142 lines
4.9 KiB
Diff
142 lines
4.9 KiB
Diff
bind_Fix_for_CVE-2012-4244
|
|
|
|
Upstream-Status: Backport
|
|
|
|
Reference:https://bugzilla.novell.com/attachment.cgi?id=505661&action=edit
|
|
|
|
ISC BIND 9.x before 9.7.6-P3, 9.8.x before 9.8.3-P3, 9.9.x before 9.9.1-P3,
|
|
and 9.4-ESV and 9.6-ESV before 9.6-ESV-R7-P3 allows remote attackers to
|
|
cause a denial of service (assertion failure and named daemon exit) via
|
|
a query for a long resource record.
|
|
|
|
Signed-off-by: yanjun.zhu <yanjun.zhu@windriver.com>
|
|
|
|
diff -urpN a/lib/dns/include/dns/rdata.h b/lib/dns/include/dns/rdata.h
|
|
--- a/lib/dns/include/dns/rdata.h 2012-10-08 12:19:42.000000000 +0800
|
|
+++ b/lib/dns/include/dns/rdata.h 2012-10-08 11:26:43.000000000 +0800
|
|
@@ -147,6 +147,17 @@ struct dns_rdata {
|
|
(((rdata)->flags & ~(DNS_RDATA_UPDATE|DNS_RDATA_OFFLINE)) == 0)
|
|
|
|
/*
|
|
+ * The maximum length of a RDATA that can be sent on the wire.
|
|
+ * Max packet size (65535) less header (12), less name (1), type (2),
|
|
+ * class (2), ttl(4), length (2).
|
|
+ *
|
|
+ * None of the defined types that support name compression can exceed
|
|
+ * this and all new types are to be sent uncompressed.
|
|
+ */
|
|
+
|
|
+#define DNS_RDATA_MAXLENGTH 65512U
|
|
+
|
|
+/*
|
|
* Flags affecting rdata formatting style. Flags 0xFFFF0000
|
|
* are used by masterfile-level formatting and defined elsewhere.
|
|
* See additional comments at dns_rdata_tofmttext().
|
|
diff -urpN a/lib/dns/master.c b/lib/dns/master.c
|
|
--- a/lib/dns/master.c 2012-10-08 12:19:42.000000000 +0800
|
|
+++ b/lib/dns/master.c 2012-10-08 11:27:06.000000000 +0800
|
|
@@ -75,7 +75,7 @@
|
|
/*%
|
|
* max message size - header - root - type - class - ttl - rdlen
|
|
*/
|
|
-#define MINTSIZ (65535 - 12 - 1 - 2 - 2 - 4 - 2)
|
|
+#define MINTSIZ DNS_RDATA_MAXLENGTH
|
|
/*%
|
|
* Size for tokens in the presentation format,
|
|
* The largest tokens are the base64 blocks in KEY and CERT records,
|
|
diff -urpN a/lib/dns/rdata.c b/lib/dns/rdata.c
|
|
--- a/lib/dns/rdata.c 2012-10-08 12:19:42.000000000 +0800
|
|
+++ b/lib/dns/rdata.c 2012-10-08 11:27:27.000000000 +0800
|
|
@@ -425,6 +425,7 @@ dns_rdata_fromwire(dns_rdata_t *rdata, d
|
|
isc_buffer_t st;
|
|
isc_boolean_t use_default = ISC_FALSE;
|
|
isc_uint32_t activelength;
|
|
+ size_t length;
|
|
|
|
REQUIRE(dctx != NULL);
|
|
if (rdata != NULL) {
|
|
@@ -455,6 +456,14 @@ dns_rdata_fromwire(dns_rdata_t *rdata, d
|
|
}
|
|
|
|
/*
|
|
+ * Reject any rdata that expands out to more than DNS_RDATA_MAXLENGTH
|
|
+ * as we cannot transmit it.
|
|
+ */
|
|
+ length = isc_buffer_usedlength(target) - isc_buffer_usedlength(&st);
|
|
+ if (result == ISC_R_SUCCESS && length > DNS_RDATA_MAXLENGTH)
|
|
+ result = DNS_R_FORMERR;
|
|
+
|
|
+ /*
|
|
* We should have consumed all of our buffer.
|
|
*/
|
|
if (result == ISC_R_SUCCESS && !buffer_empty(source))
|
|
@@ -462,8 +471,7 @@ dns_rdata_fromwire(dns_rdata_t *rdata, d
|
|
|
|
if (rdata != NULL && result == ISC_R_SUCCESS) {
|
|
region.base = isc_buffer_used(&st);
|
|
- region.length = isc_buffer_usedlength(target) -
|
|
- isc_buffer_usedlength(&st);
|
|
+ region.length = length;
|
|
dns_rdata_fromregion(rdata, rdclass, type, ®ion);
|
|
}
|
|
|
|
@@ -598,6 +606,7 @@ dns_rdata_fromtext(dns_rdata_t *rdata, d
|
|
unsigned long line;
|
|
void (*callback)(dns_rdatacallbacks_t *, const char *, ...);
|
|
isc_result_t tresult;
|
|
+ size_t length;
|
|
|
|
REQUIRE(origin == NULL || dns_name_isabsolute(origin) == ISC_TRUE);
|
|
if (rdata != NULL) {
|
|
@@ -670,10 +679,13 @@ dns_rdata_fromtext(dns_rdata_t *rdata, d
|
|
}
|
|
} while (1);
|
|
|
|
+ length = isc_buffer_usedlength(target) - isc_buffer_usedlength(&st);
|
|
+ if (result == ISC_R_SUCCESS && length > DNS_RDATA_MAXLENGTH)
|
|
+ result = ISC_R_NOSPACE;
|
|
+
|
|
if (rdata != NULL && result == ISC_R_SUCCESS) {
|
|
region.base = isc_buffer_used(&st);
|
|
- region.length = isc_buffer_usedlength(target) -
|
|
- isc_buffer_usedlength(&st);
|
|
+ region.length = length;
|
|
dns_rdata_fromregion(rdata, rdclass, type, ®ion);
|
|
}
|
|
if (result != ISC_R_SUCCESS) {
|
|
@@ -781,6 +793,7 @@ dns_rdata_fromstruct(dns_rdata_t *rdata,
|
|
isc_buffer_t st;
|
|
isc_region_t region;
|
|
isc_boolean_t use_default = ISC_FALSE;
|
|
+ size_t length;
|
|
|
|
REQUIRE(source != NULL);
|
|
if (rdata != NULL) {
|
|
@@ -795,10 +808,13 @@ dns_rdata_fromstruct(dns_rdata_t *rdata,
|
|
if (use_default)
|
|
(void)NULL;
|
|
|
|
+ length = isc_buffer_usedlength(target) - isc_buffer_usedlength(&st);
|
|
+ if (result == ISC_R_SUCCESS && length > DNS_RDATA_MAXLENGTH)
|
|
+ result = ISC_R_NOSPACE;
|
|
+
|
|
if (rdata != NULL && result == ISC_R_SUCCESS) {
|
|
region.base = isc_buffer_used(&st);
|
|
- region.length = isc_buffer_usedlength(target) -
|
|
- isc_buffer_usedlength(&st);
|
|
+ region.length = length;
|
|
dns_rdata_fromregion(rdata, rdclass, type, ®ion);
|
|
}
|
|
if (result != ISC_R_SUCCESS)
|
|
diff -urpN a/lib/dns/rdataslab.c b/lib/dns/rdataslab.c
|
|
--- a/lib/dns/rdataslab.c 2012-10-08 12:19:42.000000000 +0800
|
|
+++ b/lib/dns/rdataslab.c 2012-10-08 11:27:54.000000000 +0800
|
|
@@ -304,6 +304,7 @@ dns_rdataslab_fromrdataset(dns_rdataset_
|
|
length = x[i].rdata.length;
|
|
if (rdataset->type == dns_rdatatype_rrsig)
|
|
length++;
|
|
+ INSIST(length <= 0xffff);
|
|
*rawbuf++ = (length & 0xff00) >> 8;
|
|
*rawbuf++ = (length & 0x00ff);
|
|
#if DNS_RDATASET_FIXED
|