Some potential security bugs in djbdns 1.05
Some potential security bugs in djbdns 1.05, we didn't test them
on hardware.
djbdns [1] is an "ancient" dns server.
It still have $1K bounty for an exploit [2].
Are these bugs vulnerabilities?
in cdb_make.c:
cdb_make_finish:
100 memsize += c->numentries; /* no overflow possible up to now */
101 u = (uint32) 0 - (uint32) 1;
102 u /= sizeof(struct cdb_hp);
103 if (memsize > u) { errno = error_nomem; return -1; }
104
105 c->split = (struct cdb_hp *) alloc(memsize * sizeof(struct cdb_hp));
106 if (!c->split) return -1;
107
108 c->hash = c->split + c->numentries;
109
110 u = 0;
111 for (i = 0;i < 256;++i) {
112 u += c->count[i]; /* bounded by numentries, so no overflow */
113 c->start[i] = u;
114 }
Issue 1: On line 105 alloc(-SMALL) overflows alloc() despite the check for
overflow on 103, e.g.
memsize= ((unsigned int) -1 )/sizeof(struct cdb_hp))
In alloc.c:
/*@null@*//*@out@*/char *alloc(n)
unsigned int n;
{
char *x;
[A] n = ALIGNMENT + n - (n & (ALIGNMENT - 1)); /* XXX: could overflow */
if (n <= avail) { avail -= n; return space + avail; }
[A] overflows at least for -16 <= n <= -1.
This integer overflow might be mitigated by memory limits.
In query.c:
Issue 2: There are several usages:
uint16_unpack_big(header + 8,&datalen);
pos += datalen;
There appears no check if datalen doesn't overflow the buffer,
leading past the end.
[1] https://cr.yp.to/djbdns.html
[2] https://cr.yp.to/djbdns/guarantee.html
Reply to: