- Version: 6.5.0
- Platform:
- Subsystem:
dns.setServers is memory unsafe and can be used to dump core.
This doesn't seem like a serious security vulnerability (hence my reporting here), but can certainly be used to cause DoS and it might be nice to have a stdlib that is memory safe.
```js
const dns = require('dns');
const servers = [];
servers[0] = '127.0.0.1';
servers[2] = '0.0.0.0';
dns.setServers(servers);
// causes the CHECK src/cares_wrap.cc:1241 to dump core
```
Another variant:
```js
const dns = require('dns');
const servers = ['127.0.0.1','192.168.1.1'];
servers[3] = '127.1.0.1';
servers[4] = '127.1.0.1';
servers[5] = '127.1.1.1';
Object.defineProperty(servers, 2, {
  enumerable: true,
  get: () => {
    servers.length = 3;
    return '0.0.0.0';
  }
});
dns.setServers(servers);
// causes the CHECK src/cares_wrap.cc:1241 to dump core
```
Related to: #8539, #8537, #7902
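
A caller-side guard against both snippets above, as an added example that is not part of the original report and not Node.js's own fix: it copies the list into a fresh dense array and rejects holes, non-IP values and arrays that change length while being read. The names `snapshotServers` and `setServersSafely` are hypothetical, and accepting only bare IP strings is an assumption of this sketch.

```javascript
const dns = require('dns');
const net = require('net');

// Hypothetical helper (not a Node.js API): copy `servers` into a fresh dense
// array of validated IP strings so native code never reads the caller's array.
function snapshotServers(servers) {
  if (!Array.isArray(servers)) {
    throw new TypeError('servers must be an array');
  }
  const length = servers.length; // read once; getters may change it later
  const copy = [];
  for (let i = 0; i < length; i++) {
    // A hole (first snippet) or an index removed by an earlier getter
    // (second snippet) is not an own property at this point.
    if (!Object.prototype.hasOwnProperty.call(servers, i)) {
      throw new TypeError(`servers[${i}] is missing`);
    }
    const value = servers[i]; // may run a getter; only its result is kept
    if (typeof value !== 'string' || net.isIP(value) === 0) {
      throw new TypeError(`servers[${i}] is not an IP address string`);
    }
    copy.push(value);
  }
  if (servers.length !== length) {
    throw new TypeError('servers changed length while being read');
  }
  return copy;
}

// Hypothetical wrapper: only the private copy reaches dns.setServers().
function setServersSafely(servers) {
  const copy = snapshotServers(servers);
  dns.setServers(copy);
  return copy;
}

// Constructed sample input: the sparse array from the first snippet.
{
  const sparse = [];
  sparse[0] = '127.0.0.1';
  sparse[2] = '0.0.0.0';
  try {
    setServersSafely(sparse);
  } catch (err) {
    console.log(`rejected: ${err.message}`);
  }
}
```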