#19 is non-exploitable, since index will never be DKEYCOUNT in production code.

#20 would only be exploitable if:

1) An attacker controls one’s mararc file (at this point, the attacker would probably need to already be root)
2) The memory location two pointers below the beginning of dvar is set to zero

This is not serious enough for me to make a 2.0.13 MaraDNS release, but 2.0.13 will have the fix, along with a note that a minor security problem has been fixed. Thanks for the bug reports.

In more detail: All of the functions which call dvar_raw in production code (not the tests which were only run by myself when I made this code back in 2001) use dq_keyword2n to determine the value to give the argument, and dq_keyword2n will never return DKEYCOUNT (it will return -2 or a number between 0 and DKEYCOUNT - 1).