[dns-operations] CVE-2015-7547: glibc getaddrinfo buffer overflow

Tony Finch dot at dotat.at
Wed Feb 17 11:27:45 UTC 2016


Florian Weimer <fw at deneb.enyo.de> wrote:
>
> But it's certainly true there aren't any good network-side mitigation
> options.

It might be reasonable to limit the size of A and AAAA RRsets to somewhat
less than 2KB :-) But right now it's easier (with the software I'm
running) to fix glibc than add the necessary nameserver feature :-/

2KB is uncomfortably small for other RRsets - .gdn and .hiv have DNSKEY
RRsets which produce message sizes larger than 2KB.

Tony.
-- 
f.anthony.n.finch  <dot at dotat.at>  http://dotat.at/
Fitzroy, Sole: Southwesterly at first in southeast, otherwise northwesterly, 5
to 7 increasing gale 8 at times. Rough or very rough, occasionally high later
in northwest. Rain or showers. Good, occasionally poor.
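
Added example, not part of the original message or of any nameserver's code: a type-specific size check of the kind suggested above, which measures only A and AAAA records so that large DNSKEY responses pass. The 2000-byte limit, the function names and the sample responses are assumptions constructed for illustration, and sizes are summed per type across the answer section rather than per owner name.

```python
import struct

A, AAAA, DNSKEY = 1, 28, 48
LIMIT = 2000  # assumed value for "somewhat less than 2KB"

def skip_name(msg, off):
    """Return the offset just past the (possibly compressed) name at off."""
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:   # compression pointer: 2 bytes, ends the name
            return off + 2
        if length == 0:             # root label ends the name
            return off + 1
        off += 1 + length

def address_rrset_bytes(msg):
    """Wire size of the A and AAAA records in the answer section, by type."""
    try:
        _id, _flags, qd, an, _ns, _ar = struct.unpack_from("!6H", msg, 0)
        off = 12
        for _ in range(qd):
            off = skip_name(msg, off) + 4           # QTYPE + QCLASS
        sizes = {A: 0, AAAA: 0}
        for _ in range(an):
            start = off
            off = skip_name(msg, off)
            rtype, _cls, _ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
            off += 10 + rdlen
            if off > len(msg):
                raise ValueError("record runs past end of message")
            if rtype in sizes:
                sizes[rtype] += off - start
        return sizes
    except (IndexError, struct.error) as exc:
        raise ValueError("malformed DNS message") from exc

def over_limit(msg, limit=LIMIT):
    """True if the A or AAAA records in the answer exceed the limit."""
    return any(n > limit for n in address_rrset_bytes(msg).values())

def build_response(rtype, rdata_len, count):
    """Constructed sample: a response for example.test with `count` records."""
    qname = b"\x07example\x04test\x00"
    header = struct.pack("!6H", 0x1234, 0x8180, 1, count, 0, 0)
    question = qname + struct.pack("!HH", rtype, 1)
    # Owner name is a compression pointer back to the question name at offset 12.
    rr = b"\xc0\x0c" + struct.pack("!HHIH", rtype, 1, 300, rdata_len) + bytes(rdata_len)
    return header + question + rr * count
```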


