From owner-svn-src-releng@FreeBSD.ORG Thu Nov 22 22:52:17 2012 Return-Path: Delivered-To: svn-src-releng@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52]) by hub.freebsd.org (Postfix) with ESMTP id 19E68100; Thu, 22 Nov 2012 22:52:17 +0000 (UTC) (envelope-from simon@FreeBSD.org) Received: from svn.freebsd.org (svn.freebsd.org [IPv6:2001:1900:2254:2068::e6a:0]) by mx1.freebsd.org (Postfix) with ESMTP id EF58C8FC18; Thu, 22 Nov 2012 22:52:16 +0000 (UTC) Received: from svn.freebsd.org (localhost [127.0.0.1]) by svn.freebsd.org (8.14.5/8.14.5) with ESMTP id qAMMqGC0080215; Thu, 22 Nov 2012 22:52:16 GMT (envelope-from simon@svn.freebsd.org) Received: (from simon@localhost) by svn.freebsd.org (8.14.5/8.14.5/Submit) id qAMMqG3o080186; Thu, 22 Nov 2012 22:52:16 GMT (envelope-from simon@svn.freebsd.org) Message-Id: <201211222252.qAMMqG3o080186@svn.freebsd.org> From: "Simon L. Nielsen" Date: Thu, 22 Nov 2012 22:52:16 +0000 (UTC) To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-releng@freebsd.org Subject: svn commit: r243417 - releng/7.4 releng/7.4/contrib/bind9/bin/named releng/7.4/contrib/bind9/lib/dns releng/7.4/contrib/bind9/lib/dns/include/dns releng/7.4/sys/compat/linux releng/7.4/sys/conf rel... X-SVN-Group: releng MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-BeenThere: svn-src-releng@freebsd.org X-Mailman-Version: 2.1.14 Precedence: list List-Id: SVN commit messages for the release engineering / security commits to the src tree List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 22 Nov 2012 22:52:17 -0000 Author: simon Date: Thu Nov 22 22:52:15 2012 New Revision: 243417 URL: http://svnweb.freebsd.org/changeset/base/243417 Log: Fix multiple Denial of Service vulnerabilities with named(8). Fix insufficient message length validation for EAP-TLS messages. Fix Linux compatibility layer input validation error. Security: FreeBSD-SA-12:06.bind Security: FreeBSD-SA-12:07.hostapd Security: FreeBSD-SA-12:08.linux Security: CVE-2012-4244, CVE-2012-5166, CVE-2012-4445, CVE-2012-4576 Approved by: re Approved by: security-officer Modified: releng/7.4/UPDATING releng/7.4/contrib/bind9/bin/named/query.c releng/7.4/contrib/bind9/lib/dns/include/dns/rdata.h releng/7.4/contrib/bind9/lib/dns/master.c releng/7.4/contrib/bind9/lib/dns/rdata.c releng/7.4/sys/compat/linux/linux_ioctl.c releng/7.4/sys/conf/newvers.sh releng/8.3/UPDATING releng/8.3/contrib/bind9/bin/named/query.c releng/8.3/contrib/bind9/lib/dns/include/dns/rdata.h releng/8.3/contrib/bind9/lib/dns/master.c releng/8.3/contrib/bind9/lib/dns/rdata.c releng/8.3/contrib/wpa/src/eap_server/eap_tls_common.c releng/8.3/sys/compat/linux/linux_ioctl.c releng/8.3/sys/conf/newvers.sh releng/9.0/UPDATING releng/9.0/contrib/bind9/bin/named/query.c releng/9.0/contrib/bind9/lib/dns/include/dns/rdata.h releng/9.0/contrib/bind9/lib/dns/master.c releng/9.0/contrib/bind9/lib/dns/rdata.c releng/9.0/contrib/wpa/src/eap_server/eap_server_tls_common.c releng/9.0/sys/compat/linux/linux_ioctl.c releng/9.0/sys/conf/newvers.sh releng/9.1/contrib/wpa/src/eap_server/eap_server_tls_common.c releng/9.1/sys/compat/linux/linux_ioctl.c Changes in other areas also in this revision: Modified: stable/8/contrib/wpa/src/eap_server/eap_tls_common.c stable/8/sys/compat/linux/linux_ioctl.c stable/9/contrib/wpa/src/eap_server/eap_server_tls_common.c stable/9/sys/compat/linux/linux_ioctl.c Modified: releng/7.4/UPDATING ============================================================================== --- releng/7.4/UPDATING Thu Nov 22 22:10:10 2012 (r243416) +++ releng/7.4/UPDATING Thu Nov 22 22:52:15 2012 (r243417) @@ -8,6 +8,11 @@ Items affecting the ports and packages s /usr/ports/UPDATING. Please read that file before running portupgrade. +20121122: p11 FreeBSD-SA-12:06.bind FreeBSD-SA-12:08.linux + Fix multiple Denial of Service vulnerabilities with named(8). + + Fix Linux compatibility layer input validation error. + 20120806: p10 FreeBSD-SA-12:05.bind Fix named(8) DNSSEC validation Denial of Service. Modified: releng/7.4/contrib/bind9/bin/named/query.c ============================================================================== --- releng/7.4/contrib/bind9/bin/named/query.c Thu Nov 22 22:10:10 2012 (r243416) +++ releng/7.4/contrib/bind9/bin/named/query.c Thu Nov 22 22:52:15 2012 (r243417) @@ -999,13 +999,6 @@ query_isduplicate(ns_client_t *client, d mname = NULL; } - /* - * If the dns_name_t we're looking up is already in the message, - * we don't want to trigger the caller's name replacement logic. - */ - if (name == mname) - mname = NULL; - *mnamep = mname; CTRACE("query_isduplicate: false: done"); @@ -1199,6 +1192,7 @@ query_addadditional(void *arg, dns_name_ if (dns_rdataset_isassociated(rdataset) && !query_isduplicate(client, fname, type, &mname)) { if (mname != NULL) { + INSIST(mname != fname); query_releasename(client, &fname); fname = mname; } else @@ -1259,11 +1253,13 @@ query_addadditional(void *arg, dns_name_ mname = NULL; if (!query_isduplicate(client, fname, dns_rdatatype_a, &mname)) { + if (mname != fname) { if (mname != NULL) { query_releasename(client, &fname); fname = mname; } else need_addname = ISC_TRUE; + } ISC_LIST_APPEND(fname->list, rdataset, link); added_something = ISC_TRUE; if (sigrdataset != NULL && @@ -1302,11 +1298,13 @@ query_addadditional(void *arg, dns_name_ mname = NULL; if (!query_isduplicate(client, fname, dns_rdatatype_aaaa, &mname)) { + if (mname != fname) { if (mname != NULL) { query_releasename(client, &fname); fname = mname; } else need_addname = ISC_TRUE; + } ISC_LIST_APPEND(fname->list, rdataset, link); added_something = ISC_TRUE; if (sigrdataset != NULL && @@ -1817,6 +1815,7 @@ query_addadditional2(void *arg, dns_name crdataset->type == dns_rdatatype_aaaa) { if (!query_isduplicate(client, fname, crdataset->type, &mname)) { + if (mname != fname) { if (mname != NULL) { /* * A different type of this name is @@ -1833,6 +1832,7 @@ query_addadditional2(void *arg, dns_name mname0 = mname; } else need_addname = ISC_TRUE; + } ISC_LIST_UNLINK(cfname.list, crdataset, link); ISC_LIST_APPEND(fname->list, crdataset, link); added_something = ISC_TRUE; Modified: releng/7.4/contrib/bind9/lib/dns/include/dns/rdata.h ============================================================================== --- releng/7.4/contrib/bind9/lib/dns/include/dns/rdata.h Thu Nov 22 22:10:10 2012 (r243416) +++ releng/7.4/contrib/bind9/lib/dns/include/dns/rdata.h Thu Nov 22 22:52:15 2012 (r243417) @@ -127,6 +127,17 @@ struct dns_rdata { #define DNS_RDATA_UPDATE 0x0001 /*%< update pseudo record */ /* + * The maximum length of a RDATA that can be sent on the wire. + * Max packet size (65535) less header (12), less name (1), type (2), + * class (2), ttl(4), length (2). + * + * None of the defined types that support name compression can exceed + * this and all new types are to be sent uncompressed. + */ + +#define DNS_RDATA_MAXLENGTH 65512U + +/* * Flags affecting rdata formatting style. Flags 0xFFFF0000 * are used by masterfile-level formatting and defined elsewhere. * See additional comments at dns_rdata_tofmttext(). Modified: releng/7.4/contrib/bind9/lib/dns/master.c ============================================================================== --- releng/7.4/contrib/bind9/lib/dns/master.c Thu Nov 22 22:10:10 2012 (r243416) +++ releng/7.4/contrib/bind9/lib/dns/master.c Thu Nov 22 22:52:15 2012 (r243417) @@ -75,7 +75,7 @@ /*% * max message size - header - root - type - class - ttl - rdlen */ -#define MINTSIZ (65535 - 12 - 1 - 2 - 2 - 4 - 2) +#define MINTSIZ DNS_RDATA_MAXLENGTH /*% * Size for tokens in the presentation format, * The largest tokens are the base64 blocks in KEY and CERT records, Modified: releng/7.4/contrib/bind9/lib/dns/rdata.c ============================================================================== --- releng/7.4/contrib/bind9/lib/dns/rdata.c Thu Nov 22 22:10:10 2012 (r243416) +++ releng/7.4/contrib/bind9/lib/dns/rdata.c Thu Nov 22 22:52:15 2012 (r243417) @@ -403,6 +403,7 @@ dns_rdata_fromwire(dns_rdata_t *rdata, d isc_buffer_t st; isc_boolean_t use_default = ISC_FALSE; isc_uint32_t activelength; + size_t length; REQUIRE(dctx != NULL); if (rdata != NULL) { @@ -433,6 +434,14 @@ dns_rdata_fromwire(dns_rdata_t *rdata, d } /* + * Reject any rdata that expands out to more than DNS_RDATA_MAXLENGTH + * as we cannot transmit it. + */ + length = isc_buffer_usedlength(target) - isc_buffer_usedlength(&st); + if (result == ISC_R_SUCCESS && length > DNS_RDATA_MAXLENGTH) + result = DNS_R_FORMERR; + + /* * We should have consumed all of our buffer. */ if (result == ISC_R_SUCCESS && !buffer_empty(source)) @@ -440,8 +449,7 @@ dns_rdata_fromwire(dns_rdata_t *rdata, d if (rdata != NULL && result == ISC_R_SUCCESS) { region.base = isc_buffer_used(&st); - region.length = isc_buffer_usedlength(target) - - isc_buffer_usedlength(&st); + region.length = length; dns_rdata_fromregion(rdata, rdclass, type, ®ion); } @@ -576,6 +584,7 @@ dns_rdata_fromtext(dns_rdata_t *rdata, d unsigned long line; void (*callback)(dns_rdatacallbacks_t *, const char *, ...); isc_result_t tresult; + size_t length; REQUIRE(origin == NULL || dns_name_isabsolute(origin) == ISC_TRUE); if (rdata != NULL) { @@ -648,10 +657,13 @@ dns_rdata_fromtext(dns_rdata_t *rdata, d } } while (1); + length = isc_buffer_usedlength(target) - isc_buffer_usedlength(&st); + if (result == ISC_R_SUCCESS && length > DNS_RDATA_MAXLENGTH) + result = ISC_R_NOSPACE; + if (rdata != NULL && result == ISC_R_SUCCESS) { region.base = isc_buffer_used(&st); - region.length = isc_buffer_usedlength(target) - - isc_buffer_usedlength(&st); + region.length = length; dns_rdata_fromregion(rdata, rdclass, type, ®ion); } if (result != ISC_R_SUCCESS) { @@ -758,6 +770,7 @@ dns_rdata_fromstruct(dns_rdata_t *rdata, isc_buffer_t st; isc_region_t region; isc_boolean_t use_default = ISC_FALSE; + size_t length; REQUIRE(source != NULL); if (rdata != NULL) { @@ -772,10 +785,13 @@ dns_rdata_fromstruct(dns_rdata_t *rdata, if (use_default) (void)NULL; + length = isc_buffer_usedlength(target) - isc_buffer_usedlength(&st); + if (result == ISC_R_SUCCESS && length > DNS_RDATA_MAXLENGTH) + result = ISC_R_NOSPACE; + if (rdata != NULL && result == ISC_R_SUCCESS) { region.base = isc_buffer_used(&st); - region.length = isc_buffer_usedlength(target) - - isc_buffer_usedlength(&st); + region.length = length; dns_rdata_fromregion(rdata, rdclass, type, ®ion); } if (result != ISC_R_SUCCESS) Modified: releng/7.4/sys/compat/linux/linux_ioctl.c ============================================================================== --- releng/7.4/sys/compat/linux/linux_ioctl.c Thu Nov 22 22:10:10 2012 (r243416) +++ releng/7.4/sys/compat/linux/linux_ioctl.c Thu Nov 22 22:52:15 2012 (r243417) @@ -2207,8 +2207,9 @@ again: ifc.ifc_len = valid_len; sbuf_finish(sb); - memcpy(PTRIN(ifc.ifc_buf), sbuf_data(sb), ifc.ifc_len); - error = copyout(&ifc, uifc, sizeof(ifc)); + error = copyout(sbuf_data(sb), PTRIN(ifc.ifc_buf), ifc.ifc_len); + if (error == 0) + error = copyout(&ifc, uifc, sizeof(ifc)); sbuf_delete(sb); return (error); Modified: releng/7.4/sys/conf/newvers.sh ============================================================================== --- releng/7.4/sys/conf/newvers.sh Thu Nov 22 22:10:10 2012 (r243416) +++ releng/7.4/sys/conf/newvers.sh Thu Nov 22 22:52:15 2012 (r243417) @@ -32,7 +32,7 @@ TYPE="FreeBSD" REVISION="7.4" -BRANCH="RELEASE-p10" +BRANCH="RELEASE-p11" if [ "X${BRANCH_OVERRIDE}" != "X" ]; then BRANCH=${BRANCH_OVERRIDE} fi Modified: releng/8.3/UPDATING ============================================================================== --- releng/8.3/UPDATING Thu Nov 22 22:10:10 2012 (r243416) +++ releng/8.3/UPDATING Thu Nov 22 22:52:15 2012 (r243417) @@ -15,6 +15,14 @@ NOTE TO PEOPLE WHO THINK THAT FreeBSD 8. debugging tools present in HEAD were left in place because sun4v support still needs work to become production ready. +20121122: p5 FreeBSD-SA-12:06.bind FreeBSD-SA-12:07.hostapd + FreeBSD-SA-12:08.linux + Fix multiple Denial of Service vulnerabilities with named(8). + + Fix insufficient message length validation for EAP-TLS messages. + + Fix Linux compatibility layer input validation error. + 20120806: p4 FreeBSD-SA-12:05.bind Fix named(8) DNSSEC validation Denial of Service. Modified: releng/8.3/contrib/bind9/bin/named/query.c ============================================================================== --- releng/8.3/contrib/bind9/bin/named/query.c Thu Nov 22 22:10:10 2012 (r243416) +++ releng/8.3/contrib/bind9/bin/named/query.c Thu Nov 22 22:52:15 2012 (r243417) @@ -1024,13 +1024,6 @@ query_isduplicate(ns_client_t *client, d mname = NULL; } - /* - * If the dns_name_t we're looking up is already in the message, - * we don't want to trigger the caller's name replacement logic. - */ - if (name == mname) - mname = NULL; - *mnamep = mname; CTRACE("query_isduplicate: false: done"); @@ -1228,6 +1221,7 @@ query_addadditional(void *arg, dns_name_ if (dns_rdataset_isassociated(rdataset) && !query_isduplicate(client, fname, type, &mname)) { if (mname != NULL) { + INSIST(mname != fname); query_releasename(client, &fname); fname = mname; } else @@ -1288,11 +1282,13 @@ query_addadditional(void *arg, dns_name_ mname = NULL; if (!query_isduplicate(client, fname, dns_rdatatype_a, &mname)) { + if (mname != fname) { if (mname != NULL) { query_releasename(client, &fname); fname = mname; } else need_addname = ISC_TRUE; + } ISC_LIST_APPEND(fname->list, rdataset, link); added_something = ISC_TRUE; if (sigrdataset != NULL && @@ -1331,11 +1327,13 @@ query_addadditional(void *arg, dns_name_ mname = NULL; if (!query_isduplicate(client, fname, dns_rdatatype_aaaa, &mname)) { + if (mname != fname) { if (mname != NULL) { query_releasename(client, &fname); fname = mname; } else need_addname = ISC_TRUE; + } ISC_LIST_APPEND(fname->list, rdataset, link); added_something = ISC_TRUE; if (sigrdataset != NULL && @@ -1847,6 +1845,7 @@ query_addadditional2(void *arg, dns_name crdataset->type == dns_rdatatype_aaaa) { if (!query_isduplicate(client, fname, crdataset->type, &mname)) { + if (mname != fname) { if (mname != NULL) { /* * A different type of this name is @@ -1863,6 +1862,7 @@ query_addadditional2(void *arg, dns_name mname0 = mname; } else need_addname = ISC_TRUE; + } ISC_LIST_UNLINK(cfname.list, crdataset, link); ISC_LIST_APPEND(fname->list, crdataset, link); added_something = ISC_TRUE; Modified: releng/8.3/contrib/bind9/lib/dns/include/dns/rdata.h ============================================================================== --- releng/8.3/contrib/bind9/lib/dns/include/dns/rdata.h Thu Nov 22 22:10:10 2012 (r243416) +++ releng/8.3/contrib/bind9/lib/dns/include/dns/rdata.h Thu Nov 22 22:52:15 2012 (r243417) @@ -128,6 +128,17 @@ struct dns_rdata { #define DNS_RDATA_OFFLINE 0x0002 /*%< RRSIG has a offline key. */ /* + * The maximum length of a RDATA that can be sent on the wire. + * Max packet size (65535) less header (12), less name (1), type (2), + * class (2), ttl(4), length (2). + * + * None of the defined types that support name compression can exceed + * this and all new types are to be sent uncompressed. + */ + +#define DNS_RDATA_MAXLENGTH 65512U + +/* * Flags affecting rdata formatting style. Flags 0xFFFF0000 * are used by masterfile-level formatting and defined elsewhere. * See additional comments at dns_rdata_tofmttext(). Modified: releng/8.3/contrib/bind9/lib/dns/master.c ============================================================================== --- releng/8.3/contrib/bind9/lib/dns/master.c Thu Nov 22 22:10:10 2012 (r243416) +++ releng/8.3/contrib/bind9/lib/dns/master.c Thu Nov 22 22:52:15 2012 (r243417) @@ -75,7 +75,7 @@ /*% * max message size - header - root - type - class - ttl - rdlen */ -#define MINTSIZ (65535 - 12 - 1 - 2 - 2 - 4 - 2) +#define MINTSIZ DNS_RDATA_MAXLENGTH /*% * Size for tokens in the presentation format, * The largest tokens are the base64 blocks in KEY and CERT records, Modified: releng/8.3/contrib/bind9/lib/dns/rdata.c ============================================================================== --- releng/8.3/contrib/bind9/lib/dns/rdata.c Thu Nov 22 22:10:10 2012 (r243416) +++ releng/8.3/contrib/bind9/lib/dns/rdata.c Thu Nov 22 22:52:15 2012 (r243417) @@ -410,6 +410,7 @@ dns_rdata_fromwire(dns_rdata_t *rdata, d isc_buffer_t st; isc_boolean_t use_default = ISC_FALSE; isc_uint32_t activelength; + size_t length; REQUIRE(dctx != NULL); if (rdata != NULL) { @@ -440,6 +441,14 @@ dns_rdata_fromwire(dns_rdata_t *rdata, d } /* + * Reject any rdata that expands out to more than DNS_RDATA_MAXLENGTH + * as we cannot transmit it. + */ + length = isc_buffer_usedlength(target) - isc_buffer_usedlength(&st); + if (result == ISC_R_SUCCESS && length > DNS_RDATA_MAXLENGTH) + result = DNS_R_FORMERR; + + /* * We should have consumed all of our buffer. */ if (result == ISC_R_SUCCESS && !buffer_empty(source)) @@ -447,8 +456,7 @@ dns_rdata_fromwire(dns_rdata_t *rdata, d if (rdata != NULL && result == ISC_R_SUCCESS) { region.base = isc_buffer_used(&st); - region.length = isc_buffer_usedlength(target) - - isc_buffer_usedlength(&st); + region.length = length; dns_rdata_fromregion(rdata, rdclass, type, ®ion); } @@ -583,6 +591,7 @@ dns_rdata_fromtext(dns_rdata_t *rdata, d unsigned long line; void (*callback)(dns_rdatacallbacks_t *, const char *, ...); isc_result_t tresult; + size_t length; REQUIRE(origin == NULL || dns_name_isabsolute(origin) == ISC_TRUE); if (rdata != NULL) { @@ -655,10 +664,13 @@ dns_rdata_fromtext(dns_rdata_t *rdata, d } } while (1); + length = isc_buffer_usedlength(target) - isc_buffer_usedlength(&st); + if (result == ISC_R_SUCCESS && length > DNS_RDATA_MAXLENGTH) + result = ISC_R_NOSPACE; + if (rdata != NULL && result == ISC_R_SUCCESS) { region.base = isc_buffer_used(&st); - region.length = isc_buffer_usedlength(target) - - isc_buffer_usedlength(&st); + region.length = length; dns_rdata_fromregion(rdata, rdclass, type, ®ion); } if (result != ISC_R_SUCCESS) { @@ -766,6 +778,7 @@ dns_rdata_fromstruct(dns_rdata_t *rdata, isc_buffer_t st; isc_region_t region; isc_boolean_t use_default = ISC_FALSE; + size_t length; REQUIRE(source != NULL); if (rdata != NULL) { @@ -780,10 +793,13 @@ dns_rdata_fromstruct(dns_rdata_t *rdata, if (use_default) (void)NULL; + length = isc_buffer_usedlength(target) - isc_buffer_usedlength(&st); + if (result == ISC_R_SUCCESS && length > DNS_RDATA_MAXLENGTH) + result = ISC_R_NOSPACE; + if (rdata != NULL && result == ISC_R_SUCCESS) { region.base = isc_buffer_used(&st); - region.length = isc_buffer_usedlength(target) - - isc_buffer_usedlength(&st); + region.length = length; dns_rdata_fromregion(rdata, rdclass, type, ®ion); } if (result != ISC_R_SUCCESS) Modified: releng/8.3/contrib/wpa/src/eap_server/eap_tls_common.c ============================================================================== --- releng/8.3/contrib/wpa/src/eap_server/eap_tls_common.c Thu Nov 22 22:10:10 2012 (r243416) +++ releng/8.3/contrib/wpa/src/eap_server/eap_tls_common.c Thu Nov 22 22:52:15 2012 (r243417) @@ -220,6 +220,13 @@ static int eap_server_tls_process_fragme " over 64 kB)"); return -1; } + if (len > message_length) { + wpa_printf(MSG_INFO, "SSL: Too much data (%d bytes) in " + "first fragment of frame (TLS Message " + "Length %d bytes)", + (int) len, (int) message_length); + return -1; + } data->in_buf = wpabuf_alloc(message_length); if (data->in_buf == NULL) { Modified: releng/8.3/sys/compat/linux/linux_ioctl.c ============================================================================== --- releng/8.3/sys/compat/linux/linux_ioctl.c Thu Nov 22 22:10:10 2012 (r243416) +++ releng/8.3/sys/compat/linux/linux_ioctl.c Thu Nov 22 22:52:15 2012 (r243417) @@ -2253,8 +2253,9 @@ again: ifc.ifc_len = valid_len; sbuf_finish(sb); - memcpy(PTRIN(ifc.ifc_buf), sbuf_data(sb), ifc.ifc_len); - error = copyout(&ifc, uifc, sizeof(ifc)); + error = copyout(sbuf_data(sb), PTRIN(ifc.ifc_buf), ifc.ifc_len); + if (error == 0) + error = copyout(&ifc, uifc, sizeof(ifc)); sbuf_delete(sb); CURVNET_RESTORE(); Modified: releng/8.3/sys/conf/newvers.sh ============================================================================== --- releng/8.3/sys/conf/newvers.sh Thu Nov 22 22:10:10 2012 (r243416) +++ releng/8.3/sys/conf/newvers.sh Thu Nov 22 22:52:15 2012 (r243417) @@ -32,7 +32,7 @@ TYPE="FreeBSD" REVISION="8.3" -BRANCH="RELEASE-p4" +BRANCH="RELEASE-p5" if [ "X${BRANCH_OVERRIDE}" != "X" ]; then BRANCH=${BRANCH_OVERRIDE} fi Modified: releng/9.0/UPDATING ============================================================================== --- releng/9.0/UPDATING Thu Nov 22 22:10:10 2012 (r243416) +++ releng/9.0/UPDATING Thu Nov 22 22:52:15 2012 (r243417) @@ -9,6 +9,14 @@ handbook. Items affecting the ports and packages system can be found in /usr/ports/UPDATING. Please read that file before running portupgrade. +20121122: p5 FreeBSD-SA-12:06.bind FreeBSD-SA-12:07.hostapd + FreeBSD-SA-12:08.linux + Fix multiple Denial of Service vulnerabilities with named(8). + + Fix insufficient message length validation for EAP-TLS messages. + + Fix Linux compatibility layer input validation error. + 20120806: p4 FreeBSD-SA-12:05.bind Fix named(8) DNSSEC validation Denial of Service. Modified: releng/9.0/contrib/bind9/bin/named/query.c ============================================================================== --- releng/9.0/contrib/bind9/bin/named/query.c Thu Nov 22 22:10:10 2012 (r243416) +++ releng/9.0/contrib/bind9/bin/named/query.c Thu Nov 22 22:52:15 2012 (r243417) @@ -1137,13 +1137,6 @@ query_isduplicate(ns_client_t *client, d mname = NULL; } - /* - * If the dns_name_t we're looking up is already in the message, - * we don't want to trigger the caller's name replacement logic. - */ - if (name == mname) - mname = NULL; - *mnamep = mname; CTRACE("query_isduplicate: false: done"); @@ -1341,6 +1334,7 @@ query_addadditional(void *arg, dns_name_ if (dns_rdataset_isassociated(rdataset) && !query_isduplicate(client, fname, type, &mname)) { if (mname != NULL) { + INSIST(mname != fname); query_releasename(client, &fname); fname = mname; } else @@ -1401,11 +1395,13 @@ query_addadditional(void *arg, dns_name_ mname = NULL; if (!query_isduplicate(client, fname, dns_rdatatype_a, &mname)) { + if (mname != fname) { if (mname != NULL) { query_releasename(client, &fname); fname = mname; } else need_addname = ISC_TRUE; + } ISC_LIST_APPEND(fname->list, rdataset, link); added_something = ISC_TRUE; if (sigrdataset != NULL && @@ -1444,11 +1440,13 @@ query_addadditional(void *arg, dns_name_ mname = NULL; if (!query_isduplicate(client, fname, dns_rdatatype_aaaa, &mname)) { + if (mname != fname) { if (mname != NULL) { query_releasename(client, &fname); fname = mname; } else need_addname = ISC_TRUE; + } ISC_LIST_APPEND(fname->list, rdataset, link); added_something = ISC_TRUE; if (sigrdataset != NULL && @@ -1960,6 +1958,7 @@ query_addadditional2(void *arg, dns_name crdataset->type == dns_rdatatype_aaaa) { if (!query_isduplicate(client, fname, crdataset->type, &mname)) { + if (mname != fname) { if (mname != NULL) { /* * A different type of this name is @@ -1976,6 +1975,7 @@ query_addadditional2(void *arg, dns_name mname0 = mname; } else need_addname = ISC_TRUE; + } ISC_LIST_UNLINK(cfname.list, crdataset, link); ISC_LIST_APPEND(fname->list, crdataset, link); added_something = ISC_TRUE; Modified: releng/9.0/contrib/bind9/lib/dns/include/dns/rdata.h ============================================================================== --- releng/9.0/contrib/bind9/lib/dns/include/dns/rdata.h Thu Nov 22 22:10:10 2012 (r243416) +++ releng/9.0/contrib/bind9/lib/dns/include/dns/rdata.h Thu Nov 22 22:52:15 2012 (r243417) @@ -147,6 +147,17 @@ struct dns_rdata { (((rdata)->flags & ~(DNS_RDATA_UPDATE|DNS_RDATA_OFFLINE)) == 0) /* + * The maximum length of a RDATA that can be sent on the wire. + * Max packet size (65535) less header (12), less name (1), type (2), + * class (2), ttl(4), length (2). + * + * None of the defined types that support name compression can exceed + * this and all new types are to be sent uncompressed. + */ + +#define DNS_RDATA_MAXLENGTH 65512U + +/* * Flags affecting rdata formatting style. Flags 0xFFFF0000 * are used by masterfile-level formatting and defined elsewhere. * See additional comments at dns_rdata_tofmttext(). Modified: releng/9.0/contrib/bind9/lib/dns/master.c ============================================================================== --- releng/9.0/contrib/bind9/lib/dns/master.c Thu Nov 22 22:10:10 2012 (r243416) +++ releng/9.0/contrib/bind9/lib/dns/master.c Thu Nov 22 22:52:15 2012 (r243417) @@ -75,7 +75,7 @@ /*% * max message size - header - root - type - class - ttl - rdlen */ -#define MINTSIZ (65535 - 12 - 1 - 2 - 2 - 4 - 2) +#define MINTSIZ DNS_RDATA_MAXLENGTH /*% * Size for tokens in the presentation format, * The largest tokens are the base64 blocks in KEY and CERT records, Modified: releng/9.0/contrib/bind9/lib/dns/rdata.c ============================================================================== --- releng/9.0/contrib/bind9/lib/dns/rdata.c Thu Nov 22 22:10:10 2012 (r243416) +++ releng/9.0/contrib/bind9/lib/dns/rdata.c Thu Nov 22 22:52:15 2012 (r243417) @@ -425,6 +425,7 @@ dns_rdata_fromwire(dns_rdata_t *rdata, d isc_buffer_t st; isc_boolean_t use_default = ISC_FALSE; isc_uint32_t activelength; + size_t length; REQUIRE(dctx != NULL); if (rdata != NULL) { @@ -455,6 +456,14 @@ dns_rdata_fromwire(dns_rdata_t *rdata, d } /* + * Reject any rdata that expands out to more than DNS_RDATA_MAXLENGTH + * as we cannot transmit it. + */ + length = isc_buffer_usedlength(target) - isc_buffer_usedlength(&st); + if (result == ISC_R_SUCCESS && length > DNS_RDATA_MAXLENGTH) + result = DNS_R_FORMERR; + + /* * We should have consumed all of our buffer. */ if (result == ISC_R_SUCCESS && !buffer_empty(source)) @@ -462,8 +471,7 @@ dns_rdata_fromwire(dns_rdata_t *rdata, d if (rdata != NULL && result == ISC_R_SUCCESS) { region.base = isc_buffer_used(&st); - region.length = isc_buffer_usedlength(target) - - isc_buffer_usedlength(&st); + region.length = length; dns_rdata_fromregion(rdata, rdclass, type, ®ion); } @@ -598,6 +606,7 @@ dns_rdata_fromtext(dns_rdata_t *rdata, d unsigned long line; void (*callback)(dns_rdatacallbacks_t *, const char *, ...); isc_result_t tresult; + size_t length; REQUIRE(origin == NULL || dns_name_isabsolute(origin) == ISC_TRUE); if (rdata != NULL) { @@ -670,10 +679,13 @@ dns_rdata_fromtext(dns_rdata_t *rdata, d } } while (1); + length = isc_buffer_usedlength(target) - isc_buffer_usedlength(&st); + if (result == ISC_R_SUCCESS && length > DNS_RDATA_MAXLENGTH) + result = ISC_R_NOSPACE; + if (rdata != NULL && result == ISC_R_SUCCESS) { region.base = isc_buffer_used(&st); - region.length = isc_buffer_usedlength(target) - - isc_buffer_usedlength(&st); + region.length = length; dns_rdata_fromregion(rdata, rdclass, type, ®ion); } if (result != ISC_R_SUCCESS) { @@ -781,6 +793,7 @@ dns_rdata_fromstruct(dns_rdata_t *rdata, isc_buffer_t st; isc_region_t region; isc_boolean_t use_default = ISC_FALSE; + size_t length; REQUIRE(source != NULL); if (rdata != NULL) { @@ -795,10 +808,13 @@ dns_rdata_fromstruct(dns_rdata_t *rdata, if (use_default) (void)NULL; + length = isc_buffer_usedlength(target) - isc_buffer_usedlength(&st); + if (result == ISC_R_SUCCESS && length > DNS_RDATA_MAXLENGTH) + result = ISC_R_NOSPACE; + if (rdata != NULL && result == ISC_R_SUCCESS) { region.base = isc_buffer_used(&st); - region.length = isc_buffer_usedlength(target) - - isc_buffer_usedlength(&st); + region.length = length; dns_rdata_fromregion(rdata, rdclass, type, ®ion); } if (result != ISC_R_SUCCESS) Modified: releng/9.0/contrib/wpa/src/eap_server/eap_server_tls_common.c ============================================================================== --- releng/9.0/contrib/wpa/src/eap_server/eap_server_tls_common.c Thu Nov 22 22:10:10 2012 (r243416) +++ releng/9.0/contrib/wpa/src/eap_server/eap_server_tls_common.c Thu Nov 22 22:52:15 2012 (r243417) @@ -225,6 +225,14 @@ static int eap_server_tls_process_fragme return -1; } + if (len > message_length) { + wpa_printf(MSG_INFO, "SSL: Too much data (%d bytes) in " + "first fragment of frame (TLS Message " + "Length %d bytes)", + (int) len, (int) message_length); + return -1; + } + data->tls_in = wpabuf_alloc(message_length); if (data->tls_in == NULL) { wpa_printf(MSG_DEBUG, "SSL: No memory for message"); Modified: releng/9.0/sys/compat/linux/linux_ioctl.c ============================================================================== --- releng/9.0/sys/compat/linux/linux_ioctl.c Thu Nov 22 22:10:10 2012 (r243416) +++ releng/9.0/sys/compat/linux/linux_ioctl.c Thu Nov 22 22:52:15 2012 (r243417) @@ -2260,8 +2260,9 @@ again: ifc.ifc_len = valid_len; sbuf_finish(sb); - memcpy(PTRIN(ifc.ifc_buf), sbuf_data(sb), ifc.ifc_len); - error = copyout(&ifc, uifc, sizeof(ifc)); + error = copyout(sbuf_data(sb), PTRIN(ifc.ifc_buf), ifc.ifc_len); + if (error == 0) + error = copyout(&ifc, uifc, sizeof(ifc)); sbuf_delete(sb); CURVNET_RESTORE(); Modified: releng/9.0/sys/conf/newvers.sh ============================================================================== --- releng/9.0/sys/conf/newvers.sh Thu Nov 22 22:10:10 2012 (r243416) +++ releng/9.0/sys/conf/newvers.sh Thu Nov 22 22:52:15 2012 (r243417) @@ -32,7 +32,7 @@ TYPE="FreeBSD" REVISION="9.0" -BRANCH="RELEASE-p4" +BRANCH="RELEASE-p5" if [ "X${BRANCH_OVERRIDE}" != "X" ]; then BRANCH=${BRANCH_OVERRIDE} fi Modified: releng/9.1/contrib/wpa/src/eap_server/eap_server_tls_common.c ============================================================================== --- releng/9.1/contrib/wpa/src/eap_server/eap_server_tls_common.c Thu Nov 22 22:10:10 2012 (r243416) +++ releng/9.1/contrib/wpa/src/eap_server/eap_server_tls_common.c Thu Nov 22 22:52:15 2012 (r243417) @@ -225,6 +225,14 @@ static int eap_server_tls_process_fragme return -1; } + if (len > message_length) { + wpa_printf(MSG_INFO, "SSL: Too much data (%d bytes) in " + "first fragment of frame (TLS Message " + "Length %d bytes)", + (int) len, (int) message_length); + return -1; + } + data->tls_in = wpabuf_alloc(message_length); if (data->tls_in == NULL) { wpa_printf(MSG_DEBUG, "SSL: No memory for message"); Modified: releng/9.1/sys/compat/linux/linux_ioctl.c ============================================================================== --- releng/9.1/sys/compat/linux/linux_ioctl.c Thu Nov 22 22:10:10 2012 (r243416) +++ releng/9.1/sys/compat/linux/linux_ioctl.c Thu Nov 22 22:52:15 2012 (r243417) @@ -2260,8 +2260,9 @@ again: ifc.ifc_len = valid_len; sbuf_finish(sb); - memcpy(PTRIN(ifc.ifc_buf), sbuf_data(sb), ifc.ifc_len); - error = copyout(&ifc, uifc, sizeof(ifc)); + error = copyout(sbuf_data(sb), PTRIN(ifc.ifc_buf), ifc.ifc_len); + if (error == 0) + error = copyout(&ifc, uifc, sizeof(ifc)); sbuf_delete(sb); CURVNET_RESTORE();