You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
While fuzzing nsd-checkzone in NSD 4.2.4 (and git nighly build (revision: a1879fb)), I found a buffer overflow in the dname_to_string() function, in dname.c.
Attaching a reproducer (zipped so GitHub accepts it): input_test0.zip
Issue can be reproduced by running:
nsd-checkzone all.rr input_test0
=================================================================
==2301135==ERROR: AddressSanitizer: global-buffer-overflow on address 0x000000f7e91b at pc 0x00000043bb11 bp 0x7ffe3f9c8c20 sp 0x7ffe3f9c83b8
WRITE of size 5 at 0x000000f7e91b thread T0
#0 0x43bb10 in vsnprintf (/src/nsd-NSD_4_2_4_REL/nsd-checkzone+0x43bb10)
#1 0x43d060 in snprintf (/src/nsd-NSD_4_2_4_REL/nsd-checkzone+0x43d060)
#2 0x4e421f in dname_to_string /src/nsd-NSD_4_2_4_REL/dname.c:423:5
#3 0x61ff60 in domain_to_string /src/nsd-NSD_4_2_4_REL/./namedb.h:315:10
#4 0x61e335 in process_rr /src/nsd-NSD_4_2_4_REL/zonec.c:1435:79
#5 0x623f0f in yyparse /src/nsd-NSD_4_2_4_REL/./zparser.y:125:8
#6 0x620ce6 in zonec_read /src/nsd-NSD_4_2_4_REL/zonec.c:1627:2
#7 0x63ffff in check_zone /src/nsd-NSD_4_2_4_REL/nsd-checkzone.c:61:11
#8 0x63fc79 in main /src/nsd-NSD_4_2_4_REL/nsd-checkzone.c:131:2
#9 0x7feb592d60b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x270b2)
#10 0x41da0d in _start (/src/nsd-NSD_4_2_4_REL/nsd-checkzone+0x41da0d)
0x000000f7e91b is located 0 bytes to the right of global variable 'buf' defined in 'dname.c:391:14' (0xf7e420) of size 1275
SUMMARY: AddressSanitizer: global-buffer-overflow (/src/nsd-NSD_4_2_4_REL/nsd-checkzone+0x43bb10) in vsnprintf
Shadow bytes around the buggy address:
0x0000801e7cd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0000801e7ce0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0000801e7cf0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0000801e7d00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0000801e7d10: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0000801e7d20: 00 00 00[03]f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9
0x0000801e7d30: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9
0x0000801e7d40: f9 f9 f9 f9 f9 f9 f9 f9 00 00 00 00 00 00 00 00
0x0000801e7d50: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0000801e7d60: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0000801e7d70: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
Shadow gap: cc
==2301135==ABORTING
The text was updated successfully, but these errors were encountered:
Hi,
While fuzzing nsd-checkzone in NSD 4.2.4 (and git nighly build (revision: a1879fb)), I found a buffer overflow in the dname_to_string() function, in dname.c.
Attaching a reproducer (zipped so GitHub accepts it): input_test0.zip
Issue can be reproduced by running:
nsd-checkzone all.rr input_test0
The text was updated successfully, but these errors were encountered: