Bug #1227
closed
Fix potential heap overflow with DNS resolve result
Start date:
2026-06-19
Due date:
% Done:
0%
Estimated time:
Module:
dcmnet
Operating System:
Compiler:
Description
Bug reported by Dominik Blain:
An attacker controlling a PTR DNS record can overflow a 260-byte stack buffer on every incoming DICOM TCP connection (port 104). Remote, unauthenticated.
Details:
sscanf(client_dns_name, "%[^.]", node) writes into char node[260] with no field-width limit. The reverse-DNS name (from getHostnameByAddress, which itself allows up to 511 chars) is attacker-influenced via a PTR record. If the component before the first . exceeds 259 chars, the stack buffer overflows. Reverse DNS is on by default.
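Two bounded ways to extract the first DNS label into the 260-byte buffer described above, as an added example that is not part of the original report and is not the project's own fix. The function names, NODE_SIZE and the sample host names are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

#define NODE_SIZE 260 /* size of the node buffer named in the report */

/* Unbounded pattern from the report, shown for contrast only (not compiled):
 *   sscanf(client_dns_name, "%[^.]", node);
 */

/* Copy the label before the first '.' into node.
 * Returns 0 on success, -1 if the label is empty or does not fit;
 * on failure node is left as an empty string. */
int first_label(const char *dns_name, char *node, size_t node_size)
{
    size_t len;
    if (dns_name == NULL || node == NULL || node_size == 0)
        return -1;
    node[0] = '\0';
    len = strcspn(dns_name, ".");      /* length of the first label */
    if (len == 0 || len >= node_size)  /* keep one byte for the NUL */
        return -1;
    memcpy(node, dns_name, len);
    node[len] = '\0';
    return 0;
}

/* Same sscanf call with a field width of NODE_SIZE - 1.
 * This variant truncates an oversized label instead of rejecting it. */
int first_label_bounded_scan(const char *dns_name, char node[NODE_SIZE])
{
    node[0] = '\0';
    return sscanf(dns_name, "%259[^.]", node) == 1 ? 0 : -1;
}

int main(void)
{
    char node[NODE_SIZE];
    char long_name[400]; /* constructed input: 300-char first label */
    memset(long_name, 'A', 300);
    strcpy(long_name + 300, ".example.test");

    printf("oversized, strict : %d\n", first_label(long_name, node, sizeof node));
    printf("oversized, scan   : %d (kept %zu bytes)\n",
           first_label_bounded_scan(long_name, node), strlen(node));
    printf("normal, strict    : %d (%s)\n",
           first_label("pacs01.example.test", node, sizeof node), node);
    return 0;
}
```

Rejecting the oversized label avoids treating two different peers as the same node name, which truncation can do when their first 259 characters match.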
Updated by Michael Onken 7 days ago
- Status changed from New to Closed
- Private changed from Yes to No