Bug 328 - nsd-checkconf overrun
Status: RESOLVED FIXED
Product: NSD
Classification: Unclassified
Component: NSD Code
Version: 3.2.x
Hardware: Other All
Importance: P2 normal
Assigned To: NSD team
Reported: 2010-09-23 21:27 CEST by Jakob Schlyter
Modified: 2010-09-24 09:42 CEST

Description Jakob Schlyter 2010-09-23 21:27:56 CEST
From a fellow OpenBSD developer:


Error: Buffer overrun
  Buffer overflow (CWE 120): In array dereference of <unknown> with index 'i'
     Array size is 1024 bytes, i <= 1024
       at line 75 of /usr/src/usr.sbin/nsd/nsd-checkconf.c in function 'underscore'.
       at line 77 of /usr/src/usr.sbin/nsd/nsd-checkconf.c in function 'underscore'.
       at line 84 of /usr/src/usr.sbin/nsd/nsd-checkconf.c in function 'underscore'.
  Buffer overflow (CWE 120): In array dereference of buf[i] with index 'i'
     Array size is 1024 bytes, i <= 1024
       at line 75 of /usr/src/usr.sbin/nsd/nsd-checkconf.c in function 'underscore'.
       at line 77 of /usr/src/usr.sbin/nsd/nsd-checkconf.c in function 'underscore'.
       at line 84 of /usr/src/usr.sbin/nsd/nsd-checkconf.c in function 'underscore'.

Index: nsd-checkconf.c
===================================================================
RCS file: /cvs/src/usr.sbin/nsd/nsd-checkconf.c,v
retrieving revision 1.1.1.2
diff -u -p -r1.1.1.2 nsd-checkconf.c
--- nsd-checkconf.c	15 Apr 2010 20:57:08 -0000	1.1.1.2
+++ nsd-checkconf.c	21 Sep 2010 23:04:34 -0000
@@ -77,7 +77,7 @@ underscore(const char *s) {
			buf[i++] = *j;
		}
		j++;
-		if (i > BUFSIZ) {
+		if (i >= BUFSIZ) {
			return NULL;
		}
	}
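Review bot: the corrected test `if (i >= BUFSIZ)` still sits after the store `buf[i++] = *j;`, so it holds only while each pass through the loop stores at most one byte and `buf` is exactly BUFSIZ bytes long (the analyzer output reports 1024). Consider testing before the store and, if `buf` is an array declared in this function, comparing against `sizeof(buf) - 1`, so the bound follows the declaration and the access the analyzer reports at line 84 always has room. A short comment above `underscore()` stating that it returns NULL on over-long input would also remind callers to check the result.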
Comment 1 Matthijs Mekking 2010-09-24 09:42:55 CEST
Fixed in trunk r3076.

Thanks for the report!