Does the CVE-2011-1910 vulnerability affect the BIND 9.7.0-P2?
Chris Thompson
cet1 at cam.ac.uk
Fri Jun 10 14:40:49 UTC 2011
On Jun 10 2011, Adam Tkac wrote:
>Hello Chris,
>
>that was too short a cut from ncache.c.
>
>9.7.0* contains:
>
>        /*
>         * Copy the type to the buffer.
>         */
>        isc_buffer_availableregion(&buffer, &r);
>        if (r.length < 2)
>                return (ISC_R_NOSPACE);
>        isc_buffer_putuint16(&buffer, rdataset->type);
>        /*
>         * Copy the rdataset into the buffer.
>         */
>
>which is correct: you check there are at least two bytes in the buffer
>and then copy a uint16 (which has 2 bytes) there.
>
>However, affected 9.7.3 contains:
>
>        /*
>         * Copy the type to the buffer.
>         */
>        isc_buffer_availableregion(&buffer, &r);
>        if (r.length < 2)
>                return (ISC_R_NOSPACE);
>        isc_buffer_putuint16(&buffer, rdataset->type);
>        isc_buffer_putuint8(&buffer, (unsigned char)rdataset->trust);
>        /*
>         * Copy the rdataset into the buffer.
>         */
>
>Notice that now you are copying three bytes (uint16 + uint8) but you
>only checked there is room for two bytes, which is the bug.
Yes - I really should have seen that! And of course, when I look back
at what my source at ISC (sorry, Evan) *actually* said, those lines
*were* all included.
--
Chris Thompson
Email: cet1 at cam.ac.uk
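The pattern Adam describes, a space check sized for two bytes followed by a three-byte write, is easy to reproduce in miniature. The following is an added example, not BIND code and not from ncache.c: it models a tiny bounded buffer with the same `availableregion` / `putuint16` / `putuint8` shape and places a flawed encoder (check 2, write 3) next to a corrected one that sizes the check from the bytes it actually writes. The real isc_buffer routines guard their own precondition with an assertion; this stand-in instead returns a status from each put so that the mismatch is observable in a test without aborting. Names, the 2-byte and 3-byte capacities, and the sample type/trust values are all constructed for the demonstration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

enum { R_SUCCESS = 0, R_NOSPACE = 1 };

/* Minimal stand-ins for isc_region_t / isc_buffer_t (constructed, not BIND's). */
typedef struct { unsigned char *base; size_t length; } region_t;
typedef struct { unsigned char *base; size_t length; size_t used; } buffer_t;

void buffer_init(buffer_t *b, unsigned char *mem, size_t len)
{
    b->base = mem; b->length = len; b->used = 0;
}

/* Region of bytes still free after the bytes already used. */
void buffer_availableregion(const buffer_t *b, region_t *r)
{
    r->base = b->base + b->used;
    r->length = b->length - b->used;
}

/* Big-endian 16-bit put; refuses (rather than asserts) when 2 bytes are not free. */
int buffer_putuint16(buffer_t *b, uint16_t v)
{
    if (b->length - b->used < 2) return R_NOSPACE;
    b->base[b->used++] = (unsigned char)(v >> 8);
    b->base[b->used++] = (unsigned char)(v & 0xff);
    return R_SUCCESS;
}

int buffer_putuint8(buffer_t *b, uint8_t v)
{
    if (b->length - b->used < 1) return R_NOSPACE;
    b->base[b->used++] = v;
    return R_SUCCESS;
}

/* Mirrors the flawed shape: checks for 2 free bytes, then writes 3. */
int encode_type_trust_flawed(buffer_t *b, uint16_t type, uint8_t trust)
{
    region_t r;
    buffer_availableregion(b, &r);
    if (r.length < 2)
        return R_NOSPACE;
    buffer_putuint16(b, type);
    (void)buffer_putuint8(b, trust); /* third byte: never covered by the check */
    return R_SUCCESS;                /* reports success even when trust was dropped */
}

/* Corrected: the check is derived from the bytes the function really writes. */
int encode_type_trust(buffer_t *b, uint16_t type, uint8_t trust)
{
    region_t r;
    const size_t needed = sizeof(uint16_t) + sizeof(uint8_t); /* 3 */
    buffer_availableregion(b, &r);
    if (r.length < needed)
        return R_NOSPACE;
    buffer_putuint16(b, type);
    buffer_putuint8(b, trust);
    return R_SUCCESS;
}

/* Runs one encoder against a buffer of the given capacity (max 16 bytes).
 * Returns the encoder's status and reports how many bytes it actually wrote. */
int run_encoder(int use_fixed, size_t capacity, size_t *used_out)
{
    unsigned char mem[16];
    buffer_t b;
    int st;
    buffer_init(&b, mem, capacity > sizeof mem ? sizeof mem : capacity);
    /* 46 is the RRSIG type code; 5 is an arbitrary trust level (sample data). */
    st = use_fixed ? encode_type_trust(&b, 46, 5)
                   : encode_type_trust_flawed(&b, 46, 5);
    if (used_out) *used_out = b.used;
    return st;
}

int main(void)
{
    size_t used;
    int st = run_encoder(0, 2, &used);
    printf("flawed, 2 free bytes: status=%d used=%zu (trust byte silently lost)\n", st, used);
    st = run_encoder(1, 2, &used);
    printf("fixed,  2 free bytes: status=%d used=%zu (refused up front)\n", st, used);
    st = run_encoder(1, 3, &used);
    printf("fixed,  3 free bytes: status=%d used=%zu\n", st, used);
    return 0;
}
```

With exactly two bytes free, the flawed encoder passes its check, writes the type, loses the trust byte and still returns success; the corrected encoder refuses before writing anything. The lesson for review is the one Adam points at: when a write sequence grows, the preceding length check must be resized with it, and deriving `needed` from the sizes of the fields written keeps the two from drifting apart.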