Bug 578 - Zonec crashes when compiling TXT RR's with string lengths > 255 characters
Status: NEW
Product: NSD
Classification: Unclassified
Component: Zonec Code
Version: 3.2.x
Hardware: All Linux
Importance: P5 normal
Assigned To: NSD team
Reported: 2014-05-12 20:09 CEST by gary.obrien
Modified: 2014-05-12 20:09 CEST (History)
Attachments
Patch to fix issue (patch is against 3.2.16) (2.09 KB, application/octet-stream)
2014-05-12 20:09 CEST, gary.obrien
Description gary.obrien 2014-05-12 20:09:49 CEST
Created attachment 255
Patch to fix issue (patch is against 3.2.16)

Issues were discovered within the code introduced in 3.2.7 to handle TXT records with a large number of individual strings.

1) Encountering a string with > 255 characters results in zparser_conv_text returning a NULL pointer, which is then passed to zadd_data_txt_wireformat. No check is made for a NULL pointer, resulting in the system crashing when it attempts to dereference the pointer.

2) Adding a check for a NULL data pointer to zadd_rdata_wireformat, while necessary and correct, is NOT sufficient. If the first string encountered is > 255 characters and only a NULL pointer check is performed, then rd->data is left unallocated (and possibly uninitialized). Subsequent calls to zadd_rdata_txt_wireformat have the possibility of crashing (NULL or unallocated memory dereference) or worse (writing the content of the user provided string to the memory location pointed to by the uninitialized rd->data). Likewise, the call to zadd_rdata_txt_clean_wireformat has the possibility of crashing or copying the content from the location pointed to by the previously uninitialized rd->data into the TXT RR rdata atom.
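
The two conditions in the report, shown as an added example that is not part of the original report and is neither NSD's code nor the attached patch: the accumulator is initialized before the first string, and a rejected string poisons the whole record so later strings and the final copy never touch an unset buffer. The names `conv_text`, `txt_append`, `txt_build` and `struct txt_rdata` are hypothetical.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for the parser's rdata slot (not NSD's own type). */
struct txt_rdata { uint8_t *data; size_t len; int failed; };

/* One TXT character-string to wire form; NULL if longer than 255 octets. */
static uint8_t *conv_text(const char *s) {
    size_t n = strlen(s);
    uint8_t *w = (n > 255) ? NULL : malloc(n + 1);
    if (!w) return NULL;
    w[0] = (uint8_t)n;                 /* length octet */
    memcpy(w + 1, s, n);
    return w;
}

/* Append one converted string; a NULL input poisons the record for good. */
static int txt_append(struct txt_rdata *rd, const uint8_t *wire) {
    if (rd->failed) return -1;         /* earlier string was rejected */
    size_t n = wire ? (size_t)wire[0] + 1 : 0;
    uint8_t *p = wire ? realloc(rd->data, rd->len + n) : NULL;
    if (!p) {
        free(rd->data);
        *rd = (struct txt_rdata){ NULL, 0, 1 };
        return -1;
    }
    memcpy(p + rd->len, wire, n);
    rd->data = p; rd->len += n;
    return 0;
}

/* Build rdata for a whole TXT record: 0 on success, -1 with data == NULL. */
static int txt_build(struct txt_rdata *rd, const char *const *strs, size_t cnt) {
    *rd = (struct txt_rdata){ NULL, 0, 0 };   /* defined state before use */
    for (size_t i = 0; i < cnt; i++) {
        uint8_t *w = conv_text(strs[i]);
        txt_append(rd, w);
        free(w);                       /* free(NULL) is a no-op */
    }
    return rd->failed ? -1 : 0;
}

int main(void) {
    const char *strs[] = { "v=spf1", "-all" };   /* constructed sample */
    struct txt_rdata rd;
    int rc = txt_build(&rd, strs, 2);
    free(rd.data);
    return rc ? 1 : 0;
}
```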