DHCPD contains C Includes that sometimes defines vsnprintf() as vsprintf()
ISC DHCP makes use of the vsnprintf() function for writing various log file strings. For systems that do not support vsnprintf(), a C include file was created that defines the vsnprintf() function to vsprintf() as such:
#define vsnprintf(buf, size, fmt, list) vsprintf (buf, fmt, list)
vsprintf() is a function that does not check bounds, therefore the size is discarded creating the potential for a buffer overflow when client provided data is supplied. Note that the vsnprintf() statements are defined after the vulnerable code that is discussed in VU#317350. This means that VU#317350 would be triggered prior to these potential buffer overflows, unless a client could specify content to a vsnprintf() statement not associated with logging. It is believed that there aren't any other vsnprintf() statements vulnerable to this type of exploitation.
Upgrade to a released version of ISC DHCPD.
- BIND 10
- Other Software Projects
- security advisories
- software forums
- ABOUT ISC