Nmap Development mailing list archives

Re: Stack overflow in dns-zone-transfer.nse


From: David Fifield <david () bamsoftware com>
Date: Sat, 7 Feb 2009 21:45:04 -0700

On Fri, Feb 06, 2009 at 12:36:37PM -0700, David Fifield wrote:
> We have a perfectly good DNS parser in dns.lua, so there's no reason to
> have a duplicate in dns-zone-transfer.nse. Does anyone want to try to
> fix this? The only tricky part is that the script's parser is set up to
> deal with the two-byte length prefix mentioned in
> http://seclists.org/nmap-dev/2009/q1/0316.html and dns.lua's is not. So
> the first step is to change responses_iter in dns-zone-transfer.nse to
> strip the length prefixes. After that it should be possible to drop in
> the dns.lua replacement.

I found and fixed another bug in the dns-zone-transfer.nse DNS parser,
another good argument for no code duplication. This bug transformed all
'0' characters (ASCII 48, not NUL) to '.', so the name
net360.example.com would become net36..example.com. The problem was in
the last line, which was probably written for an older design and not
updated:

    return offset+1, string.gsub(strbuf.dump(record), 0, '.')

The string.gsub call means to turn every 0 in the record into '.'. 0 is
not a string, so this doesn't make sense, except that number to string
is one of the few (only?) implicit type conversions Lua will do. So 0 is
turned into '0' and the replacement happens. My best guess for what was
meant is

    return offset+1, string.gsub(strbuf.dump(record), string.char(0), '.')

which would replace NUL bytes with '.'. But the dots are already added
in another part of the code, so I changed it to simply

    return offset+1, strbuf.dump(record)

David Fifield

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org
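The coercion bug and the fix described in the message above, as an added worked example in Lua. This is not code from dns-zone-transfer.nse or dns.lua: the decode_labels helper stands in for the script's parser, the wire-format sample name is constructed, and the NUL-joined variant is only an illustration of the older design the message guesses at.

```lua
-- Added example, not code from dns-zone-transfer.nse or dns.lua.
-- decode_labels is a stand-in for the script's parser: it reads one
-- wire-format DNS name (length-prefixed labels ending in a zero-length
-- label) and returns the labels plus the offset just past the name.
-- Compression pointers (0xC0 prefix) are not handled; they are not needed
-- to show the gsub bug.
local function decode_labels(data, offset)
  local labels = {}
  while true do
    local len = data:byte(offset)
    if len == nil then error("truncated name at offset " .. offset) end
    offset = offset + 1
    if len == 0 then break end
    if offset + len - 1 > #data then error("label runs past end of data") end
    labels[#labels + 1] = data:sub(offset, offset + len - 1)
    offset = offset + len
  end
  return labels, offset
end

-- Constructed sample: the wire encoding of net360.example.com
local wire = "\6net360\7example\3com\0"
local labels, next_offset = decode_labels(wire, 1)
assert(next_offset == #wire + 1)

-- The dots are added by the parser itself, as they are elsewhere in the script.
local dotted = table.concat(labels, ".")
assert(dotted == "net360.example.com")

-- 1. The buggy line. The number 0 is coerced to the pattern "0", so the
--    ASCII '0' in "net360" is replaced, not a NUL byte.
local buggy = string.gsub(dotted, 0, ".")
assert(buggy == "net36..example.com")

-- 2. The older design the message guesses at: labels separated by NUL
--    bytes, turned into dots afterwards. Lua 5.1 (the Lua in Nmap at the
--    time) does not allow an embedded zero byte in a pattern and documents
--    "%z" as the way to match one, so "%z" is used here instead of
--    string.char(0); it still works in later Lua versions.
local nul_joined = table.concat(labels, "\0")
local guessed = string.gsub(nul_joined, "%z", ".")
assert(guessed == "net360.example.com")

-- 3. The committed fix: return the dotted name untouched, since the dots
--    are already there and nothing else needs replacing.
local fixed = dotted
assert(fixed == "net360.example.com")
assert(fixed:find("0", 1, true) ~= nil)  -- the '0' survives

print(buggy)
print(guessed)
print(fixed)
```

Run with any Lua 5.x interpreter (`lua example.lua`); the asserts fail loudly if a version behaves differently. The only real Lua API used is string.gsub's argument coercion and the "%z" class; everything else is the constructed helper.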
