Re: Possible DOS in Bind 8.2.2-P5

[Paul A Vixie <vixie () MFNX NET>]

that's part of it, sure.  p7 will be out shortly.

> Date: Thu, 9 Nov 2000 13:08:55 +0100
> From: Olaf Kirch <okir () caldera de>
> To: VULN-DEV () SECURITYFOCUS COM
> Cc: bind-bugs () isc org
> Subject: Re: Possible DOS in Bind 8.2.2-P5
> Message-Id: <20001109130855.S5711 () monad caldera de>
> References: <Pine.LNX.4.30.0011071957001.3275-100000 () naif inet it> <Pine.LNX.4.21.0011081255380.16213-100000 () 
> mystique agsmedia pl>
> Mime-Version: 1.0
> Content-Type: multipart/mixed; boundary="bAmEntskrkuBymla"
> Content-Disposition: inline
> User-Agent: Mutt/1.2.5i
> In-Reply-To: <Pine.LNX.4.21.0011081255380.16213-100000 () mystique agsmedia pl>; from tmogg () AGSMEDIA PL on Wed, 
> Nov 08, 2000 at 01:02:43PM +0100
> X-Dcc-Maps-Metrics: isrv3.isc.org 666; IP=0/0 env_From=0/0 From=0/0
>         Subject=0/2 Message-Id=0/0 Received=0/0 Body=0/0 Fuz1=0/0
>
>
> --bAmEntskrkuBymla
> Content-Type: text/plain; charset=us-ascii
> Content-Disposition: inline
>
> I think I found the bug... the problem seems to be that named
> sets a flag called STREAM_AXFRIXFR when it is about to send an AXFR.
> This flag (0x22) is just the same as setting the flags 0x20
> (we have valid AXFR info, which is not true at this point), and
> 0x02 (we're selecting for write events, which isn't true either at
> this point).
>
> What happens is that in the normal AXFR case, it happens sooner or
> later that we _do_ want to select for a write, and assert the
> STREAM_WRITE_EV flag 0x2, and put a valid pointer in evID_w.
> Later, when the stream is closed, that pointer is freed properly.
>
> In the case of a ZXFR though, ns_xfr() jumps straight to a call to
> sq_remove(), which cleans the struct associated with this TCP stream.
> It comes across the flag that assert STREAM_WRITE_EV, and releases
> the pointer contained in evID_w, which is essentially garbage.
>
> The fix I implemented was to change the definition of STREAM_AXFRIXFR
> to 0x40, which doesn't conflict with any other flag. I am not
> a 100 % sure that this is correct; there may be some weird intended
> side effects why the bind implementers originally chose to make
> that flag conflict with other flags. However, AXFRs still seem to work,
> and ZXFRs still do not work, but have stopped crashing the server :-)
>
> The patch is attached.
>
> Olaf
> --
> Olaf Kirch         |  --- o --- Nous sommes du soleil we love when we play
> okir () monad swb de  |    / | \   sol.dhoop.naytheet.ah kin.ir.samse.qurax
> okir () caldera de    +-------------------- Why Not?! -----------------------
>          UNIX, n.: Spanish manufacturer of fire extinguishers.
>
> --bAmEntskrkuBymla
> Content-Type: application/x-patch
> Content-Disposition: attachment; filename="bind-8.2.2p5-zxfr.patch"
>
> --- bind-8.2.2p5/src/bin/named/ns_defs.h.zxfr Thu Nov  9 12:41:43 2000
> +++ bind-8.2.2p5/src/bin/named/ns_defs.h      Thu Nov  9 12:41:55 2000
> @@ -602,7 +602,7 @@
>  #define STREAM_CONNECT_EV    0x08
>  #define STREAM_DONE_CLOSE    0x10
>  #define STREAM_AXFR          0x20
> -#define STREAM_AXFRIXFR              0x22
> +#define STREAM_AXFRIXFR              0x40
>
>  #define ALLOW_NETS   0x0001
>  #define      ALLOW_HOSTS     0x0002
>
> --bAmEntskrkuBymla--