
CERT Coordination Center

BIND memcpy not bounded in case T_SIG of rrextract()

Vulnerability Note VU#13145

Original Release Date: 2001-11-15 | Last Revised: 2001-11-15

Overview

Version 8.2.2 of BIND (current circa November 1999) contained a buffer overflow in the routine that converts records from network format to database format.

Description

Version 8.2.2 of BIND includes some checks for the correct format of a DNSSEC signature record that previous versions did not. Specifically, the file ns_resp.c contains a routine called 'rrextract' (rr = "resource record"). rrextract contains a large switch block that converts resource records from the network format to the database format, doing different things depending on the type of record received. In case T_SIG, it decodes signature records. When it reaches the name of the signing domain, there is the following block of code:

/* then the signer's name */
n = dn_expand(msg, eom, cp, (char *)cp1, (sizeof data) - 18);
if (n < 0 || n + NS_SIG_SIGNER > dlen) {
        hp->rcode = FORMERR;
        return (-1);
}

Slightly later, there is code that reads:

n = dlen - (NS_SIG_SIGNER + n);

and then...

memcpy(cp1, cp, n);

If an intruder can cause n to be large, the third argument to the memcpy will be negative. The third argument is an unsigned int, so it will be interpreted as a large positive value. Thus a buffer can indeed be overflowed, but the overflow is very, very large (~4GB on a 32-bit machine); it may not be possible to use this overflow to execute code.

dn_expand is a routine that actually converts the resource record from the wire format to the database format. It returns -1 if there is an error in decoding the resource record.

NS_SIG_SIGNER is defined in nameser.h as follows:

/* Offsets into SIG record rdata to find various values */

#define NS_SIG_SIGNER 18 /* Domain name of who signed it */

Previous versions of BIND do not include the checks related to NS_SIG_SIGNER, only a check for a negative value returned from dn_expand (an error). Without this check, it appears that if a nameserver returns a malformed value, BIND will crash.
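The following is an added illustration of the length arithmetic described above; it is not code from BIND or from ISC. It reproduces the computation n = dlen - (NS_SIG_SIGNER + n) in a hypothetical helper (remaining_sig_len), shows what the unchecked value becomes once it is converted to memcpy's unsigned length type, and pairs it with a bounded copy that applies the same condition as the 8.2.2 check (n + NS_SIG_SIGNER > dlen) before any bytes are moved. The function names, the 40-byte sample rdata and the 10-byte signer length are constructed for the example.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* From nameser.h, as quoted in the note: offset of the signer's name
 * inside SIG rdata (the fixed header fields come first). */
#define NS_SIG_SIGNER 18

/*
 * Length of the SIG rdata that follows the signer's name, i.e. the value
 * the note computes as  n = dlen - (NS_SIG_SIGNER + n).  Hypothetical helper:
 * dlen is the rdata length from the wire and signer_wire_len is what
 * dn_expand() returned for the signer's name (negative on decode error).
 * Returns -1 when the record is malformed, so the caller never reaches
 * memcpy with a negative count.
 */
int remaining_sig_len(int dlen, int signer_wire_len) {
    if (signer_wire_len < 0)                      /* dn_expand() failed */
        return -1;
    /* Same condition as the 8.2.2 check n + NS_SIG_SIGNER > dlen, written
     * so the addition cannot overflow for a very large signer_wire_len. */
    if (signer_wire_len > dlen - NS_SIG_SIGNER)
        return -1;
    return dlen - (NS_SIG_SIGNER + signer_wire_len);
}

/*
 * What the unchecked pre-8.2.2 computation turns into: the negative int is
 * converted to memcpy's unsigned length type, so -8 becomes SIZE_MAX - 7.
 * This only computes the count; nothing is copied.
 */
size_t unchecked_memcpy_len(int dlen, int signer_wire_len) {
    int n = dlen - (NS_SIG_SIGNER + signer_wire_len);
    return (size_t)n;
}

/*
 * Bounded replacement for the memcpy(cp1, cp, n) step: validates the
 * length and the destination capacity before copying.
 * Returns the number of bytes copied, or -1 if the record is rejected.
 */
int copy_sig_tail(unsigned char *dst, size_t dstcap,
                  const unsigned char *rdata, int dlen, int signer_wire_len) {
    int n = remaining_sig_len(dlen, signer_wire_len);
    if (n < 0 || (size_t)n > dstcap)
        return -1;
    memcpy(dst, rdata + NS_SIG_SIGNER + signer_wire_len, (size_t)n);
    return n;
}

/* Runs the bounded copy over a constructed 40-byte SIG rdata whose signer
 * name occupies 10 bytes; returns the bytes copied, or -1 if the copied
 * bytes do not match the expected 12-byte tail. */
int demo_copy(void) {
    unsigned char rdata[40];
    unsigned char dst[64];
    int i, n;
    for (i = 0; i < 40; i++)
        rdata[i] = (unsigned char)i;          /* constructed sample data */
    n = copy_sig_tail(dst, sizeof dst, rdata, 40, 10);
    if (n != 12 || memcmp(dst, rdata + 28, 12) != 0)
        return -1;
    return n;
}

int main(void) {
    printf("well-formed:  remaining=%d\n", remaining_sig_len(40, 10));
    printf("malformed:    remaining=%d\n", remaining_sig_len(20, 10));
    printf("unchecked:    memcpy len=%zu\n", unchecked_memcpy_len(20, 10));
    printf("bounded copy: %d bytes\n", demo_copy());
    return 0;
}
```

With dlen = 20 and a 10-byte signer name, the unchecked count is -8, which memcpy would receive as an unsigned value a few bytes below the maximum size_t; the checked helper returns -1 for the same input, which is the FORMERR path in the 8.2.2 code.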

Impact

Intruders may be able to interrupt the normal operations of your nameserver.

Solution

Upgrade to BIND 8.2.2 patch level 5 or later.

Vendor Information


SCO Affected

Updated: September 05, 2000

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Fujitsu Not Affected

Updated: November 09, 1999

Status

Not Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Sun Not Affected

Updated: November 09, 1999

Status

Not Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Compaq Computer Corporation Unknown

Updated: November 05, 1999

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.


CVSS Metrics

Group Score Vector
Base
Temporal
Environmental

References

Acknowledgements

Thanks to ISC for reporting this problem.

This document was written by Shawn V Hernan.

Other Information

CVE IDs: CVE-1999-0835
CERT Advisory: CA-1999-14
Severity Metric: 8.86
Date Public: 1999-11-10
Date First Published: 2001-11-15
Date Last Updated: 2001-11-15 04:08 UTC
Document Revision: 7

Sponsored by CISA.