
libevent dns remote stack overread vulnerability #317

Closed
@asn-d6

Description

Hello,

the name_parse() function in libevent's DNS code is vulnerable to a buffer overread.

```c
        /* Insert a '.' separator between labels, checked against the output buffer. */
        if (cp != name_out) {
            if (cp + 1 >= end) return -1;
            *cp++ = '.';
        }
        /* Only the output buffer is checked here; label_len is never compared
           against the length of the packet before the copy. */
        if (cp + label_len >= end) return -1;
        memcpy(cp, packet + j, label_len);
        cp += label_len;
        j += label_len;
```

No check is made against length before the memcpy occurs.

This was found through the Tor bug bounty program and the discovery should be credited to 'Guido Vranken'.
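As an added illustration (not libevent's code and not part of this report), the following is a minimal label-copy loop of the same shape as the quoted snippet, with the packet-length check the issue describes as missing put in front of the memcpy. The function name `dns_name_parse`, the `packet_len` parameter and the two sample packets are assumptions constructed for this example; compression pointers are rejected rather than followed, to keep the example short.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Added example, not libevent's code. Parse a DNS name made of
 * length-prefixed labels starting at packet[*idx] into name_out.
 * Every read from the packet is checked against packet_len, so a label
 * whose declared length runs past the end of the packet is rejected
 * instead of being read from beyond the buffer. Compression pointers
 * (top two bits of the length byte set) are not supported here. */
int dns_name_parse(const unsigned char *packet, size_t packet_len,
                   size_t *idx, char *name_out, size_t name_out_len)
{
    size_t j = *idx;
    char *cp = name_out;
    char *end = name_out + name_out_len;

    for (;;) {
        if (j >= packet_len) return -1;       /* the length byte itself must exist */
        unsigned int label_len = packet[j++];
        if (label_len == 0) break;            /* root label terminates the name */
        if (label_len & 0xC0) return -1;      /* compression pointer: unsupported */

        /* The check the issue reports as missing: the whole label must lie
         * inside the packet before any of its bytes are copied out. */
        if (label_len > packet_len - j) return -1;

        if (cp != name_out) {
            if (cp + 1 >= end) return -1;     /* room for the '.' separator */
            *cp++ = '.';
        }
        if (cp + label_len >= end) return -1; /* room for the label and the NUL */
        memcpy(cp, packet + j, label_len);
        cp += label_len;
        j += label_len;
    }
    if (cp >= end) return -1;
    *cp = '\0';
    *idx = j;
    return 0;
}

/* Constructed sample packets (not captured traffic). */
static const unsigned char good_pkt[] =
    { 3, 'w', 'w', 'w', 7, 'e', 'x', 'a', 'm', 'p', 'l', 'e', 0 };
/* Claims a 7-byte label but only 3 bytes follow it. */
static const unsigned char truncated_pkt[] =
    { 3, 'w', 'w', 'w', 7, 'e', 'x', 'a' };

/* Returns 1 when the well-formed packet decodes to "www.example". */
int example_well_formed(void)
{
    char out[64];
    size_t idx = 0;
    if (dns_name_parse(good_pkt, sizeof good_pkt, &idx, out, sizeof out) != 0)
        return 0;
    return strcmp(out, "www.example") == 0 && idx == sizeof good_pkt;
}

/* Returns the parser's verdict on the truncated packet (-1 expected). */
int example_truncated(void)
{
    char out[64];
    size_t idx = 0;
    return dns_name_parse(truncated_pkt, sizeof truncated_pkt, &idx, out, sizeof out);
}

/* Returns the verdict when name_out is too small for the name (-1 expected). */
int example_small_output(void)
{
    char out[8];
    size_t idx = 0;
    return dns_name_parse(good_pkt, sizeof good_pkt, &idx, out, sizeof out);
}

int main(void)
{
    printf("well-formed ok: %d\n", example_well_formed());
    printf("truncated verdict: %d\n", example_truncated());
    printf("small output verdict: %d\n", example_small_output());
    return 0;
}
```

The point of the example is that the output-buffer check (`cp + label_len >= end`) and the input-buffer check (`label_len > packet_len - j`) guard different buffers; the quoted snippet has only the former, so a response whose last label claims more bytes than remain in the datagram makes memcpy read beyond the received data.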
