Bugtraq mailing list archives

Re: nslookup issues


From: peak () kerberos troja mff cuni cz (Pavel Kankovsky)
Date: Wed, 2 Sep 1998 11:43:38 +0200


BTW: nslookup can't grok big DNS responses and often crashes when it
gets one because it *reads* (1) beyond the end of its buffer.

Just a little funny excerpt from GetAnswer (getinfo.c):

    status = SendRequest(nsAddrPtr, msg, msglen, (char *) &answer,
                            sizeof(answer), &n);
    ...
    eom = (u_char *) &answer + n;

(n is the FULL size of the response, n > sizeof(answer) if the response
was truncated because it did not fit into the buffer, which is 1kB long
in nslookup)

Moreover, a lot of code in getinfo.c and debug.c does not care much
about the end of the buffer (even if it gets it right). Check the diffs
between bind 4.9.6 and bind 4.9.7 and you'll see they have fixed lots
of bugs of this kind in named. (Hmm, I should look at bind 8.)

This is the software supposed to keep the Internet running.
It's scary.

--Pavel Kankovsky aka Peak  [ Boycott Microsoft--http://www.vcnet.com/bms ]
"You can't be truly paranoid unless you're sure they have already got you."


(1) I don't guarantee it is impossible to abuse it
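The buffer-end problem the post describes, as an added example in C that is not the original nslookup code: a simulated SendRequest that reports the full reply length in n while copying only what fits into the 1 kB answer buffer, the original eom = answer + n computation measured as an overshoot past the buffer, and the hardened form that clamps eom to the bytes actually present and bounds-checks every read. The 1 kB buffer size is taken from the post; the simulated SendRequest behaviour, the 12-byte DNS header walk and the sample reply contents are constructed assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <stdio.h>

#define ANSWER_BUF_SIZE 1024   /* nslookup's 1 kB answer buffer (from the post) */
#define DNS_HDR_LEN 12         /* ID, FLAGS, QDCOUNT, ANCOUNT, NSCOUNT, ARCOUNT */

/* Constructed stand-in for SendRequest(): the reply is copied into the
 * caller's buffer, truncated to bufsize, but *n reports the FULL reply
 * length, which is the behaviour the post describes. */
static void send_request_sim(const unsigned char *reply, size_t reply_len,
                             unsigned char *buf, size_t bufsize, size_t *n)
{
    size_t copy = reply_len < bufsize ? reply_len : bufsize;
    memcpy(buf, reply, copy);
    *n = reply_len;
}

/* The original computation, eom = answer + n, measured as an offset so we
 * never form an out-of-bounds pointer: returns how many bytes past the real
 * end of the buffer that eom would point. */
size_t unchecked_overshoot(size_t reply_len)
{
    unsigned char answer[ANSWER_BUF_SIZE];
    unsigned char reply[4096] = {0};
    size_t n;
    if (reply_len > sizeof reply) reply_len = sizeof reply;
    send_request_sim(reply, reply_len, answer, sizeof answer, &n);
    return n > sizeof answer ? n - sizeof answer : 0;
}

/* Hardened form: eom never exceeds the bytes actually in the buffer, and the
 * caller learns that the reply was cut short. */
static const unsigned char *eom_clamped(const unsigned char *buf, size_t bufsize,
                                        size_t n, int *truncated)
{
    *truncated = n > bufsize;
    return buf + (n < bufsize ? n : bufsize);
}

/* Every multi-byte read checks the remaining length before dereferencing. */
static int read_u16(const unsigned char **cp, const unsigned char *eom,
                    uint16_t *out)
{
    if ((size_t)(eom - *cp) < 2) return -1;
    *out = (uint16_t)(((*cp)[0] << 8) | (*cp)[1]);
    *cp += 2;
    return 0;
}

/* Builds a constructed reply of reply_len bytes whose header says QDCOUNT=1,
 * runs it through the simulated SendRequest, clamps eom and parses the
 * header with bounds checks. Returns 0 on success (filling qdcount and
 * truncated), -1 if the bytes present do not cover the 12-byte header. */
int parse_header_safe(size_t reply_len, uint16_t *qdcount, int *truncated)
{
    unsigned char reply[4096];
    unsigned char answer[ANSWER_BUF_SIZE];
    size_t n;
    const unsigned char *cp, *eom;
    uint16_t field;
    int i;

    if (reply_len > sizeof reply) reply_len = sizeof reply;
    memset(reply, 0xAB, sizeof reply);   /* constructed filler for record data */
    memset(reply, 0, DNS_HDR_LEN);
    reply[4] = 0; reply[5] = 1;           /* QDCOUNT = 1 */

    send_request_sim(reply, reply_len, answer, sizeof answer, &n);
    eom = eom_clamped(answer, sizeof answer, n, truncated);
    cp = answer;
    for (i = 0; i < DNS_HDR_LEN / 2; i++) {
        if (read_u16(&cp, eom, &field) != 0) return -1;
        if (i == 2) *qdcount = field;
    }
    return 0;
}

/* Small wrappers so each result is a single return value. */
int truncated_flag(size_t reply_len)
{
    uint16_t qd; int tc;
    return parse_header_safe(reply_len, &qd, &tc) == 0 ? tc : -1;
}

int parsed_qdcount(size_t reply_len)
{
    uint16_t qd; int tc;
    return parse_header_safe(reply_len, &qd, &tc) == 0 ? (int)qd : -1;
}

int main(void)
{
    printf("unchecked eom overshoot for a 1500-byte reply: %zu bytes\n",
           unchecked_overshoot(1500));
    printf("clamped parse: qdcount=%d truncated=%d\n",
           parsed_qdcount(1500), truncated_flag(1500));
    return 0;
}
```

The point of the clamp is that a parser which walks from answer to eom only ever sees bytes that were actually written; a reply longer than the buffer is reported as truncated instead of silently extending the walk past the end of the array.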


