oss-sec mailing list archives
Re: Exploitability of the integer overflows in djbdns 1.05?
From: Georgi Guninski <gguninski () gmail com>
Date: Wed, 3 Jun 2020 19:49:00 +0300
Some potential bugs in djbdns 1.05, I didn't test them on hardware. in cdb_make.c: cdb_make_finish: 93 memsize = 1; 94 for (i = 0;i < 256;++i) { 95 u = c->count[i] * 2; 96 if (u > memsize) 97 memsize = u; 98 } 99 100 memsize += c->numentries; /* no overflow possible up to now */ 101 u = (uint32) 0 - (uint32) 1; 102 u /= sizeof(struct cdb_hp); 103 if (memsize > u) { errno = error_nomem; return -1; } 104 105 c->split = (struct cdb_hp *) alloc(memsize * sizeof(struct cdb_hp)); 106 if (!c->split) return -1; 107 108 c->hash = c->split + c->numentries; 109 110 u = 0; 111 for (i = 0;i < 256;++i) { 112 u += c->count[i]; /* bounded by numentries, so no overflow */ 113 c->start[i] = u; 114 } Issue 1: On line 105 alloc(-SMALL) overflows alloc() despite the check for overflow (this might be mitigated by memory limits), e.g. (memsize= (unsigned int) -1 )/sizeof(struct cdb_hp)). In query.c: Issue 2: There are several usages: uint16_unpack_big(header + 8,&datalen); pos += datalen; There appears no check if datalen doesn't overflow the buffer, leading past the end.
Current thread:
- Exploitability of the integer overflows in djbdns 1.05? Georgi Guninski (Jun 01)
- Re: Exploitability of the integer overflows in djbdns 1.05? Solar Designer (Jun 01)
- Re: Exploitability of the integer overflows in djbdns 1.05? Georgi Guninski (Jun 02)
- Re: Exploitability of the integer overflows in djbdns 1.05? Georgi Guninski (Jun 03)
- Re: Exploitability of the integer overflows in djbdns 1.05? Solar Designer (Jun 01)