On 06/10/2011 01:45 PM, Chris Thompson wrote:
> On Jun 10 2011, Mark Andrews wrote:
>
>> In message <201106100709.qaa04...@osspc4.sra.co.jp>, YABUKI Youichi
>> writes:
>>> The BIND security advisory for CVE-2011-1910 does not mention
>>> versions 9.7.0, 9.7.0-P1 and 9.7.0-P2.
>>> Does the CVE-2011-1910 vulnerability affect these versions?
>>
>> No, they are not affected.
>
> Then the advice I got from someone else at ISC, that if
>
>     if (r.length < 2)
>         return (ISC_R_NOSPACE);
>
> occurs c. line 188 in lib/dns/ncache.c (as opposed to "r.length < 3"),
> then the version is vulnerable, was not complete? Because the 9.7.0*
> versions certainly have that code.

Hello Chris,
that was too short a cut from ncache.c. 9.7.0* contains:

    /*
     * Copy the type to the buffer.
     */
    isc_buffer_availableregion(&buffer, &r);
    if (r.length < 2)
        return (ISC_R_NOSPACE);
    isc_buffer_putuint16(&buffer, rdataset->type);

    /*
     * Copy the rdataset into the buffer.
     */

which is correct: you checked that there are at least two bytes in the buffer and then copied a uint16 (which has 2 bytes) there. However, the affected 9.7.3 contains:

    /*
     * Copy the type to the buffer.
     */
    isc_buffer_availableregion(&buffer, &r);
    if (r.length < 2)
        return (ISC_R_NOSPACE);
    isc_buffer_putuint16(&buffer, rdataset->type);
    isc_buffer_putuint8(&buffer, (unsigned char)rdataset->trust);

    /*
     * Copy the rdataset into the buffer.
     */

Notice that now you are copying three bytes (uint16 + uint8) but you only checked that there is room for two bytes, which is the bug.

Regards,
Adam

_______________________________________________
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
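The following is an added illustration of the defect Adam describes, not code from the thread or from BIND. It uses a small stand-in for isc_buffer_t (the type `buf_t` and the functions `buf_available`, `buf_putuint16`, `buf_putuint8` are invented here) whose put routines do no checking of their own, so that the pattern "check for 2 bytes, write 3" shows up as a clobbered guard byte placed right after the buffer's declared end. In BIND itself the isc_buffer put routines carry their own REQUIRE preconditions, so the same mismatch surfaces as an assertion failure (a crash of named) rather than a silent memory write; the bug, and the fix of checking for every byte about to be written, is the same.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Stand-ins for ISC result codes (values chosen here, not ISC's). */
#define ISC_R_SUCCESS 0
#define ISC_R_NOSPACE 1

/* Minimal stand-in for isc_buffer_t: a backing store of `length` bytes
 * and a write cursor `used`. Assumed shape, not BIND's real struct. */
typedef struct {
    uint8_t *base;
    size_t length;
    size_t used;
} buf_t;

/* Bytes still writable, i.e. what isc_buffer_availableregion() reports as r.length. */
static size_t buf_available(const buf_t *b) { return b->length - b->used; }

/* Unchecked writers: like the ncache.c code, the caller is responsible
 * for checking available space before calling them. */
static void buf_putuint16(buf_t *b, uint16_t v) {
    b->base[b->used++] = (uint8_t)(v >> 8);      /* network byte order */
    b->base[b->used++] = (uint8_t)(v & 0xff);
}
static void buf_putuint8(buf_t *b, uint8_t v) { b->base[b->used++] = v; }

/* Pattern of the affected 9.7.3 code: the check covers 2 bytes, the writes total 3. */
int put_type_trust_vulnerable(buf_t *b, uint16_t type, uint8_t trust) {
    if (buf_available(b) < 2)
        return ISC_R_NOSPACE;
    buf_putuint16(b, type);
    buf_putuint8(b, trust);            /* third byte, never accounted for */
    return ISC_R_SUCCESS;
}

/* Corrected pattern: the check matches the number of bytes written. */
int put_type_trust_fixed(buf_t *b, uint16_t type, uint8_t trust) {
    if (buf_available(b) < 3)
        return ISC_R_NOSPACE;
    buf_putuint16(b, type);
    buf_putuint8(b, trust);
    return ISC_R_SUCCESS;
}

#define GUARD 0xA5   /* sentinel placed just past the buffer's declared end */
#define TYPE_RRSIG 46
#define TRUST_DEMO 3 /* arbitrary trust level for the demonstration */

/* Buffer with exactly 2 bytes free: the vulnerable path passes its check
 * and writes the trust byte over the guard. Returns 1 if the guard was hit. */
int vulnerable_overwrites_guard(void) {
    uint8_t storage[4] = { 0, 0, GUARD, GUARD };
    buf_t b = { storage, 2, 0 };       /* buffer advertises only 2 bytes */
    int r = put_type_trust_vulnerable(&b, TYPE_RRSIG, TRUST_DEMO);
    return r == ISC_R_SUCCESS && storage[2] != GUARD;
}

/* Same 2-byte buffer: the fixed path refuses before writing anything. */
int fixed_rejects_short_buffer(void) {
    uint8_t storage[4] = { 0, 0, GUARD, GUARD };
    buf_t b = { storage, 2, 0 };
    int r = put_type_trust_fixed(&b, TYPE_RRSIG, TRUST_DEMO);
    return r == ISC_R_NOSPACE && storage[2] == GUARD && b.used == 0;
}

/* With exactly 3 bytes free the fixed path writes type (2 bytes) + trust (1 byte)
 * and leaves the guard intact. */
int fixed_accepts_exact_fit(void) {
    uint8_t storage[4] = { 0, 0, 0, GUARD };
    buf_t b = { storage, 3, 0 };
    int r = put_type_trust_fixed(&b, TYPE_RRSIG, TRUST_DEMO);
    return r == ISC_R_SUCCESS && storage[0] == 0 && storage[1] == TYPE_RRSIG &&
           storage[2] == TRUST_DEMO && storage[3] == GUARD;
}

int main(void) {
    printf("vulnerable path overwrote guard byte: %s\n",
           vulnerable_overwrites_guard() ? "yes" : "no");
    printf("fixed path rejected 2-byte buffer:    %s\n",
           fixed_rejects_short_buffer() ? "yes" : "no");
    printf("fixed path accepted 3-byte buffer:    %s\n",
           fixed_accepts_exact_fit() ? "yes" : "no");
    return 0;
}
```

The guard byte is kept inside the local array on purpose, so the overrun is observable without the program itself committing an out-of-bounds access; in the real code the byte past r.length belongs to whatever follows the buffer, which is why a size check must be updated whenever another put call is added after it.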