From owner-freebsd-security  Sun Apr 27 18:11:26 1997
Return-Path: <owner-security>
Received: (from root@localhost)
          by hub.freebsd.org (8.8.5/8.8.5) id SAA09945
          for security-outgoing; Sun, 27 Apr 1997 18:11:26 -0700 (PDT)
Received: from rover.village.org (rover.village.org [204.144.255.49])
          by hub.freebsd.org (8.8.5/8.8.5) with SMTP id SAA09940
          for <freebsd-security@freebsd.org>; Sun, 27 Apr 1997 18:11:21 -0700 (PDT)
Received: from rover.village.org [127.0.0.1] 
	by rover.village.org with esmtp (Exim 1.60 #1)
	id 0wLexe-0006zz-00; Sun, 27 Apr 1997 19:10:34 -0600
To: The Code Warrior <jbowie@bsdnet.org>
Subject: Re: SNI-12: BIND Vulnerabilities and Solutions (fwd) 
Cc: Dmitry Valdov <dv@kis.ru>, freebsd-security@freebsd.org
In-reply-to: Your message of "Wed, 23 Apr 1997 10:15:30 -0000."
		<Pine.BSF.3.96.970423100818.1014A-100000@utopia.nh.ultranet.com> 
References: <Pine.BSF.3.96.970423100818.1014A-100000@utopia.nh.ultranet.com>  
Date: Sun, 27 Apr 1997 19:10:33 -0600
From: Warner Losh <imp@village.org>
Message-Id: <E0wLexe-0006zz-00@rover.village.org>
Sender: owner-security@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

In message <Pine.BSF.3.96.970423100818.1014A-100000@utopia.nh.ultranet.com> The Code Warrior writes:
I haven't checked the gethostby* libs, so I'm not sure if the 
: resolver does internal bounds checking, rather than just letting you overflow 
: the stack with a spoofed DNS name.

I have.  There are some, but not a lot.  I've been trying to plug them
as I find them.  Most of them have long ago been plugged.

And the name doesn't need to be spoofed either.  You just need control
over the in-addr.arpa domain for the IP numbers that you claim to be
coming from for this attack to work.

Warner