which.is.256.including.a.final.zero-length.label." /* 49: 153 */
67 "representing.the.root.node.so.that.a.name.with." /* 47: 200 */
68 "a.trailing.dot.may.have.up.to." /* 30: 230 */
69 "255.characters.never.more." /* 26: 256 */
70 "";
71 const char *emptylabel =
72 "this.is.an.otherwise-valid.hostname."
73 ".with.an.empty.label.";
74 const char *outsizelabel =
75 "this.is.an.otherwise-valid.hostname."
76 "with-a-label-of-greater-length-than-the-sixty-three-characters-"
77 "specified.in.the.RFCs.";
78
79 struct test {
80 const char *name;
81 const DOHcode expected_result;
82 };
83
84 /* plays the role of struct dnsprobe in urldata.h */
85 struct demo {
86 unsigned char dohbuffer[255 + 16]; /* deliberately short buffer */
87 unsigned char canary1;
88 unsigned char canary2;
89 unsigned char canary3;
90 };
91
92 const struct test playlist[4] = {
93 { toolong, DOH_DNS_NAME_TOO_LONG }, /* expect early failure */
94 { emptylabel, DOH_DNS_BAD_LABEL }, /* also */
95 { outsizelabel, DOH_DNS_BAD_LABEL }, /* also */
96 { max, DOH_OK } /* expect buffer overwrite */
97 };
98
99 for(int i = 0; i < (int)(sizeof(playlist)/sizeof(*playlist)); i++) {
100 const char *name = playlist[i].name;
101 size_t olen = 100000;
102 struct demo victim;
103 DOHcode d;
104
105 victim.canary1 = 87; /* magic numbers, arbritrarily picked */
106 victim.canary2 = 35;
107 victim.canary3 = 41;
108 d = doh_encode(name, DNS_TYPE_A, victim.dohbuffer,
109 sizeof(struct demo), /* allow room for overflow */
110 &olen);
111
112 fail_unless(d == playlist[i].expected_result,
113 "result returned was not as expected");
114 if(d == playlist[i].expected_result) {
115 if(name == max) {
116 fail_if(victim.canary1 == 87,
117 "demo one-byte buffer overwrite did not happen");
118 }
119 else {
120 fail_unless(victim.canary1 == 87,
121 "one-byte buffer overwrite has happened");
122 }
123 fail_unless(victim.canary2 == 35,
124 "two-byte buffer overwrite has happened");
125 fail_unless(victim.canary3 == 41,
126 "three-byte buffer overwrite has happened");
127 }
128 else {
129 if(d == DOH_OK) {
130 fail_unless(olen <= sizeof(victim.dohbuffer), "wrote outside bounds");
131 fail_unless(olen > strlen(name), "unrealistic low size");
132 }
133 }
134 }
135 } while(0);
136
137 /* run normal cases and try to trigger buffer length related errors */
138 do {
139 DNStype dnstype = DNS_TYPE_A;
140 unsigned char buffer[128];
141 const size_t buflen = sizeof(buffer);
142 const size_t magic1 = 9765;
143 size_t olen1 = magic1;
144 const char *sunshine1 = "a.com";
145 const char *dotshine1 = "a.com.";
146 const char *sunshine2 = "aa.com";
147 size_t olen2;
148 DOHcode ret2;
149 size_t olen;
150
151 DOHcode ret = doh_encode(sunshine1, dnstype, buffer, buflen, &olen1);
152 fail_unless(ret == DOH_OK, "sunshine case 1 should pass fine");
153 fail_if(olen1 == magic1, "olen has not been assigned properly");
154 fail_unless(olen1 > strlen(sunshine1), "bad out length");
155
156 /* with a trailing dot, the response should have the same length */
157 olen2 = magic1;
158 ret2 = doh_encode(dotshine1, dnstype, buffer, buflen, &olen2);
159 fail_unless(ret2 == DOH_OK, "dotshine case should pass fine");
160 fail_if(olen2 == magic1, "olen has not been assigned properly");
161 fail_unless(olen1 == olen2, "olen should not grow for a trailing dot");
162
163 /* add one letter, the response should be one longer */
164 olen2 = magic1;
165 ret2 = doh_encode(sunshine2, dnstype, buffer, buflen, &olen2);
166 fail_unless(ret2 == DOH_OK, "sunshine case 2 should pass fine");
167 fail_if(olen2 == magic1, "olen has not been assigned properly");
168 fail_unless(olen1 + 1 == olen2, "olen should grow with the hostname");
169
170 /* pass a short buffer, should fail */
171 ret = doh_encode(sunshine1, dnstype, buffer, olen1 - 1, &olen);
172 fail_if(ret == DOH_OK, "short buffer should have been noticed");
173
174 /* pass a minimum buffer, should succeed */
175 ret = doh_encode(sunshine1, dnstype, buffer, olen1, &olen);
176 fail_unless(ret == DOH_OK, "minimal length buffer should be long enough");
177 fail_unless(olen == olen1, "bad buffer length");
178 } while(0);
179 UNITTEST_STOP
180
181 #else /* CURL_DISABLE_DOH */
182
183 UNITTEST_START
184 {
185 return 1; /* nothing to do, just fail */
186 }
187 UNITTEST_STOP
188
189 #endif
190