author | Daniel Salzman <daniel.salzman@nic.cz> | 2024-12-30 11:51:52 +0100 |
---|---|---|
committer | Daniel Salzman <daniel.salzman@nic.cz> | 2025-01-03 19:44:20 +0100 |
commit | b80a8508e934b9e7748a75ca94854fd1f67c4556 (patch) | |
tree | 95ccb8f29d33a51bc55ece413b5f24d2567f894b | |
parent | xdp: add check for IP payload length and udp->len equality (diff) | |
xdp: drop DNS messages shorter than DNS header length
-rw-r--r-- | src/libknot/xdp/bpf-kernel.c | 7 |
1 files changed, 7 insertions, 0 deletions
diff --git a/src/libknot/xdp/bpf-kernel.c b/src/libknot/xdp/bpf-kernel.c
index 97a187f13..49541a694 100644
--- a/src/libknot/xdp/bpf-kernel.c
+++ b/src/libknot/xdp/bpf-kernel.c
@@ -35,6 +35,9 @@
 /* Define maximum reasonable number of NIC queues supported. */
 #define QUEUE_MAX 256
 
+/* DNS header size. */
+#define DNS_HDR_SIZE 12
+
 /* A map of configuration options. */
 struct {
 __uint(type, BPF_MAP_TYPE_ARRAY);
@@ -217,6 +220,10 @@ int xdp_redirect_dns_func(struct xdp_md *ctx)
 (port_dest == opts.udp_port ||
 ((opts.flags & (KNOT_XDP_FILTER_PASS | KNOT_XDP_FILTER_DROP)) &&
 port_dest >= opts.udp_port))) {
+/* Check for minimum DNS message content. */
+if (bpf_ntohs(udp->len) - sizeof(*udp) < DNS_HDR_SIZE) {
+return XDP_DROP;
+}
 match = 1;
 } else if ((opts.flags & KNOT_XDP_FILTER_QUIC) &&
 (port_dest == opts.quic_port || |
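Review bot: The added check `bpf_ntohs(udp->len) - sizeof(*udp) < DNS_HDR_SIZE` performs the subtraction in `size_t`, so a `udp->len` smaller than the 8-byte UDP header wraps to a very large value and the packet is not dropped, which is the opposite of the intent. Unless an earlier check outside this hunk already rejects `udp->len < sizeof(*udp)`, write the comparison without the subtraction so it cannot underflow: `if (bpf_ntohs(udp->len) < sizeof(*udp) + DNS_HDR_SIZE) {`. The parent commit ties `udp->len` to the IP payload length, but that equality does not by itself establish a lower bound on either value, so the guard should be self-contained. It would also help to extend the comment to say that the length is the declared UDP length, not the verified packet extent, e.g. `/* Drop datagrams whose declared UDP length cannot hold a DNS header (no data_end check needed here). */`, assuming the caller has already bounds-checked the UDP header against data_end. The enclosing function xdp_redirect_dns_func starts before and continues after this hunk.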