Bug #1227

closed

Fix potential heap overflow with DNS resolve result

Added by Michael Onken 14 days ago. Updated 7 days ago.

Status: Closed
Priority: High
Assignee:
Category: Library
Target version: -
Start date: 2026-06-19
Due date:
% Done: 0%
Estimated time:
Module: dcmnet
Operating System:
Compiler:

Description

Bug reported by Dominik Blain:

An attacker controlling a PTR DNS record can overflow a 260-byte stack buffer on every incoming DICOM TCP connection (port 104). Remote, unauthenticated.

Details:

sscanf(client_dns_name, "%[^.]", node) writes into char node[260] with no field-width limit. The reverse-DNS name (from getHostnameByAddress, which itself allows up to 511 chars) is attacker-influenced via a PTR record. If the component before the first . exceeds 259 chars, the stack buffer overflows. Reverse DNS is on by default.
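The unbounded %[^.] conversion described above, shown next to two bounded ways of extracting the first DNS label. This is an added example, not DCMTK code and not the change made in the fixing commit; the function names first_label and first_label_sscanf, the NODE_LEN macro and the sample host names are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

#define NODE_LEN 260 /* size of the node buffer named in the report */

/* Bounded replacement for sscanf(name, "%[^.]", node): copy the text before
 * the first '.' only if it fits, terminator included. Returns the label
 * length, or -1 (node set to "") when the label is empty or too long. */
int first_label(const char *dns_name, char *node, size_t node_size)
{
    size_t len;

    if (node == NULL || node_size == 0)
        return -1;
    node[0] = '\0';
    if (dns_name == NULL)
        return -1;
    len = strcspn(dns_name, "."); /* bytes before the first '.' or the end */
    if (len == 0 || len >= node_size)
        return -1;                /* reject instead of truncating */
    memcpy(node, dns_name, len);
    node[len] = '\0';
    return (int)len;
}

/* Same sscanf call with a field width of NODE_LEN - 1: memory-safe, but an
 * over-long label is silently cut to 259 bytes. */
int first_label_sscanf(const char *dns_name, char node[NODE_LEN])
{
    node[0] = '\0';
    return sscanf(dns_name, "%259[^.]", node) == 1 ? (int)strlen(node) : -1;
}

int main(void)
{
    char node[NODE_LEN];
    char name[512]; /* constructed input: 300-byte first label */

    memset(name, 'A', 300);
    strcpy(name + 300, ".example.invalid");
    printf("short: %d\n", first_label("pacs01.example.invalid", node, sizeof node));
    printf("long, bounded copy: %d\n", first_label(name, node, sizeof node));
    printf("long, %%259[^.]: %d\n", first_label_sscanf(name, node));
    return 0;
}
```

The width in a scanf conversion counts characters stored and excludes the terminating NUL, so it has to be one less than the buffer size.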

Actions #1

Updated by Michael Onken 14 days ago

Fixed with commit 63b0ba.

Actions #2

Updated by Michael Onken 7 days ago

  • Status changed from New to Closed
  • Private changed from Yes to No