Multiple NULL pointer dereferences #73

Open
fcambus opened this issue May 17, 2019 · 0 comments
fcambus commented May 17, 2019

I found two occurrences of NULL pointer dereferences when fuzzing validns with American Fuzzy Lop.

1. The first occurrence happens in the name2findable_name() function, and can be triggered with the following input:

```
arpa                    86400   IN      SOA     a.root-servers.net. nstld.verisign-grs.com. 2019021500 1800 900 604800 86400
arpa.                   86400   IN      RRSIG   SOA 8 1 86400 20190228000000 20190214230000 49906 arpa. Qot7qHAA2QhNmAz3oJUIGmxGJrKnWsIzEvZ92R+LV03K7YTFozio2U7Z534RZBhc0UJvlF1YenrbM6ugmF0z55CJD9JY7cFicalFPOkIuWslSl62vuIWHLwN5sA7VZ0ooVN2ptQpPHDa3W/9OPJRF0YqjBBBwD7IiL7V560rbXM=
```

With the above input, the following call to strlen(3) in rr.c L137 results in a NULL pointer dereference because 's' ends up being NULL:

```c
static unsigned char *name2findable_name(char *s)
{
    int l = strlen(s);   /* rr.c L137: s is NULL for the input above */
```

2. The second occurrence happens in the nsec_validate_pass2() function, and can be triggered with the following input:

```
arpa.                   86400   IN      SOA     a.root-servers.net. nstld.verisign-grs.com. 2019021500 1800 900 604800 86400
arpa.                   86400   IN      NSEC    a
```

With the above input, the following call to strcasecmp(3) in rr.c L788 results in a NULL pointer dereference because 'rr->next_domain' ends up being NULL:

```c
if (strcasecmp(rr->next_domain, zone_apex) == 0) {   /* rr.c L788: next_domain is NULL here */
```
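Both crash sites share one pattern: a name field that can legitimately be left NULL after a failed or partial parse is handed straight to a libc string function, and strlen(3) and strcasecmp(3) both dereference their arguments unconditionally. The following is an added example, not validns code and not part of fcambus's report. It is a stand-alone C program with NULL-tolerant counterparts of the two calls quoted above, returning an error code instead of crashing. `struct rr_nsec`, `name2findable_name_safe`, `nsec_validate_pass2_safe`, `count_unvalidatable` and the `CHECK_*` codes are all hypothetical names chosen for this example; the real validns `name2findable_name()` builds a different canonical form, and the lowercase-and-strip-dot transform here is an assumed stand-in so the function has something to return. The records in `main()` are constructed to mirror the shape of the two triggering inputs.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <strings.h>

/* Hypothetical, reduced resource-record struct for this example. In validns the
 * parsed name fields live in a much larger struct; the point here is only that
 * either pointer can be NULL after a failed or partial parse. */
struct rr_nsec {
    const char *name;        /* owner name, NULL if it could not be resolved */
    const char *next_domain; /* NSEC "next domain" field, NULL if not parsed */
};

/* Result codes for the hardened checks (hypothetical). */
enum check_result {
    CHECK_OK = 0,
    CHECK_POINTS_TO_APEX = 1, /* next_domain equals the zone apex (chain's last record) */
    CHECK_MISSING_FIELD = -1  /* a required name was NULL: report, don't crash */
};

/* NULL-tolerant counterpart of the first crash site. strlen(NULL) is undefined
 * behaviour; the guard turns it into a NULL return the caller must handle.
 * The canonical form produced here (lowercase, trailing dot removed) is an
 * assumption for this example, not validns's real transform.
 * Returns a malloc'd buffer the caller frees, or NULL. */
unsigned char *name2findable_name_safe(const char *s)
{
    if (s == NULL)
        return NULL;                       /* was: int l = strlen(s); */
    size_t l = strlen(s);
    if (l > 0 && s[l - 1] == '.')
        l--;                               /* drop the trailing root dot */
    unsigned char *out = malloc(l + 1);
    if (out == NULL)
        return NULL;
    for (size_t i = 0; i < l; i++)
        out[i] = (unsigned char)tolower((unsigned char)s[i]);
    out[l] = '\0';
    return out;
}

/* NULL-tolerant counterpart of the second crash site. strcasecmp(NULL, ...)
 * dereferences NULL just as strlen does, so both pointers are checked first. */
int nsec_validate_pass2_safe(const struct rr_nsec *rr, const char *zone_apex)
{
    if (rr == NULL || rr->next_domain == NULL || zone_apex == NULL)
        return CHECK_MISSING_FIELD;
    if (strcasecmp(rr->next_domain, zone_apex) == 0)
        return CHECK_POINTS_TO_APEX;
    return CHECK_OK;
}

/* Run the pass-2 check over a whole zone and count the records the unguarded
 * code would have crashed on. Returns the number of records with a NULL field. */
size_t count_unvalidatable(const struct rr_nsec *rrs, size_t n, const char *zone_apex)
{
    size_t missing = 0;
    for (size_t i = 0; i < n; i++)
        if (nsec_validate_pass2_safe(&rrs[i], zone_apex) == CHECK_MISSING_FIELD)
            missing++;
    return missing;
}

int main(void)
{
    /* Constructed records shaped like the report's inputs: the second NSEC's
     * next_domain was never filled in, which is the state the report says
     * reached strcasecmp() in the unguarded pass. */
    const struct rr_nsec zone[] = {
        { "arpa.", "a.arpa." },
        { "arpa.", NULL },
    };
    const size_t n = sizeof zone / sizeof zone[0];
    const char *apex = "arpa.";

    unsigned char *fn = name2findable_name_safe(NULL);
    printf("name2findable_name_safe(NULL) -> %s\n", fn ? (char *)fn : "NULL (reported, not crashed)");
    free(fn);

    fn = name2findable_name_safe("Arpa.");
    printf("name2findable_name_safe(\"Arpa.\") -> %s\n", fn ? (char *)fn : "NULL");
    free(fn);

    size_t bad = count_unvalidatable(zone, n, apex);
    printf("%zu of %zu NSEC records could not be validated\n", bad, n);
    return bad ? 1 : 0;
}
```

The guards are deliberately placed at the consumer, not only in the parser: a validator fed by a fuzzer will keep meeting inputs that leave a record half-populated, and every later pass that touches a name field has to treat NULL as "this record failed earlier", not as data.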