Bug 578

Summary: Zonec crashes when compiling TXT RRs with string lengths > 255 characters
Product: NSD Reporter: gary.obrien
Component: Zonec Code
Assignee: NSD team <nsd-team>
Status: NEW
Severity: normal    
Priority: P5    
Version: 3.2.x   
Hardware: All   
OS: Linux   
Attachments: Patch to fix issue (patch is against 3.2.16)

Description gary.obrien 2014-05-12 20:09:49 CEST
Created attachment 255
Patch to fix issue (patch is against 3.2.16)

Issues were discovered within the code introduced in 3.2.7 to handle TXT records with a large number of individual strings.

1) Encountering a string with > 255 characters results in zparser_conv_text returning a NULL pointer, which is then passed to zadd_rdata_txt_wireformat.  No check is made for a NULL pointer, resulting in the system crashing when it attempts to dereference the pointer.

2) Adding a check for a NULL data pointer to zadd_rdata_wireformat, while necessary and correct, is NOT sufficient.  If the first string encountered is > 255 characters and only a NULL pointer check is performed, then rd->data is left unallocated (and possibly uninitialized).  Subsequent calls to zadd_rdata_txt_wireformat have the possibility of crashing (NULL or unallocated memory dereference) or worse (writing the content of the user-provided string to the memory location pointed to by the uninitialized rd->data).  Likewise, the call to zadd_rdata_txt_clean_wireformat has the possibility of crashing or copying the content from the location pointed to by the previously uninitialized rd->data into the TXT RR rdata atom.
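The two failure modes described above (a NULL result from the string converter being dereferenced, and a rejected first string leaving the rdata buffer unallocated for later appends) are easiest to see in a small model of the TXT rdata builder. The following is an added example written for this page, not NSD's zonec code or the attached patch: the names `txt_conv_text`, `txt_add_wireformat`, `txt_compile` and `txt_rdata` are hypothetical stand-ins for the functions and `rd` structure the report mentions. It encodes each TXT string as a DNS `<character-string>` (one length byte, at most 255 bytes of data), returns NULL for over-long input, and shows the appender both checking for NULL and allocating the buffer lazily so that a rejected first string leaves the record in a consistent empty state rather than pointing at uninitialized memory.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical model of a zone compiler's TXT rdata builder (constructed for
 * illustration; not NSD's code). */
#define TXT_MAX_STRING 255u     /* one length byte limits a <character-string> */
#define TXT_MAX_RDATA  65535u   /* RDLENGTH is 16 bits */

typedef struct {
    uint8_t *data;   /* wire-format rdata; NULL until the first string is accepted */
    size_t   len;    /* bytes used */
    size_t   cap;    /* bytes allocated */
} txt_rdata;

static void txt_init(txt_rdata *rd) { rd->data = NULL; rd->len = 0; rd->cap = 0; }
static void txt_free(txt_rdata *rd) { free(rd->data); txt_init(rd); }

/* Convert one string to <character-string> wire format. Returns NULL when the
 * string is longer than 255 bytes (the NULL return the report describes).
 * The caller owns the returned buffer. */
uint8_t *txt_conv_text(const char *s, size_t slen, size_t *wlen)
{
    uint8_t *w;
    if (s == NULL || slen > TXT_MAX_STRING) return NULL;
    w = malloc(slen + 1);
    if (w == NULL) return NULL;
    w[0] = (uint8_t)slen;
    memcpy(w + 1, s, slen);
    *wlen = slen + 1;
    return w;
}

/* Append one wire-format string to rd. Returns 0 on success, -1 on rejection.
 * A NULL wire pointer is rejected before any dereference, and rd->data is
 * (re)allocated on demand so rd is never left in an inconsistent state. */
int txt_add_wireformat(txt_rdata *rd, const uint8_t *wire, size_t wlen)
{
    if (wire == NULL || wlen < 1 || wlen != (size_t)wire[0] + 1) return -1;
    if (rd->len + wlen > TXT_MAX_RDATA) return -1;
    if (rd->len + wlen > rd->cap) {
        size_t ncap = rd->cap ? rd->cap : 64;
        while (ncap < rd->len + wlen) ncap *= 2;
        uint8_t *nd = realloc(rd->data, ncap);   /* realloc(NULL, n) acts as malloc */
        if (nd == NULL) return -1;
        rd->data = nd;
        rd->cap = ncap;
    }
    memcpy(rd->data + rd->len, wire, wlen);
    rd->len += wlen;
    return 0;
}

/* Compile a list of TXT strings into rd. Returns the number accepted and
 * stores the number rejected in *rejected. rd stays readable afterwards even
 * when every string was rejected (data NULL, len 0). */
size_t txt_compile(txt_rdata *rd, const char **strs, size_t n, size_t *rejected)
{
    size_t i, ok = 0, bad = 0;
    txt_init(rd);
    for (i = 0; i < n; i++) {
        size_t wlen = 0;
        uint8_t *w = txt_conv_text(strs[i], strlen(strs[i]), &wlen);
        if (w == NULL) { bad++; continue; }    /* the check the report says was missing */
        if (txt_add_wireformat(rd, w, wlen) == 0) ok++; else bad++;
        free(w);
    }
    if (rejected) *rejected = bad;
    return ok;
}

/* Check that data parses as a chain of <character-string>s that exactly fills len. */
int txt_wellformed(const uint8_t *data, size_t len)
{
    size_t off = 0;
    if (data == NULL) return len == 0;
    while (off < len) {
        size_t sl = data[off];
        if (off + 1 + sl > len) return 0;
        off += 1 + sl;
    }
    return off == len;
}

/* Does the converter reject a string of n bytes? 1 = rejected (NULL), 0 = accepted. */
int conv_rejects_len(size_t n)
{
    char *s = malloc(n + 1);
    size_t wlen = 0;
    uint8_t *w;
    if (s == NULL) return -1;
    memset(s, 'a', n);
    s[n] = '\0';
    w = txt_conv_text(s, n, &wlen);
    free(s);
    free(w);
    return w == NULL;
}

/* The report's scenario: a 300-byte first string, then a valid one. Returns the
 * resulting rdata length (6 = 1 length byte + "short") when exactly one string
 * was rejected and the buffer is well-formed, otherwise -1. */
int demo_overlong_first(void)
{
    static char big[301];
    const char *strs[2];
    txt_rdata rd;
    size_t ok, rejected = 0;
    int result;
    memset(big, 'a', 300);
    big[300] = '\0';
    strs[0] = big;
    strs[1] = "short";
    ok = txt_compile(&rd, strs, 2, &rejected);
    result = (ok == 1 && rejected == 1 && txt_wellformed(rd.data, rd.len)) ? (int)rd.len : -1;
    txt_free(&rd);
    return result;
}

int main(void)
{
    printf("256-byte string rejected: %d\n", conv_rejects_len(256));
    printf("rdata length after over-long first string: %d\n", demo_overlong_first());
    return 0;
}
```

The point of the lazy allocation in `txt_add_wireformat` is that the appender, not the converter, owns the buffer's lifecycle: whether the first, last or no string is rejected, `rd->data` is either NULL with `len == 0` or a valid allocation that `txt_wellformed` can verify, so a later "clean up and copy into the rdata atom" step never reads from an uninitialized pointer.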