netbsd-bugs: Re: security/11459: possible fix for remote DoS attack in BIND-8.2.2-P5

Subject: Re: security/11459: possible fix for remote DoS attack in BIND-8.2.2-P5
To: None <itojun@iijlab.net>
From: Greg A. Woods <woods@weird.com>
List: netbsd-bugs
Date: 11/09/2000 22:10:17
[ On Friday, November 10, 2000 at 10:38:06 (+0900), itojun@iijlab.net wrote: ]
> Subject: Re: security/11459: possible fix for remote DoS attack in BIND-8.2.2-P5
>
> 	http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=20546
> 	says that there will be 8.2.2P7 soon, and it has a different workaround
> 	than the attached one (change STREAM_AXFRIXFR).

Yes, the change given in RedHat's bugzilla to the value given to
STREAM_AXFRIXFR (in ns_defs.h) may be correct, at least assuming that
STREAM_AXFRIXFR isn't intended as a multi-purpose value specifying two
flags simultaneously (which would, IMHO, be bad programming anyway).


However either the patch I originally attached, or perhaps this more
generic and possibly more correct patch, is still absolutely necessary:


Index: src/bin/named/ns_xfr.c
===================================================================
RCS file: /cvs/misc/bind8/src/bin/named/ns_xfr.c,v
retrieving revision 1.1.1.3
diff -c -r1.1.1.3 ns_xfr.c
*** src/bin/named/ns_xfr.c	1999/11/11 06:06:09	1.1.1.3
--- src/bin/named/ns_xfr.c	2000/11/10 02:20:11
***************
*** 194,205 ****
  		else
  			type = ns_t_axfr;
  	}
! 		if (sx_pushlev(qsp, znp) < 0) {
   abort:
! 			(void) shutdown(qsp->s_rfd, 2);
! 			sq_remove(qsp);
! 			return;
! 		}
  	if (type != ns_t_ixfr) 
  		(void) sq_writeh(qsp, sx_sendsoa);
  	else 
--- 194,204 ----
  		else
  			type = ns_t_axfr;
  	}
! 	if (sx_pushlev(qsp, znp) < 0) {
   abort:
! 		(void) shutdown(qsp->s_rfd, 2);
! 		return;
! 	}
  	if (type != ns_t_ixfr) 
  		(void) sq_writeh(qsp, sx_sendsoa);
  	else 



With only the proposed change from the RedHat bugzilla report the
same crash still occurs, and from examination of the event loop in
ns_main.c it seems quite likely that freeing the stream structure at
that point because it's clearly referenced afterwards and seems to cause
corruption of the new data allocated to that storage place.

db_freedata: DB_F_FREE set
db_freedata: DB_F_FREE set

Program received signal SIGABRT, Aborted.
0x48154503 in kill ()
(gdb) where
#0  0x48154503 in kill ()
#1  0x48153c75 in abort ()
#2  0x8070f05 in ns_panic (category=0, dump_core=1, 
    format=0x80b6684 "db_freedata: %s set") at ns_glue.c:167
#3  0x8070f8a in panic (msg=0x80b6684 "db_freedata: %s set", arg=0x80b666e)
    at ns_glue.c:187
#4  0x8053381 in db_freedata (dp=0x81dabf4) at db_glue.c:482
#5  0x8056388 in rrset_free_partial (rrset=0x8148aa0, free_data=1, 
    start=0x81e62a0) at db_sec.c:764
#6  0x8056534 in rrset_db_update (rrset=0x8148aa0, flags=9, htpp=0x80c9ca4, 
    from={sin_len = 16 '\020', sin_family = 2 '\002', sin_port = 13568, 
      sin_addr = {s_addr = 294921408}, 
      sin_zero = "\000\000\000\000\000\000\000"}, rrcount=0x0) at db_sec.c:892
#7  0x805693b in update_rrset_list (rrsets=0xbfbfb2a0, flags=9, 
    htpp=0x80c9ca4, from={sin_len = 16 '\020', sin_family = 2 '\002', 
      sin_port = 13568, sin_addr = {s_addr = 294921408}, 
      sin_zero = "\000\000\000\000\000\000\000"}, rrcount=0x0) at db_sec.c:1030
#8  0x8056a64 in db_set_update (name=0x0, dp=0x0, state=0xbfbfb2a0, flags=9, 
    htpp=0x80c9ca4, from={sin_len = 16 '\020', sin_family = 2 '\002', 
      sin_port = 13568, sin_addr = {s_addr = 294921408}, 
      sin_zero = "\000\000\000\000\000\000\000"}, rrcount=0x0, line=0, 
    file=0x0) at db_sec.c:1080
#9  0x806e797 in rrsetupdate (flushset=0x81e3000, flags=9, from={
      sin_len = 16 '\020', sin_family = 2 '\002', sin_port = 13568, 
      sin_addr = {s_addr = 294921408}, 
      sin_zero = "\000\000\000\000\000\000\000"}, updatettl=0)
    at ns_resp.c:3651
#10 0x8069979 in ns_resp (msg=0xbfbfcb3c "qg\200", msglen=449, from={
      sin_len = 16 '\020', sin_family = 2 '\002', sin_port = 13568, 
      sin_addr = {s_addr = 294921408}, 
      sin_zero = "\000\000\000\000\000\000\000"}, qsp=0x0) at ns_resp.c:1081
#11 0x805fb02 in dispatch_message (msg=0xbfbfcb3c "qg\200", msglen=449, 
    buflen=512, qsp=0x0, from={sin_len = 16 '\020', sin_family = 2 '\002', 
      sin_port = 13568, sin_addr = {s_addr = 294921408}, 
      sin_zero = "\000\000\000\000\000\000\000"}, dfd=4, ifp=0x0)
    at ns_main.c:1057
#12 0x805fa18 in datagram_read (lev={opaque = 0x8135000}, uap=0x0, fd=4, 
    evmask=1) at ns_main.c:1014
#13 0x8088e29 in __evDispatch (opaqueCtx={opaque = 0x8135000}, opaqueEv={
      opaque = 0x8129c00}) at eventlib.c:484
#14 0x805ec1b in main (argc=6, argv=0xbfbfcf20, envp=0xbfbfcf24)
    at ns_main.c:535
#15 0x804ad89 in ___start ()


-- 
							Greg A. Woods

+1 416 218-0098      VE3TCP      <gwoods@acm.org>      <robohack!woods>
Planix, Inc. <woods@planix.com>; Secrets of the Weird <woods@weird.com>