FIXED: Out of bounds read #19

Closed
MegaManSec opened this Issue Aug 25, 2015 · 2 comments


Hi.

In ParseMaraRc.c in the dvar_raw() function,

    if(index < 0 || index > DKEYCOUNT)
        return 0;
    return dvar[index];

However, dvar is defined as
mhash *dvar[DKEYCOUNT];

Therefore, if index == DKEYCOUNT, a buffer overflow will happen.

samboy added a commit that referenced this issue Aug 26, 2015

Fixing two buffer overflows:

#19 is non-exploitable, since index will never be DKEYCOUNT in production code

#20 would only be exploitable if

1) An attacker controls one’s mararc file (at this point, the attacker
   would probably need to already be root)
2) The memory location two pointers below the beginning of dvar is set
   to zero

This is not serious enough for me to make a 2.0.13 MaraDNS release, but
2.0.13 will have the fix, along with a note that a minor security
problem has been fixed.

Thanks for the bug reports.
Owner

samboy commented Aug 26, 2015

As it turns out, this buffer overflow is non-exploitable, but, of course, anything like this is worth fixing. Closing.

@samboy samboy closed this Aug 26, 2015

Owner

samboy commented Aug 26, 2015

In more detail: All of the functions which call dvar_raw in production code (not the tests which were only run by myself when I made this code back in 2001) use dq_keyword2n to determine the value to give the argument, and dq_keyword2n will never return DKEYCOUNT (it will return -2 or a number between 0 and DKEYCOUNT - 1).
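The following is an added example, not MaraDNS code, that models both the off-by-one in the bounds check from the original report and samboy's explanation of why the production call path never reaches it. The `mhash` type, the `DKEYCOUNT` value, the keyword table and the `keyword2n` function are all constructed stand-ins for the real `ParseMaraRc.c` definitions; the only thing taken from the page is the shape of the two checks (`> DKEYCOUNT` versus `>= DKEYCOUNT`) and the contract that the keyword lookup returns -2 or a slot in `0 .. DKEYCOUNT - 1`.

```c
#include <stddef.h>
#include <string.h>

/* Constructed stand-in for MaraDNS's mhash; the real type holds a hash table. */
typedef struct { const char *label; } mhash;

/* Constructed table size; the real DKEYCOUNT is larger. */
#define DKEYCOUNT 4

/* Constructed keyword names standing in for the real mararc keywords. */
static const char *keywords[DKEYCOUNT] = {
    "keyword_a", "keyword_b", "keyword_c", "keyword_d"
};

/* Valid slots are 0 .. DKEYCOUNT-1, exactly as in the original declaration
 * `mhash *dvar[DKEYCOUNT];`.  dvar[DKEYCOUNT] is one past the end. */
static mhash dvar_storage[DKEYCOUNT] = { {"a"}, {"b"}, {"c"}, {"d"} };
static mhash *dvar[DKEYCOUNT] = {
    &dvar_storage[0], &dvar_storage[1], &dvar_storage[2], &dvar_storage[3]
};

/* Models the contract samboy describes for dq_keyword2n: -2 for an unknown
 * keyword, otherwise a slot in 0 .. DKEYCOUNT-1, never DKEYCOUNT itself. */
static int keyword2n(const char *key) {
    for (int i = 0; i < DKEYCOUNT; i++)
        if (strcmp(keywords[i], key) == 0)
            return i;
    return -2;
}

/* The check as reported: index == DKEYCOUNT passes and would read past the
 * array.  Only the predicate is modelled here; nothing is dereferenced. */
static int buggy_check_passes(int index) {
    return !(index < 0 || index > DKEYCOUNT);
}

/* Corrected check: the last valid slot is DKEYCOUNT - 1. */
static int fixed_check_passes(int index) {
    return !(index < 0 || index >= DKEYCOUNT);
}

/* dvar_raw with the corrected check; dereferences only in-range slots. */
static mhash *dvar_raw_fixed(int index) {
    if (!fixed_check_passes(index))
        return 0;
    return dvar[index];
}

/* Returns 1 when every index keyword2n can produce is accepted or rejected
 * identically by both checks, i.e. the off-by-one is unreachable through the
 * keyword-lookup call path, which is the argument made in the comment above. */
static int call_path_unaffected(void) {
    int n = keyword2n("no_such_keyword");
    if (buggy_check_passes(n) != fixed_check_passes(n))
        return 0;
    for (int i = 0; i < DKEYCOUNT; i++) {
        n = keyword2n(keywords[i]);
        if (buggy_check_passes(n) != fixed_check_passes(n))
            return 0;
    }
    return 1;
}
```

The two predicates differ for exactly one input, `DKEYCOUNT`, which is why a caller that can only supply `-2` or `0 .. DKEYCOUNT - 1` is unaffected, while any other caller (the old test code, or a future one) would trip the read past the end. Checking `>=` against the array length is the general rule for any `type arr[N]` lookup.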

@samboy samboy changed the title from Out of bounds read to FIXED: Out of bounds read May 6, 2016

Repository owner locked and limited conversation to collaborators May 21, 2016
