-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Greetings,

The CERT/CC is tracking this as VR-554; please retain VR-554 in the subject of future replies related to this issue. Considering the issue and CVE IDs are already being publicly discussed, we are unlikely to take further action at this time. Any and all CVE disputes should be directed to MITRE (c...@mitre.org or their CVE form).

Regards,
Joel Land
Vulnerability Analysis Team
==============================
CERT Coordination Center
www.cert.org / c...@cert.org
==============================

Sam Trenholme <mara...@gmail.com> writes:

>CVE-2016-9300, CVE-2016-9301, and CVE-2016-9302 are *NOT* valid bug reports.
>
>Here’s the deal: The reporter had to patch MaraDNS before he was able
>to crash her.
>
>The patch, however, treats MaraDNS’ special buffer-overflow-resistant
>“js_string” as if it were an ordinary string — but it’s not. Here’s
>the offending code patched into MaraDNS from the reporter’s “bug
>report”:
>
>sock_num = read(0, incoming, 512);
>
>As per the man page for read:
>
>ssize_t read(int fd, void *buf, size_t count);
>
>DESCRIPTION
>       read() attempts to read up to count bytes from file descriptor fd into
>       the buffer starting at buf.
>
>However, incoming is not a raw string buffer: It’s a special js_string
>object which MaraDNS uses to be buffer overflow resistant, as can be
>seen here in server/MaraDNS.c:
>
>int main(int argc, char **argv) {
>
>    js_string *mararc_loc = 0, *errors = 0,
>        *bind_address = 0, *ipv6_bind_address = 0,
>        *csv2_synthip_address = 0,
>        *ipv4_bind_address = 0, *incoming = 0,
>        *uncomp = 0, *verbstr = 0;
>
>The js_string structure (I guess I would call it an object here in
>2016) is defined in libs/JsStr.h:
>
>typedef struct {
>    unsigned char *string;   /* Actual physical string */
>    unsigned int unit_size;  /* The size of a single character in the string */
>    unsigned int unit_count; /* The length of the string, in units */
>    unsigned int max_count;  /* The maximum allowable size of the string,
>                                also in units */
>    int encoding;            /* The type of language/encoding the string is in */
>    int is_good;             /* This is checked to make sure the data structure is
>                                sane */
>} js_string;
>
>Point being, if we patch MaraDNS to treat this structure as a raw
>buffer instead of a structure, we will be able to crash MaraDNS — but
>that doesn’t mean we have found a UDP packet of death which will crash
>unpatched MaraDNS 2.0.13.
>
>I appreciate that people are performing security research with
>MaraDNS, and the fact that researchers need to resort to patching
>MaraDNS before crashing her indicates that, a decade and a half later,
>MaraDNS is still a usable DNS server with a strong security record.
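To make the distinction Sam draws concrete, here is an added example (my own, not MaraDNS code): the js_string layout quoted above, a memcpy standing in for the reporter's read(0, incoming, 512) that lands raw bytes on the structure itself, and a bounded copy into the backing buffer that honours max_count. The JS_GOOD marker value, the helper names and the sample packet are constructed assumptions, not values from MaraDNS.

```c
#include <stddef.h>
#include <string.h>

/* Mirror of the js_string layout quoted above from libs/JsStr.h. */
typedef struct {
    unsigned char *string;   /* Actual physical string */
    unsigned int unit_size;
    unsigned int unit_count;
    unsigned int max_count;  /* capacity of the backing buffer, in units */
    int encoding;
    int is_good;             /* sanity marker checked before use */
} js_string;
#define JS_GOOD 0x1234  /* constructed marker value, not MaraDNS's own */

/* Constructed helper: bind a caller-supplied buffer to a js_string. */
static void js_bind(js_string *s, unsigned char *buf, unsigned int max) {
    s->string = buf; s->unit_size = 1; s->unit_count = 0;
    s->max_count = max; s->encoding = 0; s->is_good = JS_GOOD;
}
/* What the reporter's read(0, incoming, 512) does: raw bytes land on the
 * struct itself, overwriting the string pointer, the bounds and is_good.
 * memcpy stands in for read(); n is capped so this demo stays in-bounds.
 * Returns 1 if the struct still passes its sanity check, else 0. */
static int clobber_struct(js_string *s, const unsigned char *src, size_t n) {
    if (n > sizeof(*s)) n = sizeof(*s);
    memcpy(s, src, n);
    return s->is_good == JS_GOOD;
}
/* The bounded alternative: copy into the backing buffer, never past
 * max_count, and refuse a struct that is not sane. Returns bytes stored. */
static int copy_into_js_string(js_string *s, const unsigned char *src, size_t n) {
    if (s->is_good != JS_GOOD || s->string == NULL) return -1;
    if (n > s->max_count) n = s->max_count;
    memcpy(s->string, src, n);
    s->unit_count = (unsigned int)n;
    return (int)n;
}

/* Constructed sample input: a 64-byte "packet" of 'A's, larger than the struct. */
static int demo_clobbered(void) {
    unsigned char buf[512], pkt[64]; js_string s;
    memset(pkt, 'A', sizeof pkt); js_bind(&s, buf, sizeof buf);
    return clobber_struct(&s, pkt, sizeof pkt);      /* 0: struct corrupted */
}
static int demo_bounded(void) {
    unsigned char buf[16], pkt[64]; js_string s;
    memset(pkt, 'A', sizeof pkt); js_bind(&s, buf, sizeof buf);
    return copy_into_js_string(&s, pkt, sizeof pkt); /* 16: clipped to max_count */
}
```

The first demo shows why the crash only appears after the patch: the bytes overwrite the pointer and bounds that every js_string routine relies on, so the fault is in the patch, not in a packet reaching the unpatched server.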