
Buffer overflow in the dname_to_string() function #168

Closed
bsdb0y opened this issue Apr 2, 2021 · 2 comments

Comments


bsdb0y commented Apr 2, 2021

Hi,

While fuzzing nsd-checkzone in NSD 4.2.4 (and the git nightly build, revision a1879fb), I found a buffer overflow in the dname_to_string() function in dname.c.

Attaching a reproducer (zipped so GitHub accepts it): input_test0.zip

The issue can be reproduced by running:

```sh
nsd-checkzone all.rr input_test0
```

```
=================================================================
==2301135==ERROR: AddressSanitizer: global-buffer-overflow on address 0x000000f7e91b at pc 0x00000043bb11 bp 0x7ffe3f9c8c20 sp 0x7ffe3f9c83b8
WRITE of size 5 at 0x000000f7e91b thread T0
    #0 0x43bb10 in vsnprintf (/src/nsd-NSD_4_2_4_REL/nsd-checkzone+0x43bb10)
    #1 0x43d060 in snprintf (/src/nsd-NSD_4_2_4_REL/nsd-checkzone+0x43d060)
    #2 0x4e421f in dname_to_string /src/nsd-NSD_4_2_4_REL/dname.c:423:5
    #3 0x61ff60 in domain_to_string /src/nsd-NSD_4_2_4_REL/./namedb.h:315:10
    #4 0x61e335 in process_rr /src/nsd-NSD_4_2_4_REL/zonec.c:1435:79
    #5 0x623f0f in yyparse /src/nsd-NSD_4_2_4_REL/./zparser.y:125:8
    #6 0x620ce6 in zonec_read /src/nsd-NSD_4_2_4_REL/zonec.c:1627:2
    #7 0x63ffff in check_zone /src/nsd-NSD_4_2_4_REL/nsd-checkzone.c:61:11
    #8 0x63fc79 in main /src/nsd-NSD_4_2_4_REL/nsd-checkzone.c:131:2
    #9 0x7feb592d60b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x270b2)
    #10 0x41da0d in _start (/src/nsd-NSD_4_2_4_REL/nsd-checkzone+0x41da0d)

0x000000f7e91b is located 0 bytes to the right of global variable 'buf' defined in 'dname.c:391:14' (0xf7e420) of size 1275
SUMMARY: AddressSanitizer: global-buffer-overflow (/src/nsd-NSD_4_2_4_REL/nsd-checkzone+0x43bb10) in vsnprintf
Shadow bytes around the buggy address:
  0x0000801e7cd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0000801e7ce0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0000801e7cf0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0000801e7d00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0000801e7d10: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0000801e7d20: 00 00 00[03]f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9
  0x0000801e7d30: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9
  0x0000801e7d40: f9 f9 f9 f9 f9 f9 f9 f9 00 00 00 00 00 00 00 00
  0x0000801e7d50: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0000801e7d60: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0000801e7d70: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==2301135==ABORTING
```
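The report above shows a 5-byte snprintf write landing exactly at the end of the fixed-size global `buf` while a domain name is being rendered in presentation form. As an added illustration (not NSD's code, and not the actual dname_to_string() implementation), the hypothetical `wire_name_to_text()` below converts a wire-format name into text with `\DDD` escaping while checking snprintf's return value against the space remaining, so a name whose escaped form does not fit is rejected instead of overrunning the buffer:

```c
#include <stdio.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical bounded converter (added example, not NSD code).
 * Input: wire-format name (length-prefixed labels, terminated by a
 * zero-length label). Output: presentation form with '.' and '\\'
 * escaped as "\c" and non-printable bytes escaped as "\DDD".
 * Returns the number of characters written (excluding the NUL),
 * or -1 if the input is malformed or the output would not fit. */
int wire_name_to_text(const uint8_t *wire, size_t wire_len,
                      char *out, size_t out_size)
{
    size_t pos = 0, o = 0;
    if (out_size == 0 || wire_len == 0) return -1;
    if (wire[0] == 0) {                    /* root name */
        if (out_size < 2) return -1;
        out[0] = '.'; out[1] = '\0';
        return 1;
    }
    while (pos < wire_len) {
        size_t len = wire[pos++];
        if (len == 0) break;               /* terminating root label */
        if (len > 63 || pos + len > wire_len) return -1;   /* malformed */
        for (size_t i = 0; i < len; i++) {
            unsigned char c = wire[pos + i];
            size_t remaining = out_size - o;   /* includes room for NUL */
            int n;
            if (c == '.' || c == '\\')
                n = snprintf(out + o, remaining, "\\%c", c);
            else if (c < 0x20 || c > 0x7e)
                n = snprintf(out + o, remaining, "\\%03u", (unsigned)c);
            else
                n = snprintf(out + o, remaining, "%c", c);
            /* snprintf reports the length it wanted; if that does not fit
             * in 'remaining' (including the NUL), stop instead of overflowing */
            if (n < 0 || (size_t)n >= remaining) return -1;
            o += (size_t)n;
        }
        pos += len;
        if (o + 1 >= out_size) return -1;  /* need room for '.' and NUL */
        out[o++] = '.';
    }
    out[o] = '\0';
    return (int)o;
}
```

Sizing the output buffer from the wire length alone is not enough, since each byte may expand to four characters; checking the return value at every write is what keeps the terminating NUL inside the buffer.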

@bsdb0y

bsdb0y commented May 3, 2021

Thanks, I have confirmed that 23d6248 fixed the issue.
No information is needed from my side.
Please let me know so we can close the issue.

wtoorop added a commit that referenced this issue Jun 29, 2021

k0ekk0ek commented Dec 2, 2022

Hi @bsdb0y! It seems this issue can be closed as the fix is merged. If you have any questions, feel free to reopen. Thanks for reporting!

@k0ekk0ek k0ekk0ek closed this as completed Dec 2, 2022