CVE-2011-1922
VU#531342

Unbound empty error packet handling assertion failure

NLnet Labs was notified of an error in Unbound's code path for error replies which is triggered under special conditions. The error causes the program to abort. The error can only be triggered when Unbound is configured with assertions (--enable-checking or --enable-debug) and has the option interface-automatic turned on.

Versions in which this error occurs: Unbound 1.0 up to and including Unbound 1.4.9
Fixed version: Unbound 1.4.10 and above.

FreeBSD ports for Unbound are not susceptible by default, as the port does not enable assertions. RHEL/Fedora systems do compile Unbound with --enable-checking but do not set interface-automatic: yes by default. Debian/Ubuntu Unbound packages do not compile with assertions by default.

Vulnerability information:
The Unbound daemon stops with an assertion failure; this creates a denial of service condition.

Vulnerability Details:
Certain types of DNS queries may cause Unbound to respond with a DNS error message. The code generating this error message contains an error whereby Unbound constructs an empty UDP message. That empty UDP message triggers an assertion failsafe in the part of Unbound that is invoked when the interface-automatic option is set. If the interface-automatic option is not set, or the assertion failsafe is not configured, the empty packets are sent, which is not harmful.

Patch:
Index: daemon/worker.c
===================================================================
--- daemon/worker.c (revision 2416)
+++ daemon/worker.c (working copy)
@@ -779,6 +779,7 @@
 	qinfo.qtype == LDNS_RR_TYPE_IXFR) {
 	verbose(VERB_ALGO, "worker request: refused zone transfer.");
 	log_addr(VERB_CLIENT,"from",&repinfo->addr, repinfo->addrlen);
+	ldns_buffer_rewind(c->buffer);
 	LDNS_QR_SET(ldns_buffer_begin(c->buffer));
 	LDNS_RCODE_SET(ldns_buffer_begin(c->buffer), LDNS_RCODE_REFUSED);

Full release:
The latest Unbound release which fixes the issue can be found at: http://unbound.net/downloads/unbound-latest.tar.gz

Credit:
This vulnerability was found by Christopher Olah (chris@xelerance.com).

About Unbound (http://unbound.net):
Unbound is a validating, recursive, and caching DNS resolver. The C implementation of Unbound is developed and maintained by NLnet Labs. It is based on ideas and algorithms taken from a Java prototype developed by Verisign Labs, Nominet, Kirei and ep.net. Unbound is designed as a set of modular components, so that DNSSEC (secure DNS) validation and stub resolvers (which do not run as a server but are linked into an application) are also easily possible. The source code is under a BSD License.

About NLnet Labs (http://nlnetlabs.nl):
NLnet Labs is a research and development group that focuses on those developments in Internet technology where bridges between theory and practical deployment need to be built; areas where engineering and standardization take place. It is our goal to play an active and relevant role in these areas through the development of open source software, through participating in the development of open standards, and through the dissemination of knowledge. All our deliverables are targeted to enhance the open, secure, and innovative nature of the Internet for all.
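Review bot: the worker.c hunk adds the rewind only in the AXFR/IXFR refusal branch, so it is worth confirming that no other error-reply branch in the same request handler sets QR/RCODE on a buffer whose read position has already been advanced by question parsing; any such branch would produce the same zero-length reply and needs the same `ldns_buffer_rewind(c->buffer);` before the `LDNS_QR_SET` / `LDNS_RCODE_SET` calls. The reason the one line is sufficient here is that the reply path sends the bytes between the buffer's position and its limit, and rewinding resets the position to the start of the echoed query, which is what the advisory means by the empty UDP message. A regression test that sends a zone-transfer query to an interface-automatic: yes instance built with --enable-checking and asserts a REFUSED reply of non-zero length would pin the fix down.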
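As an added illustration of the mechanism described under Vulnerability Details (example code written for this page, not Unbound's or ldns's own), the following C model shows why the zone-transfer refusal path produced a zero-length reply before the patch and a full REFUSED reply after it. The buffer type, the query bytes and the function names are constructed for the example; only the QR/RCODE header bits and the position/limit semantics follow the real DNS header and ldns buffer.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Simplified model of an ldns-style buffer, written for this example and
 * not Unbound's own code: bytes between position and limit get sent. */
typedef struct { uint8_t data[512]; size_t position, limit; } msgbuf;

/* Constructed query: ID 0x1234, RD, one question "example.com." with
 * QTYPE AXFR (252) and QCLASS IN; 29 bytes in total. */
static const uint8_t AXFR_QUERY[] = {
    0x12, 0x34, 0x01, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    7, 'e', 'x', 'a', 'm', 'p', 'l', 'e', 3, 'c', 'o', 'm', 0,
    0x00, 0xFC, 0x00, 0x01
};
static size_t remaining(const msgbuf *b) { return b->limit - b->position; }
/* Load the query as the network layer leaves it, then parse the question,
 * which walks position to the end of the query. This is the buffer state
 * the zone-transfer refusal code runs in. */
static void load_and_parse(msgbuf *b, const uint8_t *q, size_t len) {
    memcpy(b->data, q, len);
    b->limit = len;
    b->position = len;                   /* question section consumed */
}
/* Set QR and RCODE=REFUSED in the header and return the byte count the
 * reply path would send. with_rewind=1 mirrors the patch's added line. */
static size_t build_refused_reply(msgbuf *b, int with_rewind) {
    if (with_rewind)
        b->position = 0;                 /* ldns_buffer_rewind(c->buffer) */
    b->data[2] |= 0x80;                  /* LDNS_QR_SET */
    b->data[3] = (uint8_t)((b->data[3] & 0xF0) | 0x05); /* RCODE REFUSED */
    return remaining(b);
}
/* Reply length for the unpatched (0) and patched (1) path. A result of 0
 * is the empty UDP message that tripped the interface-automatic assertion. */
size_t refused_reply_len(int with_rewind) {
    msgbuf b;
    load_and_parse(&b, AXFR_QUERY, sizeof AXFR_QUERY);
    return build_refused_reply(&b, with_rewind);
}
/* RCODE of the patched reply: the echoed header is a valid REFUSED. */
int refused_reply_rcode(void) {
    msgbuf b;
    load_and_parse(&b, AXFR_QUERY, sizeof AXFR_QUERY);
    build_refused_reply(&b, 1);
    return b.data[3] & 0x0F;
}
```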