Security Vulnerability Report: DNS Codec Input Validation Bypass in Netty (Encoder + Decoder)

1. Vulnerability Summary

| Field | Value | |-------|-------| | Product | Netty | | Version | 4.2.12.Final (and all prior versions with codec-dns) | | Component | io.netty.handler.codec.dns.DnsCodecUtil | | Vulnerability Type | CWE-20: Improper Input Validation / CWE-626: Null Byte Interaction Error / CWE-400: Uncontrolled Resource Consumption | | Impact | DNS Cache Poisoning / Domain Validation Bypass / Denial of Service / Malformed DNS Packets |

2. Affected Components

Both the encoder and decoder in the same file are affected:

• io.netty.handler.codec.dns.DnsCodecUtil — encodeDomainName() method (lines 31-51):

  • No null byte validation in domain name labels
  • No per-label length validation (RFC 1035 max: 63 bytes)
  • No total domain name length validation (RFC 1035 max: 255 bytes)
  • Empty labels silently truncate the domain name

• io.netty.handler.codec.dns.DnsCodecUtil — decodeDomainName() method (lines 53-118):

  • No per-label length validation (max 63)
  • No total domain name length validation (max 255)
  • Unbounded StringBuilder growth from attacker-controlled DNS responses

3. Vulnerability Description

Netty's DNS codec does not enforce RFC 1035 domain name constraints during either encoding or decoding. This creates a bidirectional attack surface: malicious DNS responses can exploit the decoder, and user-influenced hostnames can exploit the encoder.

3.1 Encoder Side — Null Byte Injection (CWE-626)

A domain name containing a null byte (e.g., "evil\0.example.com") is encoded with the null byte embedded in the label data. This creates a domain name that different DNS implementations interpret differently:

• Java (full string): sees "evil\0.example.com" as a single label containing a null
• C/native DNS libraries: truncate at the null byte, seeing only "evil"
• DNS servers: may accept...