#! /bin/sh /usr/share/dpatch/dpatch-run ## 04-update-smash-fix.dpatch by Philipp Kern ## ## DP: Prevent attackers to smash the heap on DNS updates and fix a ## DP: stack-based off-by-one overflow. @DPATCH@ diff -urNad mydns-1.1.0~/src/mydns/update.c mydns-1.1.0/src/mydns/update.c --- mydns-1.1.0~/src/mydns/update.c 2005-12-18 20:16:41.000000000 +0100 +++ mydns-1.1.0/src/mydns/update.c 2007-04-28 11:14:15.000000000 +0200 @@ -228,6 +228,9 @@ DNS_GET16(rr->class, src); DNS_GET32(rr->ttl, src); DNS_GET16(rr->rdlength, src); + if(rr->rdlength > sizeof rr->rdata) + rr->rdlength = sizeof rr->rdata; + memcpy(rr->rdata, src, rr->rdlength); src += rr->rdlength; @@ -328,19 +331,16 @@ { int n, x; /* Offset in 'data' */ - for (n = 0; src < end && n < datalen; ) + for (n = 0; src < end && n < datalen - 1; ) { int len = *src++; if (n) data[n++] = ' '; - for (x = 0; x < len && src < end && n < datalen; x++) + for (x = 0; x < len && src < end && n < datalen - 1; x++) data[n++] = *src++; if (one_word_only) - { - data[n] = '\0'; - return (src); - } + break; } data[n] = '\0'; return (src);