ports/147007: mDNSResponder resolv.conf parsing has a buffer overflow, also leaks fd

[Juli Mallett]

>Number:         147007
>Category:       ports
>Synopsis:       mDNSResponder resolv.conf parsing has a buffer overflow, also leaks fd
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    freebsd-ports-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Wed May 26 05:07:50 UTC 2010
>Closed-Date:
>Last-Modified:
>Originator:     Juli Mallett
>Release:        8-STABLE
>Organization:
>Environment:
N/A
>Description:
mdnsd will crash on some systems with a corrupt stack and once that's fixed it will still leak a file descriptor when parsing resolv.conf.  The crash is because scanf is used with %10s for a buffer that is only 10 chars long.  The buffer size needs increased to 11 chars to hold the trailing NUL.  To fix the leak, an fclose needs added.
>How-To-Repeat:
Run mdnsd on an unlucky system.
>Fix:
Apply attached patch in mDNSPosix.

Patch attached with submission follows:

Index: mDNSPosix.c
===================================================================
--- mDNSPosix.c	(revision 332)
+++ mDNSPosix.c	(revision 333)
@@ -581,7 +581,7 @@
 	{
 	char line[256];
 	char nameserver[16];
-	char keyword[10];
+	char keyword[11];
 	int  numOfServers = 0;
 	FILE *fp = fopen(filePath, "r");
 	if (fp == NULL) return -1;
@@ -600,6 +600,7 @@
 			numOfServers++;
 			}
 		}  
+	fclose(fp);
 	return (numOfServers > 0) ? 0 : -1;
 	}
 


>Release-Note:
>Audit-Trail:
>Unformatted: