OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
 
Subject: Re: Bug, possible hole in nslookup, various operating systems
From: Kyle Bradley (primtechFONE.NET)
Date: Sat Dec 16 2000 - 16:33:04 CST


I don't think this is really a problem.

I'm looking at code for nslookup that came from bind-8.2.2_P5-9.src.rpm
with my Redhat 6.2 installation. In src/bin/nslookup/main.c:

static const char sccsid[] = "(#)main.c 5.42 (Berkeley) 3/3/91";
static const char rcsid[] = "$Id: main.c,v 8.13 1999/10/13 16:39:19
vixie Exp $";

It looks like the ^C is caught by the IntrHandler() routine (right at
the top of subr.c). According to the comments:

 * This routine is called whenever a control-C is typed.
 * It performs three main functions:
 * - closes an open socket connection,
 * - closes an open output file (used by LookupHost, et al.),
 * - jumps back to the main read-eval loop.

So, the ^C is hit during the main read-eval loop in interactive mode,
IntrHandler() is called, and yyrestart() is called again or longjmp()
jumps back to the last setjmp(). If longjmp() is called instead of
yyrestart(), the program resumes execution in main.c, line 358:

        /*
         * Setup the environment to allow the interrupt handler to
return here.
         */

        (void) setjmp(env);

which is right before the scanner code:

        printf("> ");
        fflush(stdout);
        while(yylex()) {
            printf("> ");
            fflush(stdout);
        }

The flex man page says:

       - flex scanners are not as reentrant as lex scanners.
              In particular, if you have an interactive scanner
              and an interrupt handler which long-jumps out of
              the scanner, and the scanner is subsequently called
              again, you may get the following message:

                  fatal flex scanner internal error--end of buffer
missed

              To reenter the scanner, first use

                  yyrestart( yyin );

So the error is that the SIGINT causes a longjmp() out of the
read-eval loop, which gets run again. flex isn't able to handle this,
so it spits out the error.

I don't see any security problem with this right offhand.

- Kyle

--
| "Words come from an ancestry, deeds from a mastery: when these are |
| unknown, so am I. In my obscurity is my value. That's why the wise |
| wear their jade under common clothes. - Lao Tzu"                   |
			   primtechfone.net