From nobody@FreeBSD.org  Wed Feb 23 22:25:00 2000
Return-Path: <nobody@FreeBSD.org>
Received: from freefall.freebsd.org (freefall.FreeBSD.ORG [204.216.27.21])
	by hub.freebsd.org (Postfix) with ESMTP id EE6CC37BB26
	for <freebsd-gnats-submit@FreeBSD.org>; Wed, 23 Feb 2000 22:24:59 -0800 (PST)
	(envelope-from nobody@FreeBSD.org)
Received: (from nobody@localhost)
	by freefall.freebsd.org (8.9.3/8.9.2) id WAA68360;
	Wed, 23 Feb 2000 22:24:59 -0800 (PST)
	(envelope-from nobody@FreeBSD.org)
Message-Id: <200002240624.WAA68360@freefall.freebsd.org>
Date: Wed, 23 Feb 2000 22:24:59 -0800 (PST)
From: spock@techfour.net
Sender: nobody@FreeBSD.org
To: freebsd-gnats-submit@FreeBSD.org
Subject: [PATCH] Fix argument overflow in dnsquery
X-Send-Pr-Version: www-1.0

>Number:         16953
>Category:       bin
>Synopsis:       [PATCH] Fix argument overflow in dnsquery
>Confidential:   no
>Severity:       non-critical
>Priority:       medium
>Responsible:    kris
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Wed Feb 23 22:30:01 PST 2000
>Closed-Date:    Wed Aug 23 02:27:20 PDT 2000
>Last-Modified:  Wed Aug 23 02:28:23 PDT 2000
>Originator:     Mike Heffner
>Release:        4.0-current
>Organization:
>Environment:
FreeBSD 4.0-CURRENT #0: Sat Feb 19 20:05:45 EST 2000
>Description:
dnsquery doesn't check domain name length and will write past buffer.
>How-To-Repeat:
dnsquery -h [5120]
or dnsquery [5120]
>Fix:
Apply patch. Merged from OpenBSD.

Index: contrib/bind/bin/dnsquery/dnsquery.c
===================================================================
RCS file: /home/ncvs/src/contrib/bind/bin/dnsquery/dnsquery.c,v
retrieving revision 1.1.1.2
diff -u -r1.1.1.2 dnsquery.c
--- dnsquery.c  1999/11/30 02:42:02     1.1.1.2
+++ dnsquery.c  2000/02/24 06:09:09
@@ -80,7 +80,11 @@
                case 'p' :      res.retrans = atoi(optarg);
                                break;
 
-               case 'h' :      strcpy(name, optarg);
+               case 'h' :      if(strlcpy(name, optarg, sizeof(name)) >= sizeof(name)) {
+                                       fprintf(stderr,
+                                               "Domain name too long (%s)\n", optarg);
+                                       exit(-1);
+                               }
                                break;
 
                case 'c' : {
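Review bot: the truncation test is right (strlcpy() returns the length it tried to copy, so `>= sizeof(name)` catches an over-long name), but `if(strlcpy(` drops the space after `if` that the second hunk and the surrounding code use; write `if (strlcpy(name, optarg, sizeof(name)) >= sizeof(name)) {`. Portability is the larger concern: this file is under contrib/bind and is shared with the upstream vendor tree, where strlcpy() is not guaranteed to exist, so `if (strlen(optarg) >= sizeof(name))` followed by strcpy() gives the same rejection boundary using only ISO C functions.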
@@ -157,9 +161,14 @@
                                exit(-1);
                }
        }
-       if (optind < argc)
-               strcpy(name, argv[optind]);
-
+       if (optind < argc) {
+               if (strlcpy(name, argv[optind], sizeof(name)) >= sizeof(name)){
+                       fprintf(stderr,
+                               "Domain name too long (%s)\n", argv[optind]);
+                       exit(-1);
+               }
+       }
+
        len = sizeof(answer);
 
        if (!(res.options & RES_INIT))
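Review bot: this block repeats the `-h` handling from the first hunk verbatim (same check, same message, same exit); a small static helper taking the candidate string would keep the two paths in sync and leave a single place to change the message or exit status. Style: `sizeof(name)){` needs a space before the brace to match the first hunk. The hunk also deletes and re-adds the blank line after the `if`, which is harmless diff churn that can be dropped.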



>Release-Note:
>Audit-Trail:
Responsible-Changed-From-To: freebsd-bugs->kris 
Responsible-Changed-By: kris 
Responsible-Changed-When: Fri Aug 4 15:57:59 PDT 2000 
Responsible-Changed-Why:  
I'll take this one. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=16953 
State-Changed-From-To: open->analyzed 
State-Changed-By: kris 
State-Changed-When: Fri Aug 4 15:58:27 PDT 2000 
State-Changed-Why:  
I've submitted a derived patch back to the ISC for incorporation 
into the vendor code. Basically instead of using strlcpy() which 
is non-portable I check the strlen first and then use strcpy() if 
it's safe. Thanks! 

http://www.freebsd.org/cgi/query-pr.cgi?pr=16953 
State-Changed-From-To: analyzed->closed 
State-Changed-By: kris 
State-Changed-When: Wed Aug 23 02:27:20 PDT 2000 
State-Changed-Why:  
The modified patch has been accepted by the ISC for 
inclusion in BIND 8.2.3, and has been imported into 
FreeBSD 5.0-CURRENT. I will merge it to 4.1-STABLE 
in a few days. 

Thanks for the patch! 

http://www.freebsd.org/cgi/query-pr.cgi?pr=16953 
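The two argument paths the patch guards, as an added stand-alone model that is not code from the PR or from dnsquery, using the portable strlen()-then-strcpy() check kris describes in the audit trail; NAME_BUF, copy_name_checked() and pick_name() are assumed names, and the buffer size is deliberately small so the boundary is easy to exercise:

```c
#include <stdio.h>
#include <string.h>

#define NAME_BUF 16  /* assumed size; dnsquery's real buffer size is not in the patch */

/* Copy src into dst only if it fits together with its terminating NUL.
 * strlen(src) >= dstsize is the same rejection boundary the patch expresses
 * as strlcpy(...) >= sizeof(name), but needs only ISO C functions.
 * Returns 0 on success, -1 (dst untouched) when the name is too long. */
static int copy_name_checked(char *dst, size_t dstsize, const char *src)
{
    if (strlen(src) >= dstsize) {
        fprintf(stderr, "Domain name too long (%s)\n", src);
        return -1;
    }
    strcpy(dst, src);
    return 0;
}

/* Walk argv the way the patched code does: "-h NAME" sets the name and a
 * later positional argument overrides it. Returns 0 if a name was accepted,
 * -1 if one was rejected (dnsquery exits at that point) or none was given. */
static int pick_name(int argc, char **argv, char *name, size_t namesize)
{
    int i, rc = -1;

    name[0] = '\0';
    for (i = 1; i < argc; i++) {
        if (strcmp(argv[i], "-h") == 0 && i + 1 < argc)
            rc = copy_name_checked(name, namesize, argv[++i]);
        else
            rc = copy_name_checked(name, namesize, argv[i]);
        if (rc != 0)
            return rc;
    }
    return rc;
}

int main(int argc, char **argv)
{
    char name[NAME_BUF];

    if (pick_name(argc, argv, name, sizeof(name)) != 0)
        return 1;
    printf("query name: %s\n", name);
    return 0;
}
```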
>Unformatted:
