ports/125433: BIND: buffer overflow in inet_network()
Dennis Yusupoff
denissia at mail.ru
Wed Jul 9 12:30:05 UTC 2008
>Number: 125433
>Category: ports
>Synopsis: BIND: buffer overflow in inet_network()
>Confidential: no
>Severity: critical
>Priority: high
>Responsible: freebsd-ports-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Wed Jul 09 12:30:04 UTC 2008
>Closed-Date:
>Last-Modified:
>Originator: Dennis Yusupoff
>Release: No matter
>Organization:
Ozerki.Net ISP
>Environment:
No matter
>Description:
Description:
An off-by-one error in the inet_network() function in libbind could lead to memory corruption with certain inputs.
Impact:
Applications linked against libbind which call inet_network() with untrusted inputs could lead to a denial-of-service or potentially code execution.
http://www.isc.org/index.pl?/sw/bind/index.php
>How-To-Repeat:
>Fix:
Solution:
Upgrade to 9.3.5, 9.4.3, 9.5.0b2 or later when released.
Otherwise, apply the patch below to:
BIND 9: lib/bind/inet/inet_network.c
BIND 8: lib/inet/inet_network.c
Index: inet_network.c
diff -u inet_network.c:1.5 inet_network.c:1.6
--- inet_network.c:1.5 Wed Apr 27 04:56:21 2005
+++ inet_network.c Tue Jan 15 04:02:01 2008
@@ -84,9 +84,9 @@
}
if (!digit)
return (INADDR_NONE);
+ if (pp >= parts + 4 || val > 0xffU)
+ return (INADDR_NONE);
if (*cp == '.') {
- if (pp >= parts + 4 || val > 0xffU)
- return (INADDR_NONE);
*pp++ = val, cp++;
goto again;
}
Questions should be addressed to bind9-bugs at isc.org.
Acknowledgements:
ISC would like to thank Nate Eldredge for reporting this.
>Release-Note:
>Audit-Trail:
>Unformatted:
More information about the freebsd-ports-bugs
mailing list