git » spf » commit 00961f6

mx: Limit MX lookups to 10 records

author Alberto Bertogli
2019-10-14 01:27:54 UTC
committer Alberto Bertogli
2019-10-14 12:35:13 UTC
parent 0af9dacd59b85e23f977392d83261be227d5ff46

mx: Limit MX lookups to 10 records

There's an explicit maximum of 10 MX records per match, we should
honour it to prevent denial of service.
https://tools.ietf.org/html/rfc7208#section-4.6.4

Found by the standard test suite.

spf.go +8 -0

diff --git a/spf.go b/spf.go
index c362b9c..1824128 100644
--- a/spf.go
+++ b/spf.go
@@ -94,6 +94,7 @@ var (
 	errInvalidDomain      = fmt.Errorf("invalid domain")
 	errNoResult           = fmt.Errorf("lookup yielded no result")
 	errMultipleRecords    = fmt.Errorf("multiple matching DNS records")
+	errTooManyMXRecords   = fmt.Errorf("too many MX records")
 
 	errMatchedAll    = fmt.Errorf("matched 'all'")
 	errMatchedA      = fmt.Errorf("matched 'a'")
@@ -553,6 +554,13 @@ func (r *resolution) mxField(res Result, field, domain string) (bool, Result, er
 		}
 		return false, "", err
 	}
+
+	// There's an explicit maximum of 10 MX records per match.
+	// https://tools.ietf.org/html/rfc7208#section-4.6.4
+	if len(mxs) > 10 {
+		return true, PermError, errTooManyMXRecords
+	}
+
 	mxips := []net.IP{}
 	for _, mx := range mxs {
 		r.count++
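Review bot: The bound in `if len(mxs) > 10 {` is a bare literal, repeated only in the comment above it, so nothing ties it to the other RFC 7208 section 4.6.4 lookup limits that this file appears to track through `r.count`. A named constant, for example `const maxMXRecords = 10` used as `if len(mxs) > maxMXRecords {`, would keep the denial-of-service bound greppable and harder to change in one place while missing another. The placement is right: the check runs before the per-MX loop, so an oversized answer triggers no address lookups. Whether `r.count` is itself checked against the overall limit inside that loop cannot be seen here, because mxField starts and ends outside the hunk. A unit test that feeds eleven MX records and asserts `PermError` with no follow-up A/AAAA queries would pin the behaviour independently of the external test suite.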