Bugtraq mailing list archives
Killing ircds via DNS
From: David Luyer <david_luyer () PACIFIC NET AU>
Date: Wed, 6 Dec 2000 20:02:59 +1100
It appears some people have discovered a bug in various IRCd's res.c. proc_answer() in res.c: struct in_addr dr, *adr; -> dr is a 4-byte in_addr structure dlen = (int)_getshort(cp); -> get answer length from packet switch(type) { case T_A : hp->h_length = dlen; if (ans == 1) hp->h_addrtype = (class == C_IN) ? AF_INET : AF_UNSPEC; bcopy(cp, (char *)&dr, dlen); -> goodbye stack if dlen > 4 The bug is triggered by returning a 128-byte answer to an A-record query, eg, a 128-byte A-record response to a reverse DNS lookup on the client IP. The fix should be self-evident. David. -- David Luyer Phone: +61 3 9674 7525 Senior Network Engineer P A C I F I C Fax: +61 3 9699 8693 Pacific Internet (Australia) I N T E R N E T Mobile: +61 4 1111 2983 http://www.pacific.net.au/ NASDAQ: PCNTF
Current thread:
- Killing ircds via DNS David Luyer (Dec 07)
- Re: Killing ircds via DNS van der Kooij, Hugo (Dec 08)
- Re: Killing ircds via DNS David Luyer (Dec 11)
- Re: Killing ircds via DNS Adam J Herscher (Dec 11)
- Re: Killing ircds via DNS Robert Feldbauer (Dec 11)
- Re: Killing ircds via DNS Piotr Kucharski (Dec 11)
- Re: Killing ircds via DNS David Luyer (Dec 12)
- Re: Killing ircds via DNS Darren Reed (Dec 13)
- Re: Killing ircds via DNS Chris Mason (Dec 12)
- Security Advisory: Subscribe Me Lite 1.0 - 2.0 Unix or 1.0 - 2.0 NT and below. Tom Pickles (Dec 13)
- Re: Killing ircds via DNS Sean Kelly (Dec 13)
- Re: Killing ircds via DNS David Luyer (Dec 12)
- Re: Killing ircds via DNS van der Kooij, Hugo (Dec 08)