Date: Wed, 23 Feb 2000 22:24:59 -0800 (PST)
From: spock@techfour.net
To: freebsd-gnats-submit@FreeBSD.org
Subject: bin/16953: [PATCH] Fix argument overflow in dnsquery
Message-ID: <200002240624.WAA68360@freefall.freebsd.org>
>Number: 16953
>Category: bin
>Synopsis: [PATCH] Fix argument overflow in dnsquery
>Confidential: no
>Severity: non-critical
>Priority: medium
>Responsible: freebsd-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Wed Feb 23 22:30:01 PST 2000
>Closed-Date:
>Last-Modified:
>Originator: Mike Heffner
>Release: 4.0-current
>Organization:
>Environment:
FreeBSD 4.0-CURRENT #0: Sat Feb 19 20:05:45 EST 2000
>Description:
dnsquery doesn't check domain name length and will write past buffer.
>How-To-Repeat:
dnsquery -h [5120]
or dnsquery [5120]
>Fix:
Apply patch. Merged from OpenBSD.
Index: contrib/bind/bin/dnsquery/dnsquery.c
===================================================================
RCS file: /home/ncvs/src/contrib/bind/bin/dnsquery/dnsquery.c,v
retrieving revision 1.1.1.2
diff -u -r1.1.1.2 dnsquery.c
--- dnsquery.c 1999/11/30 02:42:02 1.1.1.2
+++ dnsquery.c 2000/02/24 06:09:09
@@ -80,7 +80,11 @@
case 'p' : res.retrans = atoi(optarg);
break;
- case 'h' : strcpy(name, optarg);
+ case 'h' : if(strlcpy(name, optarg, sizeof(name)) >= sizeof(name)) {
+ fprintf(stderr,
+ "Domain name too long (%s)\n", optarg);
+ exit(-1);
+ }
break;
case 'c' : {
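Review bot: In the 'h' case, sizeof(name) is the buffer size only if name is declared as an array in this scope, and the declaration is not part of the hunk; please confirm it, because with a char pointer the expression gives the pointer size and the check would reject nearly every name. Given an array, the test is correct: strlcpy returns the length of the source string, so a result >= sizeof(name) means the copy was truncated. Two smaller points: the file lives under contrib/bind, so using strlcpy here diverges from the vendor source and will need to be carried across imports, and "if(strlcpy" should read "if (strlcpy" to match the "if (" spacing visible in the surrounding context.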
@@ -157,9 +161,14 @@
exit(-1);
}
}
- if (optind < argc)
- strcpy(name, argv[optind]);
-
+ if (optind < argc) {
+ if (strlcpy(name, argv[optind], sizeof(name)) >= sizeof(name)){
+ fprintf(stderr,
+ "Domain name too long (%s)\n", argv[optind]);
+ exit(-1);
+ }
+ }
+
len = sizeof(answer);
if (!(res.options & RES_INIT))
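Review bot: The positional-argument branch repeats the length check, message and exit(-1) from the 'h' case verbatim; a small helper that takes the source string and does the strlcpy, the comparison and the error exit would keep the two paths from drifting apart. Both error paths also print the rejected argument in full with "%s", so the 5120-character input from How-To-Repeat is echoed back to stderr; bounding it with a precision in the format, or reporting the maximum accepted length instead, would make the message more useful. Style: "sizeof(name)){" is missing the space before the brace, and the added line after the closing brace appears to carry whitespace only.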
>Release-Note:
>Audit-Trail:
>Unformatted:
