
httpresolver: Limit message sizes to 64k

author Alberto Bertogli
2018-07-17 09:08:25 UTC
committer Alberto Bertogli
2018-07-17 09:08:25 UTC
parent bf20861288f42f69e88eaa4eacadd7a41cb9e0a8

httpresolver: Limit message sizes to 64k

In order to reduce the risk of denial of service and similar issues, we
want to limit the answer message sizes. Today, the limit for DoH is 4k,
and there is no limit for the JSON protocol.

There have been discussions on the DoH mailing list about increasing the
maximum message size to 64k, so this patch applies that limit to both
protocols, to err on the side of caution.

internal/httpresolver/resolver.go +2 -2

diff --git a/internal/httpresolver/resolver.go b/internal/httpresolver/resolver.go
index fd805c3..17c5fb2 100644
--- a/internal/httpresolver/resolver.go
+++ b/internal/httpresolver/resolver.go
@@ -145,7 +145,7 @@ func (r *httpsResolver) queryDoH(req *dns.Msg, tr trace.Trace) (*dns.Msg, error)
 		return nil, fmt.Errorf("unknown response content type %q", ct)
 	}
 
-	respRaw, err := ioutil.ReadAll(io.LimitReader(hr.Body, 4092))
+	respRaw, err := ioutil.ReadAll(io.LimitReader(hr.Body, 64*1024))
 	if err != nil {
 		return nil, fmt.Errorf("error reading from body: %v", err)
 	}
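Review bot: The new `io.LimitReader(hr.Body, 64*1024)` on the `+` line caps what is read but gives no signal when the cap is hit, so an oversized upstream answer is silently truncated at 64 KiB and handed to the parser, where it surfaces as an opaque unpack error rather than as "response too large"; the same applies to the second hunk in queryJSON. Reading one byte past the limit makes the condition detectable: `respRaw, err := ioutil.ReadAll(io.LimitReader(hr.Body, maxResponseSize+1))` followed by `if len(respRaw) > maxResponseSize { return nil, fmt.Errorf("response larger than %d bytes", maxResponseSize) }`. The literal `64*1024` now appears in both hunks; a single package-level `const maxResponseSize = 64 * 1024 // per DoH list discussion` would keep the two protocols' limits from drifting apart and document where the number comes from. queryDoH begins and ends outside this hunk, so whether hr.Body is closed on the error paths cannot be confirmed from here.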
@@ -197,7 +197,7 @@ func (r *httpsResolver) queryJSON(req *dns.Msg, tr trace.Trace) (*dns.Msg, error
 	}
 
 	// Read the HTTPS response, and parse the JSON.
-	body, err := ioutil.ReadAll(hr.Body)
+	body, err := ioutil.ReadAll(io.LimitReader(hr.Body, 64*1024))
 	if err != nil {
 		return nil, fmt.Errorf("Failed to read body: %v", err)
 	}