
Fix vizier-pem DNS parser crash due to stack overflow and eventual segfault#2349

Open
ddelnano wants to merge 1 commit intopixie-io:mainfrom
ddelnano:ddelnano/fix-vizier-dns-parser-crash

Conversation

@ddelnano
Member

@ddelnano ddelnano commented Apr 7, 2026

Summary: Fix vizier-pem DNS parser crash due to stack overflow and eventual segfault

The DNS parser library that stirling uses didn't properly handle the RFC 1035 message compression pointers (section 4.1.4). These message compression pointers consist of the lower 14 bits of a 16-bit field. The DNS parser only read 8 bits of this field, meaning any DNS message that had a message compression pointer with offset > 256 (8 bits) would point to bogus memory.

For the end user I worked with, this manifested as a stack overflow and eventual segfault. See the stack trace below that shows ~20k frames after the first dnsReadName call:

```
#21782 0x000055ae2b4de095 in dnsReadName (retstr=..., nameOffset=43, payload=0x55ae9c43a160 "\"\304\205\200", payloadLen=334) at external/com_github_packetzero_dnsparser/src/dnsparse.cpp:103
#21783 0x000055ae2b4de636 in DnsParserImpl::dnsReadAnswers (this=0x55ae6dfeb7c0, payload=0x55ae9c43a160 "\"\304\205\200", payloadLen=334, ptr=0x55ae9c43a17f "\005apxy1\002hk\004hsbc", remaining=303,
    numAnswers=1) at external/com_github_packetzero_dnsparser/src/dnsparse.cpp:278
#21784 0x000055ae2b4deb33 in DnsParserImpl::parse (this=0x55ae6dfeb7c0, payload=0x55ae9c43a160 "\"\304\205\200", payloadLen=334) at external/com_github_packetzero_dnsparser/src/dnsparse.cpp:351
#21785 0x000055ae2b4d6d0c in px::stirling::protocols::dns::ParseFrame (type=kResponse, buf=0x7fbc327ef8b8, result=0x7fbc327ef818)
    at src/stirling/source_connectors/socket_tracer/protocols/dns/parse.cc:59
#21786 0x000055ae2b4d7927 in px::stirling::protocols::ParseFrame<px::stirling::protocols::dns::Frame, px::stirling::protocols::NoState> (type=kResponse, buf=0x7fbc327ef8b8, result=0x7fbc327ef818)
    at src/stirling/source_connectors/socket_tracer/protocols/dns/parse.cc:91
#21787 0x000055ae2b2f1bbd in px::stirling::protocols::ParseFramesLoop<unsigned short, px::stirling::protocols::dns::Frame, px::stirling::protocols::NoState> (type=kResponse, buf=...,
    frames=0x55ae6ea2ba48, state=0x0) at ./src/stirling/source_connectors/socket_tracer/protocols/common/event_parser.h:193
#21788 0x000055ae2b2b8e48 in px::stirling::protocols::ParseFrames<unsigned short, px::stirling::protocols::dns::Frame, px::stirling::protocols::NoState> (type=kResponse,
    data_stream_buffer=0x55ae6ea2ba40, frames=0x55ae6ea2ba48, resync=false, state=0x0) at ./src/stirling/source_connectors/socket_tracer/protocols/common/event_parser.h:132
#21789 0x000055ae2b2b8020 in px::stirling::DataStream::ProcessBytesToFrames<unsigned short, px::stirling::protocols::dns::Frame, px::stirling::protocols::NoState> (this=0x55ae6ea2ba40, type=kResponse,
    state=0x0) at src/stirling/source_connectors/socket_tracer/data_stream.cc:117
#21790 0x000055ae2b3e7edb in px::stirling::ConnTracker::DataStreamsToFrames<unsigned short, px::stirling::protocols::dns::Frame, px::stirling::protocols::NoState> (this=0x55ae6ea2b8c0)
```

Relevant Issues: N/A

Type of change: /kind bugfix

Test Plan: End user verified it worked and unit test passes with new dnsparser changes (pixie-io/dnsparser#1)

Changelog Message: Fixed an issue where certain large DNS query responses could cause a vizier-pem segfault
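To make the bug class in the PR description concrete, here is an added example (not the dnsparser library's code and not part of this PR) of an RFC 1035 name decoder that extracts the full 14-bit compression-pointer offset and refuses pointers that do not move strictly backwards, so a malformed chain fails fast instead of recursing until the stack is exhausted. The function names, the constructed sample message (with a pointer whose offset, 300, does not fit in 8 bits) and the limits are all assumptions made for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example, not the dnsparser library's code: an RFC 1035 name decoder
 * that reads the full 14-bit compression-pointer offset and rejects pointers
 * that cannot terminate. Names, limits and sample bytes are constructed. */

#define DNS_MAX_NAME 255      /* RFC 1035 section 2.3.4 limit on encoded name length */

/* Two-octet pointer: top two bits 11, remaining 14 bits = offset from message start. */
uint16_t dns_pointer_offset(uint8_t hi, uint8_t lo) {
    return (uint16_t)(((hi & 0x3F) << 8) | lo);
}

/* Decode the name at msg[off] into `out` (dotted form). Returns the number of bytes
 * the name occupies at `off` (so a caller can advance past it), or -1 if malformed. */
int dns_read_name(const uint8_t *msg, size_t msglen, size_t off, char *out, size_t outlen) {
    size_t pos = off, outpos = 0, namelen = 0;
    int consumed = -1;               /* fixed at the first pointer or at the root label */

    if (outlen == 0) return -1;
    for (;;) {
        if (pos >= msglen) return -1;                   /* ran off the end of the message */
        uint8_t len = msg[pos];
        if ((len & 0xC0) == 0xC0) {                     /* compression pointer */
            if (pos + 1 >= msglen) return -1;
            uint16_t target = dns_pointer_offset(len, msg[pos + 1]);
            if (consumed < 0) consumed = (int)(pos + 2 - off);
            /* A pointer must reference a prior occurrence (RFC 1035 4.1.4). Requiring
             * target < pos makes every hop move strictly backwards, so chains cannot loop
             * and no separate hop counter or recursion depth limit is needed. */
            if (target >= pos) return -1;
            pos = target;
            continue;
        }
        if (len & 0xC0) return -1;                      /* 01 / 10 prefixes are reserved */
        if (len == 0) {                                 /* root label terminates the name */
            if (consumed < 0) consumed = (int)(pos + 1 - off);
            break;
        }
        if (pos + 1 + len > msglen) return -1;          /* label runs past the message */
        namelen += len + 1;
        if (namelen + 1 > DNS_MAX_NAME) return -1;      /* +1 for the terminating root label */
        if (outpos + len + 2 > outlen) return -1;       /* room for '.', label and NUL */
        if (outpos > 0) out[outpos++] = '.';
        memcpy(out + outpos, msg + pos + 1, len);
        outpos += len;
        pos += 1 + len;
    }
    out[outpos] = '\0';
    return consumed;
}

/* Constructed sample message: "example.com" at offset 300 and "www" + a pointer to it
 * at offset 320, so the pointer offset needs more than 8 bits (300 = 0x012C -> C1 2C). */
#define SAMPLE_LEN       340
#define SAMPLE_BASE_OFF  300
#define SAMPLE_REF_OFF   320

size_t build_sample(uint8_t *buf, size_t buflen) {
    static const uint8_t base[] = { 7,'e','x','a','m','p','l','e', 3,'c','o','m', 0 };
    static const uint8_t ref[]  = { 3,'w','w','w',
                                    0xC0 | (SAMPLE_BASE_OFF >> 8), SAMPLE_BASE_OFF & 0xFF };
    if (buflen < SAMPLE_LEN) return 0;
    memset(buf, 0xAA, SAMPLE_LEN);   /* filler: what an 8-bit misread (offset 44) would land on */
    memcpy(buf + SAMPLE_BASE_OFF, base, sizeof base);
    memcpy(buf + SAMPLE_REF_OFF, ref, sizeof ref);
    return SAMPLE_LEN;
}

int main(void) {
    uint8_t msg[SAMPLE_LEN];
    char name[DNS_MAX_NAME + 1];
    size_t len = build_sample(msg, sizeof msg);

    printf("pointer C1 2C -> offset %u (low byte alone would be %u)\n",
           dns_pointer_offset(0xC1, 0x2C), 0x2C);
    if (dns_read_name(msg, len, SAMPLE_REF_OFF, name, sizeof name) >= 0)
        printf("name at %d: %s\n", SAMPLE_REF_OFF, name);

    /* A pointer to itself is rejected instead of recursing until the stack is exhausted. */
    static const uint8_t self_ref[] = { 0xC0, 0x00 };
    printf("self-referencing pointer -> %d\n",
           dns_read_name(self_ref, sizeof self_ref, 0, name, sizeof name));
    return 0;
}
```

The backward-only rule is the important design choice: because every pointer hop lands at a smaller offset, the decoder is guaranteed to terminate on any input, which is exactly the property the stack trace above shows the old parser lacked. It also covers the truncated-message case, where a label or pointer would run past `payloadLen`.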

@ddelnano ddelnano requested review from a team as code owners April 7, 2026 06:12
The previous version of the parser didn't properly
use the entire 14 bit compression field. This meant
large DNS packets w/ compression ptrs had the chance
of pointing to bogus memory.

Signed-off-by: Dom Del Nano <ddelnano@gmail.com>
(cherry picked from commit c153155)
@ddelnano ddelnano force-pushed the ddelnano/fix-vizier-dns-parser-crash branch from c153155 to abd0098 Compare April 7, 2026 06:13
Comment on lines -188 to +190
sha256 = "bdf6c7f56f33725c1c32e672a4779576fb639dd2df565115778eb6be48296431",
strip_prefix = "dnsparser-77398ffc200765db1cea9000d9f550ea99a29f7b",
urls = ["https://github.com/pixie-io/dnsparser/archive/77398ffc200765db1cea9000d9f550ea99a29f7b.tar.gz"],
sha256 = "de1c4270ddaf03c2d25ec02afd4b9b25e0748f84155449a2b68127813abad3a4",
strip_prefix = "dnsparser-362f3988b06b0831683155e110fdac946795c469",
urls = ["https://github.com/ddelnano/dnsparser/archive/362f3988b06b0831683155e110fdac946795c469.tar.gz"],
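Review bot: the replacement `urls` entry now fetches the dependency from a personal fork (`github.com/ddelnano/dnsparser`) instead of the `pixie-io` org, which is a supply-chain change worth tracking rather than leaving in main. As the author's comment says, this should be switched back to `pixie-io/dnsparser` once pixie-io/dnsparser#1 is merged; at that point the `strip_prefix` and `sha256` need to be regenerated together against the re-downloaded archive, since the merged upstream commit may differ from `362f3988b06b0831683155e110fdac946795c469`.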
Member Author


This will be updated to pixie-io/dnsparser once pixie-io/dnsparser#1 is merged.
