ports/147007: mDNSResponder resolv.conf parsing has a buffer overflow, also leaks fd
Juli Mallett
jmallett at FreeBSD.org
Wed May 26 05:07:50 UTC 2010
>Number: 147007
>Category: ports
>Synopsis: mDNSResponder resolv.conf parsing has a buffer overflow, also leaks fd
>Confidential: no
>Severity: non-critical
>Priority: low
>Responsible: freebsd-ports-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Wed May 26 05:07:50 UTC 2010
>Closed-Date:
>Last-Modified:
>Originator: Juli Mallett
>Release: 8-STABLE
>Organization:
>Environment:
N/A
>Description:
mdnsd will crash on some systems with a corrupt stack and once that's fixed it will still leak a file descriptor when parsing resolv.conf. The crash is because scanf is used with %10s for a buffer that is only 10 chars long. The buffer size needs increased to 11 chars to hold the trailing NUL. To fix the leak, an fclose needs added.
>How-To-Repeat:
Run mdnsd on an unlucky system.
>Fix:
Apply attached patch in mDNSPosix.
Patch attached with submission follows:
Index: mDNSPosix.c
===================================================================
--- mDNSPosix.c (revision 332)
+++ mDNSPosix.c (revision 333)
@@ -581,7 +581,7 @@
{
char line[256];
char nameserver[16];
- char keyword[10];
+ char keyword[11];
int numOfServers = 0;
FILE *fp = fopen(filePath, "r");
if (fp == NULL) return -1;
@@ -600,6 +600,7 @@
numOfServers++;
}
}
+ fclose(fp);
return (numOfServers > 0) ? 0 : -1;
}
>Release-Note:
>Audit-Trail:
>Unformatted:
More information about the freebsd-ports-bugs
mailing list