Zephyr DNS Buffer Overflow Vulnerability in Versions Through 4.3

Vulnerability

A memory-safety vulnerability has been identified in the Zephyr Project's DNS resolver component in versions through 4.3. The issue is in the dns_unpack_name() function, which mismanages the buffer tailroom while appending DNS labels to the output buffer. Because the tailroom value is not kept current as labels are appended, the function can write past the end of the allocated buffer, placing attacker-controlled data beyond it. The vulnerability is present when assertions are disabled, which is the default configuration, and can be triggered by a crafted DNS response that exercises the flawed buffer handling.

Impact

Exploitation of this vulnerability causes out-of-bounds writes of attacker-controlled data, posing a significant risk to the integrity and availability of the application. Depending on the memory layout, this vulnerability could potentially lead to remote code execution.

Reproduction

To reproduce this vulnerability, build a Zephyr application with the DNS resolver enabled and assertions left at their default (disabled) setting. Then send a crafted DNS response containing repeated 63-byte labels, so that the total length of the labels exceeds the default 255-byte buffer limit but stays within the maximum allowed message length of 512 bytes. As the response is parsed, the stale tailroom value allows the buffer length to be advanced beyond the actual buffer capacity, causing an overflow of approximately 100 to 200 bytes.
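The failure mode above is a length counter advancing past the buffer because the remaining capacity was computed once and then reused. The example below is an added illustration and is not Zephyr's code: a hypothetical hardened name decoder, dns_unpack_name_checked(), that recomputes the tailroom from the buffer capacity on every label and also enforces the 255-byte wire-length limit on the whole name. The input builder and the three demo functions are constructed test cases; the oversized case mirrors the advisory's description (repeated 63-byte labels, under 512 bytes total) as a parser robustness test that a hardened decoder must reject.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define DNS_MAX_NAME_LEN  255   /* RFC 1035: maximum wire length of a whole name */
#define DNS_MAX_LABEL_LEN 63
#define DNS_MAX_MSG_LEN   512   /* classic UDP DNS payload limit */

/*
 * Hypothetical hardened decoder (not Zephyr's implementation).
 * Decodes an uncompressed DNS name at msg[offset] into `out` as a dotted
 * string. Returns the number of wire bytes consumed, or -1 if the name is
 * malformed, exceeds DNS_MAX_NAME_LEN, or would not fit in `out`.
 * The remaining capacity is recomputed as out_cap - len on every label, so
 * a stale tailroom value can never let `len` advance past `out_cap`.
 */
int dns_unpack_name_checked(const uint8_t *msg, size_t msg_len, size_t offset,
                            char *out, size_t out_cap, size_t *out_len)
{
    size_t pos = offset;
    size_t len = 0;          /* bytes written to out so far, excluding NUL */
    int first = 1;

    if (out_cap == 0) return -1;

    for (;;) {
        if (pos >= msg_len) return -1;                 /* ran off the message */
        uint8_t lab = msg[pos++];
        if (lab == 0) break;                           /* root label ends the name */
        if ((lab & 0xC0) != 0) return -1;              /* compression pointers: out of scope here */
        if (lab > DNS_MAX_LABEL_LEN) return -1;
        if (lab > msg_len - pos) return -1;            /* label runs past the message */

        size_t need = (first ? 0 : 1) + (size_t)lab;   /* '.' separator plus label bytes */
        size_t tailroom = out_cap - len;               /* fresh value each iteration */
        if (need + 1 > tailroom) return -1;            /* +1 keeps room for the NUL */
        if (pos + lab - offset + 1 > DNS_MAX_NAME_LEN) return -1;  /* wire-length cap incl. terminator */

        if (!first) out[len++] = '.';
        memcpy(out + len, msg + pos, lab);
        len += lab;
        pos += lab;
        first = 0;
    }
    out[len] = '\0';
    if (out_len) *out_len = len;
    return (int)(pos - offset);
}

/* Constructed test input: `count` labels of `label_len` 'a' bytes, then the root label. */
static size_t build_name(uint8_t *buf, size_t cap, int count, uint8_t label_len)
{
    size_t pos = 0;
    for (int i = 0; i < count; i++) {
        if (pos + 1 + (size_t)label_len + 1 > cap) return 0;
        buf[pos++] = label_len;
        memset(buf + pos, 'a', label_len);
        pos += label_len;
    }
    buf[pos++] = 0;
    return pos;
}

/* Well-formed "example.com": 13 wire bytes consumed, 11-character dotted string. */
int demo_valid_name(void)
{
    static const uint8_t m[] = { 7,'e','x','a','m','p','l','e', 3,'c','o','m', 0 };
    char out[64];
    size_t n = 0;
    int used = dns_unpack_name_checked(m, sizeof m, 0, out, sizeof out, &n);
    if (used < 0) return used;
    return (n == 11 && strcmp(out, "example.com") == 0) ? used : -2;
}

/* Six 63-byte labels: 385 wire bytes, above the 255-byte name limit but
 * below the 512-byte message size. The decoder must reject it. */
int demo_oversized_name_rejected(void)
{
    uint8_t msg[DNS_MAX_MSG_LEN];
    char out[DNS_MAX_NAME_LEN + 1];
    size_t n = build_name(msg, sizeof msg, 6, DNS_MAX_LABEL_LEN);
    if (n == 0) return -3;
    return dns_unpack_name_checked(msg, n, 0, out, sizeof out, NULL);
}

/* Two 10-byte labels into a 16-byte buffer: each fits alone, together they do not.
 * A decoder reusing the first iteration's tailroom would overflow here. */
int demo_stale_tailroom_case_rejected(void)
{
    uint8_t msg[DNS_MAX_MSG_LEN];
    char out[16];
    size_t n = build_name(msg, sizeof msg, 2, 10);
    if (n == 0) return -3;
    return dns_unpack_name_checked(msg, n, 0, out, sizeof out, NULL);
}

int main(void)
{
    printf("valid name: %d\n", demo_valid_name());                       /* 13 */
    printf("oversized name: %d\n", demo_oversized_name_rejected());      /* -1 */
    printf("stale tailroom case: %d\n", demo_stale_tailroom_case_rejected()); /* -1 */
    return 0;
}
```

The third case is the one that matters for this class of bug: a bounds check that is correct for the first label but based on a capacity figure that is never refreshed. Unit tests of this shape (inputs that fit label by label but not cumulatively) are a cheap regression guard for any embedded DNS or mDNS parser.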

Remediation

Update to Zephyr 4.4 or later, where this vulnerability has been fixed.

Added: Mar 5, 2026, 7:56 AM
Updated: Mar 5, 2026, 7:56 AM

Vulnerability Rating

Custom Algorithm

spread: 6.6
impact: 3.8
exploitability: 6.0
remediation: 0.0
relevance: 3.5
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.