From owner-svn-src-releng@freebsd.org  Wed Dec 16 13:56:40 2015
Return-Path: <owner-svn-src-releng@freebsd.org>
Delivered-To: svn-src-releng@mailman.ysv.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org
 [IPv6:2001:1900:2254:206a::19:1])
 by mailman.ysv.freebsd.org (Postfix) with ESMTP id D06F5A49CE7;
 Wed, 16 Dec 2015 13:56:40 +0000 (UTC)
 (envelope-from delphij@FreeBSD.org)
Received: from repo.freebsd.org (repo.freebsd.org
 [IPv6:2610:1c1:1:6068::e6a:0])
 (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
 (Client did not present a certificate)
 by mx1.freebsd.org (Postfix) with ESMTPS id 831771FAB;
 Wed, 16 Dec 2015 13:56:40 +0000 (UTC)
 (envelope-from delphij@FreeBSD.org)
Received: from repo.freebsd.org ([127.0.1.37])
 by repo.freebsd.org (8.15.2/8.15.2) with ESMTP id tBG6LRN5097107;
 Wed, 16 Dec 2015 06:21:27 GMT (envelope-from delphij@FreeBSD.org)
Received: (from delphij@localhost)
 by repo.freebsd.org (8.15.2/8.15.2/Submit) id tBG6LRff097100;
 Wed, 16 Dec 2015 06:21:27 GMT (envelope-from delphij@FreeBSD.org)
Message-Id: <201512160621.tBG6LRff097100@repo.freebsd.org>
X-Authentication-Warning: repo.freebsd.org: delphij set sender to
 delphij@FreeBSD.org using -f
From: Xin LI <delphij@FreeBSD.org>
Date: Wed, 16 Dec 2015 06:21:27 +0000 (UTC)
To: src-committers@freebsd.org, svn-src-all@freebsd.org,
 svn-src-releng@freebsd.org
Subject: svn commit: r292321 - in releng/9.3: . contrib/bind9/lib/dns
 contrib/bind9/lib/dns/include/dns sys/conf
X-SVN-Group: releng
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
X-BeenThere: svn-src-releng@freebsd.org
X-Mailman-Version: 2.1.20
Precedence: list
List-Id: SVN commit messages for the release engineering / security commits to
 the src tree <svn-src-releng.freebsd.org>
List-Unsubscribe: <https://lists.freebsd.org/mailman/options/svn-src-releng>, 
 <mailto:svn-src-releng-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/svn-src-releng/>
List-Post: <mailto:svn-src-releng@freebsd.org>
List-Help: <mailto:svn-src-releng-request@freebsd.org?subject=help>
List-Subscribe: <https://lists.freebsd.org/mailman/listinfo/svn-src-releng>,
 <mailto:svn-src-releng-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Wed, 16 Dec 2015 13:56:40 -0000

Author: delphij
Date: Wed Dec 16 06:21:26 2015
New Revision: 292321
URL: https://svnweb.freebsd.org/changeset/base/292321

Log:
  Fix BIND remote denial of service vulnerability. [SA-15:27]
  
  Security:	FreeBSD-SA-15:27.bind
  Security:	CVE-2015-8000
  Approved by:	so

Modified:
  releng/9.3/UPDATING
  releng/9.3/contrib/bind9/lib/dns/include/dns/message.h
  releng/9.3/contrib/bind9/lib/dns/message.c
  releng/9.3/contrib/bind9/lib/dns/resolver.c
  releng/9.3/contrib/bind9/lib/dns/xfrin.c
  releng/9.3/sys/conf/newvers.sh

Modified: releng/9.3/UPDATING
==============================================================================
--- releng/9.3/UPDATING	Wed Dec 16 06:10:05 2015	(r292320)
+++ releng/9.3/UPDATING	Wed Dec 16 06:21:26 2015	(r292321)
@@ -11,6 +11,9 @@ handbook:
 Items affecting the ports and packages system can be found in
 /usr/ports/UPDATING.  Please read that file before running portupgrade.
 
+20151216	p32	FreeBSD-SA-15:27.bind
+	Fix BIND remote denial of service vulnerability. [SA-15:27]
+
 20151205	p31	FreeBSD-SA-15:26.openssl
 
 	Fix OpenSSL X509_ATTRIBUTE memory leak. [SA-15:26]

Modified: releng/9.3/contrib/bind9/lib/dns/include/dns/message.h
==============================================================================
--- releng/9.3/contrib/bind9/lib/dns/include/dns/message.h	Wed Dec 16 06:10:05 2015	(r292320)
+++ releng/9.3/contrib/bind9/lib/dns/include/dns/message.h	Wed Dec 16 06:21:26 2015	(r292321)
@@ -15,8 +15,6 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id$ */
-
 #ifndef DNS_MESSAGE_H
 #define DNS_MESSAGE_H 1
 
@@ -211,6 +209,8 @@ struct dns_message {
 	unsigned int			verify_attempted : 1;
 	unsigned int			free_query : 1;
 	unsigned int			free_saved : 1;
+	unsigned int			tkey : 1;
+	unsigned int			rdclass_set : 1;
 
 	unsigned int			opt_reserved;
 	unsigned int			sig_reserved;
@@ -1375,6 +1375,15 @@ dns_message_buildopt(dns_message_t *msg,
  * \li	 other.
  */
 
+void
+dns_message_setclass(dns_message_t *msg, dns_rdataclass_t rdclass);
+/*%<
+ * Set the expected class of records in the response.
+ *
+ * Requires:
+ * \li   msg be a valid message with parsing intent.
+ */
+
 ISC_LANG_ENDDECLS
 
 #endif /* DNS_MESSAGE_H */

Modified: releng/9.3/contrib/bind9/lib/dns/message.c
==============================================================================
--- releng/9.3/contrib/bind9/lib/dns/message.c	Wed Dec 16 06:10:05 2015	(r292320)
+++ releng/9.3/contrib/bind9/lib/dns/message.c	Wed Dec 16 06:21:26 2015	(r292321)
@@ -436,6 +436,8 @@ msginit(dns_message_t *m) {
 	m->saved.base = NULL;
 	m->saved.length = 0;
 	m->free_saved = 0;
+	m->tkey = 0;
+	m->rdclass_set = 0;
 	m->querytsig = NULL;
 }
 
@@ -1086,13 +1088,19 @@ getquestions(isc_buffer_t *source, dns_m
 		 * If this class is different than the one we already read,
 		 * this is an error.
 		 */
-		if (msg->state == DNS_SECTION_ANY) {
-			msg->state = DNS_SECTION_QUESTION;
+		if (msg->rdclass_set == 0) {
 			msg->rdclass = rdclass;
+			msg->rdclass_set = 1;
 		} else if (msg->rdclass != rdclass)
 			DO_FORMERR;
 
 		/*
+		 * Is this a TKEY query?
+		 */
+		if (rdtype == dns_rdatatype_tkey)
+			msg->tkey = 1;
+
+		/*
 		 * Can't ask the same question twice.
 		 */
 		result = dns_message_find(name, rdclass, rdtype, 0, NULL);
@@ -1236,12 +1244,12 @@ getsection(isc_buffer_t *source, dns_mes
 		 * If there was no question section, we may not yet have
 		 * established a class.  Do so now.
 		 */
-		if (msg->state == DNS_SECTION_ANY &&
+		if (msg->rdclass_set == 0 &&
 		    rdtype != dns_rdatatype_opt &&	/* class is UDP SIZE */
 		    rdtype != dns_rdatatype_tsig &&	/* class is ANY */
 		    rdtype != dns_rdatatype_tkey) {	/* class is undefined */
 			msg->rdclass = rdclass;
-			msg->state = DNS_SECTION_QUESTION;
+			msg->rdclass_set = 1;
 		}
 
 		/*
@@ -1251,7 +1259,7 @@ getsection(isc_buffer_t *source, dns_mes
 		if (msg->opcode != dns_opcode_update
 		    && rdtype != dns_rdatatype_tsig
 		    && rdtype != dns_rdatatype_opt
-		    && rdtype != dns_rdatatype_dnskey /* in a TKEY query */
+		    && rdtype != dns_rdatatype_key /* in a TKEY query */
 		    && rdtype != dns_rdatatype_sig /* SIG(0) */
 		    && rdtype != dns_rdatatype_tkey /* Win2000 TKEY */
 		    && msg->rdclass != dns_rdataclass_any
@@ -1259,6 +1267,16 @@ getsection(isc_buffer_t *source, dns_mes
 			DO_FORMERR;
 
 		/*
+		 * If this is not a TKEY query/response then the KEY
+		 * record's class needs to match.
+		 */
+		if (msg->opcode != dns_opcode_update && !msg->tkey &&
+		    rdtype == dns_rdatatype_key &&
+		    msg->rdclass != dns_rdataclass_any &&
+		    msg->rdclass != rdclass)
+			DO_FORMERR;
+
+		/*
 		 * Special type handling for TSIG, OPT, and TKEY.
 		 */
 		if (rdtype == dns_rdatatype_tsig) {
@@ -1372,6 +1390,10 @@ getsection(isc_buffer_t *source, dns_mes
 				skip_name_search = ISC_TRUE;
 				skip_type_search = ISC_TRUE;
 				issigzero = ISC_TRUE;
+			} else {
+				if (msg->rdclass != dns_rdataclass_any &&
+				    msg->rdclass != rdclass)
+					DO_FORMERR;
 			}
 		} else
 			covers = 0;
@@ -1610,6 +1632,7 @@ dns_message_parse(dns_message_t *msg, is
 	msg->counts[DNS_SECTION_ADDITIONAL] = isc_buffer_getuint16(source);
 
 	msg->header_ok = 1;
+	msg->state = DNS_SECTION_QUESTION;
 
 	/*
 	 * -1 means no EDNS.
@@ -3550,3 +3573,15 @@ dns_message_buildopt(dns_message_t *mess
 		dns_message_puttemprdatalist(message, &rdatalist);
 	return (result);
 }
+
+void
+dns_message_setclass(dns_message_t *msg, dns_rdataclass_t rdclass) {
+
+	REQUIRE(DNS_MESSAGE_VALID(msg));
+	REQUIRE(msg->from_to_wire == DNS_MESSAGE_INTENTPARSE);
+	REQUIRE(msg->state == DNS_SECTION_ANY);
+	REQUIRE(msg->rdclass_set == 0);
+
+	msg->rdclass = rdclass;
+	msg->rdclass_set = 1;
+}

Modified: releng/9.3/contrib/bind9/lib/dns/resolver.c
==============================================================================
--- releng/9.3/contrib/bind9/lib/dns/resolver.c	Wed Dec 16 06:10:05 2015	(r292320)
+++ releng/9.3/contrib/bind9/lib/dns/resolver.c	Wed Dec 16 06:21:26 2015	(r292321)
@@ -6941,6 +6941,8 @@ resquery_response(isc_task_t *task, isc_
 			goto done;
 	}
 
+	dns_message_setclass(message, fctx->res->rdclass);
+
 	result = dns_message_parse(message, &devent->buffer, 0);
 	if (result != ISC_R_SUCCESS) {
 		switch (result) {
@@ -7013,6 +7015,12 @@ resquery_response(isc_task_t *task, isc_
 	 */
 	log_packet(message, ISC_LOG_DEBUG(10), fctx->res->mctx);
 
+	if (message->rdclass != fctx->res->rdclass) {
+		resend = ISC_TRUE;
+		FCTXTRACE("bad class");
+		goto done;
+	}
+
 	/*
 	 * Process receive opt record.
 	 */

Modified: releng/9.3/contrib/bind9/lib/dns/xfrin.c
==============================================================================
--- releng/9.3/contrib/bind9/lib/dns/xfrin.c	Wed Dec 16 06:10:05 2015	(r292320)
+++ releng/9.3/contrib/bind9/lib/dns/xfrin.c	Wed Dec 16 06:21:26 2015	(r292321)
@@ -1211,6 +1211,8 @@ xfrin_recv_done(isc_task_t *task, isc_ev
 	msg->tsigctx = xfr->tsigctx;
 	xfr->tsigctx = NULL;
 
+	dns_message_setclass(msg, xfr->rdclass);
+
 	if (xfr->nmsg > 0)
 		msg->tcp_continuation = 1;
 

Modified: releng/9.3/sys/conf/newvers.sh
==============================================================================
--- releng/9.3/sys/conf/newvers.sh	Wed Dec 16 06:10:05 2015	(r292320)
+++ releng/9.3/sys/conf/newvers.sh	Wed Dec 16 06:21:26 2015	(r292321)
@@ -32,7 +32,7 @@
 
 TYPE="FreeBSD"
 REVISION="9.3"
-BRANCH="RELEASE-p31"
+BRANCH="RELEASE-p32"
 if [ "X${BRANCH_OVERRIDE}" != "X" ]; then
 	BRANCH=${BRANCH_OVERRIDE}
 fi