Vulnerability Development mailing list archives
Re: Possible DOS in Bind 8.2.2-P5
From: Paul A Vixie <vixie () MFNX NET>
Date: Thu, 9 Nov 2000 09:06:26 -0800
that's part of it, sure. p7 will be out shortly.
Date: Thu, 9 Nov 2000 13:08:55 +0100 
From: Olaf Kirch <okir () caldera de>
To: VULN-DEV () SECURITYFOCUS COM
Cc: bind-bugs () isc org
Subject: Re: Possible DOS in Bind 8.2.2-P5
Message-Id: <20001109130855.S5711 () monad caldera de>
References: <Pine.LNX.4.30.0011071957001.3275-100000 () naif inet it> <Pine.LNX.4.21.0011081255380.16213-100000 () mystique agsmedia pl>
In-Reply-To: <Pine.LNX.4.21.0011081255380.16213-100000 () mystique agsmedia pl>; from tmogg () AGSMEDIA PL on Wed, Nov 08, 2000 at 01:02:43PM +0100
User-Agent: Mutt/1.2.5i

I think I found the bug... the problem seems to be that named sets a flag called STREAM_AXFRIXFR when it is about to send an AXFR. This flag (0x22) is just the same as setting the flags 0x20 (we have valid AXFR info, which is not true at this point) and 0x02 (we're selecting for write events, which isn't true either at this point).

What happens is that in the normal AXFR case, it happens sooner or later that we _do_ want to select for a write, and assert the STREAM_WRITE_EV flag 0x2, and put a valid pointer in evID_w. Later, when the stream is closed, that pointer is freed properly.

In the case of a ZXFR though, ns_xfr() jumps straight to a call to sq_remove(), which cleans the struct associated with this TCP stream. It comes across the flag that asserts STREAM_WRITE_EV, and releases the pointer contained in evID_w, which is essentially garbage.

The fix I implemented was to change the definition of STREAM_AXFRIXFR to 0x40, which doesn't conflict with any other flag. I am not 100 % sure that this is correct; there may be some weird intended side effects, which is why the bind implementers originally chose to make that flag conflict with other flags.
However, AXFRs still seem to work, and ZXFRs still do not work, but have stopped crashing the server :-)

The patch is attached.

Olaf
-- 
Olaf Kirch         |  --- o --- Nous sommes du soleil we love when we play
okir () monad swb de |    / | \   sol.dhoop.naytheet.ah kin.ir.samse.qurax
okir () caldera de  +-------------------- Why Not?! -----------------------
          UNIX, n.: Spanish manufacturer of fire extinguishers.

Content-Type: application/x-patch
Content-Disposition: attachment; filename="bind-8.2.2p5-zxfr.patch"

--- bind-8.2.2p5/src/bin/named/ns_defs.h.zxfr   Thu Nov  9 12:41:43 2000
+++ bind-8.2.2p5/src/bin/named/ns_defs.h        Thu Nov  9 12:41:55 2000
@@ -602,7 +602,7 @@
 #define STREAM_CONNECT_EV  0x08
 #define STREAM_DONE_CLOSE  0x10
 #define STREAM_AXFR        0x20
-#define STREAM_AXFRIXFR    0x22
+#define STREAM_AXFRIXFR    0x40
 
 #define ALLOW_NETS         0x0001
 #define ALLOW_HOSTS        0x0002
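Review bot: moving STREAM_AXFRIXFR to 0x40 stops 0x22 from smuggling the STREAM_WRITE_EV bit (0x02) into sq_remove(), but it also changes the meaning of any test on `flags & STREAM_AXFR` (0x20), which a stream marked only with the new value no longer satisfies; before this lands, every reader of STREAM_AXFR and STREAM_AXFRIXFR in named should be checked for code that relied on the old overlap, and the STREAM_* definitions above this hunk's context confirmed not to already use 0x40. The root cause is left in place: sq_remove() still releases evID_w on the strength of a flag bit rather than on the pointer itself, so initialising evID_w to NULL when the stream is set up and guarding the release with a NULL check would also cover any other path that reaches sq_remove() with STREAM_WRITE_EV set but no write ever scheduled. A comment on the #define stating that the value must not share bits with the other STREAM_* flags would keep the overlap from being reintroduced.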
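The flag collision described in the message above, as an added example that is not part of this thread or of BIND's own source: a small C model of the stream struct, the sq_remove() cleanup and the two transfer paths. The flag values are the ones quoted in the message; the non-zeroed stream allocation, the tiny allocation registry that stands in for the event library (so the bad free is reported as -1 instead of corrupting the heap), the run_axfr/run_zxfr helpers and the NULL-guard variant are assumptions made for this demo.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Stream flag bits quoted from ns_defs.h in the message above.  The
 * 0x01/0x04 bits are not visible on the page and are not modelled. */
#define STREAM_WRITE_EV     0x02
#define STREAM_CONNECT_EV   0x08
#define STREAM_DONE_CLOSE   0x10
#define STREAM_AXFR         0x20
#define AXFRIXFR_ORIG       0x22   /* == STREAM_AXFR | STREAM_WRITE_EV */
#define AXFRIXFR_PATCHED    0x40   /* value from the attached patch: a bit of its own */

struct stream {
    unsigned flags;
    void    *evID_w;   /* write-event handle, valid only once a write was scheduled */
};

/* Demo scaffolding, not named's code: a registry of live event handles so
 * release_event() can tell a valid free from a free of a pointer it never
 * handed out (the real free() would silently corrupt the heap or crash). */
#define MAX_EVENTS 8
static void *live_events[MAX_EVENTS];

static void *alloc_event(void) {
    for (int i = 0; i < MAX_EVENTS; i++)
        if (live_events[i] == NULL)
            return live_events[i] = malloc(16);
    abort();   /* the demo never allocates this many */
}

/* 0: pointer was live and is now released; -1: invalid free (would crash named) */
static int release_event(void *p) {
    for (int i = 0; i < MAX_EVENTS; i++)
        if (p != NULL && live_events[i] == p) {
            free(p);
            live_events[i] = NULL;
            return 0;
        }
    return -1;
}

/* Simulates a stream struct handed out from a non-zeroed pool (assumption
 * made for the demo): evID_w starts out as garbage.  With null_init the
 * hardened setup clears the pointer so a later NULL check is meaningful. */
static void stream_open(struct stream *sp, int null_init) {
    memset(sp, 0xA5, sizeof *sp);
    sp->flags = 0;
    if (null_init)
        sp->evID_w = NULL;
}

/* Mirrors the cleanup the message describes: free evID_w whenever the
 * STREAM_WRITE_EV bit is set.  With guard=1 the release additionally
 * requires evID_w != NULL, which is the pointer-based check. */
static int sq_remove(struct stream *sp, int guard) {
    if (sp->flags & STREAM_WRITE_EV) {
        if (guard && sp->evID_w == NULL)
            return 0;
        return release_event(sp->evID_w);
    }
    return 0;
}

/* Normal AXFR: mark the stream, later really schedule a write (valid
 * evID_w), then close.  Returns sq_remove()'s verdict. */
int run_axfr(unsigned axfrixfr_value, int hardened) {
    struct stream s;
    stream_open(&s, hardened);
    s.flags |= axfrixfr_value;
    s.flags |= STREAM_WRITE_EV;     /* now we genuinely want a write event */
    s.evID_w = alloc_event();
    return sq_remove(&s, hardened);
}

/* ZXFR: ns_xfr() marks the stream and goes straight to sq_remove(),
 * so evID_w was never assigned. */
int run_zxfr(unsigned axfrixfr_value, int hardened) {
    struct stream s;
    stream_open(&s, hardened);
    s.flags |= axfrixfr_value;
    return sq_remove(&s, hardened);
}

int main(void) {
    printf("ZXFR, flag 0x22, flag-based cleanup : %d\n", run_zxfr(AXFRIXFR_ORIG, 0));
    printf("ZXFR, flag 0x40, flag-based cleanup : %d\n", run_zxfr(AXFRIXFR_PATCHED, 0));
    printf("ZXFR, flag 0x22, NULL-guarded       : %d\n", run_zxfr(AXFRIXFR_ORIG, 1));
    printf("AXFR, flag 0x22, flag-based cleanup : %d\n", run_axfr(AXFRIXFR_ORIG, 0));
    return 0;
}
```

The first line is the crash from the thread: 0x22 carries the write-event bit, so the cleanup releases a pointer that was never assigned. The second shows the attached patch removing the bit overlap, and the third shows that keying the release on the pointer (NULL-initialised, NULL-checked) closes the same hole even with the original flag value, which is the more robust of the two fixes since it does not depend on nobody ever OR-ing the wrong bits together again.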
Current thread:
- Possible DOS in Bind 8.2.2-P5 Fabio Pietrosanti (naif) (Nov 08)
- Re: Possible DOS in Bind 8.2.2-P5 Przemyslaw Frasunek (Nov 08)
- Re: Possible DOS in Bind 8.2.2-P5 Fabio Pietrosanti (naif) (Nov 09)
- Re: Possible DOS in Bind 8.2.2-P5 Tomasz Grabowski (Nov 09)
- Re: Possible DOS in Bind 8.2.2-P5 Guy Cohen (Nov 09)
- Re: Possible DOS in Bind 8.2.2-P5 Mariusz Marcinkiewicz (Nov 09)
- Re: Possible DOS in Bind 8.2.2-P5 (my fault, sorry) Mariusz Marcinkiewicz (Nov 10)
- Re: Possible DOS in Bind 8.2.2-P5 Olaf Kirch (Nov 10)
- Re: Possible DOS in Bind 8.2.2-P5 Paul A Vixie (Nov 10)
- Re: Possible DOS in Bind 8.2.2-P5 Daniel Roesen (Nov 10)
- Re: Possible DOS in Bind 8.2.2-P5 fire-eyes (Nov 14)
- <Possible follow-ups>
- Re: Possible DOS in Bind 8.2.2-P5 Fernando Cardoso (Nov 09)
- Re: Possible DOS in Bind 8.2.2-P5 Luke Dudney (Nov 10)
- Re: Possible DOS in Bind 8.2.2-P5 Jonatan Sarba (Nov 14)
- Re: Possible DOS in Bind 8.2.2-P5 Peter Pentchev (Nov 15)
- Re: Possible DOS in Bind 8.2.2-P5 Johnson, Jeremiah (Nov 15)
- Re: Possible DOS in Bind 8.2.2-P5 Matt Zimmerman (Nov 15)
- Re: Possible DOS in Bind 8.2.2-P5 Peter Pentchev (Nov 15)
- Re: Possible DOS in Bind 8.2.2-P5 Paul Pot (Nov 15)
- Re: Possible DOS in Bind 8.2.2-P5 Chris Tobkin (Nov 15)
- Re: Possible DOS in Bind 8.2.2-P5 Przemyslaw Frasunek (Nov 08)