Name Buffer Truncation
Summary
A silent truncation of memory pool names was found, which might lead to unintended behavior or incorrect debugging output.
The memory pool structure isc_mempool has a member field name with a capacity of 16 bytes, i.e. room for 15 characters plus the terminating NUL byte, as shown in the following listing from file lib/isc/mem.c:
struct isc_mempool {
	/* always unlocked */
	unsigned int magic;
	isc_mem_t *mctx;           /*%< our memory context */
	ISC_LINK(isc_mempool_t) link; /*%< next pool in this mem context */
	element *items;            /*%< low water item list */
	size_t size;               /*%< size of each item on this pool */
	size_t allocated;          /*%< # of items currently given out */
	size_t freecount;          /*%< # of items on reserved list */
	size_t freemax;            /*%< # of items allowed on free list */
	size_t fillcount;          /*%< # of items to fetch on each fill */
	/*%< Stats only. */
	size_t gets;               /*%< # of requests to this pool */
	/*%< Debugging only. */
	char name[16];             /*%< printed name in stats reports */
};
In the function dns_zonemgr_create(), the string "zonemgr-mctxpool" is passed on to function isc_mem_setname(). That string is 16 characters long (17 bytes including the terminating NUL byte), but the name field can hold only 15 characters plus the terminator, so the last character of the name is silently truncated, as shown in the following listing:
for (size_t i = 0; i < zmgr->workers; i++) {
	isc_mem_create(&zmgr->mctxpool[i]);
	isc_mem_setname(zmgr->mctxpool[i], "zonemgr-mctxpool");
	/* MARK truncation / off by one (name buffer is 16 bytes only) */
}
This issue is rated informational since the truncation has no security implications; the copy is bounded and cannot overflow the buffer. It could, however, lead to incorrect assumptions or functionality defects, for example when a name is used to match a memory context in statistics or debugging output.
BIND version used
BIND 9.19.13 (Development Release) id:66a3c6b
Possible fixes
X41 recommends either increasing the buffer size or shortening the name value, and additionally adding an assertion to the function that receives the name, isc_mem_setname() in the listing above, that ensures the name length is larger than zero and less than 16 bytes, not counting the terminating NUL byte, so that an oversized name fails loudly instead of being truncated silently.
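The following self-contained C program, added here as an illustration and not part of BIND or of the original report, reproduces the effect described above and the recommended check. It uses a stand-alone 16-byte name field and a strlcpy()-style bounded copy (named bounded_copy here; the names named_ctx, setname_silent and setname_checked are this example's own and not BIND identifiers). setname_silent() shows the silent loss of the final character of "zonemgr-mctxpool", while setname_checked() rejects any name that is empty or does not fit together with its terminating NUL byte, which is the assertion the recommendation asks for.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Mirrors the 16-byte name field from the listing above: 15 characters plus NUL. */
#define NAME_CAPACITY 16

/* Stand-in for the structure carrying the name (not a BIND type). */
struct named_ctx {
	char name[NAME_CAPACITY];
};

/* strlcpy()-style bounded copy: always NUL-terminates the destination and
 * returns strlen(src), so a return value >= dstsize means truncation occurred. */
static size_t bounded_copy(char *dst, const char *src, size_t dstsize)
{
	size_t srclen = strlen(src);
	if (dstsize != 0) {
		size_t n = (srclen < dstsize - 1) ? srclen : dstsize - 1;
		memcpy(dst, src, n);
		dst[n] = '\0';
	}
	return srclen;
}

/* The behaviour the finding describes: the copy is bounded, so there is no
 * overflow, but a 16-character name loses its last character and the return
 * value that would reveal the truncation is discarded. */
static void setname_silent(struct named_ctx *ctx, const char *name)
{
	(void)bounded_copy(ctx->name, name, sizeof(ctx->name));
}

/* Hardened variant in the spirit of the recommended assertion: the name must be
 * non-empty and must fit including its terminating NUL byte. Returns 0 on
 * success and -1 if the name is rejected; ctx->name is left untouched then.
 * In BIND this check would be a REQUIRE() rather than an error return. */
static int setname_checked(struct named_ctx *ctx, const char *name)
{
	size_t len = strlen(name);
	if (len == 0 || len > sizeof(ctx->name) - 1) {
		return -1;
	}
	memcpy(ctx->name, name, len + 1);
	return 0;
}

/* Returns the name actually stored after a silent set (static storage so the
 * pointer stays valid for the caller). */
const char *name_after_silent_set(const char *name)
{
	static struct named_ctx ctx;
	setname_silent(&ctx, name);
	return ctx.name;
}

/* Returns the result of the checked set for a given name. */
int checked_set_result(const char *name)
{
	struct named_ctx ctx = { "unchanged" };
	return setname_checked(&ctx, name);
}

int main(void)
{
	/* The 16-character literal from the dns_zonemgr_create() listing. */
	const char *literal = "zonemgr-mctxpool";

	printf("strlen(\"%s\") = %zu, buffer holds at most %d characters\n",
	       literal, strlen(literal), NAME_CAPACITY - 1);
	printf("silent setname stores:  \"%s\"\n", name_after_silent_set(literal));
	printf("checked setname returns: %d\n", checked_set_result(literal));
	printf("checked setname of \"zonemgr-mctx\" returns: %d\n",
	       checked_set_result("zonemgr-mctx"));
	return 0;
}
```

Running the program prints "zonemgr-mctxpoo" for the silent variant, which is exactly the off-by-one the finding points out; the checked variant returns -1 for the same input and 0 once the name is shortened to fit.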