Use dns.decStr in dns-zone-transfer.nse instead of a custom DNS decoder. This

avoids an infinite recursion bug present in the old decoder. I raised the number of compression pointers that dns.decStr will follow from 1 to 3 because I found a server that sent 2.
2026-01-04 13:49:03 +00:00 · 2009-02-10 00:53:26 +00:00
parent b83d8141bf
commit 2d018963ca
2 changed files with 11 additions and 41 deletions
--- a/nselib/dns.lua
+++ b/nselib/dns.lua
@@ -479,14 +479,14 @@ end
 -- @param pos Starting position in packet.
 -- @return Position after decoding.
 -- @return Decoded domain, or <code>nil</code> on error.
-local function decStr(data, pos)
+function decStr(data, pos)
   local function dec(data, pos, limit)
      local partlen
      local parts = {}
      local part

      -- Avoid infinite recursion on malformed compressed messages.
-      limit = limit or 1
+      limit = limit or 3
      if limit < 0 then
         return pos, nil
      end
--- a/scripts/dns-zone-transfer.nse
+++ b/scripts/dns-zone-transfer.nse
@@ -54,6 +54,7 @@ require('stdnse')
 require('listop')
 require('bit')
 require('tab')
+require('dns')

 author = 'Eddie Bell <ejlbell@gmail.com>'
 license = 'Same as Nmap--See http://nmap.org/book/man-legal.html'
@@ -122,38 +123,7 @@ end
 --@param data String of data.
 --@param offset Offset in the string to read the domain name.
 function parse_domain(data, offset)
-	local i, x, record, line, ptr
-
-	record = strbuf.new()
-	x = string.byte(data, offset)
-	ptr = bto16(data, offset)
-
-	while not(x == 0) do 
-		-- if the first two bits are '11' then the next 14 
-		-- point to another location in the packet
-		if(bit.band(ptr, 49152) == 49152) then
- 			ptr, line = parse_domain(data, bit.band(ptr, 16383) + 3)
-			record = record .. line
-			offset = offset + 1
-			break
-		end
-
-		-- RFC 1035 format name
-		for i=0, x-1 do
-			offset = offset + 1
-			record = record .. string.char(string.byte(data, offset))
-		end
-
-		offset = offset + 1
-
-		-- replace length byte with a period
-		record = record .. '.'
-		
-		x = string.byte(data, offset)
-		ptr = bto16(data, offset)
-	end
-
-	return offset+1, strbuf.dump(record)
+	return dns.decStr(data, offset)
 end 

 --- Build RFC 1035 root domain name from the name of the DNS server
@@ -286,8 +256,8 @@ function responses_iter(data)
 		assert(remaining >= 14 + 2)
 		length = bto16(data, offset)
 		assert(length <= remaining)
-		-- + 2 for the length field.
-		length = length + 2
+		-- Skip over the length field.
+		offset = offset + 2
 		response = string.sub(data, offset, offset + length - 1)
 		offset = offset + length
 		return response
@@ -300,13 +270,13 @@ function dump_zone_info(table, data)
 	
 	offset = 1
 	-- number of available records
-	questions = bto16(data, offset+6)
-	answers = bto16(data, offset+8)
-	auth_answers = bto16(data, offset+10)
-	add_answers = bto16(data, offset+12)
+	questions = bto16(data, offset+4)
+	answers = bto16(data, offset+6)
+	auth_answers = bto16(data, offset+8)
+	add_answers = bto16(data, offset+10)

 	-- move to beginning of first section
-	offset = offset + 14
+	offset = offset + 12

 	if questions > 1 then
 		return 'More then 1 question record, something has gone wrong'