[17940] in bugtraq
Killing ircds via DNS
daemon@ATHENA.MIT.EDU (David Luyer)
Wed Dec 6 17:18:06 2000
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Message-Id: <200012060902.eB692xD09017@typhaon.pacific.net.au>
Date: Wed, 6 Dec 2000 20:02:59 +1100
Reply-To: David Luyer <david_luyer@PACIFIC.NET.AU>
From: David Luyer <david_luyer@PACIFIC.NET.AU>
To: BUGTRAQ@SECURITYFOCUS.COM
It appears some people have discovered a bug in the res.c shipped with various IRCds.
proc_answer() in res.c:
    struct in_addr dr, *adr;
        -> dr is a 4-byte in_addr structure

    dlen = (int)_getshort(cp);
        -> get answer length from packet

    switch(type)
    {
    case T_A :
        hp->h_length = dlen;
        if (ans == 1)
            hp->h_addrtype = (class == C_IN) ?
                             AF_INET : AF_UNSPEC;
        bcopy(cp, (char *)&dr, dlen);
        -> goodbye stack if dlen > 4
The bug is triggered by returning a 128-byte answer to an A-record query, e.g.,
a 128-byte A-record response to a reverse DNS lookup on the client IP. The
fix should be self-evident.
David.
--
David Luyer Phone: +61 3 9674 7525
Senior Network Engineer P A C I F I C Fax: +61 3 9699 8693
Pacific Internet (Australia) I N T E R N E T Mobile: +61 4 1111 2983
http://www.pacific.net.au/ NASDAQ: PCNTF
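[Editor's note] The check the post leaves as "self-evident", written out as a hardened stand-in for the T_A branch of proc_answer(). This is example code added here, not the original ircd res.c; copy_a_record(), check_samples() and the two sample records are constructed for illustration.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical stand-in for the T_A branch of ircd's proc_answer(); example
 * code written for this note, not the original res.c. `cp` points at the
 * RDLENGTH field of one answer record, `remaining` is the number of packet
 * bytes left from `cp`. Returns 1 on success, 0 if the record is rejected. */
int copy_a_record(const unsigned char *cp, size_t remaining, struct in_addr *dr)
{
    if (remaining < 2)
        return 0;                                   /* truncated packet */
    uint16_t dlen = (uint16_t)((cp[0] << 8) | cp[1]);  /* what _getshort(cp) returned */
    cp += 2;
    remaining -= 2;

    /* The original did bcopy(cp, &dr, dlen) with no check, so any dlen > 4
     * overran the 4-byte in_addr on the stack. An A record's RDATA is exactly
     * sizeof(struct in_addr) bytes: reject any other length, and also make sure
     * the packet really holds that many bytes before copying. */
    if (dlen != sizeof(struct in_addr) || dlen > remaining)
        return 0;

    memcpy(dr, cp, sizeof(struct in_addr));
    return 1;
}

/* Constructed sample records (RDLENGTH followed by RDATA) for a quick check. */
static const unsigned char good_rec[] = { 0x00, 0x04, 192, 0, 2, 1 };
static const unsigned char bad_rec[]  = { 0x00, 0x80, 192, 0, 2, 1 };  /* claims 128 bytes */

/* Returns 1 if the well-formed record is accepted with the right address and
 * the oversized one is rejected, 0 otherwise. */
int check_samples(void)
{
    struct in_addr dr;
    if (!copy_a_record(good_rec, sizeof good_rec, &dr))
        return 0;
    if (ntohl(dr.s_addr) != 0xC0000201u)           /* 192.0.2.1 */
        return 0;
    if (copy_a_record(bad_rec, sizeof bad_rec, &dr))
        return 0;                                   /* must be rejected */
    return 1;
}
```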