Heap Out-of-bound Read vulnerability #51

Closed
pokerfacett opened this issue Sep 26, 2019 · 4 comments
pokerfacett commented Sep 26, 2019

Description:

When the zone file is parsed, the function ldns_nsec3_salt_data places too much trust in the length value obtained from the zone file. When the memcpy is performed, 0xfe - ldns_rdf_size(salt_rdf) bytes of data can be copied, causing heap information leakage.
Vulnerability location:
image

fuzz log:

INFO-w100wcrash.docx

fuzz payload:

w100wcrash-8f078e69e2781bbc4811a12d51df1c8674672306.txt

Repair Suggestion:

image

wcawijngaards added a commit that referenced this issue Sep 26, 2019
  ldns_nsec3_salt_data reported by pokerfacett.
@wcawijngaards
Member

Thanks! I applied your suggestion (with a cast to size_t to make the 255 case and also compiler signedness warnings work).
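The bounds check discussed in this thread, as an added example that is not part of the issue and is not ldns source code. `struct rdf`, `salt_unchecked`, `salt_checked`, `accepted_len` and the sample bytes are hypothetical; they model a field whose first byte declares the salt length.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for a parsed rdata field: `size` bytes came from
 * the zone file, and data[0] is the salt length the file declares. */
struct rdf { size_t size; const uint8_t *data; };

/* Unchecked pattern, for contrast only (never called below): the declared
 * length drives memcpy even when the field holds fewer bytes. */
uint8_t *salt_unchecked(const struct rdf *r)
{
    uint8_t len = r->data[0];
    uint8_t *salt = malloc(len ? len : 1);
    if (salt != NULL) memcpy(salt, r->data + 1, len); /* can read past r->data */
    return salt;
}

/* Checked pattern: the length byte plus the declared salt must fit in the
 * field. The size_t cast keeps the comparison unsigned, including len == 255. */
uint8_t *salt_checked(const struct rdf *r, size_t *out_len)
{
    uint8_t len, *salt;
    if (r == NULL || r->data == NULL || r->size == 0) return NULL;
    len = r->data[0];
    if ((size_t)len + 1 > r->size) return NULL;
    salt = malloc(len ? len : 1);
    if (salt == NULL) return NULL;
    memcpy(salt, r->data + 1, len);
    *out_len = len;
    return salt;
}

/* Constructed sample fields (not taken from the issue's fuzz payload). */
const uint8_t ok_field[]      = { 0x04, 0xde, 0xad, 0xbe, 0xef };
const uint8_t short_field[]   = { 0xfe, 0xaa }; /* declares 254, holds 1 */
const uint8_t full_field[256] = { 0xff };       /* declares 255, holds 255 */

/* Returns the accepted salt length, or -1 when the field is rejected. */
long accepted_len(const uint8_t *buf, size_t size)
{
    struct rdf r = { size, buf };
    size_t len = 0;
    uint8_t *salt = salt_checked(&r, &len);
    if (salt == NULL) return -1;
    free(salt);
    return (long)len;
}
```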

@pokerfacett
Author

> Thanks! I applied your suggestion (with a cast to size_t to make the 255 case and also compiler signedness warnings work).

Hi, could you report this in a security advisory and help to request a CVE for us: https://help.github.com/cn/github/managing-security-vulnerabilities/publishing-a-security-advisory

@wtoorop
Member

wtoorop commented Jun 8, 2020

Hi @pokerfacett, we don't think a CVE is necessary, but we will work towards a release with the issue fixed in the short term.

@pokerfacett
Author

CVE-2020-19861 was assigned for this issue
