From owner-freebsd-bugs Wed Feb 23 22:30: 5 2000
Delivered-To: freebsd-bugs@freebsd.org
Received: from freefall.freebsd.org (freefall.FreeBSD.ORG [204.216.27.21])
    by hub.freebsd.org (Postfix) with ESMTP id 0FEAA37BB1B
    for ; Wed, 23 Feb 2000 22:30:02 -0800 (PST)
    (envelope-from gnats@FreeBSD.org)
Received: (from gnats@localhost)
    by freefall.freebsd.org (8.9.3/8.9.2) id WAA68805;
    Wed, 23 Feb 2000 22:30:01 -0800 (PST)
    (envelope-from gnats@FreeBSD.org)
Received: from freefall.freebsd.org (freefall.FreeBSD.ORG [204.216.27.21])
    by hub.freebsd.org (Postfix) with ESMTP id EE6CC37BB26
    for ; Wed, 23 Feb 2000 22:24:59 -0800 (PST)
    (envelope-from nobody@FreeBSD.org)
Received: (from nobody@localhost)
    by freefall.freebsd.org (8.9.3/8.9.2) id WAA68360;
    Wed, 23 Feb 2000 22:24:59 -0800 (PST)
    (envelope-from nobody@FreeBSD.org)
Message-Id: <200002240624.WAA68360@freefall.freebsd.org>
Date: Wed, 23 Feb 2000 22:24:59 -0800 (PST)
From: spock@techfour.net To: freebsd-gnats-submit@FreeBSD.org X-Send-Pr-Version: www-1.0 Subject: bin/16953: [PATCH] Fix argument overflow in dnsquery Sender: owner-freebsd-bugs@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org >Number: 16953 >Category: bin >Synopsis: [PATCH] Fix argument overflow in dnsquery >Confidential: no >Severity: non-critical >Priority: medium >Responsible: freebsd-bugs >State: open >Quarter: >Keywords: >Date-Required: >Class: sw-bug >Submitter-Id: current-users >Arrival-Date: Wed Feb 23 22:30:01 PST 2000 >Closed-Date: >Last-Modified: >Originator: Mike Heffner >Release: 4.0-current >Organization: >Environment: FreeBSD 4.0-CURRENT #0: Sat Feb 19 20:05:45 EST 2000 >Description: dnsquery doesn't check domain name length and will write past buffer. >How-To-Repeat: dnsquery -h [5120] or dnsquery [5120] >Fix: Apply patch. Merged from OpenBSD. Index: contrib/bind/bin/dnsquery/dnsquery.c =================================================================== RCS file: /home/ncvs/src/contrib/bind/bin/dnsquery/dnsquery.c,v retrieving revision 1.1.1.2 diff -u -r1.1.1.2 dnsquery.c --- dnsquery.c 1999/11/30 02:42:02 1.1.1.2 +++ dnsquery.c 2000/02/24 06:09:09 @@ -80,7 +80,11 @@ case 'p' : res.retrans = atoi(optarg); break; - case 'h' : strcpy(name, optarg); + case 'h' : if(strlcpy(name, optarg, sizeof(name)) >= sizeof(name)) { + fprintf(stderr, + "Domain name too long (%s)\n", optarg); + exit(-1); + } break; case 'c' : { @@ -157,9 +161,14 @@ exit(-1); } } - if (optind < argc) - strcpy(name, argv[optind]); - + if (optind < argc) { + if (strlcpy(name, argv[optind], sizeof(name)) >= sizeof(name)){ + fprintf(stderr, + "Domain name too long (%s)\n", argv[optind]); + exit(-1); + } + } + len = sizeof(answer); if (!(res.options & RES_INIT)) >Release-Note: >Audit-Trail: >Unformatted: To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-bugs" in the body of the message
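Review bot: In the first hunk (case 'h'), the bound passed to strlcpy and compared against its return value is sizeof(name), which is the buffer size only if name is declared as an array in this scope. The declaration is outside the visible context, so confirm it is not a pointer; otherwise the copy is limited to the size of a pointer rather than the size of the buffer. Separately, the file lives under contrib/bind and strlcpy is not ISO C, so this local change diverges from the vendor source and has to be carried across future imports; a short comment at the call, or a line in the commit message, would make that visible.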
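Review bot: The second hunk (the `if (optind < argc)` path) repeats the same strlcpy test, error message and exit(-1) as the -h case; a small helper that takes the source string and performs the copy plus the length check would keep the two paths from drifting apart. Two smaller points in the same hunk: `sizeof(name)){` lacks the space before the brace that the first hunk has, and the message echoes the entire over-long argument to stderr (the How-To-Repeat uses a [5120] argument), where reporting the permitted length would tell the user more.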