From owner-svn-src-user@freebsd.org Mon Dec 5 22:26:50 2016 Return-Path: Delivered-To: svn-src-user@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 5AC30C686E3 for ; Mon, 5 Dec 2016 22:26:50 +0000 (UTC) (envelope-from glebius@FreeBSD.org) Received: from repo.freebsd.org (repo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 294C212D9; Mon, 5 Dec 2016 22:26:50 +0000 (UTC) (envelope-from glebius@FreeBSD.org) Received: from repo.freebsd.org ([127.0.1.37]) by repo.freebsd.org (8.15.2/8.15.2) with ESMTP id uB5MQn48021817; Mon, 5 Dec 2016 22:26:49 GMT (envelope-from glebius@FreeBSD.org) Received: (from glebius@localhost) by repo.freebsd.org (8.15.2/8.15.2/Submit) id uB5MQmdp021810; Mon, 5 Dec 2016 22:26:48 GMT (envelope-from glebius@FreeBSD.org) Message-Id: <201612052226.uB5MQmdp021810@repo.freebsd.org> X-Authentication-Warning: repo.freebsd.org: glebius set sender to glebius@FreeBSD.org using -f 
From: Gleb Smirnoff Date: Mon, 5 Dec 2016 22:26:48 +0000 (UTC) To: src-committers@freebsd.org, svn-src-user@freebsd.org Subject: svn commit: r309565 - in user/cperciva/freebsd-update-build/patches: 10.1-RELEASE 10.2-RELEASE 10.3-RELEASE 11.0-RELEASE 9.3-RELEASE X-SVN-Group: user MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-BeenThere: svn-src-user@freebsd.org X-Mailman-Version: 2.1.23 Precedence: list List-Id: "SVN commit messages for the experimental " user" src tree" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 05 Dec 2016 22:26:50 -0000 Author: glebius Date: Mon Dec 5 22:26:48 2016 New Revision: 309565 URL: https://svnweb.freebsd.org/changeset/base/309565 Log: Store SA-16:33-35 patches. Added: user/cperciva/freebsd-update-build/patches/10.1-RELEASE/42-SA-16:35.openssl user/cperciva/freebsd-update-build/patches/10.2-RELEASE/25-SA-16:35.openssl user/cperciva/freebsd-update-build/patches/10.3-RELEASE/12-SA-16:33.openssh user/cperciva/freebsd-update-build/patches/10.3-RELEASE/12-SA-16:35.openssl user/cperciva/freebsd-update-build/patches/11.0-RELEASE/3-SA-16:33.openssh user/cperciva/freebsd-update-build/patches/9.3-RELEASE/50-SA-16:34.bind user/cperciva/freebsd-update-build/patches/9.3-RELEASE/50-SA-16:35.openssl Added: user/cperciva/freebsd-update-build/patches/10.1-RELEASE/42-SA-16:35.openssl ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ user/cperciva/freebsd-update-build/patches/10.1-RELEASE/42-SA-16:35.openssl Mon Dec 5 22:26:48 2016 (r309565) 
@@ -0,0 +1,94 @@
+--- crypto/openssl/ssl/d1_pkt.c.orig
++++ crypto/openssl/ssl/d1_pkt.c
+@@ -924,6 +924,13 @@
+ goto start;
+ }
+
++ /*
++ * Reset the count of consecutive warning alerts if we've got a non-empty
++ * record that isn't an alert.
++ */
++ if (rr->type != SSL3_RT_ALERT && rr->length != 0)
++ s->s3->alert_count = 0;
++
+ /* we now have a packet which can be read and processed */
+
+ if (s->s3->change_cipher_spec /* set when we receive ChangeCipherSpec,
+@@ -1190,6 +1197,14 @@
+
+ if (alert_level == SSL3_AL_WARNING) {
+ s->s3->warn_alert = alert_descr;
++
++ s->s3->alert_count++;
++ if (s->s3->alert_count == MAX_WARN_ALERT_COUNT) {
++ al = SSL_AD_UNEXPECTED_MESSAGE;
++ SSLerr(SSL_F_DTLS1_READ_BYTES, SSL_R_TOO_MANY_WARN_ALERTS);
++ goto f_err;
++ }
++
+ if (alert_descr == SSL_AD_CLOSE_NOTIFY) {
+ #ifndef OPENSSL_NO_SCTP
+ /*
+--- crypto/openssl/ssl/s3_pkt.c.orig
++++ crypto/openssl/ssl/s3_pkt.c
+@@ -1057,6 +1057,13 @@
+ return (ret);
+ }
+
++ /*
++ * Reset the count of consecutive warning alerts if we've got a non-empty
++ * record that isn't an alert.
++ */
++ if (rr->type != SSL3_RT_ALERT && rr->length != 0)
++ s->s3->alert_count = 0;
++
+ /* we now have a packet which can be read and processed */
+
+ if (s->s3->change_cipher_spec /* set when we receive ChangeCipherSpec,
+@@ -1271,6 +1278,14 @@
+
+ if (alert_level == SSL3_AL_WARNING) {
+ s->s3->warn_alert = alert_descr;
++
++ s->s3->alert_count++;
++ if (s->s3->alert_count == MAX_WARN_ALERT_COUNT) {
++ al = SSL_AD_UNEXPECTED_MESSAGE;
++ SSLerr(SSL_F_SSL3_READ_BYTES, SSL_R_TOO_MANY_WARN_ALERTS);
++ goto f_err;
++ }
++
+ if (alert_descr == SSL_AD_CLOSE_NOTIFY) {
+ s->shutdown |= SSL_RECEIVED_SHUTDOWN;
+ return (0);
+--- crypto/openssl/ssl/ssl.h.orig
++++ crypto/openssl/ssl/ssl.h
+@@ -2717,6 +2717,7 @@
+ # define SSL_R_TLS_HEARTBEAT_PENDING 366
+ # define SSL_R_TLS_ILLEGAL_EXPORTER_LABEL 367
+ # define SSL_R_TLS_INVALID_ECPOINTFORMAT_LIST 157
++# define SSL_R_TOO_MANY_WARN_ALERTS 409
+ # define SSL_R_TLS_PEER_DID_NOT_RESPOND_WITH_CERTIFICATE_LIST 233
+ # define SSL_R_TLS_RSA_ENCRYPTED_VALUE_LENGTH_IS_WRONG 234
+ # define SSL_R_TRIED_TO_USE_UNSUPPORTED_CIPHER 235
+--- crypto/openssl/ssl/ssl3.h.orig
++++ crypto/openssl/ssl/ssl3.h
+@@ -587,6 +587,8 @@
+ char is_probably_safari;
+ # endif /* !OPENSSL_NO_EC */
+ # endif /* !OPENSSL_NO_TLSEXT */
++ /* Count of the number of consecutive warning alerts received */
++ unsigned int alert_count;
+ } SSL3_STATE;
+
+ # endif
+--- crypto/openssl/ssl/ssl_locl.h.orig
++++ crypto/openssl/ssl/ssl_locl.h
+@@ -389,6 +389,8 @@
+ */
+ # define SSL_MAX_DIGEST 6
+
++# define MAX_WARN_ALERT_COUNT 5
++
+ # define TLS1_PRF_DGST_MASK (0xff << TLS1_PRF_DGST_SHIFT)
+
+ # define TLS1_PRF_DGST_SHIFT 10
Added: user/cperciva/freebsd-update-build/patches/10.2-RELEASE/25-SA-16:35.openssl
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ user/cperciva/freebsd-update-build/patches/10.2-RELEASE/25-SA-16:35.openssl Mon Dec 5 22:26:48 2016 (r309565)
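Review bot: In the 10.1-RELEASE OpenSSL patch, the limit test in the `alert_level == SSL3_AL_WARNING` branch of both d1_pkt.c and s3_pkt.c uses equality, `if (s->s3->alert_count == MAX_WARN_ALERT_COUNT)`, so it can fire only once. If a caller ignores the error raised through `f_err` and reads again (not visible here, so an assumption), the counter moves past the limit and later warning alerts are no longer rejected; `if (s->s3->alert_count >= MAX_WARN_ALERT_COUNT) {` keeps the cap in force. The same lines appear in the 10.2-, 10.3- and 9.3-RELEASE copies of this patch. The enclosing read functions start and end outside the hunks.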
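Review bot: `SSL_R_TOO_MANY_WARN_ALERTS` is defined in the ssl.h hunk, but no hunk in this patch file adds a matching entry to the library's reason-string table, so the new error would presumably be reported by number only rather than as readable text. That makes the condition harder to recognise in logs when a peer sends a run of warning alerts; adding the reason string alongside the define would fix it. The define also sits between two `SSL_R_TLS_*` entries rather than at its alphabetical position in the list, a minor style point. Both remarks apply equally to the 10.2-, 10.3- and 9.3-RELEASE copies.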
@@ -0,0 +1,94 @@
+--- crypto/openssl/ssl/d1_pkt.c.orig
++++ crypto/openssl/ssl/d1_pkt.c
+@@ -924,6 +924,13 @@
+ goto start;
+ }
+
++ /*
++ * Reset the count of consecutive warning alerts if we've got a non-empty
++ * record that isn't an alert.
++ */
++ if (rr->type != SSL3_RT_ALERT && rr->length != 0)
++ s->s3->alert_count = 0;
++
+ /* we now have a packet which can be read and processed */
+
+ if (s->s3->change_cipher_spec /* set when we receive ChangeCipherSpec,
+@@ -1190,6 +1197,14 @@
+
+ if (alert_level == SSL3_AL_WARNING) {
+ s->s3->warn_alert = alert_descr;
++
++ s->s3->alert_count++;
++ if (s->s3->alert_count == MAX_WARN_ALERT_COUNT) {
++ al = SSL_AD_UNEXPECTED_MESSAGE;
++ SSLerr(SSL_F_DTLS1_READ_BYTES, SSL_R_TOO_MANY_WARN_ALERTS);
++ goto f_err;
++ }
++
+ if (alert_descr == SSL_AD_CLOSE_NOTIFY) {
+ #ifndef OPENSSL_NO_SCTP
+ /*
+--- crypto/openssl/ssl/s3_pkt.c.orig
++++ crypto/openssl/ssl/s3_pkt.c
+@@ -1057,6 +1057,13 @@
+ return (ret);
+ }
+
++ /*
++ * Reset the count of consecutive warning alerts if we've got a non-empty
++ * record that isn't an alert.
++ */
++ if (rr->type != SSL3_RT_ALERT && rr->length != 0)
++ s->s3->alert_count = 0;
++
+ /* we now have a packet which can be read and processed */
+
+ if (s->s3->change_cipher_spec /* set when we receive ChangeCipherSpec,
+@@ -1271,6 +1278,14 @@
+
+ if (alert_level == SSL3_AL_WARNING) {
+ s->s3->warn_alert = alert_descr;
++
++ s->s3->alert_count++;
++ if (s->s3->alert_count == MAX_WARN_ALERT_COUNT) {
++ al = SSL_AD_UNEXPECTED_MESSAGE;
++ SSLerr(SSL_F_SSL3_READ_BYTES, SSL_R_TOO_MANY_WARN_ALERTS);
++ goto f_err;
++ }
++
+ if (alert_descr == SSL_AD_CLOSE_NOTIFY) {
+ s->shutdown |= SSL_RECEIVED_SHUTDOWN;
+ return (0);
+--- crypto/openssl/ssl/ssl.h.orig
++++ crypto/openssl/ssl/ssl.h
+@@ -2717,6 +2717,7 @@
+ # define SSL_R_TLS_HEARTBEAT_PENDING 366
+ # define SSL_R_TLS_ILLEGAL_EXPORTER_LABEL 367
+ # define SSL_R_TLS_INVALID_ECPOINTFORMAT_LIST 157
++# define SSL_R_TOO_MANY_WARN_ALERTS 409
+ # define SSL_R_TLS_PEER_DID_NOT_RESPOND_WITH_CERTIFICATE_LIST 233
+ # define SSL_R_TLS_RSA_ENCRYPTED_VALUE_LENGTH_IS_WRONG 234
+ # define SSL_R_TRIED_TO_USE_UNSUPPORTED_CIPHER 235
+--- crypto/openssl/ssl/ssl3.h.orig
++++ crypto/openssl/ssl/ssl3.h
+@@ -587,6 +587,8 @@
+ char is_probably_safari;
+ # endif /* !OPENSSL_NO_EC */
+ # endif /* !OPENSSL_NO_TLSEXT */
++ /* Count of the number of consecutive warning alerts received */
++ unsigned int alert_count;
+ } SSL3_STATE;
+
+ # endif
+--- crypto/openssl/ssl/ssl_locl.h.orig
++++ crypto/openssl/ssl/ssl_locl.h
+@@ -389,6 +389,8 @@
+ */
+ # define SSL_MAX_DIGEST 6
+
++# define MAX_WARN_ALERT_COUNT 5
++
+ # define TLS1_PRF_DGST_MASK (0xff << TLS1_PRF_DGST_SHIFT)
+
+ # define TLS1_PRF_DGST_SHIFT 10
Added: user/cperciva/freebsd-update-build/patches/10.3-RELEASE/12-SA-16:33.openssh
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ user/cperciva/freebsd-update-build/patches/10.3-RELEASE/12-SA-16:33.openssh Mon Dec 5 22:26:48 2016 (r309565)
@@ -0,0 +1,10 @@
+--- crypto/openssh/kex.c.orig
++++ crypto/openssh/kex.c
+@@ -468,6 +468,7 @@
+ if (kex == NULL)
+ return SSH_ERR_INVALID_ARGUMENT;
+
++ ssh_dispatch_set(ssh, SSH2_MSG_KEXINIT, NULL);
+ ptr = sshpkt_ptr(ssh, &dlen);
+ if ((r = sshbuf_put(kex->peer, ptr, dlen)) != 0)
+ return r;
Added: user/cperciva/freebsd-update-build/patches/10.3-RELEASE/12-SA-16:35.openssl
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ user/cperciva/freebsd-update-build/patches/10.3-RELEASE/12-SA-16:35.openssl Mon Dec 5 22:26:48 2016 (r309565)
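Review bot: The added `ssh_dispatch_set(ssh, SSH2_MSG_KEXINIT, NULL);` in the 10.3-RELEASE kex.c hunk carries no comment saying why the KEXINIT handler is cleared at this point. A one-line comment such as `/* No further KEXINIT is accepted until this key exchange completes */` would record the intent; the wording is inferred, because the function's signature and the rest of its body are outside the hunk. It is also worth confirming that the handler is installed again once the exchange finishes, since otherwise a later legitimate rekey would be refused; that code is not visible here. The identical hunk is stored for 11.0-RELEASE.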
@@ -0,0 +1,94 @@
+--- crypto/openssl/ssl/d1_pkt.c.orig
++++ crypto/openssl/ssl/d1_pkt.c
+@@ -924,6 +924,13 @@
+ goto start;
+ }
+
++ /*
++ * Reset the count of consecutive warning alerts if we've got a non-empty
++ * record that isn't an alert.
++ */
++ if (rr->type != SSL3_RT_ALERT && rr->length != 0)
++ s->s3->alert_count = 0;
++
+ /* we now have a packet which can be read and processed */
+
+ if (s->s3->change_cipher_spec /* set when we receive ChangeCipherSpec,
+@@ -1190,6 +1197,14 @@
+
+ if (alert_level == SSL3_AL_WARNING) {
+ s->s3->warn_alert = alert_descr;
++
++ s->s3->alert_count++;
++ if (s->s3->alert_count == MAX_WARN_ALERT_COUNT) {
++ al = SSL_AD_UNEXPECTED_MESSAGE;
++ SSLerr(SSL_F_DTLS1_READ_BYTES, SSL_R_TOO_MANY_WARN_ALERTS);
++ goto f_err;
++ }
++
+ if (alert_descr == SSL_AD_CLOSE_NOTIFY) {
+ #ifndef OPENSSL_NO_SCTP
+ /*
+--- crypto/openssl/ssl/s3_pkt.c.orig
++++ crypto/openssl/ssl/s3_pkt.c
+@@ -1057,6 +1057,13 @@
+ return (ret);
+ }
+
++ /*
++ * Reset the count of consecutive warning alerts if we've got a non-empty
++ * record that isn't an alert.
++ */
++ if (rr->type != SSL3_RT_ALERT && rr->length != 0)
++ s->s3->alert_count = 0;
++
+ /* we now have a packet which can be read and processed */
+
+ if (s->s3->change_cipher_spec /* set when we receive ChangeCipherSpec,
+@@ -1271,6 +1278,14 @@
+
+ if (alert_level == SSL3_AL_WARNING) {
+ s->s3->warn_alert = alert_descr;
++
++ s->s3->alert_count++;
++ if (s->s3->alert_count == MAX_WARN_ALERT_COUNT) {
++ al = SSL_AD_UNEXPECTED_MESSAGE;
++ SSLerr(SSL_F_SSL3_READ_BYTES, SSL_R_TOO_MANY_WARN_ALERTS);
++ goto f_err;
++ }
++
+ if (alert_descr == SSL_AD_CLOSE_NOTIFY) {
+ s->shutdown |= SSL_RECEIVED_SHUTDOWN;
+ return (0);
+--- crypto/openssl/ssl/ssl.h.orig
++++ crypto/openssl/ssl/ssl.h
+@@ -2717,6 +2717,7 @@
+ # define SSL_R_TLS_HEARTBEAT_PENDING 366
+ # define SSL_R_TLS_ILLEGAL_EXPORTER_LABEL 367
+ # define SSL_R_TLS_INVALID_ECPOINTFORMAT_LIST 157
++# define SSL_R_TOO_MANY_WARN_ALERTS 409
+ # define SSL_R_TLS_PEER_DID_NOT_RESPOND_WITH_CERTIFICATE_LIST 233
+ # define SSL_R_TLS_RSA_ENCRYPTED_VALUE_LENGTH_IS_WRONG 234
+ # define SSL_R_TRIED_TO_USE_UNSUPPORTED_CIPHER 235
+--- crypto/openssl/ssl/ssl3.h.orig
++++ crypto/openssl/ssl/ssl3.h
+@@ -587,6 +587,8 @@
+ char is_probably_safari;
+ # endif /* !OPENSSL_NO_EC */
+ # endif /* !OPENSSL_NO_TLSEXT */
++ /* Count of the number of consecutive warning alerts received */
++ unsigned int alert_count;
+ } SSL3_STATE;
+
+ # endif
+--- crypto/openssl/ssl/ssl_locl.h.orig
++++ crypto/openssl/ssl/ssl_locl.h
+@@ -389,6 +389,8 @@
+ */
+ # define SSL_MAX_DIGEST 6
+
++# define MAX_WARN_ALERT_COUNT 5
++
+ # define TLS1_PRF_DGST_MASK (0xff << TLS1_PRF_DGST_SHIFT)
+
+ # define TLS1_PRF_DGST_SHIFT 10
Added: user/cperciva/freebsd-update-build/patches/11.0-RELEASE/3-SA-16:33.openssh
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ user/cperciva/freebsd-update-build/patches/11.0-RELEASE/3-SA-16:33.openssh Mon Dec 5 22:26:48 2016 (r309565)
@@ -0,0 +1,10 @@
+--- crypto/openssh/kex.c.orig
++++ crypto/openssh/kex.c
+@@ -468,6 +468,7 @@
+ if (kex == NULL)
+ return SSH_ERR_INVALID_ARGUMENT;
+
++ ssh_dispatch_set(ssh, SSH2_MSG_KEXINIT, NULL);
+ ptr = sshpkt_ptr(ssh, &dlen);
+ if ((r = sshbuf_put(kex->peer, ptr, dlen)) != 0)
+ return r;
Added: user/cperciva/freebsd-update-build/patches/9.3-RELEASE/50-SA-16:34.bind
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ user/cperciva/freebsd-update-build/patches/9.3-RELEASE/50-SA-16:34.bind Mon Dec 5 22:26:48 2016 (r309565)
@@ -0,0 +1,184 @@
+--- contrib/bind9/lib/dns/resolver.c.orig
++++ contrib/bind9/lib/dns/resolver.c
+@@ -524,7 +524,9 @@
+ valarg->addrinfo = addrinfo;
+
+ if (!ISC_LIST_EMPTY(fctx->validators))
+- INSIST((valoptions & DNS_VALIDATOR_DEFER) != 0);
++ valoptions |= DNS_VALIDATOR_DEFER;
++ else
++ valoptions &= ~DNS_VALIDATOR_DEFER;
+
+ result = dns_validator_create(fctx->res->view, name, type, rdataset,
+ sigrdataset, fctx->rmessage,
+@@ -4849,13 +4851,6 @@
+ rdataset,
+ sigrdataset,
+ valoptions, task);
+- /*
+- * Defer any further validations.
+- * This prevents multiple validators
+- * from manipulating fctx->rmessage
+- * simultaneously.
+- */
+- valoptions |= DNS_VALIDATOR_DEFER;
+ }
+ } else if (CHAINING(rdataset)) {
+ if (rdataset->type == dns_rdatatype_cname)
+@@ -4961,6 +4956,11 @@
+ eresult == DNS_R_NCACHENXRRSET);
+ }
+ event->result = eresult;
++ if (adbp != NULL && *adbp != NULL) {
++ if (anodep != NULL && *anodep != NULL)
++ dns_db_detachnode(*adbp, anodep);
++ dns_db_detach(adbp);
++ }
+ dns_db_attach(fctx->cache, adbp);
+ dns_db_transfernode(fctx->cache, &node, anodep);
+ clone_results(fctx);
+@@ -5208,6 +5208,11 @@
+ fctx->attributes |= FCTX_ATTR_HAVEANSWER;
+ if (event != NULL) {
+ event->result = eresult;
++ if (adbp != NULL && *adbp != NULL) {
++ if (anodep != NULL && *anodep != NULL)
++ dns_db_detachnode(*adbp, anodep);
++ dns_db_detach(adbp);
++ }
+ dns_db_attach(fctx->cache, adbp);
+ dns_db_transfernode(fctx->cache, &node, anodep);
+ clone_results(fctx);
+@@ -6016,13 +6021,15 @@
+ answer_response(fetchctx_t *fctx) {
+ isc_result_t result;
+ dns_message_t *message;
+- dns_name_t *name, *dname = NULL, *qname, tname, *ns_name;
++ dns_name_t *name, *dname = NULL, *qname, *dqname, tname, *ns_name;
++ dns_name_t *cname = NULL;
+ dns_rdataset_t *rdataset, *ns_rdataset;
+ isc_boolean_t done, external, chaining, aa, found, want_chaining;
+- isc_boolean_t have_answer, found_cname, found_type, wanted_chaining;
++ isc_boolean_t have_answer, found_cname, found_dname, found_type;
++ isc_boolean_t wanted_chaining;
+ unsigned int aflag;
+ dns_rdatatype_t type;
+- dns_fixedname_t fdname, fqname;
++ dns_fixedname_t fdname, fqname, fqdname;
+ dns_view_t *view;
+
+ FCTXTRACE("answer_response");
+@@ -6036,6 +6043,7 @@
+
+ done = ISC_FALSE;
+ found_cname = ISC_FALSE;
++ found_dname = ISC_FALSE;
+ found_type = ISC_FALSE;
+ chaining = ISC_FALSE;
+ have_answer = ISC_FALSE;
+@@ -6045,12 +6053,13 @@
+ aa = ISC_TRUE;
+ else
+ aa = ISC_FALSE;
+- qname = &fctx->name;
++ dqname = qname = &fctx->name;
+ type = fctx->type;
+ view = fctx->res->view;
++ dns_fixedname_init(&fqdname);
+ result = dns_message_firstname(message, DNS_SECTION_ANSWER);
+ while (!done && result == ISC_R_SUCCESS) {
+- dns_namereln_t namereln;
++ dns_namereln_t namereln, dnamereln;
+ int order;
+ unsigned int nlabels;
+
+@@ -6058,6 +6067,8 @@
+ dns_message_currentname(message, DNS_SECTION_ANSWER, &name);
+ external = ISC_TF(!dns_name_issubdomain(name, &fctx->domain));
+ namereln = dns_name_fullcompare(qname, name, &order, &nlabels);
++ dnamereln = dns_name_fullcompare(dqname, name, &order,
++ &nlabels);
+ if (namereln == dns_namereln_equal) {
+ wanted_chaining = ISC_FALSE;
+ for (rdataset = ISC_LIST_HEAD(name->list);
+@@ -6152,7 +6163,7 @@
+ }
+ } else if (rdataset->type == dns_rdatatype_rrsig
+ && rdataset->covers ==
+- dns_rdatatype_cname
++ dns_rdatatype_cname
+ && !found_type) {
+ /*
+ * We're looking for something else,
+@@ -6182,11 +6193,18 @@
+ * a CNAME or DNAME).
+ */
+ INSIST(!external);
+- if (aflag ==
+- DNS_RDATASETATTR_ANSWER) {
++ if ((rdataset->type !=
++ dns_rdatatype_cname) ||
++ !found_dname ||
++ (aflag ==
++ DNS_RDATASETATTR_ANSWER))
++ {
+ have_answer = ISC_TRUE;
++ if (rdataset->type ==
++ dns_rdatatype_cname)
++ cname = name;
+ name->attributes |=
+- DNS_NAMEATTR_ANSWER;
++ DNS_NAMEATTR_ANSWER;
+ }
+ rdataset->attributes |= aflag;
+ if (aa)
+@@ -6280,11 +6298,11 @@
+ return (DNS_R_FORMERR);
+ }
+
+- if (namereln != dns_namereln_subdomain) {
++ if (dnamereln != dns_namereln_subdomain) {
+ char qbuf[DNS_NAME_FORMATSIZE];
+ char obuf[DNS_NAME_FORMATSIZE];
+
+- dns_name_format(qname, qbuf,
++ dns_name_format(dqname, qbuf,
+ sizeof(qbuf));
+ dns_name_format(name, obuf,
+ sizeof(obuf));
+@@ -6299,7 +6317,7 @@
+ want_chaining = ISC_TRUE;
+ POST(want_chaining);
+ aflag = DNS_RDATASETATTR_ANSWER;
+- result = dname_target(rdataset, qname,
++ result = dname_target(rdataset, dqname,
+ nlabels, &fdname);
+ if (result == ISC_R_NOSPACE) {
+ /*
+@@ -6316,10 +6334,13 @@
+
+ dname = dns_fixedname_name(&fdname);
+ if (!is_answertarget_allowed(view,
+- qname, rdataset->type,
+- dname, &fctx->domain)) {
++ dqname, rdataset->type,
++ dname, &fctx->domain))
++ {
+ return (DNS_R_SERVFAIL);
+ }
++ dqname = dns_fixedname_name(&fqdname);
++ dns_name_copy(dname, dqname, NULL);
+ } else {
+ /*
+ * We've found a signature that
+@@ -6344,6 +6365,10 @@
+ INSIST(!external);
+ if (aflag == DNS_RDATASETATTR_ANSWER) {
+ have_answer = ISC_TRUE;
++ found_dname = ISC_TRUE;
++ if (cname != NULL)
++ cname->attributes &=
++ ~DNS_NAMEATTR_ANSWER;
+ name->attributes |=
+ DNS_NAMEATTR_ANSWER;
+ }
Added: user/cperciva/freebsd-update-build/patches/9.3-RELEASE/50-SA-16:35.openssl
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ user/cperciva/freebsd-update-build/patches/9.3-RELEASE/50-SA-16:35.openssl Mon Dec 5 22:26:48 2016 (r309565)
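Review bot: In the 9.3-RELEASE BIND patch, the first resolver.c hunk (at 524) now sets or clears `DNS_VALIDATOR_DEFER` according to `ISC_LIST_EMPTY(fctx->validators)`, while the hunk at 4849 deletes the only comment that explained what the flag is for. The explanation should move with the logic, for example `/* Defer while another validator is active so that only one manipulates fctx->rmessage at a time */` above the new `if`. The enclosing function starts and ends outside the hunk.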
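Review bot: The guard added before `dns_db_attach(fctx->cache, adbp);` in the hunk at 4961 tests `adbp != NULL`, yet the attach on the following line still passes `adbp` unconditionally, so the NULL test is either redundant or the attach is unprotected. If `adbp` can never be NULL at this point (the callers are not visible here), `if (*adbp != NULL) {` states the real condition; otherwise the attach needs the same guard. The five added lines are repeated verbatim in the hunk at 5208, which suggests a small static helper shared by both sites.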
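Review bot: The return value of `dns_name_copy(dname, dqname, NULL);` in the answer_response() hunk at 6316 is discarded, so a failed copy would leave `dqname` holding a stale or empty name that the next `dns_name_fullcompare(dqname, ...)` then relies on. The function already declares `result` and returns error codes directly, so `result = dns_name_copy(dname, dqname, NULL);` followed by `if (result != ISC_R_SUCCESS) return (result);` would fit the surrounding style. A short comment that `dqname` tracks the name as rewritten by each DNAME while `qname` stays the original query name would also help readers; answer_response() extends beyond these hunks.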
@@ -0,0 +1,94 @@
+--- crypto/openssl/ssl/d1_pkt.c.orig
++++ crypto/openssl/ssl/d1_pkt.c
+@@ -820,6 +820,13 @@
+ goto start;
+ }
+
++ /*
++ * Reset the count of consecutive warning alerts if we've got a non-empty
++ * record that isn't an alert.
++ */
++ if (rr->type != SSL3_RT_ALERT && rr->length != 0)
++ s->s3->alert_count = 0;
++
+ /* we now have a packet which can be read and processed */
+
+ if (s->s3->change_cipher_spec /* set when we receive ChangeCipherSpec,
+@@ -1043,6 +1050,14 @@
+
+ if (alert_level == 1) { /* warning */
+ s->s3->warn_alert = alert_descr;
++
++ s->s3->alert_count++;
++ if (s->s3->alert_count == MAX_WARN_ALERT_COUNT) {
++ al = SSL_AD_UNEXPECTED_MESSAGE;
++ SSLerr(SSL_F_DTLS1_READ_BYTES, SSL_R_TOO_MANY_WARN_ALERTS);
++ goto f_err;
++ }
++
+ if (alert_descr == SSL_AD_CLOSE_NOTIFY) {
+ s->shutdown |= SSL_RECEIVED_SHUTDOWN;
+ return (0);
+--- crypto/openssl/ssl/s3_pkt.c.orig
++++ crypto/openssl/ssl/s3_pkt.c
+@@ -922,6 +922,13 @@
+ return (ret);
+ }
+
++ /*
++ * Reset the count of consecutive warning alerts if we've got a non-empty
++ * record that isn't an alert.
++ */
++ if (rr->type != SSL3_RT_ALERT && rr->length != 0)
++ s->s3->alert_count = 0;
++
+ /* we now have a packet which can be read and processed */
+
+ if (s->s3->change_cipher_spec /* set when we receive ChangeCipherSpec,
+@@ -1121,6 +1128,14 @@
+
+ if (alert_level == 1) { /* warning */
+ s->s3->warn_alert = alert_descr;
++
++ s->s3->alert_count++;
++ if (s->s3->alert_count == MAX_WARN_ALERT_COUNT) {
++ al = SSL_AD_UNEXPECTED_MESSAGE;
++ SSLerr(SSL_F_SSL3_READ_BYTES, SSL_R_TOO_MANY_WARN_ALERTS);
++ goto f_err;
++ }
++
+ if (alert_descr == SSL_AD_CLOSE_NOTIFY) {
+ s->shutdown |= SSL_RECEIVED_SHUTDOWN;
+ return (0);
+--- crypto/openssl/ssl/ssl.h.orig
++++ crypto/openssl/ssl/ssl.h
+@@ -2195,6 +2195,7 @@
+ # define SSL_R_TLSV1_UNSUPPORTED_EXTENSION 1110
+ # define SSL_R_TLS_CLIENT_CERT_REQ_WITH_ANON_CIPHER 232
+ # define SSL_R_TLS_INVALID_ECPOINTFORMAT_LIST 227
++# define SSL_R_TOO_MANY_WARN_ALERTS 409
+ # define SSL_R_TLS_PEER_DID_NOT_RESPOND_WITH_CERTIFICATE_LIST 233
+ # define SSL_R_TLS_RSA_ENCRYPTED_VALUE_LENGTH_IS_WRONG 234
+ # define SSL_R_TRIED_TO_USE_UNSUPPORTED_CIPHER 235
+--- crypto/openssl/ssl/ssl3.h.orig
++++ crypto/openssl/ssl/ssl3.h
+@@ -491,6 +491,8 @@
+ char is_probably_safari;
+ # endif /* !OPENSSL_NO_EC */
+ # endif /* !OPENSSL_NO_TLSEXT */
++ /* Count of the number of consecutive warning alerts received */
++ unsigned int alert_count;
+ } SSL3_STATE;
+
+ /* SSLv3 */
+--- crypto/openssl/ssl/ssl_locl.h.orig
++++ crypto/openssl/ssl/ssl_locl.h
+@@ -247,6 +247,8 @@
+ # define DEC32(a) ((a)=((a)-1)&0xffffffffL)
+ # define MAX_MAC_SIZE 20 /* up from 16 for SSLv3 */
+
++# define MAX_WARN_ALERT_COUNT 5
++
+ /*
+ * Define the Bitmasks for SSL_CIPHER.algorithms.
+ * This bits are used packed as dense as possible. If new methods/ciphers