Bug 761513 - Segmentation fault due to buffer overrun in the adnsresfilter program from the adns-progs package
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: adns
Version: 15
Hardware: i686
OS: Linux
unspecified
high
Target Milestone: ---
Assignee: Adam Tkac
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2011-12-08 14:02 UTC by Paul Blankenbaker
Modified: 2013-04-30 23:50 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2012-06-02 03:55:33 UTC
Type: ---


Attachments
Patch for RPM build of adns-1.4.tar.gz to fix error in adnsresfilter.c (535 bytes, application/octet-stream)
2011-12-08 14:02 UTC, Paul Blankenbaker

Description Paul Blankenbaker 2011-12-08 14:02:48 UTC
Created attachment 542548
Patch for RPM build of adns-1.4.tar.gz to fix error in adnsresfilter.c

Description of problem:

The adnsresfilter program will core dump on 32 bit Fedora 15 when run with the "--brackets" option and fed an IP address of 15 characters enclosed in brackets.

Version-Release number of selected component (if applicable):


How reproducible:

Always reproducible


Steps to Reproduce:

1. Boot Fedora 15 (32 bit)

2. Install adns-progs package

  yum install adns-progs

3. Feed a string containing a 15 character IP address within brackets into the adnsresfilter program with the --brackets option:

  echo "[255.255.255.255]" | adnsresfilter --unchecked --timeout 1000 --brackets
  
Actual results:

[root@probe-p3p1 ~]# echo "[255.255.255.255]" | adnsresfilter --unchecked --timeout 1000 --brackets
Segmentation fault
[root@probe-p3p1 ~]# 

Expected results:

[root@dev15-32 ~]# echo "[255.255.255.255]" | adnsresfilter --unchecked --timeout 1000 --brackets
[255.255.255.255]
[root@dev15-32 ~]# 

Additional info:

This appears to be a buffer overrun issue in the "client/adnsresfilter.c" source file. The addrtextbuf buffer is used to hold the IP address (and bracket characters) and is declared as:

static char addrtextbuf[14];

However, an IP address like 255.255.255.255 is 15 characters long. When you add brackets it becomes 17 characters long. I fixed the segmentation fault in my local build by allocating 18 bytes (in case a null string terminator might be appended somewhere in the code). Hence, to avoid the segmentation fault, I changed the above declaration to:

static char addrtextbuf[18];

I've attached the "patch" file I created to apply this patch to build my own version of the RPM.
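
The sizing arithmetic from the description above, as an added example that is not code from adns or from the attached patch: the buffer size is derived from the longest bracketed dotted quad instead of a literal, and a bounds-checked append refuses input that does not fit. All names here (`addrbuf`, `addrbuf_putc`, `addrbuf_store`, `try_store`, the macros) are hypothetical.

```c
#include <stddef.h>
#include <string.h>

/* Longest dotted quad: four 3-digit octets plus three dots. */
#define IPV4_TEXT_MAX (4 * 3 + 3)           /* 15 */
/* Two brackets around it, then one byte for the NUL terminator. */
#define BRACKETED_MAX (IPV4_TEXT_MAX + 2)   /* 17 */
#define ADDRBUF_SIZE  (BRACKETED_MAX + 1)   /* 18 */

_Static_assert(ADDRBUF_SIZE == 18, "must hold \"[255.255.255.255]\" plus NUL");

/* Hypothetical accumulator (not adns code): storage with an explicit capacity. */
struct addrbuf {
    char  *data;
    size_t cap;   /* bytes available in data, including the NUL */
    size_t used;  /* characters stored so far */
};

static void addrbuf_init(struct addrbuf *b, char *storage, size_t cap)
{
    b->data = storage;
    b->cap = cap;
    b->used = 0;
    if (cap)
        storage[0] = '\0';
}

/* Append one character; return 0 on success, -1 if it would not fit. */
static int addrbuf_putc(struct addrbuf *b, char c)
{
    if (b->cap == 0 || b->used >= b->cap - 1)
        return -1;                 /* reject instead of writing past the end */
    b->data[b->used++] = c;
    b->data[b->used] = '\0';
    return 0;
}

/* Copy a whole token; return its length, or -1 if the buffer is too small. */
static int addrbuf_store(struct addrbuf *b, const char *token)
{
    for (const char *p = token; *p; p++)
        if (addrbuf_putc(b, *p) != 0)
            return -1;
    return (int)b->used;
}

/* Try to store token in a buffer of cap bytes (cap must be <= 64). */
static int try_store(const char *token, size_t cap)
{
    char storage[64];
    struct addrbuf b;
    addrbuf_init(&b, storage, cap);
    return addrbuf_store(&b, token);
}
```
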

Comment 1 Adam Tkac 2012-05-22 07:57:50 UTC
Your patch is correct, thanks for it.

Currently I'm going to patch only Fedora 17 and rawhide, please let me know if you would like to have the patch also in older distributions.

Comment 2 Fedora Update System 2012-05-22 08:07:51 UTC
adns-1.4-12.fc17 has been submitted as an update for Fedora 17.
https://admin.fedoraproject.org/updates/adns-1.4-12.fc17

Comment 3 Fedora Update System 2012-05-22 15:52:45 UTC
Package adns-1.4-12.fc17:
* should fix your issue,
* was pushed to the Fedora 17 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing adns-1.4-12.fc17'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2012-8240/adns-1.4-12.fc17
then log in and leave karma (feedback).

Comment 4 Fedora Update System 2012-06-02 03:55:33 UTC
adns-1.4-12.fc17 has been pushed to the Fedora 17 stable repository.  If problems still persist, please make note of it in this bug report.