Skip site navigation (1)Skip section navigation (2)
Date:      Wed, 2 Nov 2016 07:24:34 +0000 (UTC)
From:      Xin LI <delphij@FreeBSD.org>
To:        src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-releng@freebsd.org
Subject:   svn commit: r308205 - in releng/9.3: . contrib/bind9/lib/dns crypto/openssl/ssl sys/conf
Message-ID:  <201611020724.uA27OYtu078461@repo.freebsd.org>

next in thread | raw e-mail | index | archive | help
Author: delphij
Date: Wed Nov  2 07:24:34 2016
New Revision: 308205
URL: https://svnweb.freebsd.org/changeset/base/308205

Log:
  Fix BIND remote Denial of Service vulnerability. [SA-16:34]
  
  Fix OpenSSL remote DoS vulnerability. [SA-16:35]
  
  Security:	FreeBSD-SA-16:34.bind
  Security:	FreeBSD-SA-16:35.openssl
  Approved by:	so

Modified:
  releng/9.3/UPDATING
  releng/9.3/contrib/bind9/lib/dns/resolver.c
  releng/9.3/crypto/openssl/ssl/d1_pkt.c
  releng/9.3/crypto/openssl/ssl/s3_pkt.c
  releng/9.3/crypto/openssl/ssl/ssl.h
  releng/9.3/crypto/openssl/ssl/ssl3.h
  releng/9.3/crypto/openssl/ssl/ssl_locl.h
  releng/9.3/sys/conf/newvers.sh

Modified: releng/9.3/UPDATING
==============================================================================
--- releng/9.3/UPDATING	Wed Nov  2 07:24:14 2016	(r308204)
+++ releng/9.3/UPDATING	Wed Nov  2 07:24:34 2016	(r308205)
@@ -11,6 +11,13 @@ handbook:
 Items affecting the ports and packages system can be found in
 /usr/ports/UPDATING.  Please read that file before running portupgrade.
 
+20161102	p50	FreeBSD-SA-16:34.bind
+			FreeBSD-SA-16:35.openssl
+
+	Fix BIND remote Denial of Service vulnerability. [SA-16:34]
+
+	Fix OpenSSL remote DoS vulnerability. [SA-16:35]
+
 20161025	p49	FreeBSD-SA-16:15.sysarch [revised]
 
 	Fix incorrect argument validation in sysarch(2). [SA-16:15]

Modified: releng/9.3/contrib/bind9/lib/dns/resolver.c
==============================================================================
--- releng/9.3/contrib/bind9/lib/dns/resolver.c	Wed Nov  2 07:24:14 2016	(r308204)
+++ releng/9.3/contrib/bind9/lib/dns/resolver.c	Wed Nov  2 07:24:34 2016	(r308205)
@@ -524,7 +524,9 @@ valcreate(fetchctx_t *fctx, dns_adbaddri
 	valarg->addrinfo = addrinfo;
 
 	if (!ISC_LIST_EMPTY(fctx->validators))
-		INSIST((valoptions & DNS_VALIDATOR_DEFER) != 0);
+		valoptions |= DNS_VALIDATOR_DEFER;
+	else
+		valoptions &= ~DNS_VALIDATOR_DEFER;
 
 	result = dns_validator_create(fctx->res->view, name, type, rdataset,
 				      sigrdataset, fctx->rmessage,
@@ -4849,13 +4851,6 @@ cache_name(fetchctx_t *fctx, dns_name_t 
 							   rdataset,
 							   sigrdataset,
 							   valoptions, task);
-					/*
-					 * Defer any further validations.
-					 * This prevents multiple validators
-					 * from manipulating fctx->rmessage
-					 * simultaneously.
-					 */
-					valoptions |= DNS_VALIDATOR_DEFER;
 				}
 			} else if (CHAINING(rdataset)) {
 				if (rdataset->type == dns_rdatatype_cname)
@@ -4961,6 +4956,11 @@ cache_name(fetchctx_t *fctx, dns_name_t 
 				       eresult == DNS_R_NCACHENXRRSET);
 			}
 			event->result = eresult;
+			if (adbp != NULL && *adbp != NULL) {
+				if (anodep != NULL && *anodep != NULL)
+					dns_db_detachnode(*adbp, anodep);
+				dns_db_detach(adbp);
+			}
 			dns_db_attach(fctx->cache, adbp);
 			dns_db_transfernode(fctx->cache, &node, anodep);
 			clone_results(fctx);
@@ -5208,6 +5208,11 @@ ncache_message(fetchctx_t *fctx, dns_adb
 		fctx->attributes |= FCTX_ATTR_HAVEANSWER;
 		if (event != NULL) {
 			event->result = eresult;
+			if (adbp != NULL && *adbp != NULL) {
+				if (anodep != NULL && *anodep != NULL)
+					dns_db_detachnode(*adbp, anodep);
+				dns_db_detach(adbp);
+			}
 			dns_db_attach(fctx->cache, adbp);
 			dns_db_transfernode(fctx->cache, &node, anodep);
 			clone_results(fctx);
@@ -6016,13 +6021,15 @@ static isc_result_t
 answer_response(fetchctx_t *fctx) {
 	isc_result_t result;
 	dns_message_t *message;
-	dns_name_t *name, *dname = NULL, *qname, tname, *ns_name;
+	dns_name_t *name, *dname = NULL, *qname, *dqname, tname, *ns_name;
+	dns_name_t *cname = NULL;
 	dns_rdataset_t *rdataset, *ns_rdataset;
 	isc_boolean_t done, external, chaining, aa, found, want_chaining;
-	isc_boolean_t have_answer, found_cname, found_type, wanted_chaining;
+	isc_boolean_t have_answer, found_cname, found_dname, found_type;
+	isc_boolean_t wanted_chaining;
 	unsigned int aflag;
 	dns_rdatatype_t type;
-	dns_fixedname_t fdname, fqname;
+	dns_fixedname_t fdname, fqname, fqdname;
 	dns_view_t *view;
 
 	FCTXTRACE("answer_response");
@@ -6036,6 +6043,7 @@ answer_response(fetchctx_t *fctx) {
 
 	done = ISC_FALSE;
 	found_cname = ISC_FALSE;
+	found_dname = ISC_FALSE;
 	found_type = ISC_FALSE;
 	chaining = ISC_FALSE;
 	have_answer = ISC_FALSE;
@@ -6045,12 +6053,13 @@ answer_response(fetchctx_t *fctx) {
 		aa = ISC_TRUE;
 	else
 		aa = ISC_FALSE;
-	qname = &fctx->name;
+	dqname = qname = &fctx->name;
 	type = fctx->type;
 	view = fctx->res->view;
+	dns_fixedname_init(&fqdname);
 	result = dns_message_firstname(message, DNS_SECTION_ANSWER);
 	while (!done && result == ISC_R_SUCCESS) {
-		dns_namereln_t namereln;
+		dns_namereln_t namereln, dnamereln;
 		int order;
 		unsigned int nlabels;
 
@@ -6058,6 +6067,8 @@ answer_response(fetchctx_t *fctx) {
 		dns_message_currentname(message, DNS_SECTION_ANSWER, &name);
 		external = ISC_TF(!dns_name_issubdomain(name, &fctx->domain));
 		namereln = dns_name_fullcompare(qname, name, &order, &nlabels);
+		dnamereln = dns_name_fullcompare(dqname, name, &order,
+						 &nlabels);
 		if (namereln == dns_namereln_equal) {
 			wanted_chaining = ISC_FALSE;
 			for (rdataset = ISC_LIST_HEAD(name->list);
@@ -6152,7 +6163,7 @@ answer_response(fetchctx_t *fctx) {
 					}
 				} else if (rdataset->type == dns_rdatatype_rrsig
 					   && rdataset->covers ==
-					   dns_rdatatype_cname
+					      dns_rdatatype_cname
 					   && !found_type) {
 					/*
 					 * We're looking for something else,
@@ -6182,11 +6193,18 @@ answer_response(fetchctx_t *fctx) {
 						 * a CNAME or DNAME).
 						 */
 						INSIST(!external);
-						if (aflag ==
-						    DNS_RDATASETATTR_ANSWER) {
+						if ((rdataset->type !=
+						     dns_rdatatype_cname) ||
+						    !found_dname ||
+						    (aflag ==
+						     DNS_RDATASETATTR_ANSWER))
+						{
 							have_answer = ISC_TRUE;
+							if (rdataset->type ==
+							    dns_rdatatype_cname)
+								cname = name;
 							name->attributes |=
-								DNS_NAMEATTR_ANSWER;
+							    DNS_NAMEATTR_ANSWER;
 						}
 						rdataset->attributes |= aflag;
 						if (aa)
@@ -6280,11 +6298,11 @@ answer_response(fetchctx_t *fctx) {
 					return (DNS_R_FORMERR);
 				}
 
-				if (namereln != dns_namereln_subdomain) {
+				if (dnamereln != dns_namereln_subdomain) {
 					char qbuf[DNS_NAME_FORMATSIZE];
 					char obuf[DNS_NAME_FORMATSIZE];
 
-					dns_name_format(qname, qbuf,
+					dns_name_format(dqname, qbuf,
 							sizeof(qbuf));
 					dns_name_format(name, obuf,
 							sizeof(obuf));
@@ -6299,7 +6317,7 @@ answer_response(fetchctx_t *fctx) {
 					want_chaining = ISC_TRUE;
 					POST(want_chaining);
 					aflag = DNS_RDATASETATTR_ANSWER;
-					result = dname_target(rdataset, qname,
+					result = dname_target(rdataset, dqname,
 							      nlabels, &fdname);
 					if (result == ISC_R_NOSPACE) {
 						/*
@@ -6316,10 +6334,13 @@ answer_response(fetchctx_t *fctx) {
 
 					dname = dns_fixedname_name(&fdname);
 					if (!is_answertarget_allowed(view,
-							qname, rdataset->type,
-							dname, &fctx->domain)) {
+						     dqname, rdataset->type,
+						     dname, &fctx->domain))
+					{
 						return (DNS_R_SERVFAIL);
 					}
+					dqname = dns_fixedname_name(&fqdname);
+					dns_name_copy(dname, dqname, NULL);
 				} else {
 					/*
 					 * We've found a signature that
@@ -6344,6 +6365,10 @@ answer_response(fetchctx_t *fctx) {
 					INSIST(!external);
 					if (aflag == DNS_RDATASETATTR_ANSWER) {
 						have_answer = ISC_TRUE;
+						found_dname = ISC_TRUE;
+						if (cname != NULL)
+							cname->attributes &=
+							   ~DNS_NAMEATTR_ANSWER;
 						name->attributes |=
 							DNS_NAMEATTR_ANSWER;
 					}

Modified: releng/9.3/crypto/openssl/ssl/d1_pkt.c
==============================================================================
--- releng/9.3/crypto/openssl/ssl/d1_pkt.c	Wed Nov  2 07:24:14 2016	(r308204)
+++ releng/9.3/crypto/openssl/ssl/d1_pkt.c	Wed Nov  2 07:24:34 2016	(r308205)
@@ -820,6 +820,13 @@ int dtls1_read_bytes(SSL *s, int type, u
         goto start;
     }
 
+    /*
+     * Reset the count of consecutive warning alerts if we've got a non-empty
+     * record that isn't an alert.
+     */
+    if (rr->type != SSL3_RT_ALERT && rr->length != 0)
+        s->s3->alert_count = 0;
+
     /* we now have a packet which can be read and processed */
 
     if (s->s3->change_cipher_spec /* set when we receive ChangeCipherSpec,
@@ -1043,6 +1050,14 @@ int dtls1_read_bytes(SSL *s, int type, u
 
         if (alert_level == 1) { /* warning */
             s->s3->warn_alert = alert_descr;
+
+            s->s3->alert_count++;
+            if (s->s3->alert_count == MAX_WARN_ALERT_COUNT) {
+                al = SSL_AD_UNEXPECTED_MESSAGE;
+                SSLerr(SSL_F_DTLS1_READ_BYTES, SSL_R_TOO_MANY_WARN_ALERTS);
+                goto f_err;
+            }
+
             if (alert_descr == SSL_AD_CLOSE_NOTIFY) {
                 s->shutdown |= SSL_RECEIVED_SHUTDOWN;
                 return (0);

Modified: releng/9.3/crypto/openssl/ssl/s3_pkt.c
==============================================================================
--- releng/9.3/crypto/openssl/ssl/s3_pkt.c	Wed Nov  2 07:24:14 2016	(r308204)
+++ releng/9.3/crypto/openssl/ssl/s3_pkt.c	Wed Nov  2 07:24:34 2016	(r308205)
@@ -922,6 +922,13 @@ int ssl3_read_bytes(SSL *s, int type, un
             return (ret);
     }
 
+    /*
+     * Reset the count of consecutive warning alerts if we've got a non-empty
+     * record that isn't an alert.
+     */
+    if (rr->type != SSL3_RT_ALERT && rr->length != 0)
+        s->s3->alert_count = 0;
+
     /* we now have a packet which can be read and processed */
 
     if (s->s3->change_cipher_spec /* set when we receive ChangeCipherSpec,
@@ -1121,6 +1128,14 @@ int ssl3_read_bytes(SSL *s, int type, un
 
         if (alert_level == 1) { /* warning */
             s->s3->warn_alert = alert_descr;
+
+            s->s3->alert_count++;
+            if (s->s3->alert_count == MAX_WARN_ALERT_COUNT) {
+                al = SSL_AD_UNEXPECTED_MESSAGE;
+                SSLerr(SSL_F_SSL3_READ_BYTES, SSL_R_TOO_MANY_WARN_ALERTS);
+                goto f_err;
+            }
+
             if (alert_descr == SSL_AD_CLOSE_NOTIFY) {
                 s->shutdown |= SSL_RECEIVED_SHUTDOWN;
                 return (0);

Modified: releng/9.3/crypto/openssl/ssl/ssl.h
==============================================================================
--- releng/9.3/crypto/openssl/ssl/ssl.h	Wed Nov  2 07:24:14 2016	(r308204)
+++ releng/9.3/crypto/openssl/ssl/ssl.h	Wed Nov  2 07:24:34 2016	(r308205)
@@ -2195,6 +2195,7 @@ void ERR_load_SSL_strings(void);
 # define SSL_R_TLSV1_UNSUPPORTED_EXTENSION                1110
 # define SSL_R_TLS_CLIENT_CERT_REQ_WITH_ANON_CIPHER       232
 # define SSL_R_TLS_INVALID_ECPOINTFORMAT_LIST             227
+# define SSL_R_TOO_MANY_WARN_ALERTS                       409
 # define SSL_R_TLS_PEER_DID_NOT_RESPOND_WITH_CERTIFICATE_LIST 233
 # define SSL_R_TLS_RSA_ENCRYPTED_VALUE_LENGTH_IS_WRONG    234
 # define SSL_R_TRIED_TO_USE_UNSUPPORTED_CIPHER            235

Modified: releng/9.3/crypto/openssl/ssl/ssl3.h
==============================================================================
--- releng/9.3/crypto/openssl/ssl/ssl3.h	Wed Nov  2 07:24:14 2016	(r308204)
+++ releng/9.3/crypto/openssl/ssl/ssl3.h	Wed Nov  2 07:24:34 2016	(r308205)
@@ -491,6 +491,8 @@ typedef struct ssl3_state_st {
     char is_probably_safari;
 #  endif                        /* !OPENSSL_NO_EC */
 # endif                         /* !OPENSSL_NO_TLSEXT */
+    /* Count of the number of consecutive warning alerts received */
+    unsigned int alert_count;
 } SSL3_STATE;
 
 /* SSLv3 */

Modified: releng/9.3/crypto/openssl/ssl/ssl_locl.h
==============================================================================
--- releng/9.3/crypto/openssl/ssl/ssl_locl.h	Wed Nov  2 07:24:14 2016	(r308204)
+++ releng/9.3/crypto/openssl/ssl/ssl_locl.h	Wed Nov  2 07:24:34 2016	(r308205)
@@ -247,6 +247,8 @@
 # define DEC32(a)        ((a)=((a)-1)&0xffffffffL)
 # define MAX_MAC_SIZE    20     /* up from 16 for SSLv3 */
 
+# define MAX_WARN_ALERT_COUNT    5
+
 /*
  * Define the Bitmasks for SSL_CIPHER.algorithms.
  * This bits are used packed as dense as possible. If new methods/ciphers

Modified: releng/9.3/sys/conf/newvers.sh
==============================================================================
--- releng/9.3/sys/conf/newvers.sh	Wed Nov  2 07:24:14 2016	(r308204)
+++ releng/9.3/sys/conf/newvers.sh	Wed Nov  2 07:24:34 2016	(r308205)
@@ -32,7 +32,7 @@
 
 TYPE="FreeBSD"
 REVISION="9.3"
-BRANCH="RELEASE-p49"
+BRANCH="RELEASE-p50"
 if [ "X${BRANCH_OVERRIDE}" != "X" ]; then
 	BRANCH=${BRANCH_OVERRIDE}
 fi



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?201611020724.uA27OYtu078461>