Re: SNI-12: BIND Vulnerabilities and Solutions

Peter Koch (pk@TECHFAK.UNI-BIELEFELD.DE)
Wed, 23 Apr 1997 09:14:23 +0200

> BIND allows passing of hostnames larger than MAXHOSTNAMELEN in size to
> programs. As many programs utilize buffers of size MAXHOSTNAMELEN and
> copy the results from a query into these buffers, an overflow can occur.
> This can allow an attacker to execute arbitrary commands on a remote
> server in a worst case scenario.

You are fixing the wrong problem here. MAXHOSTNAMELEN MUST NOT be used to
estimate the length of a domain name returned by gethostby*(). Its sole
purpose is to give the size of gethostname()'s return buffer.

MAXHOSTNAMELEN is OS dependent, while the maximum length of a domain name
(and yes, also a host name) is set to 255 per RFC 1123, section 2.1:

    Host software MUST handle host names of up to 63 characters and
    SHOULD handle host names of up to 255 characters.

DO NOT destroy the resolver by applying this patch. There are some systems,
e.g. AIX 3.2.5, which still have MAXHOSTNAMELEN at 32, so even if it works it
will do more harm than good.

-Peter
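As an added example, not code from Peter's post, the advisory, or BIND itself: a bounded copy in C of a resolver-returned name that checks against the RFC 1123 limit quoted above rather than trusting MAXHOSTNAMELEN. The macro name, the two helper functions and the fake `struct hostent` are constructed for illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <netdb.h>

/* Upper bound from RFC 1123 section 2.1, as cited in the post (hypothetical macro name). */
#define RFC1123_HOSTNAME_MAX 255

/* Bounded copy of a resolver-returned name (e.g. hostent.h_name) into dst.
 * Returns the name length on success; -1 (and an empty dst) if the name
 * exceeds the RFC 1123 limit or would not fit in dst including the NUL.
 * Unlike strcpy() into a MAXHOSTNAMELEN-sized buffer, it never writes past dst. */
int copy_hostname(char *dst, size_t dstsz, const char *name)
{
    size_t n = name ? strlen(name) : 0;
    if (!name || n > RFC1123_HOSTNAME_MAX || n + 1 > dstsz) {
        if (dstsz > 0)
            dst[0] = '\0';
        return -1;
    }
    memcpy(dst, name, n + 1);
    return (int)n;
}

/* Would he->h_name (plus NUL) fit in a buffer of bufsz bytes? 1 = yes, 0 = no.
 * Lets code that still sizes buffers by MAXHOSTNAMELEN detect the mismatch
 * before copying instead of overflowing. */
int hostent_name_fits(const struct hostent *he, size_t bufsz)
{
    if (!he || !he->h_name)
        return 0;
    return strlen(he->h_name) + 1 <= bufsz;
}

/* Constructed hostent (not a live DNS answer) with a 40-character name,
 * longer than the 32-byte MAXHOSTNAMELEN the post cites for AIX 3.2.5. */
static char long_name[] = "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.example";  /* 40 chars */
static struct hostent fake_he = { .h_name = long_name };

int main(void)
{
    char buf[RFC1123_HOSTNAME_MAX + 1];
    char small[32];                      /* an AIX 3.2.5-sized MAXHOSTNAMELEN buffer */
    printf("fits in 32-byte buffer: %d\n", hostent_name_fits(&fake_he, sizeof small));
    printf("copy into 32 bytes: %d\n", copy_hostname(small, sizeof small, fake_he.h_name));
    printf("copy into 256 bytes: %d\n", copy_hostname(buf, sizeof buf, fake_he.h_name));
    return 0;
}
```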