[ntp:security] [Bug 690] Buffer overflow in Windows when doing DNS Lookups

bugzilla at ntp.isc.org bugzilla at ntp.isc.org
Thu Aug 31 15:07:41 UTC 2006


http://bugs.ntp.isc.org/690


burnicki at ntp.org changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|RESOLVED                    |REOPENED
         Resolution|FIXED                       |


----------------------------------------------------------------------------
Additional Comments From burnicki at ntp.org (Martin Burnicki)
Submitted on 2006-08-31 15:07

Danny,

I've tested the patched version with Purify and now purify complains about a
different piece of code:

[E] BSR: Beyond stack read in do_nodename {1 occurrence}
        Reading 4 bytes from 0x0013def4 (top of stack is at 0x0013e784))
        Address 0x0013def4 points into a thread's stack 
        Address 0x0013def4 is 2436 bytes past the start of local variable 
          'errval' in do_nodename
        Thread ID: 0x108
        Error location
            do_nodename    [d:\ntp\bk\ntp-dev\libntp\ntp_rfc2553.c:417]
                    ai->ai_family = hp->h_addrtype;
                    ai->ai_addrlen = sizeof(struct sockaddr);
                    sockin = (struct sockaddr_in *)ai->ai_addr;
             =>     memcpy(&sockin->sin_addr, hp->h_addr, hp->h_length);
                    ai->ai_addr->sa_family = hp->h_addrtype;
                #ifdef HAVE_SA_LEN_IN_STRUCT_SOCKADDR
                    ai->ai_addr->sa_len = sizeof(struct sockaddr);
            getaddrinfo    [d:\ntp\bk\ntp-dev\libntp\ntp_rfc2553.c:222]
            getnetnum      [d:\ntp\bk\ntp-dev\ntpd\ntp_config.c:2244]
            getconfig      [d:\ntp\bk\ntp-dev\ntpd\ntp_config.c:651]
            ntpdmain       [d:\ntp\bk\ntp-dev\ntpd\ntpd.c:846]
            main           [d:\ntp\bk\ntp-dev\ports\winnt\ntpd\ntservice.c:86]
            mainCRTStartup [crtexe.c:338]

So it seems that hp->h_addr points beyond the stack pointer when memcpy() is called?

Martin

-- 
Martin Burnicki <burnicki at ntp.org>



------- You are receiving this mail because: -------
You are on the CC list for the bug, or are watching someone who is.
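The Purify report above points at a `memcpy()` that copies `hp->h_length` bytes from `hp->h_addr` into the fixed-size `sin_addr` field of a `struct sockaddr_in`. As an added illustration (not code from the bug or from the NTP project), the following function shows the defensive shape of that copy: the `hostent` pointer and its address list are checked for NULL, the address family is required to be `AF_INET`, and `h_length` must equal `sizeof(struct in_addr)` before any bytes move, so an oversized or mismatched result is rejected rather than written past the destination field. The `hostent` it operates on is constructed inline with a hypothetical name and a test-net address; the function names `fill_sockaddr_in` and `check_constructed` are this example's own.

```c
#include <arpa/inet.h>
#include <netdb.h>
#include <netinet/in.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>

/* Copy the first address of an AF_INET hostent into a sockaddr_in.
 * Returns 0 on success, -1 if the hostent is missing, has the wrong
 * family, or reports an h_length that does not match sin_addr. */
int fill_sockaddr_in(const struct hostent *hp, struct sockaddr_in *sin)
{
    if (hp == NULL || hp->h_addr_list == NULL || hp->h_addr_list[0] == NULL)
        return -1;
    if (hp->h_addrtype != AF_INET)
        return -1;
    /* Never trust h_length to bound the copy: it must match the field. */
    if (hp->h_length != (int)sizeof(sin->sin_addr))
        return -1;

    memset(sin, 0, sizeof(*sin));
    sin->sin_family = AF_INET;
    /* Copy exactly sizeof(sin_addr) bytes, already verified above. */
    memcpy(&sin->sin_addr, hp->h_addr_list[0], sizeof(sin->sin_addr));
    return 0;
}

/* Build a constructed (hypothetical) hostent with the given family and
 * length, run fill_sockaddr_in on it, and optionally return the
 * resulting IPv4 address in host byte order. Returns fill_sockaddr_in's
 * result so callers can see whether the copy was accepted. */
int check_constructed(int h_addrtype, int h_length, uint32_t *out)
{
    /* Constructed sample address 192.0.2.1 (TEST-NET-1), padded so an
     * oversized h_length still points at readable memory in this demo. */
    static unsigned char addr_bytes[16] = { 192, 0, 2, 1 };
    char *addr_list[] = { (char *)addr_bytes, NULL };
    struct hostent hp;
    struct sockaddr_in sin;
    int rc;

    memset(&hp, 0, sizeof(hp));
    hp.h_name = "host.example.test"; /* hypothetical name */
    hp.h_addrtype = h_addrtype;
    hp.h_length = h_length;
    hp.h_addr_list = addr_list;

    rc = fill_sockaddr_in(&hp, &sin);
    if (rc == 0 && out != NULL)
        *out = ntohl(sin.sin_addr.s_addr);
    return rc;
}

int main(void)
{
    uint32_t addr = 0;
    int rc;

    rc = check_constructed(AF_INET, 4, &addr);
    printf("AF_INET, h_length=4  -> rc=%d addr=0x%08x\n", rc, addr);

    rc = check_constructed(AF_INET, 16, NULL);
    printf("AF_INET, h_length=16 -> rc=%d (rejected, no copy)\n", rc);

    rc = check_constructed(AF_INET6, 4, NULL);
    printf("AF_INET6, h_length=4 -> rc=%d (rejected, wrong family)\n", rc);
    return 0;
}
```

The length check is the part that matters for the overflow class in this bug: `sin_addr` is four bytes, so a resolver result that claims a longer `h_length` must be refused rather than copied. Note that such checks do not help if `hp` itself points at memory that is no longer valid, which is what a "beyond stack read" at the source pointer suggests; that is a lifetime problem in whoever produced the `hostent`, and is addressed by keeping the result in storage owned by the caller for as long as it is used.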

