[dns-operations] CVE-2015-7547: glibc getaddrinfo buffer overflow

Dominic Hargreaves dom at earth.li
Thu Feb 18 11:40:44 UTC 2016

On Wed, Feb 17, 2016 at 08:05:15PM +0100, Florian Weimer wrote:
> * Robert Edmonds:

> > Is Unbound's "msg-buffer-size: 2047" an effective workaround? :-) :-(
> I didn't realize this option existed.  I'm not sure about the exact
> value to use there, but something like that should be an effective
> mitigation (if the limit really applies to all responses, including
> the last-resort handler).
> EDNS0 buffer sizes only affect UDP responses and are therefore not
> completely effective.

I tried this (with 1500 bytes), but it doesn't work without
recompilation: the minimum size the server will allow is 4096 bytes
(Debian 1.4.22-3).


More information about the dns-operations mailing list