Vulnerability Development mailing list archives
Re: Possible DOS in Bind 8.2.2-P5
From: Olaf Kirch <okir () CALDERA DE>
Date: Thu, 9 Nov 2000 13:08:55 +0100
I think I found the bug... the problem seems to be that named sets a flag called STREAM_AXFRIXFR when it is about to send an AXFR. This flag (0x22) is just the same as setting the flags 0x20 (we have valid AXFR info, which is not true at this point), and 0x02 (we're selecting for write events, which isn't true either at this point).

What happens is that in the normal AXFR case, it happens sooner or later that we _do_ want to select for a write, and assert the STREAM_WRITE_EV flag 0x2, and put a valid pointer in evID_w. Later, when the stream is closed, that pointer is freed properly.

In the case of a ZXFR though, ns_xfr() jumps straight to a call to sq_remove(), which cleans the struct associated with this TCP stream. It comes across the flag that asserts STREAM_WRITE_EV, and releases the pointer contained in evID_w, which is essentially garbage.

The fix I implemented was to change the definition of STREAM_AXFRIXFR to 0x40, which doesn't conflict with any other flag. I am not 100% sure that this is correct; there may be some weird intended side effects why the bind implementers originally chose to make that flag conflict with other flags. However, AXFRs still seem to work, and ZXFRs still do not work, but have stopped crashing the server :-)

The patch is attached.

Olaf
--
Olaf Kirch         |  --- o ---  Nous sommes du soleil we love when we play
okir () monad swb de |    / | \    sol.dhoop.naytheet.ah kin.ir.samse.qurax
okir () caldera de  +-------------------- Why Not?! -----------------------
UNIX, n.: Spanish manufacturer of fire extinguishers.
Attachment:
bind-8.2.2p5-zxfr.patch
Description:
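The following is an added illustration of the flag-aliasing defect Olaf describes; it is not his patch and not BIND code. It models a per-stream struct with a flags word and an evID_w handle, a stand-in sq_remove() that releases the handle whenever STREAM_WRITE_EV is set, and the two call paths from the post: the ordinary AXFR path that really does register a write event before closing, and the ZXFR path that goes straight to cleanup. With STREAM_AXFRIXFR defined as 0x22 the cleanup sees STREAM_WRITE_EV (0x02) set on a stream that never assigned evID_w; with 0x40 it does not. Rather than freeing the uninitialised pointer, the model reports the inconsistency. The name STREAM_AXFR for the 0x20 bit is an assumption (the post only gives the value), and the struct and function bodies are hypothetical simplifications. The block also generalises the lesson into a small check, flags_are_disjoint(), that rejects any flag table in which a value is not a single bit or shares a bit with another flag.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>

/* Flag values quoted in the post. STREAM_AXFR as the name of 0x20 is an assumption. */
#define STREAM_WRITE_EV        0x02
#define STREAM_AXFR            0x20
#define STREAM_AXFRIXFR_BUGGY  0x22   /* == STREAM_AXFR | STREAM_WRITE_EV: aliases two flags */
#define STREAM_AXFRIXFR_FIXED  0x40   /* the value from the post's fix: a bit nothing else uses */

/* Hypothetical stand-in for named's per-TCP-stream state. */
struct qstream {
    unsigned flags;
    void *evID_w;   /* write-event handle; meaningful only while STREAM_WRITE_EV is set */
};

/* Outcome of the cleanup step. */
enum sq_result {
    SQ_OK = 0,             /* nothing to release, or a real handle was released */
    SQ_BOGUS_RELEASE = 1   /* flag claimed a write event but no handle was ever assigned */
};

/* Register interest in write events, as the normal AXFR path does sooner or later. */
static void stream_want_write(struct qstream *sp) {
    sp->evID_w = malloc(16);          /* stands in for the event handle */
    sp->flags |= STREAM_WRITE_EV;
}

/* Stand-in for sq_remove(): release whatever the flags say is live.
   Where the real code would free() whatever evID_w happened to contain,
   this model detects the flag/handle mismatch and reports it instead. */
static enum sq_result sq_remove(struct qstream *sp) {
    enum sq_result r = SQ_OK;
    if (sp->flags & STREAM_WRITE_EV) {
        if (sp->evID_w == NULL)
            r = SQ_BOGUS_RELEASE;     /* flag set, but nothing was ever stored here */
        else
            free(sp->evID_w);
    }
    sp->evID_w = NULL;
    sp->flags = 0;
    return r;
}

/* ZXFR path from the post: mark the stream as AXFR/IXFR, then go straight to sq_remove(). */
static enum sq_result zxfr_path(unsigned axfrixfr_flag) {
    struct qstream s = { 0, NULL };
    s.flags |= axfrixfr_flag;
    return sq_remove(&s);
}

/* Ordinary AXFR path: mark, later select for write, then close. */
static enum sq_result axfr_path(unsigned axfrixfr_flag) {
    struct qstream s = { 0, NULL };
    s.flags |= axfrixfr_flag;
    stream_want_write(&s);
    return sq_remove(&s);
}

/* General check for a flag table: every value must be exactly one bit and no
   two values may share a bit. Returns true when the table is clean. */
static bool flags_are_disjoint(const unsigned *vals, size_t n) {
    unsigned seen = 0;
    for (size_t i = 0; i < n; i++) {
        if (vals[i] == 0 || (vals[i] & (vals[i] - 1)) != 0)
            return false;             /* zero or more than one bit set */
        if (seen & vals[i])
            return false;             /* bit already used by another flag */
        seen |= vals[i];
    }
    return true;
}

int main(void) {
    const unsigned buggy[] = { STREAM_WRITE_EV, STREAM_AXFR, STREAM_AXFRIXFR_BUGGY };
    const unsigned fixed[] = { STREAM_WRITE_EV, STREAM_AXFR, STREAM_AXFRIXFR_FIXED };
    printf("ZXFR with 0x22: %s\n", zxfr_path(STREAM_AXFRIXFR_BUGGY) ? "bogus release" : "ok");
    printf("ZXFR with 0x40: %s\n", zxfr_path(STREAM_AXFRIXFR_FIXED) ? "bogus release" : "ok");
    printf("flag table 0x22 disjoint: %d\n", flags_are_disjoint(buggy, 3));
    printf("flag table 0x40 disjoint: %d\n", flags_are_disjoint(fixed, 3));
    return 0;
}
```

The disjointness check is the reusable part: a composite value such as 0x22 fails it immediately, which is the cheapest way to catch this class of bug before a cleanup routine ever runs.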
Current thread:
- Possible DOS in Bind 8.2.2-P5 Fabio Pietrosanti (naif) (Nov 08)
- Re: Possible DOS in Bind 8.2.2-P5 Przemyslaw Frasunek (Nov 08)
- Re: Possible DOS in Bind 8.2.2-P5 Fabio Pietrosanti (naif) (Nov 09)
- Re: Possible DOS in Bind 8.2.2-P5 Tomasz Grabowski (Nov 09)
- Re: Possible DOS in Bind 8.2.2-P5 Guy Cohen (Nov 09)
- Re: Possible DOS in Bind 8.2.2-P5 Mariusz Marcinkiewicz (Nov 09)
- Re: Possible DOS in Bind 8.2.2-P5 (my fault, sorry) Mariusz Marcinkiewicz (Nov 10)
- Re: Possible DOS in Bind 8.2.2-P5 Olaf Kirch (Nov 10)
- Re: Possible DOS in Bind 8.2.2-P5 Paul A Vixie (Nov 10)
- Re: Possible DOS in Bind 8.2.2-P5 Daniel Roesen (Nov 10)
- Re: Possible DOS in Bind 8.2.2-P5 fire-eyes (Nov 14)
- <Possible follow-ups>
- Re: Possible DOS in Bind 8.2.2-P5 Fernando Cardoso (Nov 09)
- Re: Possible DOS in Bind 8.2.2-P5 Luke Dudney (Nov 10)
- Re: Possible DOS in Bind 8.2.2-P5 Jonatan Sarba (Nov 14)
- Re: Possible DOS in Bind 8.2.2-P5 Peter Pentchev (Nov 15)
- Re: Possible DOS in Bind 8.2.2-P5 Johnson, Jeremiah (Nov 15)
- Re: Possible DOS in Bind 8.2.2-P5 Matt Zimmerman (Nov 15)
- Re: Possible DOS in Bind 8.2.2-P5 Peter Pentchev (Nov 15)
- Re: Possible DOS in Bind 8.2.2-P5 Paul Pot (Nov 15)
(Thread continues...)