Does the CVE-2011-1910 vulnerability affect the BIND 9.7.0-P2?
Adam Tkac
atkac at redhat.com
Fri Jun 10 12:23:13 UTC 2011
On 06/10/2011 01:45 PM, Chris Thompson wrote:
> On Jun 10 2011, Mark Andrews wrote:
>
>> In message <201106100709.QAA04566 at osspc4.sra.co.jp>, YABUKI Youichi
>> writes:
>>> The BIND security advisory for CVE-2011-1910 does not mention
>>> about versions 9.7.0, 9.7.0-P1 and 9.7.0-P2.
>>> Does the CVE-2011-1910 vulnerability affect these versions?
>>
>> No, they are not affected.
>
> Then the advice I got from someone else at ISC, that if
> if (r.length < 2)
>         return (ISC_R_NOSPACE);
>
> occurs c. line 188 in lib/dns/ncache.c (as opposed to "r.length < 3"),
> then the version is vulnerable, was not complete? Because the 9.7.0*
> versions certainly have that code.
>
Hello Chris,
that was too short a cut from ncache.c.
9.7.0* contains:
    /*
     * Copy the type to the buffer.
     */
    isc_buffer_availableregion(&buffer, &r);
    if (r.length < 2)
        return (ISC_R_NOSPACE);
    isc_buffer_putuint16(&buffer, rdataset->type);
    /*
     * Copy the rdataset into the buffer.
     */
which is correct: you checked that there are at least two bytes in the buffer
and then copied a uint16 (which is 2 bytes) there.
However, the affected 9.7.3 contains:
    /*
     * Copy the type to the buffer.
     */
    isc_buffer_availableregion(&buffer, &r);
    if (r.length < 2)
        return (ISC_R_NOSPACE);
    isc_buffer_putuint16(&buffer, rdataset->type);
    isc_buffer_putuint8(&buffer, (unsigned char)rdataset->trust);
    /*
     * Copy the rdataset into the buffer.
     */
Notice that now you are copying three bytes (uint16 + uint8) but you
only checked that there is room for two bytes, which is the bug.
Regards, Adam
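To make the difference between the two checks concrete, the following is an added example, not code from BIND or from anyone in this thread. It models the three sequences (9.7.0*: check for 2, write 2; 9.7.3: check for 2, write 3; and the "r.length < 3" check mentioned above) against a toy buffer. toy_buffer_t, toy_region_t, the TOY_R_* codes, run_variant and the trust value 3 are made-up stand-ins; the real isc_buffer_putuint*() behaviour on a full buffer is not reproduced, the toy versions simply refuse to write past the end and report it.

```c
#include <stdint.h>
#include <stdio.h>

/* Toy stand-ins for isc_buffer_t / isc_region_t (assumed layout, for
 * illustration only): a fixed capacity plus a 'used' cursor. */
typedef struct { unsigned char *base; unsigned int length, used; } toy_buffer_t;
typedef struct { unsigned char *base; unsigned int length; } toy_region_t;

#define TOY_R_SUCCESS 0
#define TOY_R_NOSPACE 1  /* the explicit length check rejected the write */
#define TOY_R_OVERRUN 2  /* a put*() was asked to write past the end */

static void toy_buffer_init(toy_buffer_t *b, unsigned char *mem, unsigned int len)
{
    b->base = mem; b->length = len; b->used = 0;
}

/* Free space after the bytes already written, like isc_buffer_availableregion. */
static void toy_buffer_availableregion(const toy_buffer_t *b, toy_region_t *r)
{
    r->base = b->base + b->used;
    r->length = b->length - b->used;
}

/* The toy put routines refuse to write past the end and report OVERRUN, so
 * the demo never touches memory it does not own; what the real
 * isc_buffer_putuint*() do in that case is not modelled here. */
static int toy_buffer_putuint16(toy_buffer_t *b, uint16_t v)
{
    if (b->length - b->used < 2) return TOY_R_OVERRUN;
    b->base[b->used++] = (unsigned char)(v >> 8);
    b->base[b->used++] = (unsigned char)(v & 0xff);
    return TOY_R_SUCCESS;
}

static int toy_buffer_putuint8(toy_buffer_t *b, uint8_t v)
{
    if (b->length - b->used < 1) return TOY_R_OVERRUN;
    b->base[b->used++] = v;
    return TOY_R_SUCCESS;
}

/* 9.7.0* sequence: check for 2 bytes, write the 2-byte type. */
int copy_type_970(toy_buffer_t *b, uint16_t type)
{
    toy_region_t r;
    toy_buffer_availableregion(b, &r);
    if (r.length < 2) return TOY_R_NOSPACE;
    return toy_buffer_putuint16(b, type);
}

/* 9.7.3 sequence: uint16 type followed by uint8 trust, 3 bytes in total.
 * 'min_len' is the size the guard checks for: 2 reproduces the 9.7.3 check
 * (a 2-byte region passes and the trust byte does not fit), 3 is the
 * corrected check, which rejects before anything is copied. */
int copy_type_trust(toy_buffer_t *b, uint16_t type, uint8_t trust, unsigned int min_len)
{
    toy_region_t r;
    int res;
    toy_buffer_availableregion(b, &r);
    if (r.length < min_len) return TOY_R_NOSPACE;
    res = toy_buffer_putuint16(b, type);
    if (res != TOY_R_SUCCESS) return res;
    return toy_buffer_putuint8(b, trust);
}

/* Run one variant (0 = 9.7.0*, 1 = 9.7.3, 2 = corrected) against a fresh
 * buffer with exactly free_bytes of room and return its result code.
 * Type 0x001c is AAAA; the trust value 3 is an arbitrary made-up value. */
int run_variant(int variant, unsigned int free_bytes)
{
    unsigned char mem[16] = {0};
    toy_buffer_t b;
    if (free_bytes > sizeof(mem)) free_bytes = (unsigned int)sizeof(mem);
    toy_buffer_init(&b, mem, free_bytes);
    if (variant == 0) return copy_type_970(&b, 0x001c);
    if (variant == 1) return copy_type_trust(&b, 0x001c, 3, 2);
    return copy_type_trust(&b, 0x001c, 3, 3);
}

int main(void)
{
    static const char *names[] = { "9.7.0* (check 2, write 2)",
                                   "9.7.3  (check 2, write 3)",
                                   "fixed  (check 3, write 3)" };
    static const char *codes[] = { "SUCCESS", "NOSPACE", "OVERRUN" };
    unsigned int free_bytes;
    int v;
    for (free_bytes = 1; free_bytes <= 3; free_bytes++)
        for (v = 0; v < 3; v++)
            printf("%s free=%u -> %s\n", names[v], free_bytes,
                   codes[run_variant(v, free_bytes)]);
    return 0;
}
```

With exactly two bytes free, the 9.7.0* path succeeds, the 9.7.3 path passes its guard and then fails on the third byte after the two type bytes have already been written, and the corrected guard returns NOSPACE without writing anything. The point the example makes is that a length check must be sized to everything written after it, not to the first write only.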