[dns-operations] CVE-2015-7547: glibc getaddrinfo buffer overflow

Florian Weimer fw at deneb.enyo.de
Wed Feb 17 19:05:15 UTC 2016


* Robert Edmonds:

> Florian Weimer wrote:
>> * Stephane Bortzmeyer:
>> 
>> > On Tue, Feb 16, 2016 at 03:49:18PM +0000,
>> >  Tony Finch <dot at dotat.at> wrote 
>> >  a message of 41 lines which said:
>> >
>> >> Technical analysis and patch:
>> >> 
>> >>  https://sourceware.org/ml/libc-alpha/2016-02/msg00416.html
>> >
>> > And a lot of stupid advice (limiting answers to 512 bytes in the
>> > firewall),
>> 
>> Which is fine for a default configuration because the glibc stub
>> resolver does not enable EDNS0, so a compliant recursor will not send
>> larger responses anyway.
>
> There is some speculation that this isn't exploitable in default
> configurations [0] or that disabling EDNS0 on the server side can
> mitigate the problem [1].

Yes, that's exactly what I thought when reading the original bug
report.  It is the main reason why I de-prioritized it.  I finally got
around to writing a reproducer for the UDP case, and Carlos noticed the
TCP vector while fixing the UDP bug.

> This is not the case, right? The vulnerable code can still be
> reached via TCP?

Yes, the vulnerability in the TCP code can be reached over TCP.  They
are distinct vulnerabilities in similar, but separate code.

> Is Unbound's "msg-buffer-size: 2047" an effective workaround? :-) :-(

I didn't realize this option existed.  I'm not sure about the exact
value to use there, but something like that should be an effective
mitigation (if the limit really applies to all responses, including
the last-resort handler).

EDNS0 buffer sizes only affect UDP responses and are therefore not
completely effective.
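
The point above, that a response-size limit has to cover TCP as well as UDP, as an added example that is not part of the original message: a Python check that flags oversized DNS responses on both transports, including the 2-byte length framing used over TCP. The function names are hypothetical, the 2047 limit is the value quoted in the thread and is used here only as an assumption, and the sample messages are constructed.

```python
import struct

UDP_LIMIT = 512   # classic DNS-over-UDP size without EDNS0, as discussed in the thread
TCP_LIMIT = 2047  # value quoted in the thread for Unbound; assumed, not a confirmed threshold

def is_response(msg):
    """True if msg holds a full 12-byte DNS header with the QR (response) bit set."""
    return len(msg) >= 12 and bool(msg[2] & 0x80)

def split_tcp_stream(stream):
    """Yield DNS messages from a TCP byte stream (2-byte big-endian length prefix)."""
    offset = 0
    while offset + 2 <= len(stream):
        (length,) = struct.unpack_from("!H", stream, offset)
        end = offset + 2 + length
        if end > len(stream):
            break  # incomplete frame: wait for more data instead of guessing
        yield stream[offset + 2:end]
        offset = end

def oversized_responses(transport, payload, udp_limit=UDP_LIMIT, tcp_limit=TCP_LIMIT):
    """Return (transport, transaction id, size) for each response above the limit."""
    if transport == "udp":
        messages, limit = [payload], udp_limit
    elif transport == "tcp":
        messages, limit = list(split_tcp_stream(payload)), tcp_limit
    else:
        raise ValueError("transport must be 'udp' or 'tcp'")
    findings = []
    for msg in messages:
        if is_response(msg) and len(msg) > limit:
            txid = struct.unpack_from("!H", msg)[0]
            findings.append((transport, txid, len(msg)))
    return findings

def make_message(txid, size, response=True):
    """Constructed sample: a DNS header zero-padded to `size` bytes (no real records)."""
    flags = 0x8180 if response else 0x0100
    header = struct.pack("!HHHHHH", txid, flags, 0, 0, 0, 0)
    return header + bytes(size - len(header))

def frame(msg):
    """Add the TCP length prefix to one DNS message."""
    return struct.pack("!H", len(msg)) + msg
```

A filter that inspects only UDP datagrams never sees the second case: `oversized_responses("tcp", frame(make_message(4, 3000)))` reports the 3000-byte response, while the same check limited to UDP reports nothing for that traffic.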



