This text is on http://www.nlnetlabs.nl/downloads/CVE-2012-2978.txt

Subject: NSD denial of service vulnerability from non-standard DNS packet
	 from any host on the internet. [ VU#624931 CVE-2012-2978 ]

== Description

It is possible to crash (SIGSEGV) a NSD child server process by sending
it a non-standard DNS packet from any host on the internet. A crashed
child process will automatically be restarted by the parent process, but
an attacker may keep the NSD server occupied restarting child processes
by sending it a stream of such packets effectively preventing the NSD
server to serve.

All NSD 3 versions are vulnerable to this attack. (NSD 3.0.0-3.0.8,
3.1.0-3.1.1, and 3.2.0-3.2.11). So is the NSD 4 development branch.


== Remote Exploit.

The problem packet causes NSD to dereference a null pointer. Most
operating systems map the null pointer's address such that accessing it
causes a segmentation fault, ruling out the possibility for remote exploit.


== Work around

No workaround is possible.


== Solution

Download patched version of NSD, or apply the patch manually.

+ Downloading Patched Versions

* 3.2.12 is released with the patch
http://www.nlnetlabs.nl/downloads/nsd/nsd-3.2.12.tar.gz
sha1 dd8606a05525f6a493dfacb7ddfa7e1fa3c6a85b

+ Applying the Patch manually

The patch to apply is verbatim included at the end of this description and
can also be downloaded here:

http://www.nlnetlabs.nl/downloads/CVE-2012-2978/patch.diff

Apply the attached patch in the NSD source directory with

	'patch -p0 <patch.diff'

then run 'make install' to reinstall NSD.

The patch applies to all NSD 3 versions and to the NSD 4 production branch.

The patch is created for the NSD 3.2.11 release but applies to the other
versions as well on different offsets. Below the positions (and offsets)
where the patch succeeds for the different NSD versions.

For NSD 3.0.0 at 1320 (offset -59 lines).
For NSD 3.0.1 at 1320 (offset -59 lines).
For NSD 3.0.2 at 1333 (offset -46 lines).
For NSD 3.0.3 at 1333 (offset -46 lines).
For NSD 3.0.4 at 1329 (offset -50 lines).
For NSD 3.0.5 at 1333 (offset -46 lines).
For NSD 3.0.6 at 1333 (offset -46 lines).
For NSD 3.0.7 at 1333 (offset -46 lines).
For NSD 3.0.8 at 1337 (offset -42 lines).
For NSD 3.1.0 at 1341 (offset -38 lines).
For NSD 3.1.1 at 1341 (offset -38 lines).
For NSD 3.2.0 at 1341 (offset -38 lines).
For NSD 3.2.1 at 1341 (offset -38 lines).
For NSD 3.2.2 at 1349 (offset -30 lines).
For NSD 3.2.3 at 1364 (offset -15 lines).
For NSD 3.2.4 at 1372 (offset -7 lines).
For NSD 3.2.5 at 1372 (offset -7 lines).
For NSD 3.2.6 at 1356 (offset -23 lines).
For NSD 3.2.7 at 1358 (offset -21 lines).
For NSD 3.2.8 at 1364 (offset -15 lines).
For NSD 3.2.9 at 1378 (offset -1 lines).
For NSD 3.2.10 at 1378 (offset -1 lines).
For the NSD 4 development branch at 1363 (offset -16 lines).


== Acknowledgements

The bug was discovered by Marek Vavrusa and Lubos Slovak
from CZ.NIC Labs


== Patch

--- query.c	(revision 3609)
+++ query.c	(working copy)
@@ -1379,6 +1379,9 @@
 		edns = &nsd->edns_ipv6;
 	}
 #endif
+	if (RCODE(q->packet) == RCODE_FORMAT) {
+		return;
+	}
 	switch (q->edns.status) {
 	case EDNS_NOT_PRESENT:
 		break;