Re: buffer overflow in nslookup?

From: Theo de Raadt (deraadtat_private)
Date: Mon Aug 31 1998 - 00:17:40 PDT

    > If your nslookup's main.c includes:
    >
    >     sscanf(string, " %s", host);        /* removes white space */
    >
    > (at line 681 in 4.9.7-REL and at line 684 in 8.1.2) and it does not
    > check the length of 'string', then you are vulnerable.
    
    Nearly all the sscanf's parsing for some variant of %s are possible
    vulnerabilities.
    
    The same applies to "dig".
    
    They must all be fixed.
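
The `%s` pattern discussed in this message, next to a width-bounded form. This is an added example, not part of the original message and not taken from the nslookup or dig source; `HOST_WIDTH`, `parse_host` and the sample inputs are assumptions made for illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define HOST_WIDTH 63                 /* assumed maximum token length */
#define STR2(x) #x
#define STR(x) STR2(x)

/*
 * Unbounded form quoted in the message (writes past host[] on long input):
 *     sscanf(string, " %s", host);
 *
 * Bounded form: copy the first whitespace-delimited token of `string`
 * into host[HOST_WIDTH + 1].
 * Returns 0 on success, -1 if there is no token, -2 if the token is
 * longer than HOST_WIDTH (rejected rather than silently truncated).
 */
int parse_host(const char *string, char *host)
{
    int consumed = 0;

    host[0] = '\0';
    /* " %63s%n": the width caps the write, %n records where scanning stopped */
    if (sscanf(string, " %" STR(HOST_WIDTH) "s%n", host, &consumed) != 1)
        return -1;
    /* Stopping on a non-space byte means the width cut the token short */
    if (string[consumed] != '\0' && !isspace((unsigned char)string[consumed])) {
        host[0] = '\0';
        return -2;
    }
    return 0;
}

int main(void)
{
    char host[HOST_WIDTH + 1];
    char big[256];                     /* constructed oversized input */

    memset(big, 'a', sizeof big - 1);
    big[sizeof big - 1] = '\0';
    printf("%d\n", parse_host("  ns1.example.org  ", host));
    printf("%d\n", parse_host(big, host));
    return 0;
}
```

When auditing, any `%s` or `%[` conversion in a `scanf`-family call that has no field width, or whose width is not one less than the destination buffer size, deserves the same treatment.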
    


