Buffer overflow in the dname_to_string() function
Hi,
While fuzzing nsd-checkzone in NSD 4.2.4 (and git nightly build (revision: a1879fb4363cb0ad1fa85ef9a11499c7e3d95540)), I found a buffer overflow in the dname_to_string() function, in dname.c.
Attaching a reproducer (zipped so GitHub accepts it): input_test0.zip
Issue can be reproduced by running:
```
nsd-checkzone all.rr input_test0
```

```
=================================================================
==2301135==ERROR: AddressSanitizer: global-buffer-overflow on address 0x000000f7e91b at pc 0x00000043bb11 bp 0x7ffe3f9c8c20 sp 0x7ffe3f9c83b8
WRITE of size 5 at 0x000000f7e91b thread T0
    #0 0x43bb10 in vsnprintf (/src/nsd-NSD_4_2_4_REL/nsd-checkzone+0x43bb10)
    #1 0x43d060 in snprintf (/src/nsd-NSD_4_2_4_REL/nsd-checkzone+0x43d060)
    #2 0x4e421f in dname_to_string /src/nsd-NSD_4_2_4_REL/dname.c:423:5
    #3 0x61ff60 in domain_to_string /src/nsd-NSD_4_2_4_REL/./namedb.h:315:10
    #4 0x61e335 in process_rr /src/nsd-NSD_4_2_4_REL/zonec.c:1435:79
    #5 0x623f0f in yyparse /src/nsd-NSD_4_2_4_REL/./zparser.y:125:8
    #6 0x620ce6 in zonec_read /src/nsd-NSD_4_2_4_REL/zonec.c:1627:2
    #7 0x63ffff in check_zone /src/nsd-NSD_4_2_4_REL/nsd-checkzone.c:61:11
    #8 0x63fc79 in main /src/nsd-NSD_4_2_4_REL/nsd-checkzone.c:131:2
    #9 0x7feb592d60b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x270b2)
    #10 0x41da0d in _start (/src/nsd-NSD_4_2_4_REL/nsd-checkzone+0x41da0d)

0x000000f7e91b is located 0 bytes to the right of global variable 'buf' defined in 'dname.c:391:14' (0xf7e420) of size 1275
SUMMARY: AddressSanitizer: global-buffer-overflow (/src/nsd-NSD_4_2_4_REL/nsd-checkzone+0x43bb10) in vsnprintf
Shadow bytes around the buggy address:
  0x0000801e7cd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0000801e7ce0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0000801e7cf0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0000801e7d00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0000801e7d10: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0000801e7d20: 00 00 00[03]f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9
  0x0000801e7d30: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9
  0x0000801e7d40: f9 f9 f9 f9 f9 f9 f9 f9 00 00 00 00 00 00 00 00
  0x0000801e7d50: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0000801e7d60: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0000801e7d70: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==2301135==ABORTING
```
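The trace above shows the general shape of this bug class: a fixed-size global buffer (`buf`, 1275 bytes) receives escaped name text through `snprintf` calls sized for a single escape rather than for the space actually left, so once the write cursor reaches the end of the buffer the next escape lands outside it. As an added illustration for readers, and not NSD's own code nor the change in the linked fix commit, here is a bounded escaping routine in C that writes each piece into a caller-supplied buffer only after checking the remaining room, so a name that does not fit returns an error instead of writing past the end. The escape format (plain characters kept, `\c` for a few specials, `\ddd` for everything else) and all helper names are assumptions of this example; a 4-character `\ddd` escape plus its NUL terminator is a 5-byte write, the same size ASan reports, but this report does not establish that that is what NSD does.

```c
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAXDOMAINLEN 255   /* maximum wire-format name length, RFC 1035 */

/* Copy n bytes to *dst only if they fit with room left for a NUL.
 * This is the check a hard-coded snprintf(dst, 5, ...) does not make. */
static int emit(char **dst, const char *end, const char *src, size_t n)
{
    if ((size_t)(end - *dst) <= n)
        return -1;
    memcpy(*dst, src, n);
    *dst += n;
    return 0;
}

/* Escape a wire-format name (length-prefixed labels, root label 0) into
 * out[out_len]. Returns the number of characters written (excluding the
 * NUL) or -1 if the result would not fit or the name is malformed.
 * Assumed escape format: plain for [A-Za-z0-9-_*], "\c" for . \ ( ) ;,
 * "\ddd" (decimal) for any other byte. */
int escape_dname(const uint8_t *name, size_t name_len, char *out, size_t out_len)
{
    char *dst = out;
    const char *end = out + out_len;
    size_t pos = 0;
    char tmp[5];

    if (out_len == 0)
        return -1;
    if (name_len == 0 || name[0] == 0) {          /* root name */
        if (emit(&dst, end, ".", 1) < 0) return -1;
        *dst = '\0';
        return (int)(dst - out);
    }
    while (pos < name_len && name[pos] != 0) {
        size_t len = name[pos++];
        if (len > 63 || pos + len > name_len)
            return -1;                            /* malformed label */
        for (size_t j = 0; j < len; ++j) {
            uint8_t ch = name[pos++];
            if (isalnum(ch) || ch == '-' || ch == '_' || ch == '*') {
                tmp[0] = (char)ch;
                if (emit(&dst, end, tmp, 1) < 0) return -1;
            } else if (ch == '.' || ch == '\\' || ch == '(' || ch == ')' || ch == ';') {
                tmp[0] = '\\'; tmp[1] = (char)ch;
                if (emit(&dst, end, tmp, 2) < 0) return -1;
            } else {
                /* "\ddd" is 4 characters; tmp's 5th byte holds the NUL */
                snprintf(tmp, sizeof tmp, "\\%03u", (unsigned)ch);
                if (emit(&dst, end, tmp, 4) < 0) return -1;
            }
        }
        if (emit(&dst, end, ".", 1) < 0) return -1;   /* label separator */
    }
    *dst = '\0';
    return (int)(dst - out);
}

/* Constructed test input: `labels` labels of 63 bytes 0x01 (each needs the
 * 4-character form) followed by the root label. More than 4 such labels
 * gives a wire name longer than MAXDOMAINLEN. Returns the wire length. */
size_t build_escaped_name(uint8_t *wire, size_t wire_cap, size_t labels)
{
    size_t pos = 0;
    for (size_t i = 0; i < labels; ++i) {
        if (pos + 64 + 1 > wire_cap) return 0;
        wire[pos++] = 63;
        memset(wire + pos, 0x01, 63);
        pos += 63;
    }
    wire[pos++] = 0;
    return pos;
}

/* Escape the constructed worst-case name into a buffer of out_len bytes. */
int escape_worst_case(size_t labels, size_t out_len)
{
    uint8_t wire[2048];
    char out[2048];
    size_t n = build_escaped_name(wire, sizeof wire, labels);
    if (n == 0 || out_len > sizeof out) return -1;
    return escape_dname(wire, n, out, out_len);
}

int main(void)
{
    const uint8_t name[] = {3, 'f', 'o', 'o', 1, 0x01, 0};   /* constructed */
    char out[32];
    int n = escape_dname(name, sizeof name, out, sizeof out);
    printf("%d %s\n", n, n < 0 ? "(does not fit)" : out);
    /* A 6-label all-escaped name needs 1518 bytes; into a 1275-byte buffer
     * the bounded writer reports -1 rather than overflowing. */
    printf("%d\n", escape_worst_case(6, MAXDOMAINLEN * 5));
    return 0;
}
```

The point of the design is that `emit` is the only place bytes reach the output, and it compares against the real remaining space every time; sizing the buffer from a worst-case estimate (as `MAXDOMAINLEN * 5` does) is then a performance choice rather than a safety assumption, because an input that breaks the estimate is rejected instead of written.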
Thanks, I have confirmed that the https://github.com/NLnetLabs/nsd/commit/23d6248fecd15758b227e119bfa1cf9c27cfa4db fixed the issue. No information is needed from my side. Please let me know so we can close the issue.
Hi @bsdb0y! It seems this issue can be closed as the fix is merged. If you have any questions, feel free to reopen. Thanks for reporting!