A nasty bug in mDNSResponder

I found an interesting bug this morning in Apple’s mDNSResponder daemon. This is the Mac OS X daemon responsible for managing automatic network configuration and service discovery, basically the thingy that a Mac uses to tell you “there’s a printer on the network here that you could use”.

The bug is of the “malicious value injection” type: given a piece of code that expects certain inputs, what happens if you feed it something unexpected?

Apple has split its multicast DNS (aka mDNS) handling into two components. A client library is linked into every application that uses mDNS, and it communicates with a server daemon, of which one runs on every machine.

If the client submits a request to the server to enumerate all of the local domains, but asks for the server to list those available on a network interface that does not exist (the malicious value), the server correctly reports the error to the client. It does not give up, though it should; instead, it tries to continue processing the request, falls over, and dies.
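The failure pattern described above, reduced to a C sketch with the flawed handler beside a hardened one. This is an added example, not code from the post or from mDNSResponder. Every name in it is hypothetical, the interface table is constructed, and the NULL-pointer crash is an assumed mechanism, since the post does not say how the daemon dies.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* All names below are hypothetical; this is not mDNSResponder source. */
typedef struct { uint32_t index; const char *name; } iface_t;
typedef struct { int status; int replies; const iface_t *iface; } request_t;
enum { ERR_NONE = 0, ERR_BAD_INTERFACE = -1 };

/* Constructed interface table standing in for the machine's real one. */
static const iface_t ifaces[] = { { 1, "lo0" }, { 4, "en0" } };

static const iface_t *find_iface(uint32_t index) {
    for (size_t i = 0; i < sizeof ifaces / sizeof ifaces[0]; i++)
        if (ifaces[i].index == index) return &ifaces[i];
    return NULL;                      /* no such interface */
}

static void send_reply(request_t *r, int status) {
    r->status = status;               /* what the client is told */
    r->replies++;
}

/* Flawed: the error is reported, but control falls through. */
int enumerate_flawed(request_t *r, uint32_t index) {
    r->iface = find_iface(index);
    if (r->iface == NULL)
        send_reply(r, ERR_BAD_INTERFACE);
    /* Missing return: with a bad index the next line reads through NULL
       (assumed crash mechanism; the post does not say how the daemon dies). */
    printf("enumerating domains on %s\n", r->iface->name);
    send_reply(r, ERR_NONE);
    return ERR_NONE;
}

/* Hardened: reporting the error also ends the request. */
int enumerate_checked(request_t *r, uint32_t index) {
    const iface_t *i = find_iface(index);
    if (i == NULL) {
        send_reply(r, ERR_BAD_INTERFACE);
        return ERR_BAD_INTERFACE;     /* give up here, touch nothing else */
    }
    r->iface = i;
    printf("enumerating domains on %s\n", i->name);
    send_reply(r, ERR_NONE);
    return ERR_NONE;
}

int main(void) {
    request_t r = { 0, 0, NULL };
    return enumerate_checked(&r, 99) == ERR_BAD_INTERFACE ? 0 : 1;
}
```

In the hardened handler the client still receives exactly one error reply, and the request state is never bound to an interface that was not found.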

I reported this bug to Apple this morning. It will be interesting to see how long they take to respond.
