Skip site navigation (1)Skip section navigation (2)
Date:      Tue, 24 Jul 2012 22:32:03 +0000 (UTC)
From:      Doug Barton <dougb@FreeBSD.org>
To:        src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-stable@freebsd.org, svn-src-stable-9@freebsd.org
Subject:   svn commit: r238756 - in stable/9/contrib/bind9: . lib/dns
Message-ID:  <201207242232.q6OMW3Ch081504@svn.freebsd.org>

next in thread | raw e-mail | index | archive | help
Author: dougb
Date: Tue Jul 24 22:32:03 2012
New Revision: 238756
URL: http://svn.freebsd.org/changeset/base/238756

Log:
  MFV r238744:
  
  Heavy DNSSEC Validation Load Can Cause a "Bad Cache" Assertion Failure
  in BIND9
  
  High numbers of queries with DNSSEC validation enabled can cause an
  assertion failure in named, caused by using a "bad cache" data structure
  before it has been initialized.
  
  CVE: CVE-2012-3817
  Posting date: 24 July, 2012
  
  Approved by:	re (kib)

Modified:
  stable/9/contrib/bind9/CHANGES
  stable/9/contrib/bind9/lib/dns/resolver.c
  stable/9/contrib/bind9/lib/dns/zone.c
  stable/9/contrib/bind9/version
Directory Properties:
  stable/9/contrib/bind9/   (props changed)

Modified: stable/9/contrib/bind9/CHANGES
==============================================================================
--- stable/9/contrib/bind9/CHANGES	Tue Jul 24 22:10:11 2012	(r238755)
+++ stable/9/contrib/bind9/CHANGES	Tue Jul 24 22:32:03 2012	(r238756)
@@ -1,3 +1,12 @@
+	--- 9.8.3-P2 released ---
+
+3346.	[security]	Bad-cache data could be used before it was
+			initialized, causing an assert. [RT #30025]
+
+3342.	[bug]		Change #3314 broke saving of stub zones to disk
+			resulting in excessive cpu usage in some cases.
+			[RT #29952]
+
 	--- 9.8.3-P1 released ---
 
 3331.	[security]	dns_rdataslab_fromrdataset could produce bad

Modified: stable/9/contrib/bind9/lib/dns/resolver.c
==============================================================================
--- stable/9/contrib/bind9/lib/dns/resolver.c	Tue Jul 24 22:10:11 2012	(r238755)
+++ stable/9/contrib/bind9/lib/dns/resolver.c	Tue Jul 24 22:32:03 2012	(r238756)
@@ -8448,6 +8448,7 @@ dns_resolver_addbadcache(dns_resolver_t 
 			goto cleanup;
 		bad->type = type;
 		bad->hashval = hashval;
+		bad->expire = *expire;
 		isc_buffer_init(&buffer, bad + 1, name->length);
 		dns_name_init(&bad->name, NULL);
 		dns_name_copy(name, &bad->name, &buffer);
@@ -8459,8 +8460,8 @@ dns_resolver_addbadcache(dns_resolver_t 
 		if (resolver->badcount < resolver->badhash * 2 &&
 		    resolver->badhash > DNS_BADCACHE_SIZE)
 			resizehash(resolver, &now, ISC_FALSE);
-	}
-	bad->expire = *expire;
+	} else
+		bad->expire = *expire;
  cleanup:
 	UNLOCK(&resolver->lock);
 }

Modified: stable/9/contrib/bind9/lib/dns/zone.c
==============================================================================
--- stable/9/contrib/bind9/lib/dns/zone.c	Tue Jul 24 22:10:11 2012	(r238755)
+++ stable/9/contrib/bind9/lib/dns/zone.c	Tue Jul 24 22:32:03 2012	(r238756)
@@ -8027,13 +8027,14 @@ zone_maintenance(dns_zone_t *zone) {
 	case dns_zone_master:
 	case dns_zone_slave:
 	case dns_zone_key:
+	case dns_zone_stub:
 		LOCK_ZONE(zone);
 		if (zone->masterfile != NULL &&
 		    isc_time_compare(&now, &zone->dumptime) >= 0 &&
 		    DNS_ZONE_FLAG(zone, DNS_ZONEFLG_LOADED) &&
 		    DNS_ZONE_FLAG(zone, DNS_ZONEFLG_NEEDDUMP)) {
 			dumping = was_dumping(zone);
-		} else
+		} else 
 			dumping = ISC_TRUE;
 		UNLOCK_ZONE(zone);
 		if (!dumping) {
@@ -8386,7 +8387,7 @@ zone_dump(dns_zone_t *zone, isc_boolean_
 		goto fail;
 	}
 
-	if (compact) {
+	if (compact && zone->type != dns_zone_stub) {
 		dns_zone_t *dummy = NULL;
 		LOCK_ZONE(zone);
 		zone_iattach(zone, &dummy);
@@ -9242,7 +9243,7 @@ stub_callback(isc_task_t *task, isc_even
 	dns_zone_t *zone = NULL;
 	char master[ISC_SOCKADDR_FORMATSIZE];
 	char source[ISC_SOCKADDR_FORMATSIZE];
-	isc_uint32_t nscnt, cnamecnt;
+	isc_uint32_t nscnt, cnamecnt, refresh, retry, expire;
 	isc_result_t result;
 	isc_time_t now;
 	isc_boolean_t exiting = ISC_FALSE;
@@ -9390,19 +9391,32 @@ stub_callback(isc_task_t *task, isc_even
 	ZONEDB_LOCK(&zone->dblock, isc_rwlocktype_write);
 	if (zone->db == NULL)
 		zone_attachdb(zone, stub->db);
+	result = zone_get_from_db(zone, zone->db, NULL, NULL, NULL, &refresh,
+				  &retry, &expire, NULL, NULL);
+	if (result == ISC_R_SUCCESS) {
+		zone->refresh = RANGE(refresh, zone->minrefresh,
+				      zone->maxrefresh);
+		zone->retry = RANGE(retry, zone->minretry, zone->maxretry);
+		zone->expire = RANGE(expire, zone->refresh + zone->retry,
+				     DNS_MAX_EXPIRE);
+		DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_HAVETIMERS);
+	}
 	ZONEDB_UNLOCK(&zone->dblock, isc_rwlocktype_write);
 	dns_db_detach(&stub->db);
 
-	if (zone->masterfile != NULL)
-		zone_needdump(zone, 0);
-
 	dns_message_destroy(&msg);
 	isc_event_free(&event);
 	dns_request_destroy(&zone->request);
+
 	DNS_ZONE_CLRFLAG(zone, DNS_ZONEFLG_REFRESH);
+	DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_LOADED);
 	DNS_ZONE_JITTER_ADD(&now, zone->refresh, &zone->refreshtime);
 	isc_interval_set(&i, zone->expire, 0);
 	DNS_ZONE_TIME_ADD(&now, zone->expire, &zone->expiretime);
+
+	if (zone->masterfile != NULL)
+		zone_needdump(zone, 0);
+
 	zone_settimer(zone, &now);
 	goto free_stub;
 

Modified: stable/9/contrib/bind9/version
==============================================================================
--- stable/9/contrib/bind9/version	Tue Jul 24 22:10:11 2012	(r238755)
+++ stable/9/contrib/bind9/version	Tue Jul 24 22:32:03 2012	(r238756)
@@ -7,4 +7,4 @@ MAJORVER=9
 MINORVER=8
 PATCHVER=3
 RELEASETYPE=-P
-RELEASEVER=1
+RELEASEVER=2



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?201207242232.q6OMW3Ch081504>