Vulnerability Development mailing list archives

Re: Possible DOS in Bind 8.2.2-P5


From: Olaf Kirch <okir () CALDERA DE>
Date: Thu, 9 Nov 2000 13:08:55 +0100

I think I found the bug... the problem seems to be that named
sets a flag called STREAM_AXFRIXFR when it is about to send an AXFR.
This flag (0x22) is just the same as setting the flags 0x20
(we have valid AXFR info, which is not true at this point), and
0x02 (we're selecting for write events, which isn't true either at
this point).

What happens is that in the normal AXFR case, it happens sooner or
later that we _do_ want to select for a write, and assert the
STREAM_WRITE_EV flag 0x2, and put a valid pointer in evID_w.
Later, when the stream is closed, that pointer is freed properly.

In the case of a ZXFR though, ns_xfr() jumps straight to a call to
sq_remove(), which cleans the struct associated with this TCP stream.
It comes across the flag that asserts STREAM_WRITE_EV, and releases
the pointer contained in evID_w, which is essentially garbage.

The fix I implemented was to change the definition of STREAM_AXFRIXFR
to 0x40, which doesn't conflict with any other flag. I am not
100 % sure that this is correct; there may be some weird intended
side effects why the bind implementers originally chose to make
that flag conflict with other flags. However, AXFRs still seem to work,
and ZXFRs still do not work, but have stopped crashing the server :-)

The patch is attached.

Olaf
--
Olaf Kirch         |  --- o --- Nous sommes du soleil we love when we play
okir () monad swb de  |    / | \   sol.dhoop.naytheet.ah kin.ir.samse.qurax
okir () caldera de    +-------------------- Why Not?! -----------------------
         UNIX, n.: Spanish manufacturer of fire extinguishers.

Attachment: bind-8.2.2p5-zxfr.patch
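The flag collision described in the post, as an added C simulation (this is not Olaf's patch or BIND's code): STREAM_AXFRIXFR = 0x22 implicitly sets the 0x02 write-event bit, so a cleanup that frees evID_w whenever that bit is set frees a pointer that was never initialised; with 0x40 the bits are disjoint. The name STREAM_AXFR_VALID for the 0x20 bit and the helper names are assumptions, and evID_w is left NULL here so the simulation stays well defined.

```c
#include <stdlib.h>
#include <string.h>

/* Flag values as given in the post; STREAM_AXFR_VALID is an assumed name. */
#define STREAM_WRITE_EV      0x02   /* selecting for write; evID_w is valid */
#define STREAM_AXFR_VALID    0x20   /* "we have valid AXFR info" */
#define STREAM_AXFRIXFR_OLD  0x22   /* bind 8.2.2-P5 value: 0x20 | 0x02 */
#define STREAM_AXFRIXFR_NEW  0x40   /* the fix: a bit of its own */

struct stream {
    unsigned int flags;
    void *evID_w;   /* only meaningful while STREAM_WRITE_EV is set */
};

/* Models the cleanup behaviour described for sq_remove(): if the
 * write-event bit is on, evID_w is released. Returns 1 if it freed. */
static int sq_remove_sim(struct stream *s)
{
    if (s->flags & STREAM_WRITE_EV) {
        free(s->evID_w);   /* in the real server: whatever was in the struct */
        s->evID_w = NULL;
        return 1;
    }
    return 0;
}

/* The ZXFR path: mark the stream as AXFR/IXFR, never set up a write
 * event, go straight to cleanup. Returns 1 if cleanup freed evID_w. */
int zxfr_path_frees(unsigned int axfrixfr_flag)
{
    struct stream s;
    memset(&s, 0, sizeof s);          /* evID_w NULL, not garbage, on purpose */
    s.flags |= axfrixfr_flag;         /* what ns_xfr() does for the transfer */
    return sq_remove_sim(&s);
}

/* Check a flag set: each value is a single bit and shares no bit with
 * the others. Catches composite definitions like 0x22 before they ship. */
int flags_are_disjoint(const unsigned int *f, size_t n)
{
    unsigned int seen = 0;
    for (size_t i = 0; i < n; i++) {
        if (f[i] == 0 || (f[i] & (f[i] - 1)) != 0 || (seen & f[i]) != 0)
            return 0;
        seen |= f[i];
    }
    return 1;
}
```

With the old value the cleanup frees on the ZXFR path (exactly the crash the post describes); with 0x40 it does not, and the disjointness check flags the old set and accepts the fixed one.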