oss-sec mailing list archives

Re: MaraDNS 1.4.06 and 1.3.07.11 released


From: Vincent Danen <vdanen () redhat com>
Date: Fri, 18 Mar 2011 12:11:15 -0600

* [2011-01-29 22:21:08 -0700] Sam Trenholme wrote:

In 2002, when I rewrote the compression code for MaraDNS for the first
time, I made a mistake in allocating an array of integers, allocating
it in bytes instead of sizeof(int) units.  This resulted in a buffer
being too small, allowing it to be overwritten.

The impact of this programming error is that MaraDNS can be crashed by
sending MaraDNS a single "packet of death".  Since the data placed in
the overwritten array can not be remotely controlled (it is a list of
increasing integers), there is no way to increase privileges
exploiting this bug.

The attached patch resolves this issue by allocating in sizeof(int)
units instead of byte-sized units for an integer array.  In addition,
it uses a smaller array because a DNS name can only have, at most, 128
labels.

Was a CVE name ever assigned to this issue?

--
Vincent Danen / Red Hat Security Response Team
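
The sizing error described in the quoted announcement, shown as an added example. It is not part of the original message and is not MaraDNS code. The function names and the label-offset parser are hypothetical, and the parser handles only uncompressed wire-format names built here as sample input.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

#define MAX_LABELS 128 /* label limit stated in the advisory */

/* Buggy sizing pattern: the element count is used as a byte count. */
size_t buggy_alloc_bytes(size_t n_ints) { return n_ints; }

/* Fixed sizing pattern: the element count is scaled by sizeof(int). */
size_t fixed_alloc_bytes(size_t n_ints) { return n_ints * sizeof(int); }

/* Record the offset of each label in an uncompressed wire-format name.
 * Returns the label count, or -1 on malformed or oversized input.
 * On success *out is a malloc'd array that the caller frees. */
int label_offsets(const uint8_t *name, size_t len, int **out)
{
    int *offs = malloc(fixed_alloc_bytes(MAX_LABELS));
    size_t pos = 0;
    int count = 0;
    *out = NULL;
    if (offs == NULL || len == 0) {
        free(offs);
        return -1;
    }
    while (name[pos] != 0) {
        /* Reject instead of writing past the array or reading past the input. */
        if (count >= MAX_LABELS || name[pos] > 63 || pos + 1 + name[pos] >= len) {
            free(offs);
            return -1;
        }
        offs[count++] = (int)pos;
        pos += 1 + (size_t)name[pos];
    }
    *out = offs;
    return count;
}

int main(void)
{
    /* Constructed sample: www.example.com in wire format. */
    const uint8_t name[] = "\3www\7example\3com";
    int *offs = NULL;
    int n = label_offsets(name, sizeof name, &offs);
    printf("buggy=%zu bytes, fixed=%zu bytes, labels=%d\n",
           buggy_alloc_bytes(MAX_LABELS), fixed_alloc_bytes(MAX_LABELS), n);
    free(offs);
    return 0;
}
```

With the buggy sizing, an array meant for 128 integers holds only 128 / sizeof(int) of them, so the bounds check on `count` is what keeps a name with many labels from writing past the allocation.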
