shithub: plan9front

Download patch

ref: e6d31c1715cc50bd3d9a0301a41647295f739071
parent: 1f95e98dddc420321a8942d9f3195d966c7cc6c0
author: Ori Bernstein <ori@eigenstate.org>
date: Wed Jun 29 21:24:27 EDT 2022

spf: limit recursion depth to prevent ddos (thanks tijay, iashiq5)

An attacker may use an infinite number of SPF referrals in his/her SPF
setting and can send an email to your mail server which would make
your SMTP server make a lot of DNS queries.  By exploiting this
vulnerability, an attacker can block your SMTP queue, flood the
associated recursive resolver, or any DNS authoritative server.

According to RFC recommendations
(https://datatracker.ietf.org/doc/html/rfc7208#section-4.6), a few DNS
lookup limits exist that an SMTP server needs to maintain while
resolving an SPF record.  That is, SPF implementations MUST limit the
total number of query-causing terms to 10 and the number of void
lookups to 2 to avoid unreasonable load on the DNS.

from:

Taejoong “Tijay” Chung (tijay@vt.edu)
Ishtiaq Ashiq (iashiq5@vt.edu)

--- a/sys/src/cmd/upas/spf/spf.c	Wed Jun 29 20:56:10 2022
+++ b/sys/src/cmd/upas/spf/spf.c	Wed Jun 29 21:24:27 2022
@@ -387,7 +387,7 @@
 }
 
 int
-spfquery(Squery *x, char *d, int include)
+spfquery(Squery *x, char *d, int include, int depth)
 {
 	char *s, **t, *r, *p, *q, buf[10];
 	int i, n, c;
@@ -398,6 +398,10 @@
 		fprint(2, "spf: include loop: %s (%s)\n", d, inc->s);
 		return -1;
 	}
+	if(depth >= 10){
+		fprint(2, "spf: too much recursion %s\n", d);
+		return -1;
+	}
 	s = spffetch(x, d);
 	if(!s)
 		return -1;
@@ -457,7 +461,7 @@
 				if(rflag)
 					fprint(2, "I> %s\n", q);
 				addbegin(mod, r, q);
-				if(spfquery(x, q, 1) == -1){
+				if(spfquery(x, q, 1, depth+1) == -1){
 					ditch();
 					addfail();
 				}else
@@ -704,7 +708,7 @@
 				goto loop;
 			spfinit(&q, d, argc, argv);	/* or s? */
 			addbegin('+', ".", s);
-			if(spfquery(&q, s, 0) != -1)
+			if(spfquery(&q, s, 0, 0) != -1)
 				break;
 		}
 		if(eflag && nspf)