Report information

The Basics
Id: 43459
Status: resolved
Priority: Medium/Medium
Queue:

People
Owner: Nobody in particular
Cc:
AdminCc:

BugTracker
Version Fixed: 9.9.10, 9.9.10-S1, 9.10.5, 9.10.5(sub), 9.11.1, 9.12.0
Version Found: 9.9.9-P3
Versions Affected: (no value)
Versions Planned: (no value)
Priority: P1 High
Severity: S1 High
CVSS Score: (no value)
CVE ID: (no value)
Component: BIND Common
Area: bug

Dates
Created: Thu, 20 Oct 2016 07:08:53 -0400
Updated: Wed, 26 Jul 2017 02:22:33 -0400
Closed: Wed, 26 Oct 2016 22:23:36 -0400




Subject: resolv.conf parsing crashes when parsing sortlist entries
resconf.c:irs_resconf_load() should initialize conf->sortlistnxt to zero. The value left uninitialized results in invalid writes:

==71351== Memcheck, a memory error detector
==71351== Copyright (C) 2002-2013, and GNU GPL'd, by Julian Seward et al.
==71351== Using Valgrind-3.10.1 and LibVEX; rerun with -h for copyright info
==71351== Command: dhcp-4.3.5/server/dhcpd -d -cf /home/iscdhcp/toms/toms.conf -lf /home/iscdhcp/toms/dhcpd.leases -T em0
==71351==
Internet Systems Consortium DHCP Server 4.3.5
Copyright 2004-2016 Internet Systems Consortium.
All rights reserved.
For info, please visit https://www.isc.org/software/dhcp/
==71351== Invalid write of size 4
==71351==    at 0x4C99CE: create_addr (resconf.c:264)
==71351==    by 0x4C99CE: resconf_parsesortlist (resconf.c:406)
==71351==    by 0x4C99CE: irs_resconf_load (resconf.c:529)
==71351==    by 0x4C84A1: dhcp_dns_client_setservers (isclib.c:52)
==71351==    by 0x4C8A7F: dhcp_context_create (isclib.c:263)
==71351==    by 0x40685C: postconf_initialization (dhcpd.c:1145)
==71351==    by 0x404EA6: main (dhcpd.c:711)
==71351==  Address 0x59e4ec8 is 35,704 bytes inside an unallocated block of size 146,576 in arena "client"
==71351==
==71351== Invalid write of size 4
==71351==    at 0x4C99DB: create_addr (resconf.c:265)
==71351==    by 0x4C99DB: resconf_parsesortlist (resconf.c:406)
==71351==    by 0x4C99DB: irs_resconf_load (resconf.c:529)
==71351==    by 0x4C84A1: dhcp_dns_client_setservers (isclib.c:52)
==71351==    by 0x4C8A7F: dhcp_context_create (isclib.c:263)
==71351==    by 0x40685C: postconf_initialization (dhcpd.c:1145)
==71351==    by 0x404EA6: main (dhcpd.c:711)
==71351==  Address 0x59e4ecc is 35,708 bytes inside an unallocated block of size 146,576 in arena "client"
==71351==
==71351== Invalid write of size 4
==71351==    at 0x4C99E3: create_addr (resconf.c:266)
==71351==    by 0x4C99E3: resconf_parsesortlist (resconf.c:406)
==71351==    by 0x4C99E3: irs_resconf_load (resconf.c:529)
==71351==    by 0x4C84A1: dhcp_dns_client_setservers (isclib.c:52)
==71351==    by 0x4C8A7F: dhcp_context_create (isclib.c:263)
==71351==    by 0x40685C: postconf_initialization (dhcpd.c:1145)
==71351==    by 0x404EA6: main (dhcpd.c:711)
==71351==  Address 0x59e4f34 is 35,812 bytes inside an unallocated block of size 146,576 in arena "client"
==71351==
==71351== Invalid write of size 4
==71351==    at 0x4C9A64: create_addr (resconf.c:264)
==71351==    by 0x4C9A64: resconf_parsesortlist (resconf.c:411)
==71351==    by 0x4C9A64: irs_resconf_load (resconf.c:529)
==71351==    by 0x4C84A1: dhcp_dns_client_setservers (isclib.c:52)
==71351==    by 0x4C8A7F: dhcp_context_create (isclib.c:263)
==71351==    by 0x40685C: postconf_initialization (dhcpd.c:1145)
==71351==    by 0x404EA6: main (dhcpd.c:711)
==71351==  Address 0x59e4f38 is 35,816 bytes inside an unallocated block of size 146,576 in arena "client"
==71351==
==71351== Invalid write of size 4
==71351==    at 0x4C9A71: create_addr (resconf.c:265)
==71351==    by 0x4C9A71: resconf_parsesortlist (resconf.c:411)
==71351==    by 0x4C9A71: irs_resconf_load (resconf.c:529)
==71351==    by 0x4C84A1: dhcp_dns_client_setservers (isclib.c:52)
==71351==    by 0x4C8A7F: dhcp_context_create (isclib.c:263)
==71351==    by 0x40685C: postconf_initialization (dhcpd.c:1145)
==71351==    by 0x404EA6: main (dhcpd.c:711)
==71351==  Address 0x59e4f3c is 35,820 bytes inside an unallocated block of size 146,576 in arena "client"
==71351==
==71351== Invalid write of size 4
==71351==    at 0x4C9A79: create_addr (resconf.c:270)
==71351==    by 0x4C9A79: resconf_parsesortlist (resconf.c:411)
==71351==    by 0x4C9A79: irs_resconf_load (resconf.c:529)
==71351==    by 0x4C84A1: dhcp_dns_client_setservers (isclib.c:52)
==71351==    by 0x4C8A7F: dhcp_context_create (isclib.c:263)
==71351==    by 0x40685C: postconf_initialization (dhcpd.c:1145)
==71351==    by 0x404EA6: main (dhcpd.c:711)
==71351==  Address 0x59e4fa4 is 35,924 bytes inside an unallocated block of size 146,576 in arena "client"
==71351==
Config file: /home/iscdhcp/toms/toms.conf
Database file: /home/iscdhcp/toms/dhcpd.leases
PID file: dhcpd.pid
==71351==
==71351== HEAP SUMMARY:
==71351==     in use at exit: 7,036,654 bytes in 463 blocks
==71351==   total heap usage: 545 allocs, 82 frees, 7,162,594 bytes allocated
==71351==
==71351== LEAK SUMMARY:
==71351==    definitely lost: 2,384 bytes in 1 blocks
==71351==    indirectly lost: 0 bytes in 0 blocks
==71351==      possibly lost: 4,064 bytes in 1 blocks
==71351==    still reachable: 7,030,206 bytes in 461 blocks
==71351==         suppressed: 0 bytes in 0 blocks
==71351== Rerun with --leak-check=full to see details of leaked memory
==71351==
==71351== For counts of detected and suppressed errors, rerun with: -v
==71351== ERROR SUMMARY: 18 errors from 6 contexts (suppressed: 39 from 5)
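
The bug class in this report, as an added example that is not ISC's code: a slot counter read from non-zeroed memory is used as an array index, and initializing it (plus a bounds check) removes the invalid write. Only the field name sortlistnxt comes from the report; struct resconf_model, alloc_poisoned, add_sort_entry, load_sortlist, the capacity of 10 and the sample addresses are assumptions made for the illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_SORTLIST 10                 /* assumed capacity for this model */

struct resconf_model {                  /* simplified stand-in, not ISC's struct */
    struct { uint32_t addr, mask; } sortlist[MAX_SORTLIST];
    uint8_t sortlistnxt;                /* next free slot; field name from the report */
};

/* Stand-in for an allocator that returns non-zeroed memory. The fill byte
 * makes the "uninitialized" contents deterministic for the demonstration. */
static struct resconf_model *alloc_poisoned(void) {
    struct resconf_model *c = malloc(sizeof(*c));
    if (c != NULL)
        memset(c, 0xBE, sizeof(*c));
    return c;
}

/* Append one entry. Using >= (not ==) rejects a stale index that is already
 * past the array, so it becomes an error instead of an invalid write. */
static int add_sort_entry(struct resconf_model *c, uint32_t addr, uint32_t mask) {
    if (c->sortlistnxt >= MAX_SORTLIST)
        return -1;
    c->sortlist[c->sortlistnxt].addr = addr;
    c->sortlist[c->sortlistnxt].mask = mask;
    c->sortlistnxt++;
    return 0;
}

/* Parse n constructed sortlist entries. init_counter = 0 models the reported
 * bug, 1 the fix. Returns the final counter, or -1 if a slot was out of range. */
int load_sortlist(int init_counter, int n) {
    struct resconf_model *c = alloc_poisoned();
    int ok = (c != NULL);
    if (ok && init_counter)
        c->sortlistnxt = 0;             /* the initialization the report asks for */
    for (int i = 0; ok && i < n; i++)
        ok = add_sort_entry(c, 0x0A000000u + (uint32_t)i, 0xFF000000u) == 0;
    int result = ok ? c->sortlistnxt : -1;
    free(c);
    return result;
}

int main(void) {
    printf("unfixed: %d, fixed: %d\n", load_sortlist(0, 2), load_sortlist(1, 2));
    return 0;
}
```

Without the bounds check, the unfixed variant would store its first entry at index 0xBE, far outside the ten-element array, which is the kind of out-of-block write Memcheck flags above.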