[7855] in bugtraq
Re: nslookup issues
daemon@ATHENA.MIT.EDU (Pavel Kankovsky)
Wed Sep 2 11:04:38 1998
Date: Wed, 2 Sep 1998 11:43:38 +0200
Reply-To: peak@kerberos.troja.mff.cuni.cz
From: Pavel Kankovsky <peak@KERBEROS.TROJA.MFF.CUNI.CZ>
To: BUGTRAQ@NETSPACE.ORG
In-Reply-To: <199809011909.NAA02012@cvs.openbsd.org>
BTW: nslookup can't grok big DNS responses and often crashes when it
gets one because it *reads* (1) beyond the end of its buffer.
Just a little funny excerpt from GetAnswer (getinfo.c):
    status = SendRequest(nsAddrPtr, msg, msglen, (char *) &answer,
                         sizeof(answer), &n);
    ...
    eom = (u_char *) &answer + n;
(n is the FULL size of the response, n > sizeof(answer) if the response
was truncated because it did not fit into the buffer, which is 1kB long
in nslookup)
Moreover, a lot of code in getinfo.c and debug.c does not care much
about the end of the buffer (even if it gets it right). Check the diffs
between bind 4.9.6 and bind 4.9.7 and you'll see they have fixed lots
of bugs of this kind in named. (Hmm, I should look at bind 8.)
This is the software supposed to keep Internet running.
It's scary.
--Pavel Kankovsky aka Peak [ Boycott Microsoft--http://www.vcnet.com/bms ]
"You can't be truly paranoid unless you're sure they have already got you."
(1) I don't guarantee it is impossible to abuse it
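The over-read pattern the post describes, as an added example that is not part of the original mail and not code from BIND's nslookup: a stand-in for SendRequest() (an assumption for this demo) copies at most 1 kB into the answer buffer but reports the full response length in n, exactly the situation the post points at. eom_overrun() shows how far past the buffer an eom computed from n would land, usable_len() is the clamp-and-flag-truncation replacement, and skip_name()/skip_questions() walk the question section without ever reading at or past the clamped end. The DNS response is constructed inline; all function and type names here are hypothetical.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define ANSWER_BUF_SIZE 1024   /* the 1 kB answer buffer the post refers to */
#define DNS_HDR_LEN 12

typedef struct {
    unsigned char buf[ANSWER_BUF_SIZE];
    size_t n;   /* full response length as reported by the transport */
} answer_t;

/* Constructed stand-in for SendRequest() (assumption for this demo): copies at
 * most sizeof(a->buf) bytes but reports the FULL response length in a->n. */
static void fake_send_request(const unsigned char *resp, size_t resplen, answer_t *a)
{
    size_t copy = resplen < sizeof(a->buf) ? resplen : sizeof(a->buf);
    memcpy(a->buf, resp, copy);
    a->n = resplen;
}

/* The quoted idiom is eom = buf + n.  Returns how many bytes past the real
 * end of the buffer that eom would lie (0 means in bounds). */
size_t eom_overrun(const answer_t *a)
{
    return a->n > sizeof(a->buf) ? a->n - sizeof(a->buf) : 0;
}

/* Hardened replacement: clamp the usable length to the buffer and flag
 * truncation so the caller can retry (e.g. over TCP) instead of parsing. */
size_t usable_len(const answer_t *a, int *truncated)
{
    *truncated = a->n > sizeof(a->buf);
    return *truncated ? sizeof(a->buf) : a->n;
}

/* Bounds-checked skip over a DNS name at offset off.  Never reads at or
 * beyond len.  Returns the offset after the name, or 0 if it does not fit. */
size_t skip_name(const unsigned char *buf, size_t len, size_t off)
{
    while (off < len) {
        unsigned char l = buf[off];
        if (l == 0)
            return off + 1;
        if ((l & 0xC0) == 0xC0)            /* compression pointer: 2 bytes */
            return off + 2 <= len ? off + 2 : 0;
        if (l > 63)
            return 0;                      /* malformed label length */
        off += 1 + l;
    }
    return 0;                              /* ran off the end: truncated */
}

/* Skip the question section.  Returns the offset where the answer section
 * starts, or 0 if the message ends before the questions do. */
size_t skip_questions(const unsigned char *buf, size_t len)
{
    if (len < DNS_HDR_LEN)
        return 0;
    unsigned qd = (buf[4] << 8) | buf[5];
    size_t off = DNS_HDR_LEN;
    while (qd--) {
        off = skip_name(buf, len, off);
        if (off == 0 || off + 4 > len)     /* QTYPE + QCLASS must fit too */
            return 0;
        off += 4;
    }
    return off;
}

/* Build a constructed response: header with qdcount questions, each one a
 * 30-byte label, terminator, QTYPE A, QCLASS IN (36 bytes per question). */
size_t build_response(unsigned char *out, size_t cap, unsigned qdcount)
{
    size_t need = DNS_HDR_LEN + (size_t)qdcount * 36;
    if (need > cap || qdcount > 0xFFFF)
        return 0;
    memset(out, 0, need);
    out[4] = (unsigned char)(qdcount >> 8);
    out[5] = (unsigned char)qdcount;
    size_t off = DNS_HDR_LEN;
    for (unsigned i = 0; i < qdcount; i++) {
        out[off] = 30;
        memset(out + off + 1, 'a', 30);
        off += 31;
        out[off++] = 0;                    /* end of name */
        out[off++] = 0; out[off++] = 1;    /* QTYPE A */
        out[off++] = 0; out[off++] = 1;    /* QCLASS IN */
    }
    return off;
}

/* End to end: "receive" a qdcount-question response into the 1 kB buffer,
 * clamp, and parse.  Returns the answer-section offset, or 0 on truncation. */
size_t receive_and_parse(unsigned qdcount, int *truncated, size_t *overrun)
{
    static unsigned char wire[4096];
    answer_t a;
    size_t resplen = build_response(wire, sizeof wire, qdcount);
    fake_send_request(wire, resplen, &a);
    *overrun = eom_overrun(&a);
    return skip_questions(a.buf, usable_len(&a, truncated));
}

int main(void)
{
    int t; size_t o;
    size_t off = receive_and_parse(40, &t, &o);   /* 1452-byte response into 1 kB */
    printf("truncated=%d eom_overrun=%zu answer_offset=%zu\n", t, o, off);
    return 0;
}
```

With 40 questions the constructed response is 1452 bytes, so the unclamped eom would sit 428 bytes past the buffer; the clamped walker instead stops at the 1 kB boundary and reports the message as truncated. Checking the TC bit in the header and retrying over TCP is the usual follow-up once truncation is flagged.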