Vulnerability

    libc

Affected

    FreeBSD 4.x (all releases prior to 4.2), 4.1.1-STABLE prior to 2000/09/25

Description

    Following is based on a FreeBSD-SA-00:63 Security Advisory and  it
    was  found  originally  by  Pavel  Kankovsky.   The  getnameinfo()
    function is part of the protocol-independent resolver library from
    the KAME project.

    An  off-by-one  error  exists  in  the processing of DNS hostnames
    which  allows  a  long  DNS  hostname  to  crash the getnameinfo()
    function when an address  resolution of the hostname  is performed
    (e.g. in response to a connection to a service which makes use  of
    getnameinfo()).

    Under the following conditions, this  bug can be used as  a denial
    of service attack against vulnerable services:

        * The attacker must control their DNS server.
        * The service must be run as a persistent daemon (i.e. running
          "standalone",  not  spawned  as-needed  from  a   supervisor
          process such as inetd)
        * The daemon must perform the getnameinfo() call on the remote
          hostname  prior  to  forking  a  child process to handle the
          connection (otherwise  it is  just the  child process  which
          dies, and the parent remains running).
        * The daemon  is not automatically  restarted by a  "watchdog"
          process.

    All released versions of FreeBSD 4.x prior to the correction  date
    including 4.0, 4.1, and 4.1.1 are vulnerable to this problem,  but
    it was fixed  in the 4.1.1-STABLE  branch prior to  the release of
    FreeBSD 4.2-RELEASE.  The  FreeBSD 3.x branch is  unaffected since
    it does not include the KAME code.

    Note  that  this   vulnerability  is  not   believed  to  pose   a
    vulnerability for any servers included in the FreeBSD base system.
    It is  only a  potential problem  for certain  third party servers
    fulfilling  the  above  conditions  (none  of  which are currently
    known).   Therefore the  impact on  the vast  majority of  FreeBSD
    systems is expected to be nonexistent.

    Remote users may be  able to cause a  very small class of  network
    servers  to  terminate  abnormally,  causing  a  denial of service
    condition.

Solution

    1) Upgrade  your  vulnerable  FreeBSD  4.x system to  4.1.1-STABLE
       after the correction date.
    2) Apply the patch below and recompile the relevant files:
       Either save this advisory to a file, or download the patch  and
       detached PGP signature from the following locations, and verify
       the signature using your PGP utility.
       ftp://ftp.freebsd.org/pub/FreeBSD/CERT/patches/SA-00:63/getnameinfo.patch
       ftp://ftp.freebsd.org/pub/FreeBSD/CERT/patches/SA-00:63/getnameinfo.patch.asc

       Execute the following commands as root:
       # cd /usr/src/lib/libc
       # patch -p < /path/to/patch_or_advisory
       # make depend && make all install

    Patch for vulnerable systems:

    --- net/getnameinfo.c	2000/07/05 05:09:17	1.5
    +++ net/getnameinfo.c	2000/09/25 23:04:36	1.6
    @@ -154,12 +153,12 @@
 				    (flags & NI_DGRAM) ? "udp" : "tcp");
 		    }
 		    if (sp) {
    -			if (strlen(sp->s_name) > servlen)
    +			if (strlen(sp->s_name) + 1 > servlen)
 				    return ENI_MEMORY;
 			    strcpy(serv, sp->s_name);
 		    } else {
 			    snprintf(numserv, sizeof(numserv), "%d", ntohs(port));
    -			if (strlen(numserv) > servlen)
    +			if (strlen(numserv) + 1 > servlen)
 				    return ENI_MEMORY;
 			    strcpy(serv, numserv);
 		    }
    @@ -253,7 +252,7 @@
 					    *p = '\0';
 			    }
     #endif
    -			if (strlen(hp->h_name) > hostlen) {
    +			if (strlen(hp->h_name) + 1 > hostlen) {
 				    freehostent(hp);
 				    return ENI_MEMORY;
 			    }