From owner-svn-src-stable-9@FreeBSD.ORG Thu Nov 22 22:52:17 2012 Return-Path: Delivered-To: svn-src-stable-9@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52]) by hub.freebsd.org (Postfix) with ESMTP id 45226103; Thu, 22 Nov 2012 22:52:17 +0000 (UTC) (envelope-from simon@FreeBSD.org) Received: from svn.freebsd.org (svn.freebsd.org [IPv6:2001:1900:2254:2068::e6a:0]) by mx1.freebsd.org (Postfix) with ESMTP id 282A38FC19; Thu, 22 Nov 2012 22:52:17 +0000 (UTC) Received: from svn.freebsd.org (localhost [127.0.0.1]) by svn.freebsd.org (8.14.5/8.14.5) with ESMTP id qAMMqHKM080222; Thu, 22 Nov 2012 22:52:17 GMT (envelope-from simon@svn.freebsd.org) Received: (from simon@localhost) by svn.freebsd.org (8.14.5/8.14.5/Submit) id qAMMqHTU080220; Thu, 22 Nov 2012 22:52:17 GMT (envelope-from simon@svn.freebsd.org) Message-Id: <201211222252.qAMMqHTU080220@svn.freebsd.org> From: "Simon L. Nielsen" Date: Thu, 22 Nov 2012 22:52:16 +0000 (UTC) To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-stable@freebsd.org, svn-src-stable-9@freebsd.org Subject: svn commit: r243417 - releng/7.4 releng/7.4/contrib/bind9/bin/named releng/7.4/contrib/bind9/lib/dns releng/7.4/contrib/bind9/lib/dns/include/dns releng/7.4/sys/compat/linux releng/7.4/sys/conf rel... X-SVN-Group: stable-9 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-BeenThere: svn-src-stable-9@freebsd.org X-Mailman-Version: 2.1.14 Precedence: list List-Id: SVN commit messages for only the 9-stable src tree List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 22 Nov 2012 22:52:17 -0000 Author: simon Date: Thu Nov 22 22:52:15 2012 New Revision: 243417 URL: http://svnweb.freebsd.org/changeset/base/243417 Log: Fix multiple Denial of Service vulnerabilities with named(8). Fix insufficient message length validation for EAP-TLS messages. Fix Linux compatibility layer input validation error. Security: FreeBSD-SA-12:06.bind Security: FreeBSD-SA-12:07.hostapd Security: FreeBSD-SA-12:08.linux Security: CVE-2012-4244, CVE-2012-5166, CVE-2012-4445, CVE-2012-4576 Approved by: re Approved by: security-officer Modified: stable/9/contrib/wpa/src/eap_server/eap_server_tls_common.c stable/9/sys/compat/linux/linux_ioctl.c Changes in other areas also in this revision: Modified: releng/7.4/UPDATING releng/7.4/contrib/bind9/bin/named/query.c releng/7.4/contrib/bind9/lib/dns/include/dns/rdata.h releng/7.4/contrib/bind9/lib/dns/master.c releng/7.4/contrib/bind9/lib/dns/rdata.c releng/7.4/sys/compat/linux/linux_ioctl.c releng/7.4/sys/conf/newvers.sh releng/8.3/UPDATING releng/8.3/contrib/bind9/bin/named/query.c releng/8.3/contrib/bind9/lib/dns/include/dns/rdata.h releng/8.3/contrib/bind9/lib/dns/master.c releng/8.3/contrib/bind9/lib/dns/rdata.c releng/8.3/contrib/wpa/src/eap_server/eap_tls_common.c releng/8.3/sys/compat/linux/linux_ioctl.c releng/8.3/sys/conf/newvers.sh releng/9.0/UPDATING releng/9.0/contrib/bind9/bin/named/query.c releng/9.0/contrib/bind9/lib/dns/include/dns/rdata.h releng/9.0/contrib/bind9/lib/dns/master.c releng/9.0/contrib/bind9/lib/dns/rdata.c releng/9.0/contrib/wpa/src/eap_server/eap_server_tls_common.c releng/9.0/sys/compat/linux/linux_ioctl.c releng/9.0/sys/conf/newvers.sh releng/9.1/contrib/wpa/src/eap_server/eap_server_tls_common.c releng/9.1/sys/compat/linux/linux_ioctl.c stable/8/contrib/wpa/src/eap_server/eap_tls_common.c stable/8/sys/compat/linux/linux_ioctl.c Modified: stable/9/contrib/wpa/src/eap_server/eap_server_tls_common.c ============================================================================== --- stable/9/contrib/wpa/src/eap_server/eap_server_tls_common.c Thu Nov 22 22:10:10 2012 (r243416) +++ stable/9/contrib/wpa/src/eap_server/eap_server_tls_common.c Thu Nov 22 22:52:15 2012 (r243417) @@ -225,6 +225,14 @@ static int eap_server_tls_process_fragme return -1; } + if (len > message_length) { + wpa_printf(MSG_INFO, "SSL: Too much data (%d bytes) in " + "first fragment of frame (TLS Message " + "Length %d bytes)", + (int) len, (int) message_length); + return -1; + } + data->tls_in = wpabuf_alloc(message_length); if (data->tls_in == NULL) { wpa_printf(MSG_DEBUG, "SSL: No memory for message"); Modified: stable/9/sys/compat/linux/linux_ioctl.c ============================================================================== --- stable/9/sys/compat/linux/linux_ioctl.c Thu Nov 22 22:10:10 2012 (r243416) +++ stable/9/sys/compat/linux/linux_ioctl.c Thu Nov 22 22:52:15 2012 (r243417) @@ -2260,8 +2260,9 @@ again: ifc.ifc_len = valid_len; sbuf_finish(sb); - memcpy(PTRIN(ifc.ifc_buf), sbuf_data(sb), ifc.ifc_len); - error = copyout(&ifc, uifc, sizeof(ifc)); + error = copyout(sbuf_data(sb), PTRIN(ifc.ifc_buf), ifc.ifc_len); + if (error == 0) + error = copyout(&ifc, uifc, sizeof(ifc)); sbuf_delete(sb); CURVNET_RESTORE();