Patrick Williams | f1e5d69 | 2016-03-30 15:21:19 -0500 | 1 | a buffer size check can cause denial of service under certain circumstances |
| 2 | |
| 3 | [security] |
| 4 | The following flaw in BIND was reported by ISC: |
| 5 | |
| 6 | A buffer size check used to guard against overflow could cause named to exit with an INSIST failure in apl_42.c. |
| 7 | |
| 8 | A server could exit due to an INSIST failure in apl_42.c when performing certain string formatting operations. |
| 9 | |
| 10 | Upstream-Status: Backport |
| 11 | CVE: CVE-2015-8704 |
| 12 | |
| 13 | [The patch is taken from BIND 9.10.3: |
| 14 | https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2015-8704] |
| 15 | |
| 16 | Signed-off-by: Derek Straka <derek@asterius.io> |
| 17 | diff --git a/lib/dns/rdata/in_1/apl_42.c b/lib/dns/rdata/in_1/apl_42.c |
| 18 | index bedd38e..28eb7f2 100644 |
| 19 | --- a/lib/dns/rdata/in_1/apl_42.c |
| 20 | +++ b/lib/dns/rdata/in_1/apl_42.c |
| 21 | @@ -116,7 +116,7 @@ totext_in_apl(ARGS_TOTEXT) { |
| 22 | isc_uint8_t len; |
| 23 | isc_boolean_t neg; |
| 24 | unsigned char buf[16]; |
| 25 | - char txt[sizeof(" !64000")]; |
| 26 | + char txt[sizeof(" !64000:")]; |
| 27 | const char *sep = ""; |
| 28 | int n; |
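Review bot: the changed declaration `char txt[sizeof(" !64000:")];` still sizes the buffer from a sample string literal, with no comment saying which format string it mirrors, so the same off-by-one can return if the formatting call changes. The formatting call and the INSIST that consume `txt` are outside the visible context of this hunk, so the patch cannot be checked against them here. Please add a short comment on the declaration naming the fields the literal stands for (separator, optional `!`, up to five digits, `:`, terminating NUL). When backporting, also confirm that the size check on the formatted length compares against `sizeof(txt)` rather than a separate constant.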