
FIXED: Out of bounds read #19

MegaManSec opened this issue Aug 25, 2015 · 2 comments


@MegaManSec MegaManSec commented Aug 25, 2015


In ParseMaraRc.c in the dvar_raw() function,

    if(index < 0 || index > DKEYCOUNT)
        return 0;
    return dvar[index];

However, dvar is defined as
mhash *dvar[DKEYCOUNT];

Therefore, if index == DKEYCOUNT, a buffer overflow will happen.
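The off-by-one in the bound check, shown as an added example alongside the corrected form (this is illustrative code written for this page, not MaraDNS' own source; DKEYCOUNT, the mhash type, the dvar contents and the keyword table are constructed stand-ins, and keyword2n_model only mimics the return contract described for dq_keyword2n):

```c
#include <stddef.h>
#include <string.h>

/* Constructed stand-ins for the MaraDNS types; not the project's own code. */
#define DKEYCOUNT 4
typedef struct { const char *value; } mhash;

static mhash sample[DKEYCOUNT];   /* constructed backing entries */
static mhash *dvar[DKEYCOUNT] = { &sample[0], &sample[1], &sample[2], &sample[3] };

/* Original bound check from the report: `index > DKEYCOUNT` still accepts
   index == DKEYCOUNT, which is one element past the end of dvar. */
int dvar_raw_check_original(int index) {
    if (index < 0 || index > DKEYCOUNT)
        return 0;   /* rejected */
    return 1;       /* accepted: the real function would read dvar[index] */
}

/* Corrected bound check: the last valid index is DKEYCOUNT - 1. */
int dvar_raw_check_fixed(int index) {
    if (index < 0 || index >= DKEYCOUNT)
        return 0;
    return 1;
}

/* Lookup built on the corrected check; NULL for any out-of-range index. */
mhash *dvar_raw_fixed(int index) {
    if (!dvar_raw_check_fixed(index))
        return NULL;
    return dvar[index];
}

/* Constructed model of the keyword-to-index lookup the maintainer describes:
   -2 for an unknown keyword, otherwise 0..DKEYCOUNT-1, never DKEYCOUNT. */
int keyword2n_model(const char *keyword) {
    static const char *keys[DKEYCOUNT] = {
        "sample_key_a", "sample_key_b", "sample_key_c", "sample_key_d"  /* constructed */
    };
    for (int i = 0; i < DKEYCOUNT; i++)
        if (strcmp(keyword, keys[i]) == 0)
            return i;
    return -2;
}
```

Because every production caller feeds dvar_raw() a value from the keyword lookup, the one-past-the-end index is only reachable from code that passes a raw integer, which is why the fixed comparison is a hardening change rather than a remotely triggerable fault.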

samboy added a commit that referenced this issue Aug 26, 2015
#19 is non-exploitable, since
index will never be DKEYCOUNT in production code

#20 would only be exploitable

1) An attacker controls one’s mararc file (at this point, the attacker
   would probably need to already be root)
2) The memory location two pointers below the beginning of dvar is set
   to zero

This is not serious enough for me to make a 2.0.13 MaraDNS release, but
2.0.13 will have the fix, along with a note that a minor security
problem has been fixed.

Thanks for the bug reports.

@samboy samboy commented Aug 26, 2015

As it turns out, this buffer overflow is non-exploitable, but, of course, anything like this is worth fixing. Closing.

@samboy samboy closed this Aug 26, 2015

@samboy samboy commented Aug 26, 2015

In more detail: All of the functions which call dvar_raw in production code (not the tests, which were only run by myself when I made this code back in 2001) use dq_keyword2n to determine the value to give the argument, and dq_keyword2n will never return DKEYCOUNT (it will return -2 or a number between 0 and DKEYCOUNT - 1).

@samboy samboy changed the title Out of bounds read FIXED: Out of bounds read May 6, 2016
Repository owner locked and limited conversation to collaborators May 21, 2016