Date: Fri, 18 Mar 2011 12:11:15 -0600
From: Vincent Danen <vdanen@...hat.com>
To: oss-security@...ts.openwall.com
Cc: list@...adns.org, 610834@...s.debian.org, geissert@...ian.org,
    atomo64@...il.com, bressers@...hat.com, coley@...re.org
Subject: Re: MaraDNS 1.4.06 and 1.3.07.11 released

* [2011-01-29 22:21:08 -0700] Sam Trenholme wrote:

>In 2002, when I rewrote the compression code for MaraDNS for the first
>time, I made a mistake in allocating an array of integers, allocating
>it in bytes instead of sizeof(int) units. This resulted in a buffer
>being too small, allowing it to be overwritten.
>
>The impact of this programming error is that MaraDNS can be crashed by
>sending MaraDNS a single "packet of death". Since the data placed in
>the overwritten array can not be remotely controlled (it is a list of
>increasing integers), there is no way to increase privileges
>exploiting this bug.
>
>The attached patch resolves this issue by allocating in sizeof(int)
>units instead of byte-sized units for an integer array. In addition,
>it uses a smaller array because a DNS name can only have, at most, 128
>labels.

Was a CVE name ever assigned to this issue?

-- 
Vincent Danen / Red Hat Security Response Team
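
The bug class discussed in this message (an int array sized in bytes rather than in sizeof(int) units) and the two-part fix it describes, shown as an added example that is not part of the original message and is not MaraDNS code or the attached patch. The function name label_offsets and the sample name are assumptions made for illustration.

```c
#include <stdio.h>
#include <stdlib.h>

#define MAX_LABELS 128 /* the message's bound: at most 128 labels per name */

/* Bug class from the message: an int array whose size was passed in bytes,
 * e.g. malloc(n) where n * sizeof(int) was meant, so only n / sizeof(int)
 * elements fit and later writes land outside the allocation. */

/* Hypothetical helper (not MaraDNS code): store the byte offset of each label
 * of an uncompressed wire-format name. Returns the label count, or -1 on
 * malformed input, too many labels, or allocation failure. On success the
 * caller frees *out. */
int label_offsets(const unsigned char *name, size_t len, int **out)
{
    /* Corrected sizing: element count times element size. */
    int *offs = calloc(MAX_LABELS, sizeof *offs);
    size_t pos = 0;
    int count = 0;

    *out = NULL;
    if (offs == NULL)
        return -1;
    while (pos < len && name[pos] != 0) {
        size_t l = name[pos];
        /* Reject pointers/oversized labels, truncation, and a full table
         * before writing, so the index can never pass MAX_LABELS - 1. */
        if (l > 63 || pos + 1 + l >= len || count >= MAX_LABELS) {
            free(offs);
            return -1;
        }
        offs[count++] = (int)pos;
        pos += 1 + l;
    }
    if (pos >= len) { /* empty input: no root terminator */
        free(offs);
        return -1;
    }
    *out = offs;
    return count;
}

int main(void)
{
    /* Constructed sample: www.example.com in wire format. */
    const unsigned char name[] = "\003www\007example\003com";
    int *offs, n = label_offsets(name, sizeof name, &offs);
    for (int i = 0; i < n; i++)
        printf("label %d at offset %d\n", i, offs[i]);
    free(offs);
    return 0;
}
```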