Bugtraq mailing list archives

Re: SNI-12: BIND Vulnerabilities and Solutions


From: pk () TECHFAK UNI-BIELEFELD DE (Peter Koch)
Date: Wed, 23 Apr 1997 09:14:23 +0200


> BIND allows passing of hostnames larger than MAXHOSTNAMELEN in size to
> programs.  As many programs utilize buffers of size MAXHOSTNAMELEN and
> copy the results from a query into these buffers, an overflow can occur.
> This can allow an attacker to execute arbitrary commands on a remote
> server in a worst case scenario.

You are fixing the wrong problem here. MAXHOSTNAMELEN MUST NOT be used to
estimate the length of a domain name returned by gethostby*(). Its sole
purpose is to give the size of gethostname()'s return buffer.

MAXHOSTNAMELEN is OS dependent, while the maximum length of a domain name
(and yes, also a host name) is set to 255 per RFC 1123, section 2.1:

      Host software MUST handle host names of up to 63 characters and
      SHOULD handle host names of up to 255 characters.

DO NOT destroy the resolver by applying this patch. There are some systems,
e.g. AIX 3.2.5, which still have MAXHOSTNAMELEN at 32, so even if it works it
will do more harm than good.

-Peter
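The buffer-sizing issue the thread argues over, as an added example in C (not code from Peter Koch's post, the SNI advisory, or BIND). It constructs a 255-character host name of the kind a resolver could hand back in h_name (no lookup is performed; the name and the struct hostent are built locally), then shows the check a caller needs when copying that name. DNS_NAME_MAX = 255 is taken from the RFC 1123 text quoted above; the fallback value for MAXHOSTNAMELEN and the helper names are assumptions of this example only.

```c
#include <stdio.h>
#include <string.h>
#include <netdb.h>          /* struct hostent */
#include <sys/socket.h>     /* AF_INET */
#include <sys/param.h>      /* MAXHOSTNAMELEN on most Unix systems */

/* Assumed for this example: RFC 1123 sec. 2.1 says software SHOULD handle
 * host names of up to 255 characters, so a buffer needs 255 + a NUL. */
#define DNS_NAME_MAX 255
#define DNS_NAME_BUF (DNS_NAME_MAX + 1)

#ifndef MAXHOSTNAMELEN
#define MAXHOSTNAMELEN 64   /* assumed fallback where <sys/param.h> lacks it */
#endif

/* Constructed sample: four 63-character labels joined by dots, 255 bytes in
 * total. This stands in for the h_name a resolver might return. */
static const char *sample_long_name(void)
{
    static char name[DNS_NAME_BUF];
    size_t pos = 0;
    int label;

    for (label = 0; label < 4; label++) {
        if (label)
            name[pos++] = '.';
        memset(name + pos, 'a' + label, 63);
        pos += 63;
    }
    name[pos] = '\0';   /* pos == 255 */
    return name;
}

/* A struct hostent as gethostbyname() would fill it (constructed data). */
struct hostent sample_hostent(void)
{
    struct hostent he;
    memset(&he, 0, sizeof he);
    he.h_name = (char *)sample_long_name();
    he.h_addrtype = AF_INET;
    he.h_length = 4;
    return he;
}

/* The question the vulnerable callers never asked: does this name fit in a
 * fixed buffer of buflen bytes (including the NUL)? Returns 1 if it fits. */
int fits_fixed_buffer(const char *name, size_t buflen)
{
    return strlen(name) < buflen;
}

/* Checked copy: the destination is sized from the protocol limit, not from
 * the OS-dependent MAXHOSTNAMELEN, and the length is still verified rather
 * than trusted. Returns 0 on success, -1 if the name does not fit. */
int copy_hostname(char *dst, size_t dstlen, const char *src)
{
    size_t n = strlen(src);
    if (n >= dstlen) {
        if (dstlen)
            dst[0] = '\0';
        return -1;
    }
    memcpy(dst, src, n + 1);
    return 0;
}

int main(void)
{
    struct hostent he = sample_hostent();
    char os_sized[MAXHOSTNAMELEN];   /* the buffer the advisory describes */
    char rfc_sized[DNS_NAME_BUF];    /* the buffer the reply argues for */

    printf("h_name is %zu bytes, MAXHOSTNAMELEN here is %d\n",
           strlen(he.h_name), MAXHOSTNAMELEN);
    printf("fits MAXHOSTNAMELEN buffer: %d\n",
           fits_fixed_buffer(he.h_name, sizeof os_sized));
    printf("checked copy into MAXHOSTNAMELEN buffer: %d\n",
           copy_hostname(os_sized, sizeof os_sized, he.h_name));
    printf("checked copy into 256-byte buffer: %d\n",
           copy_hostname(rfc_sized, sizeof rfc_sized, he.h_name));
    return 0;
}
```

On a system where MAXHOSTNAMELEN is 64 (or 32, as the reply says of AIX 3.2.5) the first copy is refused; with a 256-byte buffer it succeeds. An unchecked strcpy() into os_sized is the overflow the advisory describes, and no choice of MAXHOSTNAMELEN fixes it, since the value is a property of the OS rather than of the name the resolver returns.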
