FIXED: Incorrect error checking (negative array read) #20
added a commit
Aug 26, 2015
The exploit vector requires the attacker to control a mararc file, a file usually only edited by root, and requires whatever memory location two pointers before the beginning of dvar to be precisely zero, which should be unlikely.
I’ve fixed this, but this isn’t serious enough for me to waste two to three hours making a new MaraDNS release, especially since I just made a release last week.
I just checked, and, yes, MaraDNS 1.0.00 from 2002 has this particular bug. Most of the things like this people are finding these days come from the 2001-2002 codebase; I wrote too much code too quickly because there was a hurry to have an open-source DNS server that wasn’t BIND at the time.
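The class of bug named in the issue title, as an added example that is not MaraDNS code and not part of the comment above: a lookup's negative error code slips past an incomplete check and is used as an index, so the result depends on whatever sits before the array. The keyword table, the `-2` error value, the function names and the two guard slots in front of `dvar` are all constructed for illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define N_KEYS 3
#define ERR_UNKNOWN (-2)               /* constructed error code */

/* Constructed sample keyword table (assumption, not the project's list). */
static const char *keys[N_KEYS] = { "bind_address", "chroot_dir", "maxprocs" };

/* Two guard slots model the memory "two pointers before dvar". Keeping
 * them in the same object makes the negative read well-defined here. */
static const char *storage[2 + N_KEYS];
static const char **dvar = storage + 2;

/* Map a keyword to its index in dvar, or a negative error code. */
static int keyword2idx(const char *kw) {
    for (int i = 0; i < N_KEYS; i++)
        if (strcmp(kw, keys[i]) == 0) return i;
    return ERR_UNKNOWN;
}

/* Flawed: tests a single error value, so -2 falls through and dvar[-2]
 * is read. Returns -1 on error, 0 if the variable is unset, 1 if set. */
static int is_set_flawed(const char *kw) {
    int idx = keyword2idx(kw);
    if (idx == -1) return -1;          /* incorrect error check */
    return dvar[idx] != NULL;          /* negative array read */
}

/* Checked: reject every index outside [0, N_KEYS) before indexing. */
static int is_set_checked(const char *kw) {
    int idx = keyword2idx(kw);
    if (idx < 0 || idx >= N_KEYS) return -1;
    return dvar[idx] != NULL;
}

int main(void) {
    /* Guard slot is zero: the flawed check reports an unknown keyword
     * as a valid, unset variable instead of an error. */
    printf("flawed=%d checked=%d\n",
           is_set_flawed("no_such_key"), is_set_checked("no_such_key"));
    storage[0] = "junk";               /* neighbouring memory changes */
    printf("flawed=%d checked=%d\n",
           is_set_flawed("no_such_key"), is_set_checked("no_such_key"));
    return 0;
}
```

The flawed function's answer for the unknown keyword changes with the guard slot's contents, while the range-checked version always reports an error.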