Date: Wed, 9 Jul 2008 12:26:18 GMT
From: Dennis Yusupoff <denissia@mail.ru>
To: freebsd-gnats-submit@FreeBSD.org
Subject: ports/125433: BIND: buffer overflow in inet_network()
Message-ID: <200807091226.m69CQIua070380@www.freebsd.org>
Resent-Message-ID: <200807091230.m69CU4Jh027983@freefall.freebsd.org>
>Number: 125433
>Category: ports
>Synopsis: BIND: buffer overflow in inet_network()
>Confidential: no
>Severity: critical
>Priority: high
>Responsible: freebsd-ports-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Wed Jul 09 12:30:04 UTC 2008
>Closed-Date:
>Last-Modified:
>Originator: Dennis Yusupoff
>Release: No matter
>Organization: Ozerki.Net ISP
>Environment:
No matter
>Description:
Description:
An off-by-one error in the inet_network() function in libbind could lead to memory corruption with certain inputs.

Impact:
Applications linked against libbind which call inet_network() with untrusted inputs could lead to a denial-of-service or potentially code execution.

http://www.isc.org/index.pl?/sw/bind/index.php
>How-To-Repeat:
>Fix:
Solution:
Upgrade to 9.3.5, 9.4.3, 9.5.0b2 or later when released.
Otherwise, apply the patch below to:
BIND 9: lib/bind/inet/inet_network.c
BIND 8: lib/inet/inet_network.c

Index: inet_network.c diff -u inet_network.c:1.5 inet_network.c:1.6 --- inet_network.c:1.5 Wed Apr 27 04:56:21 2005 +++ inet_network.c Tue Jan 15 04:02:01 2008 @@ -84,9 +84,9 @@ } if (!digit) return (INADDR_NONE); + if (pp >= parts + 4 || val > 0xffU) + return (INADDR_NONE); if (*cp == '.') { - if (pp >= parts + 4 || val > 0xffU) - return (INADDR_NONE); *pp++ = val, cp++; goto again; }

Questions should be addressed to bind9-bugs@isc.org.

Acknowledgements:
ISC would like to thank Nate Eldredge for reporting this.
>Release-Note:
>Audit-Trail:
>Unformatted:
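Review bot: The hoisted check `if (pp >= parts + 4 || val > 0xffU)` in the `@@ -84,9 +84,9 @@` hunk now runs for every parsed component, not only those followed by '.', so it tightens the accepted value range as well as bounding `pp`, and nothing in the change documents that. Suggest a one-line comment above the check stating that it must precede every store through `pp`, and replacing the literal 4 with the element count of `parts` so the bound cannot drift from the array declaration. The declaration of `parts` and the store for the final component are outside the visible context, so confirm that no other write through `pp` is left unchecked.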