[ntp:security] [Bug 690] Buffer overflow in Windows when doing DNS Lookups

bugzilla at ntp.isc.org
Mon Aug 21 08:45:37 UTC 2006


Additional Comments From burnicki at ntp.org (Martin Burnicki)
Submitted on 2006-08-21 08:45


(In reply to comment #2)
> It turns out that I didn't do this. The code has been this way for a long time
> and was always wrong. This line in do_nodename in ntp_rfc2553.c should be
> changed from
> memcpy(&sockin->sin_addr, hp->h_addr, hp->h_length);
> to
> memcpy(&sockin->sin_addr, hp->h_addr, sizeof(struct in_addr));

The hp->h_length field is also set up in dnslookup.c::DNSlookup_name(166):

addr->h_length = (short) results->lpcsaBuffer->RemoteAddr.iSockAddrLength;

This is the only place in the code where the h_length field is _not_ set to 
sizeof(struct in_addr), so I assume this is the real location of the bug.

Wouldn't it be preferable to fix this one so that the h_length field has the 
correct value, and then leave ntp_rfc2553.c unchanged?

The h_length field could possibly also be used by some other code, which would 
also fail if it contains a wrong value.


Martin Burnicki <burnicki at ntp.org>
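The two fixes discussed in this thread, as an added stand-alone example (not NTP code and not anything from the bug tracker): the Winsock types are replaced by local stand-ins with the same layout (SOCKADDR_IN is 16 bytes, the IPv4 address sits at offset 4), the hostent is reduced to the two fields that matter, the DNS answer is a constructed buffer holding 192.0.2.1, and the function names are hypothetical. A canary placed directly after the sockaddr_in makes the overrun observable without crashing: the memcpy in do_nodename() trusting an h_length of 16 writes 12 bytes past sin_addr and 4 bytes past the structure itself, while either fix (copying sizeof(struct in_addr) in the consumer, or setting h_length correctly in the producer) leaves it intact.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Local stand-ins for the Winsock types so this compiles without Windows
 * headers; the layout matches SOCKADDR_IN (16 bytes, sin_addr at offset 4). */
struct win_in_addr { uint32_t s_addr; };
struct win_sockaddr_in {
    int16_t            sin_family;
    uint16_t           sin_port;
    struct win_in_addr sin_addr;
    char               sin_zero[8];
};

/* The two hostent fields this thread is about (h_addr is h_addr_list[0]). */
struct fake_hostent {
    const unsigned char *h_addr;
    short                h_length;
};

/* Constructed DNS answer: 192.0.2.1 followed by zero filler, sized so the
 * over-long read in the buggy path still stays inside one buffer. */
static const unsigned char answer[32] = { 192, 0, 2, 1 };

/* Destination that do_nodename() fills, followed by a canary that only a copy
 * longer than sin_addr can reach. Writes go through a byte pointer into this
 * single object so the overrun is contained and observable. */
struct target {
    struct win_sockaddr_in sockin;
    uint32_t               canary;
};
#define CANARY 0xDEADBEEFu

/* Producer as shipped: h_length taken from iSockAddrLength, which for IPv4 is
 * the size of the whole SOCKADDR_IN (16), not of the address (4). */
static void lookup_buggy(struct fake_hostent *hp) {
    hp->h_addr   = answer;
    hp->h_length = (short) sizeof(struct win_sockaddr_in);
}

/* Producer with the fix proposed in this comment: h_length is the address length. */
static void lookup_fixed(struct fake_hostent *hp) {
    hp->h_addr   = answer;
    hp->h_length = (short) sizeof(struct win_in_addr);
}

/* The memcpy from do_nodename(), parameterised by the length actually used.
 * Returns 1 if the canary survived, 0 if the copy ran past sin_addr. */
static int do_nodename_copy(struct target *t, const struct fake_hostent *hp, size_t n) {
    unsigned char *base = (unsigned char *) t;
    memset(t, 0, sizeof *t);
    t->canary = CANARY;
    memcpy(base + offsetof(struct target, sockin)
                + offsetof(struct win_sockaddr_in, sin_addr), hp->h_addr, n);
    return t->canary == CANARY;
}

/* 1 if sin_addr ended up holding 192.0.2.1. */
static int address_ok(const struct target *t) {
    static const unsigned char want[4] = { 192, 0, 2, 1 };
    return memcmp(&t->sockin.sin_addr, want, sizeof want) == 0;
}

/* Each path returns 1 when the address is right and nothing past it was touched. */
int path_as_shipped(void) {        /* bad producer, consumer trusts h_length */
    struct fake_hostent hp; struct target t;
    lookup_buggy(&hp);
    return do_nodename_copy(&t, &hp, (size_t) hp.h_length) && address_ok(&t);
}

int path_fix_consumer(void) {      /* comment #2: copy sizeof(struct in_addr) */
    struct fake_hostent hp; struct target t;
    lookup_buggy(&hp);
    return do_nodename_copy(&t, &hp, sizeof(struct win_in_addr)) && address_ok(&t);
}

int path_fix_producer(void) {      /* this comment: correct h_length at its source */
    struct fake_hostent hp; struct target t;
    lookup_fixed(&hp);
    return do_nodename_copy(&t, &hp, (size_t) hp.h_length) && address_ok(&t);
}

int main(void) {
    printf("as shipped:   %s\n", path_as_shipped()   ? "ok" : "OVERFLOW");
    printf("fix consumer: %s\n", path_fix_consumer() ? "ok" : "OVERFLOW");
    printf("fix producer: %s\n", path_fix_producer() ? "ok" : "OVERFLOW");
    return 0;
}
```

The producer-side fix is the one that also protects any other caller that sizes a copy by h_length, which is the point made above; a consumer that wants to defend itself regardless can additionally refuse a hostent whose h_length differs from sizeof(struct in_addr) for an AF_INET record rather than silently copying fewer bytes than the field claims.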
