Report information
The Basics
Id:
47086
Status:
resolved
Priority:
Low/Low
Queue:
bind9-public
People
Owner:
Nobody in particular
Requestors:
Mark Andrews <marka@isc.org>
Cc:
AdminCc:
BugTracker
Version Fixed:
9.9.12, 9.9.12(sub), 9.10.7, 9.10.7(sub), 9.11.3, 9.12.1, 9.13.0
Version Found:
(no value)
Versions Affected:
(no value)
Versions Planned:
(no value)
Priority:
P2 Normal
Severity:
S2 Normal
CVSS Score:
(no value)
CVE ID:
(no value)
Component:
(no value)
Area:
bug
Dates
Created:Mon, 29 Jan 2018 18:54:09 -0500
Updated:Tue, 30 Jan 2018 12:27:41 -0500
Closed:Tue, 30 Jan 2018 12:27:41 -0500

This bug tracker is no longer active.

Please go to our Gitlab to submit issues (both feature requests and bug reports) for active projects maintained by Internet Systems Consortium (ISC).

Due to security and confidentiality requirements, full access is limited to the primary maintainers.

History
  Mon, 29 Jan 2018 18:54:09 -0500 Mark Andrews <marka@isc.org> - Ticket created
From: marka@isc.org
To: bind9-public@isc.org
Date: Mon, 29 Jan 2018 13:54:09 -1000
Subject: dns_rdata_caa:value_len is too small

dns_rdata_caa:value_len is currently defined as an isc_uint8_t value: typedef struct dns_rdata_caa { dns_rdatacommon_t common; isc_mem_t * mctx; isc_uint8_t flags; unsigned char * tag; isc_uint8_t tag_len; unsigned char *value; isc_uint8_t value_len; } dns_rdata_caa_t; but it can actually be much larger than 255 ('value' can be as long as it fits the RDATA), and (just from code inspection, I've not tested it with code) it could cause overflow in tostruct_caa(): /* * Value */ caa->value_len = sr.length; Right now no BIND 9 code uses this structure other than in the caa_257 implementation, so BIND 9 apps won't be affected in practice. But it's still better fixed, of course.
Mon, 29 Jan 2018 19:02:42 -0500 Mark Andrews <marka@isc.org> - Severity S2 Normal added
Mon, 29 Jan 2018 19:02:42 -0500 Mark Andrews <marka@isc.org> - Version Fixed 9.9.12, 9.9.12(sub), 9.10.7, 9.10.7(sub), 9.11.3, 9.12.1, 9.13.0 added
Mon, 29 Jan 2018 19:02:42 -0500 Mark Andrews <marka@isc.org> - Priority P2 Normal added
Mon, 29 Jan 2018 19:02:42 -0500 Mark Andrews <marka@isc.org> - Area feature changed to bug
  Mon, 29 Jan 2018 19:02:42 -0500 Mark Andrews <marka@isc.org> - Correspondence added

4879. [bug] dns_rdata_caa:value_len is was small. [RT #47086]
Mon, 29 Jan 2018 19:02:43 -0500 Mark Andrews <marka@isc.org> - Status changed from 'open' to 'resolved'
Mon, 29 Jan 2018 19:02:43 -0500 Mark Andrews <marka@isc.org> - Untaken
Tue, 30 Jan 2018 07:12:41 -0500 Cathy Almond <cathya@isc.org> - Reference to https://support.isc.org/Ticket/Display.html?id=12317 added
  Tue, 30 Jan 2018 11:02:24 -0500 Cathy Almond <cathya@isc.org> - Correspondence added

On Tue Jan 30 00:02:42 2018, marka wrote: > 4879. [bug] dns_rdata_caa:value_len is was small. [RT #47086] Can we correct the slight typo above please.
Tue, 30 Jan 2018 11:02:25 -0500 The RT System itself - Status changed from 'resolved' to 'open'
  Tue, 30 Jan 2018 12:27:40 -0500 Evan Hunt <Evan_Hunt@isc.org> - Correspondence added

> Can we correct the slight typo above please. Done.
Tue, 30 Jan 2018 12:27:41 -0500 Evan Hunt <Evan_Hunt@isc.org> - Status changed from 'open' to 'resolved'