[rbldnsd] bug and fix: use uninitialized value in rbldnsd

Doc Schneider maddoc at maddoc.net
Sat Apr 16 03:01:50 MSD 2005


Michael Tokarev wrote:
> I just discovered a bug in rbldnsd, in ip4set and ip4trie
> datasets, where, provided the input data file is invalid,
> it is possible to dereference an uninitialized pointer.  The
> problem occurs when the input data file has invalid A+TXT
> template but valid IP address on the left -- in this case,
> instead of skipping the line, rbldnsd adds the entry to
> its data structure, leaving `rr' pointer uninitialized.
> 
> The patch below fixes the problem.  It is the same as at
> http://www.corpit.ru/mjt/rbldnsd/rbldnsd-0.994-invval.patch
> 
> The problem exists in several recent versions of the code,
> including the last 0.994 release.
> 
> This bug isn't triggerable by (bad/invalid) queries, only
> by bad input data file.  I don't think it is possible to
> exploit the bug with result more serious than just plain
> crash (giving denial of service) -- the pointer is only
> dereferenced for reading, so the result of the bug is
> either wrong/weird A+TXT DNS records for the entry in
> question (unlikely) or instant SIGSEGV (more likely).
> 
> I will release a corrected version (which will also include
> another bugfix mentioned earlier) this weekend.
> 
> /mjt
> 
> 
> ------------------------------------------------------------------------
> 
> This patch fixes a bug in rbldnsd (many versions prior to and
> including 0.994) where, in case of bad input data (zone file),
> rbldnsd, instead of rejecting the line, will add it to the dataset
> but with uninitialized result pointer, which can lead to crash
> (SIGSEGV).  The problem only happens with ip4set and ip4trie
> dataset types (not with ip4tset), and only if the input data
> line has a valid IP address but a wrong A+TXT template (e.g., an invalid
> A value).  The problem is not exploitable (the memory is referenced
> for reading only); the only bad thing that can happen is a crash
> (i.e., DoS).
> 
> /mjt
> 
> Index: rbldnsd_ip4set.c
> ===================================================================
> RCS file: /ws/CVS/rbldnsd/rbldnsd_ip4set.c,v
> retrieving revision 1.39
> diff -u -u -p -r1.39 rbldnsd_ip4set.c
> --- rbldnsd_ip4set.c	13 Dec 2004 01:22:31 -0000	1.39
> +++ rbldnsd_ip4set.c	15 Apr 2005 21:43:12 -0000
> @@ -128,7 +128,7 @@ ds_ip4set_line(struct dataset *ds, char 
>      if (!*s || ISCOMMENT(*s))
>        rr = dsd->def_rr;
>      else if (!(rrl = parse_a_txt(s, &rr, dsd->def_rr, dsc)))
> -      dswarn(dsc, "invalid value");
> +      return 1;
>      else if (!(rr = mp_dmemdup(ds->ds_mp, rr, rrl)))
>        return 0;
>    }
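Review bot: replacing `dswarn(dsc, "invalid value");` with a bare `return 1;` drops the diagnostic, so a line with a bad A+TXT template is now skipped silently unless parse_a_txt() reports the error through dsc on its own; an operator would not learn that an entry was left out of the zone. Suggest keeping both, e.g. `{ dswarn(dsc, "invalid value"); return 1; }`. A one-line comment on what the caller does with the `return 1` here versus the `return 0` on the mp_dmemdup() failure two lines below would also help, since the chain now uses both return values without saying what each means.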
> Index: rbldnsd_ip4trie.c
> ===================================================================
> RCS file: /ws/CVS/rbldnsd/rbldnsd_ip4trie.c,v
> retrieving revision 1.12
> diff -u -u -p -r1.12 rbldnsd_ip4trie.c
> --- rbldnsd_ip4trie.c	13 Dec 2004 01:22:31 -0000	1.12
> +++ rbldnsd_ip4trie.c	15 Apr 2005 21:43:12 -0000
> @@ -213,7 +213,7 @@ ds_ip4trie_line(struct dataset *ds, char
>      if (!*s || ISCOMMENT(*s))
>        rr = dsd->def_rr;
>      else if (!(rrl = parse_a_txt(s, &rr, dsd->def_rr, dsc)))
> -      dswarn(dsc, "invalid value");
> +      return 1;
>      else if (!(rr = mp_dmemdup(ds->ds_mp, rr, rrl)))
>        return 0;
>    }
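Review bot: same concern as in the ip4set hunk: the `dswarn` call is removed rather than kept in front of the `return 1;`, so the bad template is skipped without a message unless parse_a_txt() warns by itself. Since this value-parsing chain is character-for-character identical to the one in ds_ip4set_line(), a small shared helper that parses the value and returns skip/ok/fail would let one fix cover both datasets instead of two copies that must be patched in lockstep (and that both missed the early return).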
> 

Michael,

I tried to apply this patch but it fails.

patch -p0 < *.patch

patching file `rbldnsd_ip4set.c'
Hunk #1 FAILED at 128.
1 out of 1 hunk FAILED -- saving rejects to rbldnsd_ip4set.c.rej
patching file `rbldnsd_ip4trie.c'
Hunk #1 FAILED at 213.
1 out of 1 hunk FAILED -- saving rejects to rbldnsd_ip4trie.c.rej

Did I do this incorrectly?

-Doc (Who loves rbldnsd and uses it a lot!)
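The fall-through that the quoted messages describe, as an added illustration in C (not rbldnsd's own code): a model of the else-if chain in ds_ip4set_line()/ds_ip4trie_line() in its pre-patch and patched shapes. The simplified value syntax "A.B.C.D:text", the function and type names, and the rr_unset_marker sentinel that stands in for the real code's indeterminate pointer are assumptions of this example.

```c
#include <stdio.h>
#include <string.h>
/* Model of the value-parsing else-if chain in ds_ip4set_line()/ds_ip4trie_line().
 * Hypothetical simplified template syntax: "A.B.C.D:text". */
enum outcome { SKIPPED = 0, ADDED = 1 };
struct entry { const char *rr; size_t rrl; };

/* Stand-in for the indeterminate value rr holds in the real bug, so the
 * fall-through is observable in this model without undefined behaviour. */
static const char rr_unset_marker[] = "<indeterminate rr>";

/* Returns template length (text plus NUL), or 0 when the A value is invalid. */
static size_t parse_a_txt(const char *s, const char **txt)
{
    unsigned a, b, c, d; int n = 0;
    if (sscanf(s, "%u.%u.%u.%u:%n", &a, &b, &c, &d, &n) != 4 || n == 0 ||
        a > 255 || b > 255 || c > 255 || d > 255)
        return 0;
    *txt = s + n;
    return strlen(*txt) + 1;
}

/* Pre-patch shape: the "invalid value" branch only warns, control falls out of
 * the chain, and the entry is stored with rr never assigned. */
static enum outcome add_line_buggy(const char *value, const char *def_rr, struct entry *e)
{
    const char *rr = rr_unset_marker; size_t rrl = 0;
    if (!*value)
        rr = def_rr;
    else if (!(rrl = parse_a_txt(value, &rr)))
        fprintf(stderr, "warning: invalid value\n");  /* warns, does not skip */
    e->rr = rr; e->rrl = rrl;   /* on a bad line this stores the unset pointer */
    return ADDED;
}

/* Patched shape: a bad template returns before anything is stored. */
static enum outcome add_line_fixed(const char *value, const char *def_rr, struct entry *e)
{
    const char *rr = NULL; size_t rrl = 0;
    if (!*value)
        rr = def_rr;
    else if (!(rrl = parse_a_txt(value, &rr))) {
        fprintf(stderr, "warning: invalid value\n");
        return SKIPPED;  /* the early return the patch introduces */
    }
    e->rr = rr; e->rrl = rrl;
    return ADDED;
}
```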
