From: Vasili Burdo
To: security-officer@isc.org
CC: marketing@isc.org
Subject: BIND 9.9.2 - Bug in isc_print_vsnprintf() for '%llu' format
Date: Thu, 10 Jul 2014 16:45:35 +0000

Bug Report from www.isc.org:

  • Name: Vasili Burdo
  • Email: vasili.burdo@infoblox.com
  • Software Version: BIND 9.9.2
  • OS: Linux
  • Subject: Bug in isc_print_vsnprintf() for '%llu' format

Bug Detail

Hi,

This bug reveals itself when I try to printf() a very large "long long" number in decimal – any number larger than 0xFFFFFFFF. It returns garbage, but does not crash.

This behavior is caused by incorrect buffer termination in file 'bind9/lib/isc/print.c' at line 320. Here:
—————————————————
file: lib/isc/print.c
299         case 'u':
300                 if (q)
301                         tmpui = va_arg(ap, isc_uint64_t);
302                 else if (l)
303                         tmpui = va_arg(ap, unsigned long int);
304                 else
305                         tmpui = va_arg(ap, unsigned int);
306                 if (tmpui <= 0xffffffffU)
307                         sprintf(buf, "%lu",
308                                 (unsigned long)tmpui);
309                 else {
310                         unsigned long mid;
311                         unsigned long lo;
312                         unsigned long hi;
313                         lo = tmpui % 1000000000;
314                         tmpui /= 1000000000;
315                         mid = tmpui % 1000000000;
316                         hi = tmpui / 1000000000;
317                         if (hi != 0)
318                                 sprintf(buf, "%lu", hi);
319                         else
320                                 buf[0] = '\n'; // <-- BUG is HERE. To fix, replace '\n' with '\0'
321                         sprintf(buf + strlen(buf), "%lu", mid);
322                         sprintf(buf + strlen(buf), "%lu", lo);
323                 }
324                 goto printint;
—————————————————

As you see, this is a buffer overrun, caused by incorrect buffer termination.

Please let me know if you're going to fix it.
If I do not get an answer until Aug 1st, I'll report it elsewhere.

---

This email was received through isc.org Bug Submission Form
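An added example, not part of the original report and not BIND's own code: a bounded re-creation of the quoted branch that shows what the byte stored in buf[0] does to the following strlen()-based appends. The names fmt_u64 and append and the stale buffer contents are constructed for illustration, and the zero-padding of the lower groups is this example's addition, which the report does not discuss.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Bounded append of v, zero-padded to `width` digits; -1 if no room. */
static int append(char *buf, size_t cap, int width, unsigned long v) {
    const char *end = memchr(buf, '\0', cap);   /* bounded strlen() */
    if (end == NULL)
        return -1;                              /* buf is not terminated */
    size_t off = (size_t)(end - buf);
    int n = snprintf(buf + off, cap - off, "%0*lu", width, v);
    return (n < 0 || (size_t)n >= cap - off) ? -1 : 0;
}

/* 64-bit decimal formatting in groups of 10^9, modelled on the quoted
 * branch. `term` is the byte stored in buf[0] when hi == 0: '\n' is the
 * reported defect, '\0' the reporter's fix. Returns 0, or -1 on no room. */
static int fmt_u64(char *buf, size_t cap, uint64_t v, char term) {
    unsigned long lo, mid, hi;
    if (cap == 0)
        return -1;
    if (v <= 0xffffffffU) {
        buf[0] = '\0';
        return append(buf, cap, 1, (unsigned long)v);
    }
    lo = (unsigned long)(v % 1000000000U);
    v /= 1000000000U;
    mid = (unsigned long)(v % 1000000000U);
    hi = (unsigned long)(v / 1000000000U);
    if (hi != 0) {
        buf[0] = '\0';
        if (append(buf, cap, 1, hi) != 0)
            return -1;
    } else
        buf[0] = term;      /* only '\0' leaves an empty string here */
    /* Groups after the leading one are padded to nine digits; the padding
     * is this example's addition, the report covers only the terminator. */
    if (append(buf, cap, hi != 0 ? 9 : 1, mid) != 0)
        return -1;
    return append(buf, cap, 9, lo);
}
int main(void) {
    char buf[64] = "stale-data";    /* constructed leftover contents */
    fmt_u64(buf, sizeof buf, 5000000000ULL, '\n');
    printf("defect: [%s]\n", buf);
    fmt_u64(buf, sizeof buf, 5000000000ULL, '\0');
    printf("fixed:  [%s]\n", buf);
    return 0;
}
```

With the '\n' byte the digits land after whatever the buffer already held; the bounded memchr() here turns the unterminated case into an error return, where the quoted sprintf()/strlen() pair would keep reading.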