Date: Thu, 13 Feb 1997 16:03:20 -0700
From: Warner Losh <imp@village.org>
To: Julian Assange <proff@iq.org>
Cc: security@freebsd.org
Subject: Re: trusting dns addresses
Message-ID: <E0vvABU-0001Vm-00@rover.village.org>
In-Reply-To: Your message of "Fri, 14 Feb 1997 09:37:31 +1100." <199702132237.JAA00545@profane.iq.org>
References: <199702132237.JAA00545@profane.iq.org>
In message <199702132237.JAA00545@profane.iq.org> Julian Assange writes:
: > This attack requires there to be a bug in the resolver in order to even
: > have a chance of succeeding. If that were the case, better to fix the
: > resolver than to fix all places in the source tree where it returns
: > data.
:
: I strongly disagree with this view. The problem should be fixed in
: both places. Trusting a protocol independent resolver to always
: return 4 byte addresses is nothing but bad programming. In fact, at
: the moment, despite the additional length checks, it can return 16 byte
: ipv6 addresses. No doubt as other protocols are added in the future
: we will see other lengths.

This was the point that I missed. I didn't think it was possible to
have anything but a 4 byte quantity in an A record which is returned.
Are you saying that gethostbyname will return AA records as well as A
records? Wow, that sounds like a bug to me. However, that's the sort
of thing that attackers might take advantage of...

: It's bad. It's shoddy. It is a security hole now and likely one into
: the future and across domains. It breaks encapsulation. It needs to
: be addressed.

This is more of a defensive programming issue rather than a known hole
exploit fix. The current sockaddr_in structure has 8 bytes of padding
on the end, which will cause at most 4 extra bytes to be written
outside of the buffer. I have trouble seeing how one would exploit
that.

Wouldn't it be better to issue a diagnostic and halt (for programs) or
return -1/NULL (for libs) than to truncate the reply and keep going?

In any event, it is sloppy and wouldn't hurt to fix, especially given
the patches that you've submitted.

Warner
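As an added illustration of the "return -1 for libs" option discussed above (example code written for this archive page, not from the original message or from the FreeBSD source): a helper that copies a resolver result into a sockaddr_in only when h_addrtype is AF_INET and h_length is exactly the size of an in_addr, exercised on two constructed hostent records (one 4-byte, one 16-byte) so it runs offline; the host names and addresses are made up.

```c
#include <netdb.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <sys/socket.h>
#include <string.h>

/* Copy the first address of a resolver result into a sockaddr_in, but only
 * when it is an AF_INET address of exactly sizeof(struct in_addr) bytes.
 * Returns 0 on success, -1 otherwise (the "return -1 for libs" option),
 * rather than memcpy'ing hp->h_length bytes, which overruns on a 16-byte
 * IPv6 address. */
int hostent_to_sockaddr_in(const struct hostent *hp, struct sockaddr_in *sin)
{
    if (hp == NULL || hp->h_addr_list == NULL || hp->h_addr_list[0] == NULL)
        return -1;
    if (hp->h_addrtype != AF_INET || hp->h_length != (int)sizeof(struct in_addr))
        return -1;
    memset(sin, 0, sizeof(*sin));
    sin->sin_family = AF_INET;
    memcpy(&sin->sin_addr, hp->h_addr_list[0], sizeof(struct in_addr));
    return 0;
}

/* Constructed hostent records standing in for gethostbyname() output so the
 * example runs offline; names and addresses are made up (documentation ranges). */
static char v4name[] = "v4.example", v6name[] = "v6.example";
static unsigned char v4addr[4]  = {192, 0, 2, 1};
static unsigned char v6addr[16] = {0x20, 0x01, 0x0d, 0xb8, 0, 0, 0, 0,
                                   0, 0, 0, 0, 0, 0, 0, 1};
static char *v4list[] = {(char *)v4addr, NULL};
static char *v6list[] = {(char *)v6addr, NULL};
struct hostent fake_v4 = {.h_name = v4name, .h_aliases = NULL, .h_addrtype = AF_INET,
                          .h_length = 4, .h_addr_list = v4list};
struct hostent fake_v6 = {.h_name = v6name, .h_aliases = NULL, .h_addrtype = AF_INET6,
                          .h_length = 16, .h_addr_list = v6list};

/* Returns 1 if the 4-byte record is accepted and decodes to 192.0.2.1. */
int demo_v4_accepted(void)
{
    struct sockaddr_in sin;
    return hostent_to_sockaddr_in(&fake_v4, &sin) == 0 &&
           sin.sin_addr.s_addr == htonl(0xC0000201u);
}

/* Returns 1 if the 16-byte record is refused instead of overrunning sin_addr. */
int demo_v6_refused(void)
{
    struct sockaddr_in sin;
    return hostent_to_sockaddr_in(&fake_v6, &sin) == -1;
}
```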