[rbldnsd] bug and fix: use of uninitialized value in rbldnsd

Michael Tokarev mjt at tls.msk.ru
Sat Apr 16 01:45:25 MSD 2005


I just discovered a bug in rbldnsd, in the ip4set and ip4trie
datasets, where, provided the input data file is invalid,
it is possible to dereference an uninitialized pointer.  The
problem occurs when the input data file has an invalid A+TXT
template but a valid IP address on the left -- in this case,
instead of skipping the line, rbldnsd adds the entry to
its data structure, leaving the `rr' pointer uninitialized.

The patch below fixes the problem.  It is the same as at
http://www.corpit.ru/mjt/rbldnsd/rbldnsd-0.994-invval.patch

The problem exists in several recent versions of the code,
including the last 0.994 release.

This bug isn't triggerable by (bad/invalid) queries, only
by a bad input data file.  I don't think it is possible to
exploit the bug with a result more serious than just a plain
crash (giving denial of service) -- the pointer is only
dereferenced for reading, so the result of the bug is
either wrong/weird A+TXT DNS records for the entry in
question (unlikely) or an instant SIGSEGV (more likely).

I will release a corrected version (which will also include
another bugfix mentioned earlier) this weekend.

/mjt
-------------- next part --------------
This patch fixes a bug in rbldnsd (many versions prior to and
including 0.994) where, in case of bad input data (zone file),
rbldnsd, instead of rejecting the line, will add it to the dataset
but with an uninitialized result pointer, which can lead to a crash
(SIGSEGV).  The problem only happens with the ip4set and ip4trie
dataset types (not with ip4tset), and only if the input data
line has a valid IP address but a wrong A+TXT template (e.g., an
invalid A value).  The problem is not exploitable (the memory is
referenced for reading only); the only bad thing that can happen is
a crash (i.e., DoS).

/mjt

Index: rbldnsd_ip4set.c
===================================================================
RCS file: /ws/CVS/rbldnsd/rbldnsd_ip4set.c,v
retrieving revision 1.39
diff -u -u -p -r1.39 rbldnsd_ip4set.c
--- rbldnsd_ip4set.c	13 Dec 2004 01:22:31 -0000	1.39
+++ rbldnsd_ip4set.c	15 Apr 2005 21:43:12 -0000
@@ -128,7 +128,7 @@ ds_ip4set_line(struct dataset *ds, char 
     if (!*s || ISCOMMENT(*s))
       rr = dsd->def_rr;
     else if (!(rrl = parse_a_txt(s, &rr, dsd->def_rr, dsc)))
-      dswarn(dsc, "invalid value");
+      return 1;
     else if (!(rr = mp_dmemdup(ds->ds_mp, rr, rrl)))
       return 0;
   }
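Review bot: the `dswarn(dsc, "invalid value")` diagnostic disappears together with the fall-through, so unless parse_a_txt() reports the failure itself through the `dsc` it is handed, a malformed line is now skipped silently and an operator has no pointer to the bad line in the zone file. If parse_a_txt() does not warn, keep the message in front of the early return, e.g. `{ dswarn(dsc, "invalid value"); return 1; }`. A short comment would also help here, since `return 1` (line handled, skip it) sits two lines above `return 0` (fatal, on the mp_dmemdup() failure) with opposite meanings.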
Index: rbldnsd_ip4trie.c
===================================================================
RCS file: /ws/CVS/rbldnsd/rbldnsd_ip4trie.c,v
retrieving revision 1.12
diff -u -u -p -r1.12 rbldnsd_ip4trie.c
--- rbldnsd_ip4trie.c	13 Dec 2004 01:22:31 -0000	1.12
+++ rbldnsd_ip4trie.c	15 Apr 2005 21:43:12 -0000
@@ -213,7 +213,7 @@ ds_ip4trie_line(struct dataset *ds, char
     if (!*s || ISCOMMENT(*s))
       rr = dsd->def_rr;
     else if (!(rrl = parse_a_txt(s, &rr, dsd->def_rr, dsc)))
-      dswarn(dsc, "invalid value");
+      return 1;
     else if (!(rr = mp_dmemdup(ds->ds_mp, rr, rrl)))
       return 0;
   }
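Review bot: this is the same three-line change as in rbldnsd_ip4set.c, and the whole `if / else if / else if` block around it is identical in both files, which is how the bug landed in two dataset types at once. Consider moving the value-parsing step into a shared helper that returns the skip/fatal status so the next fix is applied in one place; the same consideration applies to the `return 1` versus `return 0` exits here as in the ip4set hunk.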


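The control flow the post describes, as an added example that is not rbldnsd's code: a constructed mock of a dataset line handler in C, with the pre-patch `if / else if` chain (warn, then fall through to the insert) beside the post-patch version (return 1 to skip the line). The struct layout, `parse_ip()`, the `parse_a_txt()` and `ISCOMMENT()` stand-ins and the sample zone lines are all assumptions made for this demo; `rr` starts as NULL here, where rbldnsd left it uninitialized, so the outcome is observable instead of undefined behaviour.

```c
#include <arpa/inet.h>   /* inet_pton (POSIX) */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed mock, not rbldnsd's structures: each entry pairs an IPv4
 * address with the text of its A+TXT value. */
#define MAXENT 16
struct entry { uint32_t ip; const char *rr; };
struct dataset { struct entry ent[MAXENT]; int n; const char *def_rr; };

#define ISCOMMENT(c) ((c) == '#' || (c) == ';')   /* stand-in for rbldnsd's macro */

/* Stand-in for parse_a_txt(): value is "A.B.C.D" optionally followed by
 * ":text". Returns the value length, or 0 when A is not a valid dotted quad. */
static int parse_a_txt(const char *s, const char **rr) {
    char abuf[16]; unsigned char a[4];
    const char *colon = strchr(s, ':');
    size_t alen = colon ? (size_t)(colon - s) : strlen(s);
    if (alen == 0 || alen >= sizeof abuf) return 0;
    memcpy(abuf, s, alen); abuf[alen] = '\0';
    if (inet_pton(AF_INET, abuf, a) != 1) return 0;
    *rr = s;
    return (int)strlen(s);
}

/* Left-hand side: one IPv4 address. Returns a pointer to the value text
 * after it, or NULL if the address does not parse. */
static const char *parse_ip(const char *line, uint32_t *ip) {
    char buf[16]; unsigned char a[4];
    size_t len = strcspn(line, " \t");
    if (len == 0 || len >= sizeof buf) return NULL;
    memcpy(buf, line, len); buf[len] = '\0';
    if (inet_pton(AF_INET, buf, a) != 1) return NULL;
    *ip = ((uint32_t)a[0] << 24) | ((uint32_t)a[1] << 16) | ((uint32_t)a[2] << 8) | a[3];
    line += len;
    while (*line == ' ' || *line == '\t') line++;
    return line;
}

/* Returns 0 (fatal) when the table is full, like a failed mp_dmemdup(). */
static int add_entry(struct dataset *ds, uint32_t ip, const char *rr) {
    if (ds->n >= MAXENT) return 0;
    ds->ent[ds->n].ip = ip; ds->ent[ds->n].rr = rr; ds->n++;
    return 1;
}

/* Pre-patch control flow: the "invalid value" branch only warns, so the
 * function falls through to add_entry() with rr never assigned. rbldnsd
 * left rr uninitialized; it starts as NULL here so the outcome is
 * observable instead of undefined. Returns 1 = line handled, 0 = fatal. */
static int line_buggy(struct dataset *ds, const char *line) {
    uint32_t ip; const char *rr = NULL;
    const char *s = parse_ip(line, &ip);
    if (!s) { fprintf(stderr, "warning: invalid address: %s\n", line); return 1; }
    if (!*s || ISCOMMENT(*s))
        rr = ds->def_rr;
    else if (!parse_a_txt(s, &rr))
        fprintf(stderr, "warning: invalid value: %s\n", line);   /* bug: no return */
    return add_entry(ds, ip, rr);
}

/* Post-patch control flow: the bad line is skipped with return 1. The
 * warning is kept here; the patch itself replaces it with the return. */
static int line_fixed(struct dataset *ds, const char *line) {
    uint32_t ip; const char *rr = NULL;
    const char *s = parse_ip(line, &ip);
    if (!s) { fprintf(stderr, "warning: invalid address: %s\n", line); return 1; }
    if (!*s || ISCOMMENT(*s))
        rr = ds->def_rr;
    else if (!parse_a_txt(s, &rr)) {
        fprintf(stderr, "warning: invalid value: %s\n", line);
        return 1;                                                  /* skip the line */
    }
    return add_entry(ds, ip, rr);
}

/* Constructed sample zone lines; the third has a valid address but an
 * invalid A value (octet 300), the case the post describes. */
static const char *const sample_lines[] = {
    "10.1.2.3",
    "10.1.2.4 127.0.0.3:listed",
    "10.1.2.5 300.0.0.1:bad",
    "not-an-address 127.0.0.2",
};
#define NSAMPLE ((int)(sizeof sample_lines / sizeof sample_lines[0]))

static int load(struct dataset *ds, int (*handler)(struct dataset *, const char *)) {
    ds->n = 0; ds->def_rr = "127.0.0.2";
    for (int i = 0; i < NSAMPLE; i++)
        if (!handler(ds, sample_lines[i])) return -1;
    return ds->n;
}

/* Entries loaded by the buggy (fixed == 0) or fixed (fixed == 1) handler;
 * with only_unset, just those whose rr was never assigned. -1 on fatal error. */
int count_entries(int fixed, int only_unset) {
    struct dataset ds; int k = 0, n = load(&ds, fixed ? line_fixed : line_buggy);
    if (n < 0 || !only_unset) return n;
    for (int i = 0; i < n; i++) if (ds.ent[i].rr == NULL) k++;
    return k;
}
```

Loading the four sample lines, the buggy handler ends up with three entries, one of them with `rr` never assigned, while the fixed handler keeps two; whatever later formats that third entry's A+TXT answer is where the garbage record or the SIGSEGV from the post would come from.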