[GH-ISSUE #2210] malformed query can cause assertion failure at encoder.rs:234 #922

Closed
opened 2026-03-16 00:57:55 +03:00 by kerem · 2 comments

Originally created by @rtmrtmrtmrtm on GitHub (May 13, 2024).
Original GitHub issue: https://github.com/hickory-dns/hickory-dns/issues/2210

If a client sends this DNS request to the hickory 0.24.0 DNS server:

08 00 00 00 00 01 00 00 00 00 00 00 c0 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00

i.e.:
08 00 ID
00 00 flags
00 01 QDCOUNT
00 00 ANCOUNT
00 00 NSCOUNT
00 00 ARCOUNT
c0 00 QNAME
00 00 QTYPE
00 00 QCLASS

hickory-dns fails the 2nd assert here while building the reply message
(really while remembering names for pointers):

pub fn slice_of(&self, start: usize, end: usize) -> &[u8] {
    assert!(start < self.offset);
    assert!(end <= self.buffer.len());
    &self.buffer.buffer()[start..end]
}

The name is eight bytes long, but the current message size (after the
current offset of 12) is only six, because QueriesEmitAndCount::emit()
stored just the six bytes of the original encoded query:

    encoder.emit_vec(self.cached_serialized)?;

So the assert fails.

I've attached a demo program that assumes something like this is
already running:

hickory-dns/target/debug/hickory-dns -d -c hickory-dns/tests/test-data/test_configs/example.toml -z hickory-dns/tests/test-data/test_configs/ -p 24141

hickory1a.txt (https://github.com/hickory-dns/hickory-dns/files/15300523/hickory1a.txt)
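
The QNAME in the request above is `c0 00`, a compression pointer whose target (offset 0) lies inside the 12-byte header. As an added example (not part of the original issue, not hickory-dns code and not its fix), a stand-alone Rust name walker that rejects such pointers before any name is accepted; `read_name`, `NameError` and `ISSUE_QUERY` are hypothetical names, and refusing pointers into the header is this example's own policy.

```rust
// Added example: hypothetical validator, not hickory-dns code.
const HEADER_LEN: usize = 12;

/// Header and question of the request quoted in the issue (first 18 bytes).
pub const ISSUE_QUERY: [u8; 18] = [
    0x08, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, // header
    0xc0, 0x00, 0x00, 0x00, 0x00, 0x00, // QNAME = pointer to offset 0, QTYPE, QCLASS
];

#[derive(Debug, PartialEq)]
pub enum NameError {
    Truncated,
    PointerIntoHeader(usize),
    PointerNotBackward(usize),
    BadLabelType(u8),
    TooLong,
}

/// Walk the name at `start`, following a compression pointer only when it
/// targets the message body (>= 12) and lies before the pointer itself.
pub fn read_name(msg: &[u8], start: usize) -> Result<Vec<Vec<u8>>, NameError> {
    let (mut labels, mut pos, mut total) = (Vec::new(), start, 0usize);
    loop {
        let len = *msg.get(pos).ok_or(NameError::Truncated)?;
        match len & 0xC0 {
            0x00 if len == 0 => return Ok(labels),
            0x00 => {
                let end = pos + 1 + len as usize;
                let label = msg.get(pos + 1..end).ok_or(NameError::Truncated)?;
                total += 1 + label.len(); // expanded wire length so far
                if total > 254 { return Err(NameError::TooLong); } // also bounds pointer loops
                labels.push(label.to_vec());
                pos = end;
            }
            0xC0 => {
                let low = *msg.get(pos + 1).ok_or(NameError::Truncated)?;
                let target = ((len as usize & 0x3F) << 8) | low as usize;
                if target < HEADER_LEN { return Err(NameError::PointerIntoHeader(target)); }
                if target >= pos { return Err(NameError::PointerNotBackward(target)); }
                pos = target;
            }
            _ => return Err(NameError::BadLabelType(len)), // 0x40 / 0x80 label types
        }
    }
}

fn main() {
    println!("{:?}", read_name(&ISSUE_QUERY, 12));
}
```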


@djc commented on GitHub (May 14, 2024):

Thanks for the report! Could you send your test case as a PR adding a unit test in crates/proto/src/rr/serialize/encoder.rs? Bonus points if you can also come up with a fix, but I can probably find some time to fix it myself. 👍

@bluejekyll commented on GitHub (Aug 11, 2024):

I'm working on a patch for this. Thanks for the test case, that helped me construct a unit test that can recreate the same issue. It's definitely related to using the original Query bytes during the encoding of the response.
