Subject: Re: [Patch] Security: BOF in ares_parse_ptr_reply

From: Gerald Combs <gerald_at_wireshark.org>
Date: Wed, 26 Nov 2008 10:56:02 -0800

Daniel Stenberg wrote:
> On Wed, 26 Nov 2008, Gerald Combs wrote:
>
>> Thanks! Is there any estimate on the next release?
>
> We tend to do releases on demand, when we think we have something
> particular that's enough to warrant one. You think we have enough
> reasons to make one?

Does a severe bug in ares_parse_ptr_reply count? For PTR replies containing 8 or
more responses, memory was reallocated in a way that made the second and
subsequent responses overwrite recently-freed memory. I'm not sure if it's
exploitable, but it can certainly cause a crash:

$ ahost 65.39.176.71
adserv2.bravenet.com 65.39.176.71
Segmentation fault (core dumped)

# ping -c 20 65.39.176.71 > /dev/null &
[1] 15734
# tshark -NnC icmp
Running as user "root" and group "root". This could be dangerous.
Capturing on eth0
98 0.000000 192.168.0.2 -> 65.39.176.71 ICMP Echo (ping) request
98 0.038700 65.39.176.71 -> 192.168.0.2 ICMP Echo (ping) reply
Segmentation fault (core dumped)

I'd like to get a fix included in the next development release of Wireshark, as
well as a project we're working on internally here at work.
Received on 2008-11-26