oss-sec mailing list archives

Re: Exploitability of the integer overflows in djbdns 1.05?


From: Georgi Guninski <gguninski () gmail com>
Date: Wed, 3 Jun 2020 19:49:00 +0300

Some potential bugs in djbdns 1.05; I didn't test them
on hardware.

In cdb_make.c, cdb_make_finish():

    93      memsize = 1;
    94      for (i = 0;i < 256;++i) {
    95        u = c->count[i] * 2;
    96        if (u > memsize)
    97          memsize = u;
    98      }
    99
   100      memsize += c->numentries; /* no overflow possible up to now */
   101      u = (uint32) 0 - (uint32) 1;
   102      u /= sizeof(struct cdb_hp);
   103      if (memsize > u) { errno = error_nomem; return -1; }
   104
   105      c->split = (struct cdb_hp *) alloc(memsize * sizeof(struct cdb_hp));
   106      if (!c->split) return -1;
   107
   108      c->hash = c->split + c->numentries;
   109
   110      u = 0;
   111      for (i = 0;i < 256;++i) {
   112        u += c->count[i]; /* bounded by numentries, so no overflow */
   113        c->start[i] = u;
   114      }

Issue 1:  On line 105, alloc(-SMALL) overflows alloc() despite the check for
overflow (this might be mitigated by memory limits), e.g.
memsize = ((unsigned int) -1) / sizeof(struct cdb_hp).

In query.c:

Issue 2:  There are several usages:
   uint16_unpack_big(header + 8,&datalen);
   pos += datalen;

There appears to be no check that datalen doesn't overflow the buffer,
leading past the end.
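Added example, not code from djbdns or from the post above. It re-creates the
arithmetic of lines 93-105 in a stand-alone function so one can see what value
reaches alloc() for a given numentries (the 256-entry count[] array is reduced
to its largest entry, which is all memsize depends on; struct cdb_hp is assumed
to be two 32-bit fields as in cdb_make.h, and alloc() is assumed to take an
unsigned int as in alloc.h), and it puts a bounds-checked rdata skip beside the
unchecked "pos += datalen" pattern quoted from query.c. The two sample RRs are
constructed for the example. The wrapping input (numentries = max_count =
0x55555556) only shows that memsize is computed in 32-bit arithmetic before the
check on line 103 runs; whether cdb_make's other limits allow that many entries
is not examined here.

```c
/*
 * Added example, not djbdns code. It re-creates the arithmetic of the
 * allocation-size check quoted from cdb_make_finish() and puts a
 * bounds-checked version of the query.c "pos += datalen" step next to
 * the unchecked one.
 */
#include <stdint.h>
#include <stdio.h>

typedef uint32_t uint32;

/* Assumed to match cdb_make.h: two 32-bit fields, so sizeof is 8. */
struct cdb_hp { uint32 h; uint32 p; };

/*
 * Same arithmetic as lines 93-105 of cdb_make.c. Only the largest count[]
 * entry matters for memsize, so the 256 buckets are summarised by max_count.
 * Returns the byte count that would reach alloc(), computed in 64 bits so
 * that a wrap in the product would be visible, or 0 where the original sets
 * errno = error_nomem (0 is never a valid result: memsize is at least 1, so
 * a successful call yields at least 8).
 */
uint64_t cdb_finish_alloc_bytes(uint32 numentries, uint32 max_count)
{
  uint32 memsize = 1, u;

  u = max_count * 2;                     /* 32-bit multiply */
  if (u > memsize) memsize = u;
  memsize += numentries;                 /* 32-bit add: wraps if the sum >= 2^32 */

  u = (uint32) 0 - (uint32) 1;           /* 0xFFFFFFFF */
  u /= sizeof(struct cdb_hp);            /* 0x1FFFFFFF with an 8-byte cdb_hp */
  if (memsize > u) return 0;             /* error_nomem in the original */

  return (uint64_t) memsize * sizeof(struct cdb_hp);
}

/* alloc() is assumed to take an unsigned int; this is the value it receives. */
unsigned int cdb_finish_alloc_arg(uint32 numentries, uint32 max_count)
{
  return (unsigned int) cdb_finish_alloc_bytes(numentries, max_count);
}

/*
 * The unchecked step quoted from query.c: header is the 10-byte fixed RR
 * header (type, class, ttl, rdlength) and pos already points past it.
 */
unsigned skip_rdata_unchecked(const unsigned char *header, unsigned pos)
{
  uint16_t datalen = (uint16_t) ((header[8] << 8) | header[9]); /* uint16_unpack_big */
  return pos + datalen;
}

/*
 * Checked variant: pos indexes the RR header inside a packet of len bytes.
 * Returns the position after the rdata, or 0 if the header or the rdata
 * would run past the end (0 is never a valid result, the header alone is
 * 10 bytes). The pos > len test keeps len - pos from wrapping.
 */
unsigned skip_rdata_checked(const unsigned char *pkt, unsigned len, unsigned pos)
{
  uint16_t datalen;

  if (pos > len || len - pos < 10) return 0;   /* header truncated */
  datalen = (uint16_t) ((pkt[pos + 8] << 8) | pkt[pos + 9]);
  pos += 10;
  if (len - pos < datalen) return 0;           /* rdata truncated */
  return pos + datalen;
}

/* Constructed sample: one A record, rdlength 4, 4 bytes of rdata present. */
const unsigned char sample_a_rr[14] = {
  0x00,0x01, 0x00,0x01, 0x00,0x00,0x0e,0x10, 0x00,0x04, 192,0,2,1
};
/* Constructed sample: same layout, rdlength 0xFFFF but only 4 bytes present. */
const unsigned char sample_bad_rr[14] = {
  0x00,0x01, 0x00,0x01, 0x00,0x00,0x0e,0x10, 0xff,0xff, 192,0,2,1
};

int main(void)
{
  printf("largest admitted memsize 0x1FFFFFFF -> alloc(%u)\n",
         cdb_finish_alloc_arg(0x1FFFFFFEu, 0));
  printf("memsize 0x20000000 rejected: %s\n",
         cdb_finish_alloc_bytes(0x1FFFFFFFu, 0) == 0 ? "yes" : "no");
  printf("numentries = max_count = 0x55555556 -> alloc(%llu) (memsize wrapped before the check)\n",
         (unsigned long long) cdb_finish_alloc_bytes(0x55555556u, 0x55555556u));
  printf("good RR: checked skip -> %u\n",
         skip_rdata_checked(sample_a_rr, sizeof sample_a_rr, 0));
  printf("bad RR:  unchecked -> %u, checked -> %u\n",
         skip_rdata_unchecked(sample_bad_rr, 10),
         skip_rdata_checked(sample_bad_rr, sizeof sample_bad_rr, 0));
  return 0;
}
```

Build with cc -std=c99 -Wall; main() prints the three allocation cases and the
two RR skips. The 0x1FFFFFFE case is the largest memsize the line 103 check
admits, and its product still fits in the unsigned int handed to alloc(); the
0x55555556 case passes the same check only because the addition on line 100
wrapped first.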

