[dns-operations] CVE-2015-7547: glibc getaddrinfo buffer overflow
Doug Barton
dougb at dougbarton.email
Tue Feb 23 17:48:18 UTC 2016
On 02/17/2016 11:05 AM, Florian Weimer wrote:
> * Robert Edmonds:
>> Is Unbound's "msg-buffer-size: 2047" an effective workaround? :-) :-(
>
> I didn't realize this option existed. I'm not sure about the exact
> value to use there, but something like that should be an effective
> mitigation (if the limit really applies to all responses, including
> the last-resort handler).
It's doubtful this would help, since in almost all cases the
vulnerability depends on doing a retry to trigger the pathological
heap/stack switch. Or put more simply, Just one response is probably not
sufficient.
Doug
More information about the dns-operations
mailing list