Bugzilla – Bug 232
possible security relevant buffer overflow in ldns_rr_new_frm_str_internal
Last modified: 2009-02-04 10:49:51 CET
It is possible to overwrite arbitrary memory and crash applications using ldns due to a programming error in ldns_rr_new_frm_str_internal. This is caused by insufficient input validation done on string input.
It is possible to overwrite the clas variable with arbitrary input, causing at least a segmentation fault when the library tried to report LDNS_STATUS_SYNTAX_CLASS_ERR by free'ing the wrong memory.
A simple testcase to demonstrate the issue can be built by using "examples/ldns-signzone.c" and a zonefile just containing the following line:
kaltenbrunner.cc. 3600 this.does.not.exist.kaltenbrunner.cc. stefan.kaltenbrunner.cc.
Due to the missing CLASS/TYPE definitions ldns_rr_new_frm_str_internal() happily writes beyond the 11-byte allocation of the "clas" variable, causing memory corruption and, depending on the operating system, a crash.
On a recent Linux box this results in:
./ldns-signzone test2.c test.key
*** glibc detected *** free(): invalid next size (fast): 0x0804e628 ***
Created attachment 96
patch for memory allocation in string rr parser
Actually, I think it is not so much the validation per se, but the tokenizer memory limit was set higher than the allocated memory. Trunk rev. 2846 should fix this. Could you please try that (or this patch)?
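The root cause named in the comment above is a tokenizer that was allowed to write more bytes than the destination buffer held. The following is an added illustration of the defensive pattern, not ldns's code and not the attached patch: the copy limit is taken from the buffer's own size, and an over-long token becomes a syntax status instead of an out-of-bounds write. The function names, the rr_status codes and the 11-byte class buffer are assumptions chosen for this example; the first input line is the one from the report, the others are constructed.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical status codes for this example; ldns's own are named differently. */
enum rr_status { RR_OK = 0, RR_SYNTAX_ERR = 1, RR_SYNTAX_TTL_ERR = 2, RR_SYNTAX_CLASS_ERR = 3 };

/* Copy the next whitespace-delimited token from *cursor into buf, never
 * writing past buf_len bytes (terminating NUL included). Returns the token
 * length, or -1 when the token does not fit. The limit comes from the
 * caller's buffer size, so it cannot drift away from the allocation. */
static int next_token(const char **cursor, char *buf, size_t buf_len) {
    const char *p = *cursor;
    size_t n = 0;
    if (buf_len == 0) return -1;
    while (*p && isspace((unsigned char)*p)) p++;
    while (*p && !isspace((unsigned char)*p)) {
        if (n + 1 >= buf_len) { buf[n] = '\0'; return -1; } /* keep room for NUL */
        buf[n++] = *p++;
    }
    buf[n] = '\0';
    *cursor = p;
    return (int)n;
}

/* Parse the "owner ttl class" prefix of a presentation-format RR line into
 * fixed-size fields. An over-long class token is reported as a status code,
 * which is what lets the caller fail cleanly instead of corrupting the heap. */
enum rr_status parse_rr_prefix(const char *line, char *owner, size_t owner_len,
                               unsigned long *ttl, char *clas, size_t clas_len) {
    const char *cur = line;
    char ttl_buf[16];
    char *end;
    if (next_token(&cur, owner, owner_len) <= 0) return RR_SYNTAX_ERR;
    if (next_token(&cur, ttl_buf, sizeof ttl_buf) <= 0) return RR_SYNTAX_TTL_ERR;
    *ttl = strtoul(ttl_buf, &end, 10);
    if (*end != '\0') return RR_SYNTAX_TTL_ERR;
    if (next_token(&cur, clas, clas_len) <= 0) return RR_SYNTAX_CLASS_ERR;
    return RR_OK;
}

/* Convenience wrapper: parse one line into a caller-supplied class buffer
 * and return the status. */
enum rr_status check_line(const char *line, char *clas_out, size_t clas_len) {
    char owner[256];
    unsigned long ttl;
    return parse_rr_prefix(line, owner, sizeof owner, &ttl, clas_out, clas_len);
}

int main(void) {
    /* 11 bytes: enough for "CLASS65535" plus NUL, matching the size in the report. */
    char clas[11];
    const char *reported = "kaltenbrunner.cc. 3600 this.does.not.exist.kaltenbrunner.cc. stefan.kaltenbrunner.cc.";
    const char *wellformed = "example.com. 3600 IN A 192.0.2.1"; /* constructed */
    printf("reported line: status %d\n", check_line(reported, clas, sizeof clas));
    printf("well-formed line: status %d, class %s\n",
           check_line(wellformed, clas, sizeof clas), clas);
    return 0;
}
```

The check is deliberately placed inside next_token rather than in the caller, so every fixed-size field (owner, TTL, class) is protected by the same bound; a reviewer can verify the invariant once instead of auditing each call site.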
Upon quick inspection this patch seems to fix at least the test cases I have, but I'm not sure if there might not be other similar issues elsewhere.
Thank you for reporting and testing the patch.