• Some potential security bugs in djbdns 1.05

    From Georgi Guninski@21:1/5 to All on Thu Jun 4 12:40:01 2020
    Some potential security bugs in djbdns 1.05; we didn't test them
    on hardware.

    djbdns [1] is an "ancient" DNS server.

    It still has a $1K bounty for an exploit [2].

    Are these bugs vulnerabilities?

    In cdb_make.c, cdb_make_finish:

    100   memsize += c->numentries; /* no overflow possible up to now */
    101   u = (uint32) 0 - (uint32) 1;
    102   u /= sizeof(struct cdb_hp);
    103   if (memsize > u) { errno = error_nomem; return -1; }
    104
    105   c->split = (struct cdb_hp *) alloc(memsize * sizeof(struct cdb_hp));
    106   if (!c->split) return -1;
    107
    108   c->hash = c->split + c->numentries;
    109
    110   u = 0;
    111   for (i = 0;i < 256;++i) {
    112     u += c->count[i]; /* bounded by numentries, so no overflow */
    113     c->start[i] = u;
    114   }

    Issue 1: On line 105, alloc(-SMALL) overflows alloc() despite the check for overflow on line 103, e.g.
    memsize = ((unsigned int) -1) / sizeof(struct cdb_hp)

    In alloc.c:

    /*@null@*//*@out@*/char *alloc(n)
    unsigned int n;
    {
      char *x;
    [A]  n = ALIGNMENT + n - (n & (ALIGNMENT - 1)); /* XXX: could overflow */
      if (n <= avail) { avail -= n; return space + avail; }

    [A] overflows at least for -16 <= n <= -1.

    This integer overflow might be mitigated by memory limits.

    In query.c:

    Issue 2: There are several usages:
    uint16_unpack_big(header + 8,&datalen);
    pos += datalen;

    There appears to be no check that datalen doesn't overflow the buffer,
    leading past the end.

    [1] https://cr.yp.to/djbdns.html
    [2] https://cr.yp.to/djbdns/guarantee.html

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
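The arithmetic behind Issue 1, as an added example that is not djbdns code and not part of the post: it models the element-count check of cdb_make_finish() and the alignment round-up of alloc() with 32-bit unsigned values, so the wrap can be observed directly, and sets a hardened round-up beside the original. ALIGNMENT is 16 as in djbdns alloc.c; sizeof(struct cdb_hp) is assumed to be 8 (two uint32 fields); the arena simulator, its size, and all function names are this example's own.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>

/* Added example (not djbdns code). Models, in 32-bit unsigned arithmetic,
 * the size computation in cdb_make_finish() and the round-up in alloc()
 * quoted in the post. ALIGNMENT is 16 as in djbdns alloc.c;
 * sizeof(struct cdb_hp) is assumed to be 8 (two uint32 fields). */
#define ALIGNMENT   16u
#define CDB_HP_SIZE 8u

/* The round-up alloc() performs before comparing against avail.
 * For n in [2^32-16, 2^32-1] the addition wraps and the result is 0. */
uint32_t alloc_round_unchecked(uint32_t n)
{
    return ALIGNMENT + n - (n & (ALIGNMENT - 1));
}

/* Hardened round-up: reject any n whose rounded size cannot fit in 32
 * bits. Returns 0 on rejection; 0 is never a legitimate result because
 * the smallest rounded size is ALIGNMENT. */
uint32_t alloc_round_checked(uint32_t n)
{
    if (n > UINT32_MAX - ALIGNMENT)
        return 0;
    return ALIGNMENT + n - (n & (ALIGNMENT - 1));
}

/* Mirrors lines 101-105 of the post: the element-count bound holds, so
 * memsize * CDB_HP_SIZE itself does not wrap, but the resulting byte
 * count can land in alloc()'s wrapping range.
 * Returns 0 and stores the byte count, or -1 with errno = ENOMEM. */
int finish_size_check(uint32_t memsize, uint32_t *bytes_out)
{
    uint32_t u = (uint32_t)0 - (uint32_t)1;   /* 0xFFFFFFFF */
    u /= CDB_HP_SIZE;                         /* largest element count */
    if (memsize > u) { errno = ENOMEM; return -1; }
    *bytes_out = memsize * CDB_HP_SIZE;       /* <= 0xFFFFFFF8, no wrap */
    return 0;
}

/* Convenience wrapper: byte count for memsize, or 0 if the check rejects it. */
uint32_t finish_bytes_for(uint32_t memsize)
{
    uint32_t b;
    return finish_size_check(memsize, &b) == 0 ? b : 0;
}

/* Simulated arena with the same fast path as alloc(): the rounded size
 * is subtracted from avail and a pointer into the arena is returned.
 * *reserved receives the number of bytes actually set aside so the
 * caller can compare it with the request. Returns NULL when the arena
 * is exhausted (the real alloc() falls back to malloc() there). */
#define ARENA 4096u
static char space[ARENA];
static uint32_t avail = ARENA;

char *sim_alloc(uint32_t n, uint32_t *reserved)
{
    n = alloc_round_unchecked(n);
    if (n <= avail) { avail -= n; *reserved = n; return space + avail; }
    return NULL;
}

/* Bytes the arena actually reserved for a request of n bytes,
 * or UINT32_MAX if the request was refused. */
uint32_t sim_alloc_reserved(uint32_t n)
{
    uint32_t reserved;
    return sim_alloc(n, &reserved) ? reserved : UINT32_MAX;
}

int main(void)
{
    uint32_t memsize = UINT32_MAX / CDB_HP_SIZE;   /* passes the line-103 check */
    uint32_t bytes = finish_bytes_for(memsize);

    printf("memsize %u passes the check; byte count 0x%08x\n", memsize, bytes);
    printf("alloc round-up (unchecked): %u\n", alloc_round_unchecked(bytes));
    printf("alloc round-up (checked):   %u (0 = rejected)\n", alloc_round_checked(bytes));
    printf("arena reserved %u bytes for that request and still returned a pointer\n",
           sim_alloc_reserved(bytes));
    return 0;
}
```

The point the numbers make: memsize = 0xFFFFFFFF / 8 survives the comparison on line 103, the multiplication yields 0xFFFFFFF8 without wrapping, and alloc()'s round-up then turns that into 0, so the arena hands back a pointer with nothing reserved behind it. The checked variant refuses the request instead.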
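The bound Issue 2 asks about, as an added example that is not djbdns's query.c and not part of the post: a minimal walker over DNS resource records that unpacks the 16-bit RDLENGTH big-endian and compares it with the bytes remaining in the packet before advancing pos, placed beside a variant that advances unchecked so the difference is visible. The sample answer section is constructed for this example, and skipname(), walk_rrs_checked(), walk_rrs_unchecked() and the demo_* helpers are this example's own names.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example (not djbdns code). Walks DNS resource records with an
 * explicit RDLENGTH-versus-remaining-bytes check, and for contrast the
 * same walk with the unchecked "pos += datalen" advance. */

/* Big-endian 16-bit unpack, same contract as uint16_unpack_big(). */
static uint16_t unpack16(const unsigned char *p)
{
    return (uint16_t)(((unsigned)p[0] << 8) | p[1]);
}

/* Skip an owner name (labels or a compression pointer) with bounds
 * checks. Returns the position after the name, or 0 on overrun. */
static unsigned skipname(const unsigned char *buf, unsigned len, unsigned pos)
{
    for (;;) {
        unsigned c;
        if (pos >= len) return 0;
        c = buf[pos++];
        if (c >= 192) return (pos < len) ? pos + 1 : 0;   /* two-byte pointer */
        if (c >= 64) return 0;                              /* reserved label type */
        if (c == 0) return pos;                             /* root label ends the name */
        if (c > len - pos) return 0;                        /* label runs off the end */
        pos += c;
    }
}

/* Walk n RRs starting at pos. Each RR is a name, 10 fixed bytes
 * (TYPE, CLASS, TTL, RDLENGTH) and RDLENGTH bytes of RDATA.
 * Returns the position after the last RR, or 0 if any field would
 * run past len. */
unsigned walk_rrs_checked(const unsigned char *buf, unsigned len, unsigned pos, unsigned n)
{
    while (n--) {
        uint16_t datalen;
        pos = skipname(buf, len, pos);
        if (!pos) return 0;
        if (len - pos < 10) return 0;                 /* fixed RR header */
        datalen = unpack16(buf + pos + 8);
        pos += 10;
        if (datalen > len - pos) return 0;            /* RDATA would overrun the packet */
        pos += datalen;
    }
    return pos;
}

/* Same walk with the unchecked advance from the post: pos += datalen
 * with no comparison against len, so the result can exceed len. */
unsigned walk_rrs_unchecked(const unsigned char *buf, unsigned len, unsigned pos, unsigned n)
{
    while (n--) {
        uint16_t datalen;
        pos = skipname(buf, len, pos);
        if (!pos) return 0;
        if (len - pos < 10) return 0;
        datalen = unpack16(buf + pos + 8);
        pos += 10;
        pos += datalen;                               /* trusts the wire value */
    }
    return pos;
}

/* Constructed answer section: one A record for the name "a" (17 bytes). */
static const unsigned char sample_rr[] = {
    0x01, 'a', 0x00,                 /* owner name "a." */
    0x00, 0x01,                      /* TYPE A */
    0x00, 0x01,                      /* CLASS IN */
    0x00, 0x00, 0x00, 0x3c,          /* TTL 60 */
    0x00, 0x04,                      /* RDLENGTH 4 */
    0xc0, 0x00, 0x02, 0x01           /* RDATA 192.0.2.1 */
};
#define SAMPLE_LEN ((unsigned)sizeof sample_rr)

/* Well-formed packet: both walkers end exactly at SAMPLE_LEN. */
unsigned demo_wellformed(int checked)
{
    return checked ? walk_rrs_checked(sample_rr, SAMPLE_LEN, 0, 1)
                   : walk_rrs_unchecked(sample_rr, SAMPLE_LEN, 0, 1);
}

/* Packet truncated two bytes short of its RDATA. */
unsigned demo_truncated(int checked)
{
    return checked ? walk_rrs_checked(sample_rr, SAMPLE_LEN - 2, 0, 1)
                   : walk_rrs_unchecked(sample_rr, SAMPLE_LEN - 2, 0, 1);
}

/* Packet whose RDLENGTH claims 255 bytes of RDATA while only 4 follow. */
unsigned demo_lying_rdlength(int checked)
{
    unsigned char pkt[sizeof sample_rr];
    memcpy(pkt, sample_rr, sizeof pkt);
    pkt[12] = 0xff;                                    /* low byte of RDLENGTH */
    return checked ? walk_rrs_checked(pkt, SAMPLE_LEN, 0, 1)
                   : walk_rrs_unchecked(pkt, SAMPLE_LEN, 0, 1);
}

int main(void)
{
    printf("well-formed:    checked=%u unchecked=%u (len %u)\n",
           demo_wellformed(1), demo_wellformed(0), SAMPLE_LEN);
    printf("truncated:      checked=%u unchecked=%u (len %u)\n",
           demo_truncated(1), demo_truncated(0), SAMPLE_LEN - 2);
    printf("lying RDLENGTH: checked=%u unchecked=%u (len %u)\n",
           demo_lying_rdlength(1), demo_lying_rdlength(0), SAMPLE_LEN);
    return 0;
}
```

The checked walker returns 0 for both malformed inputs; the unchecked one reports a position of 17 on a 15-byte packet and 268 on a 17-byte packet, which is the "leading past the end" condition the post describes. Any later read that trusts such a position without its own bounds check reads beyond the packet.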