
Re: Killing ircds via DNS



I was still waiting for Beeth to do this, but he seems to take
his time, so I'll do it.

This attached mail was on bugtraq yesterday.

The bug in question was fixed on June 19, 1997.  It was
fixed in the 2.9.3 release.

I also checked other ircds, to see if they still have the bug.
Neither hybrid, ircu, nor bahamut still has it.  DreamForge, the
old ircd from DALnet, has it, so I suspect ircds based on it to
have it too.


Kurt

--- Begin Message ---
It appears some people have discovered a bug in various IRCd's res.c.

proc_answer() in res.c:

        struct  in_addr dr, *adr;
          -> dr is a 4-byte in_addr structure

                dlen =  (int)_getshort(cp);
                   -> get answer length from packet

                switch(type)
                {
                case T_A :
                        hp->h_length = dlen;
                        if (ans == 1)
                                hp->h_addrtype =  (class == C_IN) ?
                                                        AF_INET : AF_UNSPEC;
                        bcopy(cp, (char *)&dr, dlen);
                             -> goodbye stack if dlen > 4

The bug is triggered by returning a 128-byte answer to an A-record query, e.g.,
a 128-byte A-record response to a reverse DNS lookup on the client IP.  The
fix should be self-evident.

David.
--
David Luyer                                        Phone:   +61 3 9674 7525
Senior Network Engineer        P A C I F I C       Fax:     +61 3 9699 8693
Pacific Internet (Australia)  I N T E R N E T      Mobile:  +61 4 1111 2983
http://www.pacific.net.au/                         NASDAQ:  PCNTF

--- End Message ---
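The unchecked copy described in the forwarded message, set beside a bounded parse of the same record, as an added example that is not code from the post or from any ircd's res.c. The function and helper names (proc_answer_a_unsafe, parse_a_rr, build_a_rr, getshort_be, a_rr_demo) are this example's own, and the two resource records it parses are constructed in the code rather than captured from a resolver. It goes slightly beyond the post by also checking RDLENGTH against the bytes actually left in the packet, which a parser needs even for record types it skips.

```c
/*
 * Added example, not code from the bugtraq post or any ircd: the A-record
 * branch of an answer parser in the shape of ircd's proc_answer(), with the
 * unchecked copy beside a bounded one.  All names here are this example's own.
 */
#include <stddef.h>
#include <string.h>
#include <stdio.h>
#include <netinet/in.h>  /* struct in_addr */
#include <arpa/inet.h>   /* htonl */

#define T_A   1          /* RFC 1035 TYPE A */
#define C_IN  1          /* RFC 1035 CLASS IN */
#define RR_FIXED_LEN 10  /* TYPE(2) CLASS(2) TTL(4) RDLENGTH(2) after the owner name */

/* Big-endian 16-bit read, what the resolver's _getshort() did. */
static unsigned getshort_be(const unsigned char *p)
{
    return ((unsigned)p[0] << 8) | p[1];
}

/*
 * The pattern from the post, kept for contrast and never called here:
 * dlen comes straight off the wire and is used as the copy length into a
 * four-byte struct in_addr on the stack.  An RDLENGTH of 128 overwrites
 * whatever follows dr, so calling this on hostile input is a crash at best.
 */
void proc_answer_a_unsafe(const unsigned char *cp, struct in_addr *result)
{
    struct in_addr dr;
    unsigned dlen = getshort_be(cp + 8);   /* RDLENGTH, attacker-controlled */
    memcpy(&dr, cp + RR_FIXED_LEN, dlen);  /* goodbye stack if dlen > 4 */
    *result = dr;
}

/*
 * Bounded version.  cp points at the fixed part of an RR (just after the
 * owner name); remaining is how many packet bytes are left from cp.
 * Returns 0 and fills *out for a well-formed IN A record, 1 for a
 * well-formed record of some other type or class (caller skips it), and
 * -1 for a record whose lengths fit neither the packet nor the destination.
 */
int parse_a_rr(const unsigned char *cp, size_t remaining, struct in_addr *out)
{
    unsigned type, class, dlen;

    if (remaining < RR_FIXED_LEN)
        return -1;                          /* truncated fixed header */
    type  = getshort_be(cp);
    class = getshort_be(cp + 2);
    dlen  = getshort_be(cp + 8);
    cp += RR_FIXED_LEN;
    remaining -= RR_FIXED_LEN;

    if (dlen > remaining)
        return -1;                          /* RDATA runs past the packet */
    if (type != T_A || class != C_IN)
        return 1;                           /* not an IN A record; caller skips dlen bytes */
    if (dlen != sizeof(struct in_addr))
        return -1;                          /* the check the original lacked */
    memcpy(out, cp, sizeof *out);           /* copy exactly four bytes */
    return 0;
}

/*
 * Build a constructed RR (fixed part only, no owner name) into buf:
 * TYPE A, CLASS IN, TTL 60, RDLENGTH dlen, then dlen bytes of rdata.
 * Returns the number of bytes written, or 0 if buf is too small.
 */
size_t build_a_rr(unsigned char *buf, size_t cap, unsigned dlen, const unsigned char *rdata)
{
    if (cap < RR_FIXED_LEN + dlen)
        return 0;
    buf[0] = 0; buf[1] = T_A;
    buf[2] = 0; buf[3] = C_IN;
    buf[4] = 0; buf[5] = 0; buf[6] = 0; buf[7] = 60;
    buf[8] = (unsigned char)(dlen >> 8); buf[9] = (unsigned char)dlen;
    memcpy(buf + RR_FIXED_LEN, rdata, dlen);
    return RR_FIXED_LEN + dlen;
}

/* Returns 1 if a 4-byte A answer is accepted and a 128-byte one rejected. */
int a_rr_demo(void)
{
    unsigned char good[RR_FIXED_LEN + 4], bad[RR_FIXED_LEN + 128];
    unsigned char ip[4] = { 10, 0, 0, 1 };     /* constructed A RDATA */
    unsigned char fill[128];
    struct in_addr got;
    size_t n;

    memset(fill, 0x41, sizeof fill);           /* constructed oversized RDATA */
    n = build_a_rr(good, sizeof good, 4, ip);
    if (parse_a_rr(good, n, &got) != 0 || got.s_addr != htonl(0x0A000001u))
        return 0;
    n = build_a_rr(bad, sizeof bad, 128, fill);
    if (parse_a_rr(bad, n, &got) != -1)
        return 0;
    return 1;
}

int main(void)
{
    printf("%s\n", a_rr_demo() ? "bounded parser ok" : "FAIL");
    return 0;
}
```

The two checks in parse_a_rr are independent: the comparison against `remaining` stops the parser reading past the datagram for any record type, and the comparison against `sizeof(struct in_addr)` stops the copy writing past the destination for A records specifically. The original code had neither, and since the lookup is a reverse query on the connecting client's address, the attacker controls the PTR zone that answers it.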