Does the CVE-2011-1910 vulnerability affect the BIND 9.7.0-P2?

Chris Thompson cet1 at cam.ac.uk
Fri Jun 10 14:40:49 UTC 2011


On Jun 10 2011, Adam Tkac wrote:

>Hello Chris,
>
>that was too short cut from ncache.c.
>
>9.7.0* contains:
>
>          /*
>           * Copy the type to the buffer.
>           */
>          isc_buffer_availableregion(&buffer,
>                                     &r);
>          if (r.length < 2)
>                  return (ISC_R_NOSPACE);
>          isc_buffer_putuint16(&buffer,
>                               rdataset->type);
>          /*
>           * Copy the rdataset into the buffer.
>           */
>
>which is correct, you checked there are at least two bytes in the buffer
>and then copy uint16 (which has 2 bytes) there.
>
>However affected 9.7.3 contains:
>
>          /*
>           * Copy the type to the buffer.
>           */
>          isc_buffer_availableregion(&buffer,
>                                     &r);
>          if (r.length < 2)
>                  return (ISC_R_NOSPACE);
>          isc_buffer_putuint16(&buffer,
>                               rdataset->type);
>          isc_buffer_putuint8(&buffer,
>                 (unsigned char)rdataset->trust);
>          /*
>           * Copy the rdataset into the buffer.
>           */
>
>Notice that now you are copying three bytes (uint16 + uint8) but you
>only checked there is place for two bytes, which is the bug.

Yes - I really should have seen that! And of course, when I look back
at what my source at ISC (sorry, Evan) *actually* said, those lines
*were* all included.

-- 
Chris Thompson
Email: cet1 at cam.ac.uk
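An added illustration of the mismatch Adam describes, not BIND's code: it models the quoted ncache.c sequence with a toy buffer whose names (demo_buffer_t, demo_available, encode_type_trust_*) are constructed stand-ins for isc_buffer_t and its helpers. The byte-append primitive is guarded so that an overrun is counted rather than performed, which lets the 2-byte check followed by a 3-byte write be observed safely next to a check sized to what is actually written.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed stand-ins for ISC result codes (hypothetical names). */
typedef enum { DEMO_R_SUCCESS = 0, DEMO_R_NOSPACE = 1 } demo_result_t;

/* Toy output buffer: backing storage, capacity, bytes used so far, and a
 * counter of writes refused because they would have run past the end. */
typedef struct {
    uint8_t *base;
    size_t   length;
    size_t   used;
    int      overrun;
} demo_buffer_t;

/* Free space, the role isc_buffer_availableregion() plays in the quoted code. */
static size_t demo_available(const demo_buffer_t *b) {
    return b->length - b->used;
}

/* Single-byte append. Guarded here so the demo never writes out of bounds:
 * an overrun is counted instead of performed. */
static void demo_putuint8(demo_buffer_t *b, uint8_t v) {
    if (b->used >= b->length) {
        b->overrun++;
        return;
    }
    b->base[b->used++] = v;
}

/* Big-endian 16-bit append, as isc_buffer_putuint16() does. */
static void demo_putuint16(demo_buffer_t *b, uint16_t v) {
    demo_putuint8(b, (uint8_t)(v >> 8));
    demo_putuint8(b, (uint8_t)(v & 0xff));
}

/* Shape of the 9.7.3 code in the thread: the check reserves 2 bytes, then
 * type (2 bytes) and trust (1 byte) are both written. */
static demo_result_t encode_type_trust_undersized_check(demo_buffer_t *b,
                                                        uint16_t type, uint8_t trust) {
    if (demo_available(b) < 2)
        return DEMO_R_NOSPACE;
    demo_putuint16(b, type);
    demo_putuint8(b, trust);
    return DEMO_R_SUCCESS;
}

/* Same encoding with the space check covering every byte written after it. */
static demo_result_t encode_type_trust_checked(demo_buffer_t *b,
                                               uint16_t type, uint8_t trust) {
    if (demo_available(b) < 3)
        return DEMO_R_NOSPACE;
    demo_putuint16(b, type);
    demo_putuint8(b, trust);
    return DEMO_R_SUCCESS;
}

typedef demo_result_t (*encoder_fn)(demo_buffer_t *, uint16_t, uint8_t);

typedef struct {
    demo_result_t rc;
    int           overrun;
} demo_outcome_t;

/* Runs one encoder on a fresh buffer with `capacity` free bytes (at most 8) and
 * reports the return code together with how many byte writes were refused. */
static demo_outcome_t run_scenario(encoder_fn enc, size_t capacity) {
    uint8_t storage[8] = {0};
    demo_buffer_t b = { storage, capacity > 8 ? 8 : capacity, 0, 0 };
    /* Constructed sample values: type 1 (A) and an arbitrary trust level. */
    demo_outcome_t out;
    out.rc = enc(&b, 0x0001, 3);
    out.overrun = b.overrun;
    return out;
}

int main(void) {
    demo_outcome_t bad  = run_scenario(encode_type_trust_undersized_check, 2);
    demo_outcome_t good = run_scenario(encode_type_trust_checked, 2);
    printf("undersized check, 2 bytes free: rc=%d overrun=%d\n", bad.rc, bad.overrun);
    printf("correct check,    2 bytes free: rc=%d overrun=%d\n", good.rc, good.overrun);
    return 0;
}
```

With exactly two bytes free, the undersized check reports success while one byte write is refused; the correctly sized check returns NOSPACE and writes nothing, and succeeds only once three bytes are available. The general lesson is that a length check must be recomputed or widened whenever a later change adds bytes to the write sequence it guards.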
