[17979] in bugtraq
Re: Killing ircds via DNS
daemon@ATHENA.MIT.EDU (David Luyer)
Sun Dec 10 16:44:02 2000
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Message-Id: <200012081239.eB8CdLD26914@typhaon.pacific.net.au>
Date: Fri, 8 Dec 2000 23:39:21 +1100
Reply-To: David Luyer <david_luyer@PACIFIC.NET.AU>
From: David Luyer <david_luyer@PACIFIC.NET.AU>
X-To: Hugo.van.der.Kooij@CAIW.NL
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To: Message from "van der Kooij, Hugo"
<Hugo.van.der.Kooij@CAIW.NL> of "Wed, 06 Dec 2000 22:12:09 BST."
<Pine.LNX.4.30.0012062210081.21805-100000@bastion.hugo.vanderkooij.org>

Hugo van der Kooij wrote:
> On Wed, 6 Dec 2000, David Luyer wrote:
>
> > The bug is triggered by returning a 128-byte answer to an A-record query, eg,
> > a 128-byte A-record response to a reverse DNS lookup on the client IP. The
> > fix should be self-evident.
>
> I'm not that good in coding.
>
> But isn't requesting an A record a normal DNS request? (Get an IP address
> by the given name.) A reverse DNS query would be for a PTR record.
> (Getting the name by an IP address.)

Sure. But the routine parses the returned packet; it doesn't matter what the
query was. So even if it's a PTR query, an A response is still parsed and
still overflows the reply buffer.

David.
--
David Luyer Phone: +61 3 9674 7525
Senior Network Engineer P A C I F I C Fax: +61 3 9699 8693
Pacific Internet (Australia) I N T E R N E T Mobile: +61 4 1111 2983
http://www.pacific.net.au/ NASDAQ: PCNTF
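
Added example, not part of the original post and not the ircd's resolver code: one way to write the check the thread points at, validating an answer record's TYPE against the query and its RDLENGTH against the destination before anything is copied. The names copy_a_answer, check_sample and the RR_* codes are hypothetical, the strict type match is an assumption, and the sample records are constructed.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define DNS_T_A   1    /* DNS TYPE A */
#define DNS_T_PTR 12   /* DNS TYPE PTR */
#define ADDR_LEN  4    /* RDATA of an IPv4 A record is exactly 4 bytes */
#define RR_FIXED  10   /* TYPE(2) CLASS(2) TTL(4) RDLENGTH(2) */

enum rr_status { RR_OK = 0, RR_TRUNCATED = -1, RR_TYPE_MISMATCH = -2,
                 RR_BAD_LENGTH = -3, RR_NOT_ADDRESS = -4 };

static uint16_t get16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* rr points at the TYPE field of one answer record (owner name already
 * skipped); avail is the number of packet bytes left from that point.
 * The unchecked form would be memcpy(out, rr + RR_FIXED, rdlen).
 * Assumption: strict type match; a real resolver also has to handle CNAMEs. */
int copy_a_answer(const uint8_t *rr, size_t avail, uint16_t qtype,
                  uint8_t out[ADDR_LEN])
{
    if (avail < RR_FIXED)
        return RR_TRUNCATED;
    uint16_t type  = get16(rr);
    uint16_t rdlen = get16(rr + 8);
    if (rdlen > avail - RR_FIXED)
        return RR_TRUNCATED;       /* RDLENGTH runs past the packet */
    if (type != qtype)
        return RR_TYPE_MISMATCH;   /* e.g. an A answer to a PTR query */
    if (type != DNS_T_A)
        return RR_NOT_ADDRESS;     /* left to the handler for that type */
    if (rdlen != ADDR_LEN)
        return RR_BAD_LENGTH;      /* e.g. a 128-byte "A" record */
    memcpy(out, rr + RR_FIXED, ADDR_LEN);
    return RR_OK;
}

/* Constructed sample: one answer record of the given type with rdlen bytes
 * of zero-filled RDATA, checked against a query of type qtype. */
int check_sample(uint16_t type, uint16_t rdlen, uint16_t qtype)
{
    uint8_t pkt[RR_FIXED + 256] = {0};
    uint8_t addr[ADDR_LEN];
    if (rdlen > 256) return RR_TRUNCATED;
    pkt[0] = (uint8_t)(type >> 8);  pkt[1] = (uint8_t)type;
    pkt[3] = 1;                                  /* CLASS IN */
    pkt[8] = (uint8_t)(rdlen >> 8); pkt[9] = (uint8_t)rdlen;
    return copy_a_answer(pkt, RR_FIXED + (size_t)rdlen, qtype, addr);
}
```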