Skip site navigation (1)Skip section navigation (2)
Date:      Thu, 22 Nov 2012 22:52:16 +0000 (UTC)
From:      "Simon L. Nielsen" <simon@FreeBSD.org>
To:        src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-releng@freebsd.org
Subject:   svn commit: r243417 - releng/7.4 releng/7.4/contrib/bind9/bin/named releng/7.4/contrib/bind9/lib/dns releng/7.4/contrib/bind9/lib/dns/include/dns releng/7.4/sys/compat/linux releng/7.4/sys/conf rel...
Message-ID:  <201211222252.qAMMqG3o080186@svn.freebsd.org>

next in thread | raw e-mail | index | archive | help
Author: simon
Date: Thu Nov 22 22:52:15 2012
New Revision: 243417
URL: http://svnweb.freebsd.org/changeset/base/243417

Log:
  Fix multiple Denial of Service vulnerabilities with named(8).
  
  Fix insufficient message length validation for EAP-TLS messages.
  
  Fix Linux compatibility layer input validation error.
  
  Security:	FreeBSD-SA-12:06.bind
  Security:	FreeBSD-SA-12:07.hostapd
  Security:	FreeBSD-SA-12:08.linux
  Security:	CVE-2012-4244, CVE-2012-5166, CVE-2012-4445, CVE-2012-4576
  Approved by:	re
  Approved by:	security-officer

Modified:
  releng/7.4/UPDATING
  releng/7.4/contrib/bind9/bin/named/query.c
  releng/7.4/contrib/bind9/lib/dns/include/dns/rdata.h
  releng/7.4/contrib/bind9/lib/dns/master.c
  releng/7.4/contrib/bind9/lib/dns/rdata.c
  releng/7.4/sys/compat/linux/linux_ioctl.c
  releng/7.4/sys/conf/newvers.sh
  releng/8.3/UPDATING
  releng/8.3/contrib/bind9/bin/named/query.c
  releng/8.3/contrib/bind9/lib/dns/include/dns/rdata.h
  releng/8.3/contrib/bind9/lib/dns/master.c
  releng/8.3/contrib/bind9/lib/dns/rdata.c
  releng/8.3/contrib/wpa/src/eap_server/eap_tls_common.c
  releng/8.3/sys/compat/linux/linux_ioctl.c
  releng/8.3/sys/conf/newvers.sh
  releng/9.0/UPDATING
  releng/9.0/contrib/bind9/bin/named/query.c
  releng/9.0/contrib/bind9/lib/dns/include/dns/rdata.h
  releng/9.0/contrib/bind9/lib/dns/master.c
  releng/9.0/contrib/bind9/lib/dns/rdata.c
  releng/9.0/contrib/wpa/src/eap_server/eap_server_tls_common.c
  releng/9.0/sys/compat/linux/linux_ioctl.c
  releng/9.0/sys/conf/newvers.sh
  releng/9.1/contrib/wpa/src/eap_server/eap_server_tls_common.c
  releng/9.1/sys/compat/linux/linux_ioctl.c

Changes in other areas also in this revision:
Modified:
  stable/8/contrib/wpa/src/eap_server/eap_tls_common.c
  stable/8/sys/compat/linux/linux_ioctl.c
  stable/9/contrib/wpa/src/eap_server/eap_server_tls_common.c
  stable/9/sys/compat/linux/linux_ioctl.c

Modified: releng/7.4/UPDATING
==============================================================================
--- releng/7.4/UPDATING	Thu Nov 22 22:10:10 2012	(r243416)
+++ releng/7.4/UPDATING	Thu Nov 22 22:52:15 2012	(r243417)
@@ -8,6 +8,11 @@ Items affecting the ports and packages s
 /usr/ports/UPDATING.  Please read that file before running
 portupgrade.
 
+20121122:	p11	FreeBSD-SA-12:06.bind FreeBSD-SA-12:08.linux
+	Fix multiple Denial of Service vulnerabilities with named(8).
+
+	Fix Linux compatibility layer input validation error.
+
 20120806:	p10	FreeBSD-SA-12:05.bind
 	Fix named(8) DNSSEC validation Denial of Service.
 

Modified: releng/7.4/contrib/bind9/bin/named/query.c
==============================================================================
--- releng/7.4/contrib/bind9/bin/named/query.c	Thu Nov 22 22:10:10 2012	(r243416)
+++ releng/7.4/contrib/bind9/bin/named/query.c	Thu Nov 22 22:52:15 2012	(r243417)
@@ -999,13 +999,6 @@ query_isduplicate(ns_client_t *client, d
 		mname = NULL;
 	}
 
-	/*
-	 * If the dns_name_t we're looking up is already in the message,
-	 * we don't want to trigger the caller's name replacement logic.
-	 */
-	if (name == mname)
-		mname = NULL;
-
 	*mnamep = mname;
 
 	CTRACE("query_isduplicate: false: done");
@@ -1199,6 +1192,7 @@ query_addadditional(void *arg, dns_name_
 	if (dns_rdataset_isassociated(rdataset) &&
 	    !query_isduplicate(client, fname, type, &mname)) {
 		if (mname != NULL) {
+			INSIST(mname != fname);
 			query_releasename(client, &fname);
 			fname = mname;
 		} else
@@ -1259,11 +1253,13 @@ query_addadditional(void *arg, dns_name_
 			mname = NULL;
 			if (!query_isduplicate(client, fname,
 					       dns_rdatatype_a, &mname)) {
+				if (mname != fname) {
 				if (mname != NULL) {
 					query_releasename(client, &fname);
 					fname = mname;
 				} else
 					need_addname = ISC_TRUE;
+				}
 				ISC_LIST_APPEND(fname->list, rdataset, link);
 				added_something = ISC_TRUE;
 				if (sigrdataset != NULL &&
@@ -1302,11 +1298,13 @@ query_addadditional(void *arg, dns_name_
 			mname = NULL;
 			if (!query_isduplicate(client, fname,
 					       dns_rdatatype_aaaa, &mname)) {
+				if (mname != fname) {
 				if (mname != NULL) {
 					query_releasename(client, &fname);
 					fname = mname;
 				} else
 					need_addname = ISC_TRUE;
+				}
 				ISC_LIST_APPEND(fname->list, rdataset, link);
 				added_something = ISC_TRUE;
 				if (sigrdataset != NULL &&
@@ -1817,6 +1815,7 @@ query_addadditional2(void *arg, dns_name
 		    crdataset->type == dns_rdatatype_aaaa) {
 			if (!query_isduplicate(client, fname, crdataset->type,
 					       &mname)) {
+				if (mname != fname) {
 				if (mname != NULL) {
 					/*
 					 * A different type of this name is
@@ -1833,6 +1832,7 @@ query_addadditional2(void *arg, dns_name
 					mname0 = mname;
 				} else
 					need_addname = ISC_TRUE;
+				}
 				ISC_LIST_UNLINK(cfname.list, crdataset, link);
 				ISC_LIST_APPEND(fname->list, crdataset, link);
 				added_something = ISC_TRUE;

Modified: releng/7.4/contrib/bind9/lib/dns/include/dns/rdata.h
==============================================================================
--- releng/7.4/contrib/bind9/lib/dns/include/dns/rdata.h	Thu Nov 22 22:10:10 2012	(r243416)
+++ releng/7.4/contrib/bind9/lib/dns/include/dns/rdata.h	Thu Nov 22 22:52:15 2012	(r243417)
@@ -127,6 +127,17 @@ struct dns_rdata {
 #define DNS_RDATA_UPDATE	0x0001		/*%< update pseudo record */
 
 /*
+ * The maximum length of a RDATA that can be sent on the wire.
+ * Max packet size (65535) less header (12), less name (1), type (2),
+ * class (2), ttl(4), length (2).
+ *
+ * None of the defined types that support name compression can exceed
+ * this and all new types are to be sent uncompressed.
+ */
+
+#define DNS_RDATA_MAXLENGTH	65512U
+
+/*
  * Flags affecting rdata formatting style.  Flags 0xFFFF0000
  * are used by masterfile-level formatting and defined elsewhere.
  * See additional comments at dns_rdata_tofmttext().

Modified: releng/7.4/contrib/bind9/lib/dns/master.c
==============================================================================
--- releng/7.4/contrib/bind9/lib/dns/master.c	Thu Nov 22 22:10:10 2012	(r243416)
+++ releng/7.4/contrib/bind9/lib/dns/master.c	Thu Nov 22 22:52:15 2012	(r243417)
@@ -75,7 +75,7 @@
 /*%
  * max message size - header - root - type - class - ttl - rdlen
  */
-#define MINTSIZ (65535 - 12 - 1 - 2 - 2 - 4 - 2)
+#define MINTSIZ DNS_RDATA_MAXLENGTH
 /*%
  * Size for tokens in the presentation format,
  * The largest tokens are the base64 blocks in KEY and CERT records,

Modified: releng/7.4/contrib/bind9/lib/dns/rdata.c
==============================================================================
--- releng/7.4/contrib/bind9/lib/dns/rdata.c	Thu Nov 22 22:10:10 2012	(r243416)
+++ releng/7.4/contrib/bind9/lib/dns/rdata.c	Thu Nov 22 22:52:15 2012	(r243417)
@@ -403,6 +403,7 @@ dns_rdata_fromwire(dns_rdata_t *rdata, d
 	isc_buffer_t st;
 	isc_boolean_t use_default = ISC_FALSE;
 	isc_uint32_t activelength;
+	size_t length;
 
 	REQUIRE(dctx != NULL);
 	if (rdata != NULL) {
@@ -433,6 +434,14 @@ dns_rdata_fromwire(dns_rdata_t *rdata, d
 	}
 
 	/*
+	 * Reject any rdata that expands out to more than DNS_RDATA_MAXLENGTH
+	 * as we cannot transmit it.
+	 */
+	length = isc_buffer_usedlength(target) - isc_buffer_usedlength(&st);
+	if (result == ISC_R_SUCCESS && length > DNS_RDATA_MAXLENGTH)
+		result = DNS_R_FORMERR;
+
+	/*
 	 * We should have consumed all of our buffer.
 	 */
 	if (result == ISC_R_SUCCESS && !buffer_empty(source))
@@ -440,8 +449,7 @@ dns_rdata_fromwire(dns_rdata_t *rdata, d
 
 	if (rdata != NULL && result == ISC_R_SUCCESS) {
 		region.base = isc_buffer_used(&st);
-		region.length = isc_buffer_usedlength(target) -
-				isc_buffer_usedlength(&st);
+		region.length = length;
 		dns_rdata_fromregion(rdata, rdclass, type, &region);
 	}
 
@@ -576,6 +584,7 @@ dns_rdata_fromtext(dns_rdata_t *rdata, d
 	unsigned long line;
 	void (*callback)(dns_rdatacallbacks_t *, const char *, ...);
 	isc_result_t tresult;
+	size_t length;
 
 	REQUIRE(origin == NULL || dns_name_isabsolute(origin) == ISC_TRUE);
 	if (rdata != NULL) {
@@ -648,10 +657,13 @@ dns_rdata_fromtext(dns_rdata_t *rdata, d
 		}
 	} while (1);
 
+	length = isc_buffer_usedlength(target) - isc_buffer_usedlength(&st);
+	if (result == ISC_R_SUCCESS && length > DNS_RDATA_MAXLENGTH)
+		result = ISC_R_NOSPACE;
+
 	if (rdata != NULL && result == ISC_R_SUCCESS) {
 		region.base = isc_buffer_used(&st);
-		region.length = isc_buffer_usedlength(target) -
-				isc_buffer_usedlength(&st);
+		region.length = length;
 		dns_rdata_fromregion(rdata, rdclass, type, &region);
 	}
 	if (result != ISC_R_SUCCESS) {
@@ -758,6 +770,7 @@ dns_rdata_fromstruct(dns_rdata_t *rdata,
 	isc_buffer_t st;
 	isc_region_t region;
 	isc_boolean_t use_default = ISC_FALSE;
+	size_t length;
 
 	REQUIRE(source != NULL);
 	if (rdata != NULL) {
@@ -772,10 +785,13 @@ dns_rdata_fromstruct(dns_rdata_t *rdata,
 	if (use_default)
 		(void)NULL;
 
+	length = isc_buffer_usedlength(target) - isc_buffer_usedlength(&st);
+	if (result == ISC_R_SUCCESS && length > DNS_RDATA_MAXLENGTH)
+		result = ISC_R_NOSPACE;
+
 	if (rdata != NULL && result == ISC_R_SUCCESS) {
 		region.base = isc_buffer_used(&st);
-		region.length = isc_buffer_usedlength(target) -
-				isc_buffer_usedlength(&st);
+		region.length = length;
 		dns_rdata_fromregion(rdata, rdclass, type, &region);
 	}
 	if (result != ISC_R_SUCCESS)

Modified: releng/7.4/sys/compat/linux/linux_ioctl.c
==============================================================================
--- releng/7.4/sys/compat/linux/linux_ioctl.c	Thu Nov 22 22:10:10 2012	(r243416)
+++ releng/7.4/sys/compat/linux/linux_ioctl.c	Thu Nov 22 22:52:15 2012	(r243417)
@@ -2207,8 +2207,9 @@ again:
 
 	ifc.ifc_len = valid_len; 
 	sbuf_finish(sb);
-	memcpy(PTRIN(ifc.ifc_buf), sbuf_data(sb), ifc.ifc_len);
-	error = copyout(&ifc, uifc, sizeof(ifc));
+	error = copyout(sbuf_data(sb), PTRIN(ifc.ifc_buf), ifc.ifc_len);
+	if (error == 0)
+		error = copyout(&ifc, uifc, sizeof(ifc));
 	sbuf_delete(sb);
 
 	return (error);

Modified: releng/7.4/sys/conf/newvers.sh
==============================================================================
--- releng/7.4/sys/conf/newvers.sh	Thu Nov 22 22:10:10 2012	(r243416)
+++ releng/7.4/sys/conf/newvers.sh	Thu Nov 22 22:52:15 2012	(r243417)
@@ -32,7 +32,7 @@
 
 TYPE="FreeBSD"
 REVISION="7.4"
-BRANCH="RELEASE-p10"
+BRANCH="RELEASE-p11"
 if [ "X${BRANCH_OVERRIDE}" != "X" ]; then
 	BRANCH=${BRANCH_OVERRIDE}
 fi

Modified: releng/8.3/UPDATING
==============================================================================
--- releng/8.3/UPDATING	Thu Nov 22 22:10:10 2012	(r243416)
+++ releng/8.3/UPDATING	Thu Nov 22 22:52:15 2012	(r243417)
@@ -15,6 +15,14 @@ NOTE TO PEOPLE WHO THINK THAT FreeBSD 8.
 	debugging tools present in HEAD were left in place because
 	sun4v support still needs work to become production ready.
 
+20121122:	p5	FreeBSD-SA-12:06.bind FreeBSD-SA-12:07.hostapd
+			FreeBSD-SA-12:08.linux
+	Fix multiple Denial of Service vulnerabilities with named(8).
+
+	Fix insufficient message length validation for EAP-TLS messages.
+
+	Fix Linux compatibility layer input validation error.
+
 20120806:	p4	FreeBSD-SA-12:05.bind
 	Fix named(8) DNSSEC validation Denial of Service.
 

Modified: releng/8.3/contrib/bind9/bin/named/query.c
==============================================================================
--- releng/8.3/contrib/bind9/bin/named/query.c	Thu Nov 22 22:10:10 2012	(r243416)
+++ releng/8.3/contrib/bind9/bin/named/query.c	Thu Nov 22 22:52:15 2012	(r243417)
@@ -1024,13 +1024,6 @@ query_isduplicate(ns_client_t *client, d
 		mname = NULL;
 	}
 
-	/*
-	 * If the dns_name_t we're looking up is already in the message,
-	 * we don't want to trigger the caller's name replacement logic.
-	 */
-	if (name == mname)
-		mname = NULL;
-
 	*mnamep = mname;
 
 	CTRACE("query_isduplicate: false: done");
@@ -1228,6 +1221,7 @@ query_addadditional(void *arg, dns_name_
 	if (dns_rdataset_isassociated(rdataset) &&
 	    !query_isduplicate(client, fname, type, &mname)) {
 		if (mname != NULL) {
+			INSIST(mname != fname);
 			query_releasename(client, &fname);
 			fname = mname;
 		} else
@@ -1288,11 +1282,13 @@ query_addadditional(void *arg, dns_name_
 			mname = NULL;
 			if (!query_isduplicate(client, fname,
 					       dns_rdatatype_a, &mname)) {
+				if (mname != fname) {
 				if (mname != NULL) {
 					query_releasename(client, &fname);
 					fname = mname;
 				} else
 					need_addname = ISC_TRUE;
+				}
 				ISC_LIST_APPEND(fname->list, rdataset, link);
 				added_something = ISC_TRUE;
 				if (sigrdataset != NULL &&
@@ -1331,11 +1327,13 @@ query_addadditional(void *arg, dns_name_
 			mname = NULL;
 			if (!query_isduplicate(client, fname,
 					       dns_rdatatype_aaaa, &mname)) {
+				if (mname != fname) {
 				if (mname != NULL) {
 					query_releasename(client, &fname);
 					fname = mname;
 				} else
 					need_addname = ISC_TRUE;
+				}
 				ISC_LIST_APPEND(fname->list, rdataset, link);
 				added_something = ISC_TRUE;
 				if (sigrdataset != NULL &&
@@ -1847,6 +1845,7 @@ query_addadditional2(void *arg, dns_name
 		    crdataset->type == dns_rdatatype_aaaa) {
 			if (!query_isduplicate(client, fname, crdataset->type,
 					       &mname)) {
+				if (mname != fname) {
 				if (mname != NULL) {
 					/*
 					 * A different type of this name is
@@ -1863,6 +1862,7 @@ query_addadditional2(void *arg, dns_name
 					mname0 = mname;
 				} else
 					need_addname = ISC_TRUE;
+				}
 				ISC_LIST_UNLINK(cfname.list, crdataset, link);
 				ISC_LIST_APPEND(fname->list, crdataset, link);
 				added_something = ISC_TRUE;

Modified: releng/8.3/contrib/bind9/lib/dns/include/dns/rdata.h
==============================================================================
--- releng/8.3/contrib/bind9/lib/dns/include/dns/rdata.h	Thu Nov 22 22:10:10 2012	(r243416)
+++ releng/8.3/contrib/bind9/lib/dns/include/dns/rdata.h	Thu Nov 22 22:52:15 2012	(r243417)
@@ -128,6 +128,17 @@ struct dns_rdata {
 #define DNS_RDATA_OFFLINE	0x0002		/*%< RRSIG has a offline key. */
 
 /*
+ * The maximum length of a RDATA that can be sent on the wire.
+ * Max packet size (65535) less header (12), less name (1), type (2),
+ * class (2), ttl(4), length (2).
+ *
+ * None of the defined types that support name compression can exceed
+ * this and all new types are to be sent uncompressed.
+ */
+
+#define DNS_RDATA_MAXLENGTH	65512U
+
+/*
  * Flags affecting rdata formatting style.  Flags 0xFFFF0000
  * are used by masterfile-level formatting and defined elsewhere.
  * See additional comments at dns_rdata_tofmttext().

Modified: releng/8.3/contrib/bind9/lib/dns/master.c
==============================================================================
--- releng/8.3/contrib/bind9/lib/dns/master.c	Thu Nov 22 22:10:10 2012	(r243416)
+++ releng/8.3/contrib/bind9/lib/dns/master.c	Thu Nov 22 22:52:15 2012	(r243417)
@@ -75,7 +75,7 @@
 /*%
  * max message size - header - root - type - class - ttl - rdlen
  */
-#define MINTSIZ (65535 - 12 - 1 - 2 - 2 - 4 - 2)
+#define MINTSIZ DNS_RDATA_MAXLENGTH
 /*%
  * Size for tokens in the presentation format,
  * The largest tokens are the base64 blocks in KEY and CERT records,

Modified: releng/8.3/contrib/bind9/lib/dns/rdata.c
==============================================================================
--- releng/8.3/contrib/bind9/lib/dns/rdata.c	Thu Nov 22 22:10:10 2012	(r243416)
+++ releng/8.3/contrib/bind9/lib/dns/rdata.c	Thu Nov 22 22:52:15 2012	(r243417)
@@ -410,6 +410,7 @@ dns_rdata_fromwire(dns_rdata_t *rdata, d
 	isc_buffer_t st;
 	isc_boolean_t use_default = ISC_FALSE;
 	isc_uint32_t activelength;
+	size_t length;
 
 	REQUIRE(dctx != NULL);
 	if (rdata != NULL) {
@@ -440,6 +441,14 @@ dns_rdata_fromwire(dns_rdata_t *rdata, d
 	}
 
 	/*
+	 * Reject any rdata that expands out to more than DNS_RDATA_MAXLENGTH
+	 * as we cannot transmit it.
+	 */
+	length = isc_buffer_usedlength(target) - isc_buffer_usedlength(&st);
+	if (result == ISC_R_SUCCESS && length > DNS_RDATA_MAXLENGTH)
+		result = DNS_R_FORMERR;
+
+	/*
 	 * We should have consumed all of our buffer.
 	 */
 	if (result == ISC_R_SUCCESS && !buffer_empty(source))
@@ -447,8 +456,7 @@ dns_rdata_fromwire(dns_rdata_t *rdata, d
 
 	if (rdata != NULL && result == ISC_R_SUCCESS) {
 		region.base = isc_buffer_used(&st);
-		region.length = isc_buffer_usedlength(target) -
-				isc_buffer_usedlength(&st);
+		region.length = length;
 		dns_rdata_fromregion(rdata, rdclass, type, &region);
 	}
 
@@ -583,6 +591,7 @@ dns_rdata_fromtext(dns_rdata_t *rdata, d
 	unsigned long line;
 	void (*callback)(dns_rdatacallbacks_t *, const char *, ...);
 	isc_result_t tresult;
+	size_t length;
 
 	REQUIRE(origin == NULL || dns_name_isabsolute(origin) == ISC_TRUE);
 	if (rdata != NULL) {
@@ -655,10 +664,13 @@ dns_rdata_fromtext(dns_rdata_t *rdata, d
 		}
 	} while (1);
 
+	length = isc_buffer_usedlength(target) - isc_buffer_usedlength(&st);
+	if (result == ISC_R_SUCCESS && length > DNS_RDATA_MAXLENGTH)
+		result = ISC_R_NOSPACE;
+
 	if (rdata != NULL && result == ISC_R_SUCCESS) {
 		region.base = isc_buffer_used(&st);
-		region.length = isc_buffer_usedlength(target) -
-				isc_buffer_usedlength(&st);
+		region.length = length;
 		dns_rdata_fromregion(rdata, rdclass, type, &region);
 	}
 	if (result != ISC_R_SUCCESS) {
@@ -766,6 +778,7 @@ dns_rdata_fromstruct(dns_rdata_t *rdata,
 	isc_buffer_t st;
 	isc_region_t region;
 	isc_boolean_t use_default = ISC_FALSE;
+	size_t length;
 
 	REQUIRE(source != NULL);
 	if (rdata != NULL) {
@@ -780,10 +793,13 @@ dns_rdata_fromstruct(dns_rdata_t *rdata,
 	if (use_default)
 		(void)NULL;
 
+	length = isc_buffer_usedlength(target) - isc_buffer_usedlength(&st);
+	if (result == ISC_R_SUCCESS && length > DNS_RDATA_MAXLENGTH)
+		result = ISC_R_NOSPACE;
+
 	if (rdata != NULL && result == ISC_R_SUCCESS) {
 		region.base = isc_buffer_used(&st);
-		region.length = isc_buffer_usedlength(target) -
-				isc_buffer_usedlength(&st);
+		region.length = length;
 		dns_rdata_fromregion(rdata, rdclass, type, &region);
 	}
 	if (result != ISC_R_SUCCESS)

Modified: releng/8.3/contrib/wpa/src/eap_server/eap_tls_common.c
==============================================================================
--- releng/8.3/contrib/wpa/src/eap_server/eap_tls_common.c	Thu Nov 22 22:10:10 2012	(r243416)
+++ releng/8.3/contrib/wpa/src/eap_server/eap_tls_common.c	Thu Nov 22 22:52:15 2012	(r243417)
@@ -220,6 +220,13 @@ static int eap_server_tls_process_fragme
 				   " over 64 kB)");
 			return -1;
 		}
+		if (len > message_length) {
+			wpa_printf(MSG_INFO, "SSL: Too much data (%d bytes) in "
+				   "first fragment of frame (TLS Message "
+				   "Length %d bytes)",
+				   (int) len, (int) message_length);
+			return -1;
+		}
 
 		data->in_buf = wpabuf_alloc(message_length);
 		if (data->in_buf == NULL) {

Modified: releng/8.3/sys/compat/linux/linux_ioctl.c
==============================================================================
--- releng/8.3/sys/compat/linux/linux_ioctl.c	Thu Nov 22 22:10:10 2012	(r243416)
+++ releng/8.3/sys/compat/linux/linux_ioctl.c	Thu Nov 22 22:52:15 2012	(r243417)
@@ -2253,8 +2253,9 @@ again:
 
 	ifc.ifc_len = valid_len; 
 	sbuf_finish(sb);
-	memcpy(PTRIN(ifc.ifc_buf), sbuf_data(sb), ifc.ifc_len);
-	error = copyout(&ifc, uifc, sizeof(ifc));
+	error = copyout(sbuf_data(sb), PTRIN(ifc.ifc_buf), ifc.ifc_len);
+	if (error == 0)
+		error = copyout(&ifc, uifc, sizeof(ifc));
 	sbuf_delete(sb);
 	CURVNET_RESTORE();
 

Modified: releng/8.3/sys/conf/newvers.sh
==============================================================================
--- releng/8.3/sys/conf/newvers.sh	Thu Nov 22 22:10:10 2012	(r243416)
+++ releng/8.3/sys/conf/newvers.sh	Thu Nov 22 22:52:15 2012	(r243417)
@@ -32,7 +32,7 @@
 
 TYPE="FreeBSD"
 REVISION="8.3"
-BRANCH="RELEASE-p4"
+BRANCH="RELEASE-p5"
 if [ "X${BRANCH_OVERRIDE}" != "X" ]; then
 	BRANCH=${BRANCH_OVERRIDE}
 fi

Modified: releng/9.0/UPDATING
==============================================================================
--- releng/9.0/UPDATING	Thu Nov 22 22:10:10 2012	(r243416)
+++ releng/9.0/UPDATING	Thu Nov 22 22:52:15 2012	(r243417)
@@ -9,6 +9,14 @@ handbook.
 Items affecting the ports and packages system can be found in
 /usr/ports/UPDATING.  Please read that file before running portupgrade.
 
+20121122:	p5	FreeBSD-SA-12:06.bind FreeBSD-SA-12:07.hostapd
+			FreeBSD-SA-12:08.linux
+	Fix multiple Denial of Service vulnerabilities with named(8).
+
+	Fix insufficient message length validation for EAP-TLS messages.
+
+	Fix Linux compatibility layer input validation error.
+
 20120806:	p4	FreeBSD-SA-12:05.bind
 	Fix named(8) DNSSEC validation Denial of Service.
 

Modified: releng/9.0/contrib/bind9/bin/named/query.c
==============================================================================
--- releng/9.0/contrib/bind9/bin/named/query.c	Thu Nov 22 22:10:10 2012	(r243416)
+++ releng/9.0/contrib/bind9/bin/named/query.c	Thu Nov 22 22:52:15 2012	(r243417)
@@ -1137,13 +1137,6 @@ query_isduplicate(ns_client_t *client, d
 		mname = NULL;
 	}
 
-	/*
-	 * If the dns_name_t we're looking up is already in the message,
-	 * we don't want to trigger the caller's name replacement logic.
-	 */
-	if (name == mname)
-		mname = NULL;
-
 	*mnamep = mname;
 
 	CTRACE("query_isduplicate: false: done");
@@ -1341,6 +1334,7 @@ query_addadditional(void *arg, dns_name_
 	if (dns_rdataset_isassociated(rdataset) &&
 	    !query_isduplicate(client, fname, type, &mname)) {
 		if (mname != NULL) {
+			INSIST(mname != fname);
 			query_releasename(client, &fname);
 			fname = mname;
 		} else
@@ -1401,11 +1395,13 @@ query_addadditional(void *arg, dns_name_
 			mname = NULL;
 			if (!query_isduplicate(client, fname,
 					       dns_rdatatype_a, &mname)) {
+				if (mname != fname) {
 				if (mname != NULL) {
 					query_releasename(client, &fname);
 					fname = mname;
 				} else
 					need_addname = ISC_TRUE;
+				}
 				ISC_LIST_APPEND(fname->list, rdataset, link);
 				added_something = ISC_TRUE;
 				if (sigrdataset != NULL &&
@@ -1444,11 +1440,13 @@ query_addadditional(void *arg, dns_name_
 			mname = NULL;
 			if (!query_isduplicate(client, fname,
 					       dns_rdatatype_aaaa, &mname)) {
+				if (mname != fname) {
 				if (mname != NULL) {
 					query_releasename(client, &fname);
 					fname = mname;
 				} else
 					need_addname = ISC_TRUE;
+				}
 				ISC_LIST_APPEND(fname->list, rdataset, link);
 				added_something = ISC_TRUE;
 				if (sigrdataset != NULL &&
@@ -1960,6 +1958,7 @@ query_addadditional2(void *arg, dns_name
 		    crdataset->type == dns_rdatatype_aaaa) {
 			if (!query_isduplicate(client, fname, crdataset->type,
 					       &mname)) {
+				if (mname != fname) {
 				if (mname != NULL) {
 					/*
 					 * A different type of this name is
@@ -1976,6 +1975,7 @@ query_addadditional2(void *arg, dns_name
 					mname0 = mname;
 				} else
 					need_addname = ISC_TRUE;
+				}
 				ISC_LIST_UNLINK(cfname.list, crdataset, link);
 				ISC_LIST_APPEND(fname->list, crdataset, link);
 				added_something = ISC_TRUE;

Modified: releng/9.0/contrib/bind9/lib/dns/include/dns/rdata.h
==============================================================================
--- releng/9.0/contrib/bind9/lib/dns/include/dns/rdata.h	Thu Nov 22 22:10:10 2012	(r243416)
+++ releng/9.0/contrib/bind9/lib/dns/include/dns/rdata.h	Thu Nov 22 22:52:15 2012	(r243417)
@@ -147,6 +147,17 @@ struct dns_rdata {
 	(((rdata)->flags & ~(DNS_RDATA_UPDATE|DNS_RDATA_OFFLINE)) == 0)
 
 /*
+ * The maximum length of a RDATA that can be sent on the wire.
+ * Max packet size (65535) less header (12), less name (1), type (2),
+ * class (2), ttl(4), length (2).
+ *
+ * None of the defined types that support name compression can exceed
+ * this and all new types are to be sent uncompressed.
+ */
+
+#define DNS_RDATA_MAXLENGTH	65512U
+
+/*
  * Flags affecting rdata formatting style.  Flags 0xFFFF0000
  * are used by masterfile-level formatting and defined elsewhere.
  * See additional comments at dns_rdata_tofmttext().

Modified: releng/9.0/contrib/bind9/lib/dns/master.c
==============================================================================
--- releng/9.0/contrib/bind9/lib/dns/master.c	Thu Nov 22 22:10:10 2012	(r243416)
+++ releng/9.0/contrib/bind9/lib/dns/master.c	Thu Nov 22 22:52:15 2012	(r243417)
@@ -75,7 +75,7 @@
 /*%
  * max message size - header - root - type - class - ttl - rdlen
  */
-#define MINTSIZ (65535 - 12 - 1 - 2 - 2 - 4 - 2)
+#define MINTSIZ DNS_RDATA_MAXLENGTH
 /*%
  * Size for tokens in the presentation format,
  * The largest tokens are the base64 blocks in KEY and CERT records,

Modified: releng/9.0/contrib/bind9/lib/dns/rdata.c
==============================================================================
--- releng/9.0/contrib/bind9/lib/dns/rdata.c	Thu Nov 22 22:10:10 2012	(r243416)
+++ releng/9.0/contrib/bind9/lib/dns/rdata.c	Thu Nov 22 22:52:15 2012	(r243417)
@@ -425,6 +425,7 @@ dns_rdata_fromwire(dns_rdata_t *rdata, d
 	isc_buffer_t st;
 	isc_boolean_t use_default = ISC_FALSE;
 	isc_uint32_t activelength;
+	size_t length;
 
 	REQUIRE(dctx != NULL);
 	if (rdata != NULL) {
@@ -455,6 +456,14 @@ dns_rdata_fromwire(dns_rdata_t *rdata, d
 	}
 
 	/*
+	 * Reject any rdata that expands out to more than DNS_RDATA_MAXLENGTH
+	 * as we cannot transmit it.
+	 */
+	length = isc_buffer_usedlength(target) - isc_buffer_usedlength(&st);
+	if (result == ISC_R_SUCCESS && length > DNS_RDATA_MAXLENGTH)
+		result = DNS_R_FORMERR;
+
+	/*
 	 * We should have consumed all of our buffer.
 	 */
 	if (result == ISC_R_SUCCESS && !buffer_empty(source))
@@ -462,8 +471,7 @@ dns_rdata_fromwire(dns_rdata_t *rdata, d
 
 	if (rdata != NULL && result == ISC_R_SUCCESS) {
 		region.base = isc_buffer_used(&st);
-		region.length = isc_buffer_usedlength(target) -
-				isc_buffer_usedlength(&st);
+		region.length = length;
 		dns_rdata_fromregion(rdata, rdclass, type, &region);
 	}
 
@@ -598,6 +606,7 @@ dns_rdata_fromtext(dns_rdata_t *rdata, d
 	unsigned long line;
 	void (*callback)(dns_rdatacallbacks_t *, const char *, ...);
 	isc_result_t tresult;
+	size_t length;
 
 	REQUIRE(origin == NULL || dns_name_isabsolute(origin) == ISC_TRUE);
 	if (rdata != NULL) {
@@ -670,10 +679,13 @@ dns_rdata_fromtext(dns_rdata_t *rdata, d
 		}
 	} while (1);
 
+	length = isc_buffer_usedlength(target) - isc_buffer_usedlength(&st);
+	if (result == ISC_R_SUCCESS && length > DNS_RDATA_MAXLENGTH)
+		result = ISC_R_NOSPACE;
+
 	if (rdata != NULL && result == ISC_R_SUCCESS) {
 		region.base = isc_buffer_used(&st);
-		region.length = isc_buffer_usedlength(target) -
-				isc_buffer_usedlength(&st);
+		region.length = length;
 		dns_rdata_fromregion(rdata, rdclass, type, &region);
 	}
 	if (result != ISC_R_SUCCESS) {
@@ -781,6 +793,7 @@ dns_rdata_fromstruct(dns_rdata_t *rdata,
 	isc_buffer_t st;
 	isc_region_t region;
 	isc_boolean_t use_default = ISC_FALSE;
+	size_t length;
 
 	REQUIRE(source != NULL);
 	if (rdata != NULL) {
@@ -795,10 +808,13 @@ dns_rdata_fromstruct(dns_rdata_t *rdata,
 	if (use_default)
 		(void)NULL;
 
+	length = isc_buffer_usedlength(target) - isc_buffer_usedlength(&st);
+	if (result == ISC_R_SUCCESS && length > DNS_RDATA_MAXLENGTH)
+		result = ISC_R_NOSPACE;
+
 	if (rdata != NULL && result == ISC_R_SUCCESS) {
 		region.base = isc_buffer_used(&st);
-		region.length = isc_buffer_usedlength(target) -
-				isc_buffer_usedlength(&st);
+		region.length = length;
 		dns_rdata_fromregion(rdata, rdclass, type, &region);
 	}
 	if (result != ISC_R_SUCCESS)

Modified: releng/9.0/contrib/wpa/src/eap_server/eap_server_tls_common.c
==============================================================================
--- releng/9.0/contrib/wpa/src/eap_server/eap_server_tls_common.c	Thu Nov 22 22:10:10 2012	(r243416)
+++ releng/9.0/contrib/wpa/src/eap_server/eap_server_tls_common.c	Thu Nov 22 22:52:15 2012	(r243417)
@@ -225,6 +225,14 @@ static int eap_server_tls_process_fragme
 			return -1;
 		}
 
+		if (len > message_length) {
+			wpa_printf(MSG_INFO, "SSL: Too much data (%d bytes) in "
+				   "first fragment of frame (TLS Message "
+				   "Length %d bytes)",
+				   (int) len, (int) message_length);
+			return -1;
+		}
+
 		data->tls_in = wpabuf_alloc(message_length);
 		if (data->tls_in == NULL) {
 			wpa_printf(MSG_DEBUG, "SSL: No memory for message");

Modified: releng/9.0/sys/compat/linux/linux_ioctl.c
==============================================================================
--- releng/9.0/sys/compat/linux/linux_ioctl.c	Thu Nov 22 22:10:10 2012	(r243416)
+++ releng/9.0/sys/compat/linux/linux_ioctl.c	Thu Nov 22 22:52:15 2012	(r243417)
@@ -2260,8 +2260,9 @@ again:
 
 	ifc.ifc_len = valid_len; 
 	sbuf_finish(sb);
-	memcpy(PTRIN(ifc.ifc_buf), sbuf_data(sb), ifc.ifc_len);
-	error = copyout(&ifc, uifc, sizeof(ifc));
+	error = copyout(sbuf_data(sb), PTRIN(ifc.ifc_buf), ifc.ifc_len);
+	if (error == 0)
+		error = copyout(&ifc, uifc, sizeof(ifc));
 	sbuf_delete(sb);
 	CURVNET_RESTORE();
 

Modified: releng/9.0/sys/conf/newvers.sh
==============================================================================
--- releng/9.0/sys/conf/newvers.sh	Thu Nov 22 22:10:10 2012	(r243416)
+++ releng/9.0/sys/conf/newvers.sh	Thu Nov 22 22:52:15 2012	(r243417)
@@ -32,7 +32,7 @@
 
 TYPE="FreeBSD"
 REVISION="9.0"
-BRANCH="RELEASE-p4"
+BRANCH="RELEASE-p5"
 if [ "X${BRANCH_OVERRIDE}" != "X" ]; then
 	BRANCH=${BRANCH_OVERRIDE}
 fi

Modified: releng/9.1/contrib/wpa/src/eap_server/eap_server_tls_common.c
==============================================================================
--- releng/9.1/contrib/wpa/src/eap_server/eap_server_tls_common.c	Thu Nov 22 22:10:10 2012	(r243416)
+++ releng/9.1/contrib/wpa/src/eap_server/eap_server_tls_common.c	Thu Nov 22 22:52:15 2012	(r243417)
@@ -225,6 +225,14 @@ static int eap_server_tls_process_fragme
 			return -1;
 		}
 
+		if (len > message_length) {
+			wpa_printf(MSG_INFO, "SSL: Too much data (%d bytes) in "
+				   "first fragment of frame (TLS Message "
+				   "Length %d bytes)",
+				   (int) len, (int) message_length);
+			return -1;
+		}
+
 		data->tls_in = wpabuf_alloc(message_length);
 		if (data->tls_in == NULL) {
 			wpa_printf(MSG_DEBUG, "SSL: No memory for message");

Modified: releng/9.1/sys/compat/linux/linux_ioctl.c
==============================================================================
--- releng/9.1/sys/compat/linux/linux_ioctl.c	Thu Nov 22 22:10:10 2012	(r243416)
+++ releng/9.1/sys/compat/linux/linux_ioctl.c	Thu Nov 22 22:52:15 2012	(r243417)
@@ -2260,8 +2260,9 @@ again:
 
 	ifc.ifc_len = valid_len; 
 	sbuf_finish(sb);
-	memcpy(PTRIN(ifc.ifc_buf), sbuf_data(sb), ifc.ifc_len);
-	error = copyout(&ifc, uifc, sizeof(ifc));
+	error = copyout(sbuf_data(sb), PTRIN(ifc.ifc_buf), ifc.ifc_len);
+	if (error == 0)
+		error = copyout(&ifc, uifc, sizeof(ifc));
 	sbuf_delete(sb);
 	CURVNET_RESTORE();
 



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?201211222252.qAMMqG3o080186>