Hi,
Please ignore my bug report. The bug was fixed in glibc 2.5.1.
regards,
Martin
Martin Waite wrote:
Hi,
I'm using a debian Etch system with glibc-2.3.6 installed.
Our application is a daemon process that forks a new process to handle
incoming connections. We have found that the DNS transaction-id for
the first DNS query issued by each child process has the same DNS
transaction-id. This poses a minor security problem for naive forking
applications (like ours) in that an attacker can accurately guess what
the first transaction-id will be following a fork.
In function res_nmkquery, the following code generates the
transaction-id:
hp = (HEADER *) buf;
/* We randomize the IDs every time. The old code just
incremented by one after the initial randomization which
still predictable if the application does multiple
requests. */
#if 0
hp->id = htons(++statp->id);
#else
hp->id = htons(statp->id);
int randombits;
do
{
#ifdef RANDOM_BITS
RANDOM_BITS (randombits);
#else
struct timeval tv;
__gettimeofday (&tv, NULL);
randombits = (tv.tv_sec << 8) ^ tv.tv_usec;
#endif
}
while ((randombits & 0xffff) == 0);
statp->id = (statp->id + randombits) & 0xffff;
#endif
hp->opcode = op;
The line "hp->id = htons(statp->id);" consumes the
transaction-id before generating a new one for the next call.
A better solution would be if the transaction-id was consumed after a
new one is generated, ie. just after the assignment to statp->id
after the while loop. This would be more in the spirit of the old
behaviour where the transaction-id is incremented and then used -
"hp->id = htons(++statp->id);
".
In short, I suggest that the code is changed to the following:
hp = (HEADER *) buf;
/* We randomize the IDs every time. The old code just
incremented by one after the initial randomization which
still predictable if the application does multiple
requests. */
#if 0
hp->id = htons(++statp->id);
#else
int randombits;
do
{
#ifdef RANDOM_BITS
RANDOM_BITS (randombits);
#else
struct timeval tv;
__gettimeofday (&tv, NULL);
randombits = (tv.tv_sec << 8) ^ tv.tv_usec;
#endif
}
while ((randombits & 0xffff) == 0);
statp->id = (statp->id + randombits) & 0xffff;
hp->id = htons(statp->id);
#endif
hp->opcode = op;
--
Martin Waite
Solutions Architect
DataCash
Tel (Direct): +44 (0)131 538 8431
Mobile: +44 (0)7866 750509
DataCash Ltd, Suite 3/1 Great Michael House,
14 Links Place, Edinburgh, EH6 7EZ, United Kingdom.
Tel: +44 (0)870 7274 762
Fax: +44 (0)870 7274 782
www.datacash.com
DISCLAIMER: This email and any files transmitted with it are
confidential to DataCash Group plc and its group companies. It is
intended only for the person to whom it is addressed. If you have
received this email in error, please forward it to [EMAIL PROTECTED]
with the
subject line "Received in Error". If you are not the intended
recipient you must not use, disclose, copy, print, distribute or rely
on this email or any transmitted files. DataCash Ltd is registered in
England and Wales no. 3430157. DataCash Ltd is part of the DataCash
Group plc. DataCash Group plc is registered in England and Wales
no. 3168091. DataCash Ltd and DataCash Group plc registered address is
Descartes House, 8 Gate Street, London, WC2A 3HP, United Kingdom.
Save a tree...Please only print this page if essential
--
Martin Waite
Solutions Architect
DataCash
Tel (Direct): +44 (0)131 538 8431
Mobile: +44 (0)7866 750509
DataCash Ltd, Suite 3/1 Great Michael House,
14 Links Place, Edinburgh, EH6 7EZ, United Kingdom.
Tel: +44 (0)870 7274 762
Fax: +44 (0)870 7274 782
www.datacash.com
DISCLAIMER: This email and any files transmitted with it are
confidential to DataCash Group plc and its group companies. It is
intended only for the person to whom it is addressed. If you have
received this email in error, please forward it to [EMAIL PROTECTED]
with the
subject line "Received in Error". If you are not the intended
recipient you must not use, disclose, copy, print, distribute or rely
on this email or any transmitted files. DataCash Ltd is registered in
England and Wales no. 3430157. DataCash Ltd is part of the DataCash
Group plc. DataCash Group plc is registered in England and Wales
no. 3168091. DataCash Ltd and DataCash Group plc registered address is
Descartes House, 8 Gate Street, London, WC2A 3HP, United Kingdom.
Save a tree...Please only print this page if essential
|
