Date: Tue, 9 Dec 2014 08:54:15 +0100 From: Peter van Dijk <peter.van.dijk@...herlabs.nl> To: oss-security@...ts.openwall.com Subject: Re: PowerDNS Security Advisory 2014-02 Hello, On 09 Dec 2014, at 8:16 , Peter van Dijk <peter.van.dijk@...herlabs.nl> wrote: > Somebody asked me to (help him) check djbdns today, which we’ll do. Any other implementations you are interested in? Vanilla djbdns 1.05 manages a counter called ‘loop’ (look for ‘z->loop’ in the code); if this counter hits 100, it simply aborts the current query. This is similar to the fixes now present in PowerDNS, BIND and Unbound. Breakpoint 4, doit (z=0x611660 <u>, state=1) at query.c:452 452 if (++z->loop == 100) goto DIE; 1: z->loop = 99 (gdb) cont Continuing. It then logs 'drop 1 input/output error’ and aborts resolution of this query. Note that it actually drops the query, the client will eventually timeout; PowerDNS Recursor sends a SERVFAIL, and I presume so do BIND and Unbound. Kind regards, -- Peter van Dijk Netherlabs Computer Consulting BV - http://www.netherlabs.nl/ Download attachment "signature.asc" of type "application/pgp-signature" (842 bytes)
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.