|
Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com |
Subject: Re: Bug, possible hole in nslookup, various operating systems
From: Kyle Bradley (primtech
FONE.NET)Date: Sat Dec 16 2000 - 16:33:04 CST
- Next message: Michal Zalewski: "Re: cross site exploits"
- Previous message: SSecurity: "Re: Bug, possible hole in nslookup, various operating systems"
- Maybe in reply to: Gunnar Wolf: "Bug, possible hole in nslookup, various operating systems"
- Maybe reply: Kyle Bradley: "Re: Bug, possible hole in nslookup, various operating systems"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
I don't think this is really a problem.
I'm looking at code for nslookup that came from bind-8.2.2_P5-9.src.rpm
with my Redhat 6.2 installation. In src/bin/nslookup/main.c:
static const char sccsid[] = "(#)main.c 5.42 (Berkeley) 3/3/91";
static const char rcsid[] = "$Id: main.c,v 8.13 1999/10/13 16:39:19
vixie Exp $";
It looks like the ^C is caught by the IntrHandler() routine (right at
the top of subr.c). According to the comments:
* This routine is called whenever a control-C is typed.
* It performs three main functions:
* - closes an open socket connection,
* - closes an open output file (used by LookupHost, et al.),
* - jumps back to the main read-eval loop.
So, the ^C is hit during the main read-eval loop in interactive mode,
IntrHandler() is called, and yyrestart() is called again or longjmp()
jumps back to the last setjmp(). If longjmp() is called instead of
yyrestart(), the program resumes execution in main.c, line 358:
/*
* Setup the environment to allow the interrupt handler to
return here.
*/
(void) setjmp(env);
which is right before the scanner code:
printf("> ");
fflush(stdout);
while(yylex()) {
printf("> ");
fflush(stdout);
}
The flex man page says:
- flex scanners are not as reentrant as lex scanners.
In particular, if you have an interactive scanner
and an interrupt handler which long-jumps out of
the scanner, and the scanner is subsequently called
again, you may get the following message:
fatal flex scanner internal error--end of buffer
missed
To reenter the scanner, first use
yyrestart( yyin );
So the error is that the SIGINT causes a longjmp() out of the
read-eval loop, which gets run again. flex isn't able to handle this,
so it spits out the error.
I don't see any security problem with this right offhand.
- Kyle
-- | "Words come from an ancestry, deeds from a mastery: when these are | | unknown, so am I. In my obscurity is my value. That's why the wise | | wear their jade under common clothes. - Lao Tzu" | primtech
- Next message: Michal Zalewski: "Re: cross site exploits"
- Previous message: SSecurity: "Re: Bug, possible hole in nslookup, various operating systems"
- Maybe in reply to: Gunnar Wolf: "Bug, possible hole in nslookup, various operating systems"
- Maybe reply: Kyle Bradley: "Re: Bug, possible hole in nslookup, various operating systems"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]