On Jun 10 2011, Adam Tkac wrote:
> Hello Chris,
>
> that was too short cut from ncache.c. 9.7.0* contains:
>
>         /*
>          * Copy the type to the buffer.
>          */
>         isc_buffer_availableregion(&buffer, &r);
>         if (r.length < 2)
>                 return (ISC_R_NOSPACE);
>         isc_buffer_putuint16(&buffer, rdataset->type);
>
>         /*
>          * Copy the rdataset into the buffer.
>          */
>
> which is correct, you checked there are at least two bytes in the buffer
> and then copy uint16 (which has 2 bytes) there. However affected 9.7.3
> contains:
>
>         /*
>          * Copy the type to the buffer.
>          */
>         isc_buffer_availableregion(&buffer, &r);
>         if (r.length < 2)
>                 return (ISC_R_NOSPACE);
>         isc_buffer_putuint16(&buffer, rdataset->type);
>         isc_buffer_putuint8(&buffer, (unsigned char)rdataset->trust);
>
>         /*
>          * Copy the rdataset into the buffer.
>          */
>
> Notice that now you are copying three bytes (uint16 + uint8) but you only
> checked there is place for two bytes, which is the bug.

Yes - I really should have seen that! And of course, when I look back
at what my source at ISC (sorry, Evan) *actually* said, those lines
*were* all included.

-- 
Chris Thompson
Email: [email protected]
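
The check-versus-write mismatch discussed in this thread, as an added example that is not part of either message and is not BIND code. The outbuf type, its writers, and the function names are hypothetical stand-ins; the writer records an overrun instead of writing past the end, so the effect can be observed safely.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical bounded buffer for illustration; not ISC's isc_buffer_t. */
struct outbuf { uint8_t *base; size_t length; size_t used; int overrun; };
enum { R_SUCCESS = 0, R_NOSPACE = 1 };
static size_t available(const struct outbuf *b) { return b->length - b->used; }

/* Unchecked writer: records an overrun instead of writing out of bounds. */
static void put8(struct outbuf *b, uint8_t v) {
    if (b->used >= b->length) { b->overrun = 1; return; }
    b->base[b->used++] = v;
}
static void put16(struct outbuf *b, uint16_t v) {
    put8(b, (uint8_t)(v >> 8));
    put8(b, (uint8_t)(v & 0xff));
}

/* Pattern quoted from 9.7.3: space for 2 bytes is checked, 3 are written. */
static int copy_short_check(struct outbuf *b, uint16_t type, uint8_t trust) {
    if (available(b) < 2) return R_NOSPACE;
    put16(b, type);
    put8(b, trust);
    return R_SUCCESS;
}

/* Check sized to everything written after it (uint16 + uint8 = 3 bytes). */
static int copy_full_check(struct outbuf *b, uint16_t type, uint8_t trust) {
    if (available(b) < sizeof(uint16_t) + sizeof(uint8_t)) return R_NOSPACE;
    put16(b, type);
    put8(b, trust);
    return R_SUCCESS;
}

/* Run one variant with `space` (<= 8) free bytes; returns 1 if a write ran past the end. */
static int overruns(int (*copy)(struct outbuf *, uint16_t, uint8_t), size_t space, int *result) {
    uint8_t storage[8] = {0};
    struct outbuf b = { storage, space, 0, 0 };
    *result = copy(&b, 1, 3); /* constructed type and trust values */
    return b.overrun;
}

int main(void) {
    int r, o = overruns(copy_short_check, 2, &r);
    printf("2 bytes free, short check: result=%d overrun=%d\n", r, o);
    o = overruns(copy_full_check, 2, &r);
    printf("2 bytes free, full check:  result=%d overrun=%d\n", r, o);
    return 0;
}
```

The two variants differ only when exactly two bytes remain: the short check reports success after the third byte has already run past the end, while the full check returns the no-space result before anything is written.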

