Project

General

Profile

Actions
Copy link

Security #8584

closed
JI

dns/mdns: forward compression pointers accepted

Security #8584: dns/mdns: forward compression pointers accepted

Added by Jason Ish 17 days ago. Updated 5 days ago.

Status:
Rejected
Priority:
Normal
Assignee:
-
Target version:
-
Affected Versions:
Label:
CVE:
Git IDs:
Severity:
Disclosure Date:
05/19/2026
GHSA:

Description

  1. Summary

The DNS name parser accepts forward compression pointers. RFC 1035 section 4.1.4 requires compression pointers to point backwards to a previous occurrence. Suricata only validates the upper bound and detects immediate self-reference, but does not validate that the pointer offset is before the current position.

  1. Affected Code

File: `rust/src/dns/parser.rs:92-116`

The DNS parser is reused by mDNS via `rust/src/mdns/mdns.rs:39`.

```rust
let offset = usize::from(leader) & 0x3fff;
if offset > message.len() { // only validates upper bound
return Err(...);
}
// Does NOT validate offset < current_position
pos = &message[offset..];
```

  1. Impact

Real resolvers such as BIND and Unbound reject forward pointers. An attacker can construct DNS messages where Suricata resolves a different name than the actual resolver, evading `dns.query` content or PCRE rules.

  1. Suggested Fix

Add validation to enforce backwards-only pointers per RFC 1035:

```rust
if offset >= current_position { return Err(...); }
```

  1. Environment

Suricata main branch @ commit 367ca7f (post v8.0.1, May 15, 2026).

  1. Credit

Reported by Chris Ramos.

Files

Download all files
dns.pcap (226 Bytes) dns.pcap Jason Ish, 05/19/2026 08:42 PM
dns_forward_pointer_query.py (8.21 KB) dns_forward_pointer_query.py Jason Ish, 05/19/2026 08:42 PM

JI Updated by Jason Ish 17 days ago Actions
Copy link
 #1

  • Description updated (diff)
  • Severity deleted (MODERATE)
  • Disclosure Date set to 05/19/2026
  • Affected Versions deleted (git main)

PA Updated by Philippe Antoine 17 days ago Actions
Copy link
 #2

Real resolvers such as BIND and Unbound reject forward pointers
Suricata resolves a different name than the actual resolver

Well, if the real resolver rejects it, it would only lead to FP...
This is an example of strict vs relaxed parsing, where I would lend more towards the actual relaxed parsing

JI Updated by Jason Ish 17 days ago Actions
Copy link Download all files
 #3

8.8.8.8 and dnsmasq appear to accept these forward pointers. See attached pcap.

JF Updated by Juliana Fajardini Reichow 11 days ago Actions
Copy link
 #4

  • Status changed from New to Triaged

JF Updated by Juliana Fajardini Reichow 5 days ago Actions
Copy link
 #5

  • Status changed from Triaged to Rejected
  • Assignee deleted (OISF Dev)
  • Target version deleted (TBD)

Rejecting as we understand that relaxed parsing is the way to go.
Jason will add an SV test showcasing this for DNS, to indicate that that's an allowed behavior.

JF Updated by Juliana Fajardini Reichow 5 days ago Actions
Copy link
 #6

  • Private changed from Yes to No
Actions
Copy link

Also available in: PDF Atom