Bug 125433

Summary: BIND: buffer overflow in inet_network()
Product: Ports & Packages
Reporter: Dennis Yusupoff <denissia>
Component: Individual Port(s)
Assignee: Doug Barton <dougb>
Status: Closed FIXED    
Severity: Affects Only Me    
Priority: Normal    
Version: Latest   
Hardware: Any   
OS: Any   

Description Dennis Yusupoff 2008-07-09 13:30:04 UTC
Description:

An off-by-one error in the inet_network() function in libbind could lead to memory corruption with certain inputs. 

Impact:

Applications linked against libbind which call inet_network() with untrusted inputs could lead to a denial-of-service or potentially code execution.

http://www.isc.org/index.pl?/sw/bind/index.php

Fix: Solution:

Upgrade to 9.3.5, 9.4.3, 9.5.0b2 or later when released. 

Otherwise, apply the patch below to: 

BIND 9: lib/bind/inet/inet_network.c
BIND 8: lib/inet/inet_network.c 


Questions should be addressed to bind9-bugs@isc.org. 
Acknowledgements:
ISC would like to thank Nate Eldredge for reporting this.

Index: inet_network.c
diff -u inet_network.c:1.5 inet_network.c:1.6
--- inet_network.c:1.5	Wed Apr 27 04:56:21 2005
+++ inet_network.c	Tue Jan 15 04:02:01 2008
@@ -84,9 +84,9 @@
 	}
 	if (!digit)
 		return (INADDR_NONE);
+	if (pp >= parts + 4 || val > 0xffU)
+		return (INADDR_NONE);
 	if (*cp == '.') {
-		if (pp >= parts + 4 || val > 0xffU)
-			return (INADDR_NONE);
 		*pp++ = val, cp++;
 		goto again;
 	}
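Review bot: the relocated check `if (pp >= parts + 4 || val > 0xffU)` has no comment saying why it must sit above the `if (*cp == '.')` test, and that placement is the entire fix. Add a one-line comment there so a later cleanup does not fold it back into the dot branch. Since the check now also runs for a part that is not followed by a dot, a final component above 0xff is now rejected with INADDR_NONE as well; that behaviour change deserves a line in the commit log and a regression test covering both an input with more than four parts and an oversized last part.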
Comment 1 Edwin Groothuis freebsd_committer freebsd_triage 2008-07-09 13:32:04 UTC
Responsible Changed
From-To: freebsd-ports-bugs->doughb

Over to maintainer
Comment 2 Edwin Groothuis freebsd_committer freebsd_triage 2008-07-09 22:05:02 UTC
Responsible Changed
From-To: doughb->dougb

Without an H
Comment 3 Doug Barton freebsd_committer freebsd_triage 2008-07-11 20:16:20 UTC
State Changed
From-To: open->closed


The bind94 port does not install libbind, and none of the binaries 
that come with BIND link against it, so this issue is not relevant 
here. 

Also, for the sake of completeness I want to note that this issue was 
addressed in the base libc in r175330, and we do not install 
libbind in the base either. 

In any case, thanks for this report, and your interest in 
keeping FreeBSD more secure.
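
The off-by-one from the report, as an added example: a simplified, decimal-only model written for this page, not BIND's source. It reuses the hunk's names parts, pp and val, and assumes the final part is stored after the loop, which is outside the visible hunk; model_inet_network, MODEL_NONE, the guard slot and the inputs are constructed for illustration.

```c
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>
#define MODEL_NONE 0xffffffffU /* stands in for INADDR_NONE */

/* patched = 0: range check only when a '.' follows (the '-' lines)
 * patched = 1: range check for every part          (the '+' lines)
 * parts[] has a fifth guard slot so a store past parts[3] is recorded
 * in *overran instead of corrupting memory. */
uint32_t model_inet_network(const char *cp, int patched, int *overran)
{
    uint32_t parts[5] = {0}, *pp = parts, *p, val, result = 0;
    int digit;
    *overran = 0;
    for (;;) {
        val = 0, digit = 0;
        while (isdigit((unsigned char)*cp)) {
            val = val * 10 + (uint32_t)(*cp++ - '0');
            digit = 1;
        }
        if (!digit)
            return MODEL_NONE;
        if (patched && (pp >= parts + 4 || val > 0xffU))
            return MODEL_NONE;
        if (*cp != '.')
            break;
        if (!patched && (pp >= parts + 4 || val > 0xffU))
            return MODEL_NONE;
        *pp++ = val;
        cp++;
    }
    if (*cp != '\0')
        return MODEL_NONE;
    if (pp >= parts + 4)
        *overran = 1;   /* the real array would end at parts[3] */
    *pp++ = val;        /* assumed: final store after the loop, outside the hunk */
    if (pp - parts > 4)
        return MODEL_NONE;
    for (p = parts; p < pp; p++)
        result = (result << 8) | (*p & 0xffU);
    return result;
}

int main(void)
{
    int o;
    uint32_t r = model_inet_network("1.2.3.4.5", 0, &o); /* constructed input */
    printf("unpatched: ret=%#x overran=%d\n", (unsigned)r, o);
    return 0;
}
```

With patched = 0 the five-part input still returns the error value, but only after the fifth store has happened; with patched = 1 it is rejected before any store.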