Bugtraq mailing list archives

Killing ircds via DNS


From: David Luyer <david_luyer () PACIFIC NET AU>
Date: Wed, 6 Dec 2000 20:02:59 +1100

It appears some people have discovered a bug in various IRCds' res.c.

proc_answer() in res.c:

        struct  in_addr dr, *adr;
          -> dr is a 4-byte in_addr structure

                dlen =  (int)_getshort(cp);
                   -> get answer length from packet

                switch(type)
                {
                case T_A :
                        hp->h_length = dlen;
                        if (ans == 1)
                                hp->h_addrtype =  (class == C_IN) ?
                                                        AF_INET : AF_UNSPEC;
                        bcopy(cp, (char *)&dr, dlen);
                             -> goodbye stack if dlen > 4

The bug is triggered by returning a 128-byte answer to an A-record query, e.g.,
a 128-byte A-record response to a reverse DNS lookup on the client IP.  The
fix should be self-evident.

David.
--
David Luyer                                        Phone:   +61 3 9674 7525
Senior Network Engineer        P A C I F I C       Fax:     +61 3 9699 8693
Pacific Internet (Australia)  I N T E R N E T      Mobile:  +61 4 1111 2983
http://www.pacific.net.au/                         NASDAQ:  PCNTF
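The check the post leaves as self-evident, written out as an added example that is not taken from any IRCd's res.c: it assumes `cp` points at the RDLENGTH field of the resource record and that T_A is 1 as in RFC 1035, and it rejects any A record whose RDATA is not exactly four bytes or does not lie inside the packet before anything is copied into `dr`.

```c
#include <arpa/inet.h>     /* struct in_addr, ntohl */
#include <string.h>

#define T_A 1              /* DNS A record type (RFC 1035) */

/* Reads a 16-bit big-endian field, the job _getshort() does in res.c. */
static unsigned getshort_be(const unsigned char *cp)
{
    return ((unsigned)cp[0] << 8) | cp[1];
}

/* Hardened counterpart of the `bcopy(cp, &dr, dlen)` in proc_answer().
 * `cp` points at the RDLENGTH field, `end` one past the packet's last byte.
 * Returns 0 and fills *dr, or -1 if the record cannot be an IPv4 address. */
static int parse_a_rdata(const unsigned char *cp, const unsigned char *end,
                         unsigned type, struct in_addr *dr)
{
    if (end - cp < 2)                       /* RDLENGTH must be present */
        return -1;
    unsigned dlen = getshort_be(cp);
    cp += 2;
    if ((size_t)(end - cp) < dlen)          /* RDATA must lie inside the packet */
        return -1;
    if (type != T_A || dlen != sizeof *dr)  /* an A record is exactly 4 bytes, */
        return -1;                          /* so a 128-byte one is rejected */
    memcpy(dr, cp, sizeof *dr);             /* copy a fixed 4 bytes, never dlen */
    return 0;
}

/* Constructed record: RDLENGTH=4 followed by 192.0.2.1. Returns 1 if parsed. */
static int check_valid_record(void)
{
    const unsigned char rr[] = {0x00, 0x04, 192, 0, 2, 1};
    struct in_addr dr;
    return parse_a_rdata(rr, rr + sizeof rr, T_A, &dr) == 0
        && ntohl(dr.s_addr) == 0xC0000201u;
}

/* Constructed record: RDLENGTH=128 with all 128 bytes present, the shape
 * described in the post. Returns 1 only if the parser wrongly accepts it. */
static int check_oversized_record(void)
{
    unsigned char rr[130] = {0x00, 0x80};   /* remaining bytes are zero */
    struct in_addr dr;
    return parse_a_rdata(rr, rr + sizeof rr, T_A, &dr) == 0;
}
```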