Skip site navigation (1)Skip section navigation (2)
Date:      Sat, 22 Sep 2012 08:48:26 +0000 (UTC)
From:      Xin LI <delphij@FreeBSD.org>
To:        src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-releng@freebsd.org
Subject:   svn commit: r240808 - in releng/9.1/contrib/bind9: . lib/dns lib/dns/include/dns
Message-ID:  <201209220848.q8M8mQJg030192@svn.freebsd.org>

next in thread | raw e-mail | index | archive | help
Author: delphij
Date: Sat Sep 22 08:48:26 2012
New Revision: 240808
URL: http://svn.freebsd.org/changeset/base/240808

Log:
  MFC 240729 (dougb):
  
  Upgrade to 9.8.3-P3:
  
  Prevents a crash when queried for a record whose RDATA exceeds
  65535 bytes.
  
  Prevents a crash when validating caused by using "Bad cache" data
  before it has been initialized.
  
  ISC_QUEUE handling for recursive clients was updated to address
  a race condition that could cause a memory leak. This rarely
  occurred with UDP clients, but could be a significant problem
  for a server handling a steady rate of TCP queries.
  
  A condition has been corrected where improper handling of
  zero-length RDATA could cause undesirable behavior, including
  termination of the named process.
  
  For more information: https://kb.isc.org/article/AA-00788
  
  Approved by:	re (kib)

Modified:
  releng/9.1/contrib/bind9/CHANGES
  releng/9.1/contrib/bind9/lib/dns/include/dns/rdata.h
  releng/9.1/contrib/bind9/lib/dns/master.c
  releng/9.1/contrib/bind9/lib/dns/rdata.c
  releng/9.1/contrib/bind9/lib/dns/rdataslab.c
  releng/9.1/contrib/bind9/version
Directory Properties:
  releng/9.1/contrib/bind9/   (props changed)

Modified: releng/9.1/contrib/bind9/CHANGES
==============================================================================
--- releng/9.1/contrib/bind9/CHANGES	Sat Sep 22 08:47:29 2012	(r240807)
+++ releng/9.1/contrib/bind9/CHANGES	Sat Sep 22 08:48:26 2012	(r240808)
@@ -1,3 +1,8 @@
+	--- 9.8.3-P3 released ---
+
+3364.	[security]	Named could die on specially crafted record.
+			[RT #30416]
+
 	--- 9.8.3-P2 released ---
 
 3346.	[security]	Bad-cache data could be used before it was

Modified: releng/9.1/contrib/bind9/lib/dns/include/dns/rdata.h
==============================================================================
--- releng/9.1/contrib/bind9/lib/dns/include/dns/rdata.h	Sat Sep 22 08:47:29 2012	(r240807)
+++ releng/9.1/contrib/bind9/lib/dns/include/dns/rdata.h	Sat Sep 22 08:48:26 2012	(r240808)
@@ -147,6 +147,17 @@ struct dns_rdata {
 	(((rdata)->flags & ~(DNS_RDATA_UPDATE|DNS_RDATA_OFFLINE)) == 0)
 
 /*
+ * The maximum length of a RDATA that can be sent on the wire.
+ * Max packet size (65535) less header (12), less name (1), type (2),
+ * class (2), ttl(4), length (2).
+ *
+ * None of the defined types that support name compression can exceed
+ * this and all new types are to be sent uncompressed.
+ */
+
+#define DNS_RDATA_MAXLENGTH	65512U
+
+/*
  * Flags affecting rdata formatting style.  Flags 0xFFFF0000
  * are used by masterfile-level formatting and defined elsewhere.
  * See additional comments at dns_rdata_tofmttext().

Modified: releng/9.1/contrib/bind9/lib/dns/master.c
==============================================================================
--- releng/9.1/contrib/bind9/lib/dns/master.c	Sat Sep 22 08:47:29 2012	(r240807)
+++ releng/9.1/contrib/bind9/lib/dns/master.c	Sat Sep 22 08:48:26 2012	(r240808)
@@ -75,7 +75,7 @@
 /*%
  * max message size - header - root - type - class - ttl - rdlen
  */
-#define MINTSIZ (65535 - 12 - 1 - 2 - 2 - 4 - 2)
+#define MINTSIZ DNS_RDATA_MAXLENGTH
 /*%
  * Size for tokens in the presentation format,
  * The largest tokens are the base64 blocks in KEY and CERT records,

Modified: releng/9.1/contrib/bind9/lib/dns/rdata.c
==============================================================================
--- releng/9.1/contrib/bind9/lib/dns/rdata.c	Sat Sep 22 08:47:29 2012	(r240807)
+++ releng/9.1/contrib/bind9/lib/dns/rdata.c	Sat Sep 22 08:48:26 2012	(r240808)
@@ -429,6 +429,7 @@ dns_rdata_fromwire(dns_rdata_t *rdata, d
 	isc_buffer_t st;
 	isc_boolean_t use_default = ISC_FALSE;
 	isc_uint32_t activelength;
+	size_t length;
 
 	REQUIRE(dctx != NULL);
 	if (rdata != NULL) {
@@ -459,6 +460,14 @@ dns_rdata_fromwire(dns_rdata_t *rdata, d
 	}
 
 	/*
+	 * Reject any rdata that expands out to more than DNS_RDATA_MAXLENGTH
+	 * as we cannot transmit it.
+	 */
+	length = isc_buffer_usedlength(target) - isc_buffer_usedlength(&st);
+	if (result == ISC_R_SUCCESS && length > DNS_RDATA_MAXLENGTH)
+		result = DNS_R_FORMERR;
+
+	/*
 	 * We should have consumed all of our buffer.
 	 */
 	if (result == ISC_R_SUCCESS && !buffer_empty(source))
@@ -466,8 +475,7 @@ dns_rdata_fromwire(dns_rdata_t *rdata, d
 
 	if (rdata != NULL && result == ISC_R_SUCCESS) {
 		region.base = isc_buffer_used(&st);
-		region.length = isc_buffer_usedlength(target) -
-				isc_buffer_usedlength(&st);
+		region.length = length;
 		dns_rdata_fromregion(rdata, rdclass, type, &region);
 	}
 
@@ -602,6 +610,7 @@ dns_rdata_fromtext(dns_rdata_t *rdata, d
 	unsigned long line;
 	void (*callback)(dns_rdatacallbacks_t *, const char *, ...);
 	isc_result_t tresult;
+	size_t length;
 
 	REQUIRE(origin == NULL || dns_name_isabsolute(origin) == ISC_TRUE);
 	if (rdata != NULL) {
@@ -673,10 +682,13 @@ dns_rdata_fromtext(dns_rdata_t *rdata, d
 		}
 	} while (1);
 
+	length = isc_buffer_usedlength(target) - isc_buffer_usedlength(&st);
+	if (result == ISC_R_SUCCESS && length > DNS_RDATA_MAXLENGTH)
+		result = ISC_R_NOSPACE;
+
 	if (rdata != NULL && result == ISC_R_SUCCESS) {
 		region.base = isc_buffer_used(&st);
-		region.length = isc_buffer_usedlength(target) -
-				isc_buffer_usedlength(&st);
+		region.length = length;
 		dns_rdata_fromregion(rdata, rdclass, type, &region);
 	}
 	if (result != ISC_R_SUCCESS) {
@@ -804,6 +816,7 @@ dns_rdata_fromstruct(dns_rdata_t *rdata,
 	isc_buffer_t st;
 	isc_region_t region;
 	isc_boolean_t use_default = ISC_FALSE;
+	size_t length;
 
 	REQUIRE(source != NULL);
 	if (rdata != NULL) {
@@ -818,10 +831,13 @@ dns_rdata_fromstruct(dns_rdata_t *rdata,
 	if (use_default)
 		(void)NULL;
 
+	length = isc_buffer_usedlength(target) - isc_buffer_usedlength(&st);
+	if (result == ISC_R_SUCCESS && length > DNS_RDATA_MAXLENGTH)
+		result = ISC_R_NOSPACE;
+
 	if (rdata != NULL && result == ISC_R_SUCCESS) {
 		region.base = isc_buffer_used(&st);
-		region.length = isc_buffer_usedlength(target) -
-				isc_buffer_usedlength(&st);
+		region.length = length;
 		dns_rdata_fromregion(rdata, rdclass, type, &region);
 	}
 	if (result != ISC_R_SUCCESS)

Modified: releng/9.1/contrib/bind9/lib/dns/rdataslab.c
==============================================================================
--- releng/9.1/contrib/bind9/lib/dns/rdataslab.c	Sat Sep 22 08:47:29 2012	(r240807)
+++ releng/9.1/contrib/bind9/lib/dns/rdataslab.c	Sat Sep 22 08:48:26 2012	(r240808)
@@ -305,6 +305,7 @@ dns_rdataslab_fromrdataset(dns_rdataset_
 		length = x[i].rdata.length;
 		if (rdataset->type == dns_rdatatype_rrsig)
 			length++;
+		INSIST(length <= 0xffff);
 		*rawbuf++ = (length & 0xff00) >> 8;
 		*rawbuf++ = (length & 0x00ff);
 #if DNS_RDATASET_FIXED

Modified: releng/9.1/contrib/bind9/version
==============================================================================
--- releng/9.1/contrib/bind9/version	Sat Sep 22 08:47:29 2012	(r240807)
+++ releng/9.1/contrib/bind9/version	Sat Sep 22 08:48:26 2012	(r240808)
@@ -7,4 +7,4 @@ MAJORVER=9
 MINORVER=8
 PATCHVER=3
 RELEASETYPE=-P
-RELEASEVER=2
+RELEASEVER=3



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?201209220848.q8M8mQJg030192>