Bug 232 - possible security relevant buffer overflow in ldns_rr_new_frm_str_internal
possible security relevant buffer overflow in ldns_rr_new_frm_str_internal
Status: RESOLVED FIXED
Product: ldns
Classification: Unclassified
Component: library
1.4.x
All All
: P1 critical
Assigned To: LDNS dev team
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2009-02-02 17:47 CET by Stefan Kaltenbrunner
Modified: 2009-02-04 10:49 CET (History)
1 user (show)

See Also:


Attachments
patch for memory allocation in string rr parser (518 bytes, patch)
2009-02-03 10:49 CET, Jelte Jansen
Details | Diff

Note You need to log in before you can comment on or make changes to this bug.
Description Stefan Kaltenbrunner 2009-02-02 17:47:20 CET
It is possible to overwrite arbitrary memory and crash applications using ldns due to a programming error in ldns_rr_new_frm_str_internal. This this is caused by insufficient input validation done on string input.

it is possible to overwrite the clas variable with arbitrary input causing at least a segmentation fault in the library tried to report LDNS_STATUS_SYNTAX_CLASS_ERR by free'ing the wrong memory.

A simple testcase to demonstrate the issue can be built by using "examples/ldns-signzone.c" and an zonefile just containing the following line:

kaltenbrunner.cc.        3600  this.does.not.exist.kaltenbrunner.cc. stefan.kaltenbrunner.cc.

due to the missing CLASS/TYPE definitions ldns_rr_new_frm_str_internal() happily writes beyond the 11 byte allocation of the "clas" variable causing memory corruption and depending on the operating system a crash.

on a recent Linux box this results in:

./ldns-signzone test2.c test.key
*** glibc detected *** free(): invalid next size (fast): 0x0804e628 ***
Aborted
Comment 1 Jelte Jansen 2009-02-03 10:49:06 CET
Created attachment 96 [details]
patch for memory allocation in string rr parser
Comment 2 Jelte Jansen 2009-02-03 10:49:51 CET
Actually, i think it is not so much the validation per se, but the tokenizer memory limit was set higher than the allocated memory. Trunk rev. 2846 should fix this. Could you please try that (or this patch)?
Comment 3 Stefan Kaltenbrunner 2009-02-03 12:47:41 CET
upon quick inspection this patch seems to fix at least the test cases I have but I'm not sure if there might not be other similar issues elsewhere.
Comment 4 Jelte Jansen 2009-02-04 10:49:51 CET
Thank you for reporting and testing the patch.