CVE-2021-43523
Description
In uClibc and uClibc-ng before 1.0.39, incorrect handling of special characters in domain names returned by DNS servers via gethostbyname, getaddrinfo, gethostbyaddr, and getnameinfo can lead to output of wrong hostnames (leading to domain hijacking) or injection into applications (leading to remote code execution, XSS, application crashes, etc.). In other words, a validation step, which is expected in any stub resolver, does not occur.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
- uClibc/uClibc-ng
Patches
Vulnerability mechanics
Root cause
"Missing validation of special characters in domain names returned by DNS servers in the uClibc-ng stub resolver."
Attack vector
An attacker who controls a DNS server (e.g., through man-in-the-middle, compromised upstream resolver, or malicious network) can return crafted DNS responses containing domain names with invalid characters such as control characters, non-printable bytes, or labels that violate hostname rules. Because the stub resolver did not validate these names, the malformed hostnames would be passed to the application, potentially leading to domain hijacking, injection attacks (XSS, RCE), or application crashes [ref_id=1]. The attack requires no authentication beyond the ability to influence DNS responses seen by the victim.
Affected code
The vulnerability resides in uClibc-ng's DNS stub resolver in `libc/inet/resolv.c`. The functions `__dns_lookup`, `gethostbyaddr_r`, and related resolver functions (`gethostbyname`, `getaddrinfo`, `gethostbyaddr`, `getnameinfo`) lacked validation of special characters in domain names returned by DNS servers. The patch introduces a new validation function `__hnbad` and adds checks at multiple points in the answer processing path.
What the fix does
The patch adds a new function `__hnbad` that validates a dotted DNS name against strict character and label rules: each character must be printable ASCII (0x21–0x7E), each label must be ≤63 octets and contain only `[0-9a-zA-Z_-]`, and the first label must not begin with `-`. This function is called after decoding each answer in `__dns_lookup` and after decoding CNAME/PTR records in `gethostbyaddr_r`. If any answer fails validation, the resolver breaks out of the answer loop and, if no valid answers remain, returns `NO_RECOVERY` instead of passing the malformed name to the application [ref_id=1].
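To make the validation rules above concrete, here is an added example (written for this page, not the uClibc-ng `__hnbad` code from the commit) that implements the three rules exactly as the description states them and then models the answer-loop behaviour: names are accepted in order, processing stops at the first bad one, and an error is returned if nothing valid was collected. The function names `hostname_is_bad` and `filter_answers`, the local constant `RESOLVER_NO_RECOVERY`, and the rejection of empty labels (a leading, doubled or trailing dot) are assumptions of this example; the page does not say how the patch treats empty labels.

```c
#include <stdio.h>
#include <string.h>

/* Illustrative validator modelled on the rules the fix description gives.
 * It is NOT uClibc-ng's __hnbad; the name and empty-label handling are
 * assumptions of this example. Returns 1 if the name is bad, 0 if acceptable. */
#define MAX_LABEL_LEN 63
/* Same numeric value as NO_RECOVERY in <netdb.h>, defined locally so the
 * example is self-contained. */
#define RESOLVER_NO_RECOVERY 3

/* Rule 2 (character set): a label may contain only [0-9a-zA-Z_-]. */
static int label_char_ok(unsigned char c)
{
    return (c >= '0' && c <= '9') || (c >= 'a' && c <= 'z') ||
           (c >= 'A' && c <= 'Z') || c == '_' || c == '-';
}

int hostname_is_bad(const char *name)
{
    size_t label_len = 0;
    int first_label = 1;

    if (name == NULL || *name == '\0')
        return 1;                       /* assumption: empty name is rejected */

    for (const unsigned char *p = (const unsigned char *)name; *p; p++) {
        /* Rule 1: every byte must be printable ASCII 0x21..0x7E. This is the
         * check that stops control characters and non-printable bytes. */
        if (*p < 0x21 || *p > 0x7E)
            return 1;

        if (*p == '.') {
            if (label_len == 0)
                return 1;               /* assumption: empty label is rejected */
            label_len = 0;
            first_label = 0;
            continue;
        }
        if (!label_char_ok(*p))         /* Rule 2: restricted character set */
            return 1;
        if (first_label && label_len == 0 && *p == '-')
            return 1;                   /* Rule 3: first label must not start with '-' */
        if (++label_len > MAX_LABEL_LEN) /* Rule 2: label at most 63 octets */
            return 1;
    }
    return label_len == 0;              /* trailing dot left an empty label */
}

/* Helper for exercising the label-length rule: builds "<len x 'a'>.example"
 * and reports whether the validator rejects it. */
int long_label_is_bad(size_t len)
{
    char buf[MAX_LABEL_LEN + 16];
    if (len >= sizeof(buf) - 9)
        return 1;
    memset(buf, 'a', len);
    strcpy(buf + len, ".example");
    return hostname_is_bad(buf);
}

/* Models the answer loop described above: copy validated names into
 * `accepted` in order, stop at the first bad one, and report
 * RESOLVER_NO_RECOVERY if nothing valid was collected. Returns 0 on success. */
int filter_answers(const char *const *answers, size_t n,
                   const char **accepted, size_t *n_accepted)
{
    size_t kept = 0;
    for (size_t i = 0; i < n; i++) {
        if (hostname_is_bad(answers[i]))
            break;
        accepted[kept++] = answers[i];
    }
    *n_accepted = kept;
    return kept == 0 ? RESOLVER_NO_RECOVERY : 0;
}

int main(void)
{
    /* Constructed sample answers, as a resolver might decode them:
     * one clean name, one with an embedded control byte, one with markup. */
    const char *const answers[] = { "host.example.com", "a\x01" "b.example",
                                    "x<y>.example" };
    const char *accepted[3];
    size_t n = 0;
    int rc = filter_answers(answers, 3, accepted, &n);
    printf("rc=%d accepted=%zu first=%s\n", rc, n, n ? accepted[0] : "(none)");
    return 0;
}
```

Running it prints `rc=0 accepted=1 first=host.example.com`: the clean name is kept, the loop stops at the name carrying the control byte, and the name with `<`/`>` never reaches the application. Passing the bad name first yields `rc=3` (NO_RECOVERY) with nothing accepted, which is the behaviour the description attributes to the patch.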
Preconditions
- network: Attacker must be able to supply or influence DNS responses seen by the victim (e.g., MITM, compromised resolver, malicious network).
- config: Victim application must use uClibc or uClibc-ng before 1.0.39 and call gethostbyname, getaddrinfo, gethostbyaddr, or getnameinfo.
Generated on Jun 11, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/wbx-github/uclibc-ng/commit/0f822af0445e5348ce7b7bd8ce1204244f31d174
- uclibc-ng.org
- www.openwall.com/lists/oss-security/2021/11/09/1
News mentions
No linked articles in our index yet.