ref: e6d31c1715cc50bd3d9a0301a41647295f739071
parent: 1f95e98dddc420321a8942d9f3195d966c7cc6c0
author: Ori Bernstein <[email protected]>
date: Wed Jun 29 21:24:27 EDT 2022
spf: limit recursion depth to prevent ddos (thanks tijay, iashiq5) An attacker may use an infinite number of SPF referrals in his/her SPF setting and can send an email to your mail server which would make your SMTP server make a lot of DNS queries. By exploiting this vulnerability, an attacker can block your SMTP queue, flood the associated recursive resolver, or any DNS authoritative server. According to RFC recommendations (https://datatracker.ietf.org/doc/html/rfc7208#section-4.6), a few DNS lookup limits exist that an SMTP server needs to maintain while resolving an SPF record. That is, SPF implementations MUST limit the total number of query-causing terms to 10 and the number of void lookups to 2 to avoid unreasonable load on the DNS. from: Taejoong “Tijay” Chung ([email protected]) Ishtiaq Ashiq ([email protected])
--- a/sys/src/cmd/upas/spf/spf.c
+++ b/sys/src/cmd/upas/spf/spf.c
@@ -387,7 +387,7 @@
}
int
-spfquery(Squery *x, char *d, int include)
+spfquery(Squery *x, char *d, int include, int depth)
{
char *s, **t, *r, *p, *q, buf[10];
int i, n, c;
@@ -398,6 +398,10 @@
fprint(2, "spf: include loop: %s (%s)\n", d, inc->s);
return -1;
}
+ if(depth >= 10){
+ fprint(2, "spf: too much recursion %s\n", d);
+ return -1;
+ }
s = spffetch(x, d);
if(!s)
return -1;
@@ -457,7 +461,7 @@
if(rflag)
fprint(2, "I> %s\n", q);
addbegin(mod, r, q);
- if(spfquery(x, q, 1) == -1){
+ if(spfquery(x, q, 1, depth+1) == -1){
ditch();
addfail();
}else
@@ -704,7 +708,7 @@
goto loop;
spfinit(&q, d, argc, argv); /* or s? */
addbegin('+', ".", s);
- if(spfquery(&q, s, 0) != -1)
+ if(spfquery(&q, s, 0, 0) != -1)
break;
}
if(eflag && nspf)