COMMAND

    BIND

SYSTEMS AFFECTED

    Systems running BIND-4.9.5-P1

PROBLEM

    Irwin Tillman ran into what looks like a bug in BIND-4.9.5-P1.  It
    can be used for a denial of service attack against named, and it
    also causes performance problems on the hosts running named.

    From a SunOS client, he telnetted to port 53 of a host running
    BIND-4.9.5-P1.  Once the connection was open, he entered "foobar",
    hit return, then closed the telnet connection (control-rightbracket,
    'quit').

    The symptom seen on the server is that named no longer accepts any
    TCP connections (zone transfers from the server fail, as do simple
    TCP-based queries).  The named process may also start consuming a
    lot of CPU, affecting the rest of the system.

    Tracing the named process shows that when it receives this bogus
    message, it tries (and keeps trying) to read from and write to the
    socket, first getting ECONNRESET and then repeated EPIPE errors.
    It appears to be in a pretty tight loop, which presumably accounts
    for the system-wide impact.

    Irwin tested this on the following platform:

	Sun SPARCstation 5 running SunOS 4.1.4
	BIND-4.9.5-P1
	Default options.h file
	Default Makefile, with the standard sunos4.1.x section in  the
	Makefile uncommented, using /usr/bin/cc, and not building  the
	shared library version  of libresolv.
	(Also tested on Solaris 2.5.1 with gcc.)

SOLUTION

    BIND-4.9.3-P1 does not have this problem: it simply closes the
    socket and returns to the main polling loop.

    Apply the following patch, which was posted by Mark Andrews and was
    derived from inspection of the code.  If the socket returns a
    non-blocking error, or EOF is detected, the connection is simply
    closed rather than attempting to send an error message on the
    socket.

    *** ns_main.c.001       Tue Jan  7 15:06:17 1997
    --- ns_main.c   Sun Mar  9 16:46:53 1997
    ***************
    *** 866,871 ****
    --- 866,877 ----
				    sp->s_bufp += n;
				    sp->s_size -= n;
					}
    +                       if ((n == -1) && (errno == PORT_WOULDBLK))
    +                               continue;
    +                       if (n <= 0) {
    +                               sqrm(sp);
    +                               continue;
    +                       }
			    /*
			     * we don't have enough memory for the query.
			     * if we have a query id, then we will send an
    ***************
    *** 909,920 ****
						    HFIXEDSZ);
				}
				continue;
    -                       }
    -                       if ((n == -1) && (errno == PORT_WOULDBLK))
    -                               continue;
    -                       if (n <= 0) {
    -                               sqrm(sp);
    -                               continue;
				}
				/*
			     * Consult database to get the answer.
    --- 915,920 ----
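    Review bot: this is the removal half of a move: the `- }` plus the five check lines match the block added in the first hunk, with the braces paired differently by the diff tool (the retained context `}` now closes the block that the removed `}` used to close, so brace balance is preserved). The point that the diff does not state, and that the patch description should, is the ordering: in the old position the check sat after `continue;` in the HFIXEDSZ reply path and just before "Consult database to get the answer", i.e. named had already attempted to send on the stream before testing whether the stream was dead, which is the write-after-reset loop described under PROBLEM. Read as a pure move the change looks like a no-op, so the reason belongs in the commit text.

The read-result decision the patch makes, as an added illustration that is not BIND's own code: classify_read is a hypothetical name for the same two tests the patch adds (a would-block error keeps the stream, EOF or any other error drops it), and demo_write_after_hangup reproduces the symptom from PROBLEM on a local socketpair instead of a network socket, with the bogus message and hangup constructed inline. EWOULDBLOCK/EAGAIN stand in for BIND's PORT_WOULDBLK.

```c
#include <errno.h>
#include <fcntl.h>
#include <signal.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <unistd.h>

/* Hypothetical names for this illustration; not identifiers from BIND. */
enum read_action { RA_RETRY, RA_CLOSE, RA_HAVE_DATA };

/* The decision the patch makes after every read() on a non-blocking TCP
 * stream: a would-block error means "nothing yet, keep the stream and
 * come back after select()"; EOF or any other error (n <= 0) means the
 * stream is dead and must be removed, never written to again. */
enum read_action classify_read(ssize_t n, int err)
{
    if (n == -1 && (err == EWOULDBLOCK || err == EAGAIN))
        return RA_RETRY;                 /* PORT_WOULDBLK in BIND */
    if (n <= 0)
        return RA_CLOSE;                 /* EOF, ECONNRESET, ... */
    return RA_HAVE_DATA;
}

/* Reproduce the symptom on a socketpair: the "client" end sends a bogus
 * message and hangs up; the "server" end reads until EOF, then does what
 * the unpatched code did and tries to write a reply on the dead stream.
 * Returns the errno that write fails with (EPIPE), or 0 if it succeeded.
 * first/second receive the classification of the two reads. */
int demo_write_after_hangup(enum read_action *first, enum read_action *second)
{
    int sv[2];
    char buf[64];
    ssize_t n;
    int err;

    signal(SIGPIPE, SIG_IGN);            /* get EPIPE instead of dying */
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) != 0)
        return -1;
    fcntl(sv[0], F_SETFL, O_NONBLOCK);   /* named's streams are non-blocking */

    /* Constructed input: the advisory's "foobar" + return, then hangup. */
    (void)write(sv[1], "foobar\r\n", 8);
    close(sv[1]);

    errno = 0;
    n = read(sv[0], buf, sizeof buf);    /* the bogus message arrives */
    err = errno;
    *first = classify_read(n, err);

    errno = 0;
    n = read(sv[0], buf, sizeof buf);    /* peer gone: EOF, n == 0 */
    err = errno;
    *second = classify_read(n, err);

    /* Unpatched behaviour: answer on a stream that is already dead. */
    errno = 0;
    if (write(sv[0], "error", 5) == -1)
        err = errno;
    else
        err = 0;
    close(sv[0]);
    return err;
}
```

The second read is the point at which the patched code calls sqrm(sp) and continues; the write that follows it in the demo is what the unpatched code did, and it is the source of the EPIPE errors seen in the trace.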