From: Doug Barton
Date: Mon, 4 Jun 2012 22:21:55 +0000 (UTC)
To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-stable@freebsd.org, svn-src-stable-8@freebsd.org
Subject: svn commit: r236590 - in stable/8/contrib/bind9: . lib/dns

Author: dougb
Date: Mon Jun 4 22:21:55 2012
New Revision: 236590
URL: http://svn.freebsd.org/changeset/base/236590

Log:
  Upgrade to 9.6-ESV-R7-P1, the latest from ISC. This version contains a critical bugfix:

    Processing of DNS resource records where the rdata field is zero length may cause various issues for the servers handling them.

    Processing of these records may lead to unexpected outcomes. Recursive servers may crash or disclose some portion of memory to the client. Secondary servers may crash on restart after transferring a zone containing these records. Master servers may corrupt zone data if the zone option "auto-dnssec" is set to "maintain". Other unexpected problems that are not listed here may also be encountered.

  All BIND users are strongly encouraged to upgrade.

Modified:
  stable/8/contrib/bind9/CHANGES
  stable/8/contrib/bind9/lib/dns/rdata.c
  stable/8/contrib/bind9/lib/dns/rdataslab.c
  stable/8/contrib/bind9/version
Directory Properties:
  stable/8/contrib/bind9/ (props changed)

Modified: stable/8/contrib/bind9/CHANGES ============================================================================== --- stable/8/contrib/bind9/CHANGES Mon Jun 4 22:19:32 2012 (r236589) +++ stable/8/contrib/bind9/CHANGES Mon Jun 4 22:21:55 2012 (r236590) 
@@ -1,3 +1,8 @@ + --- 9.6-ESV-R7-P1 released --- + +3331. [security] dns_rdataslab_fromrdataset could produce bad + rdataslabs. [RT #29644] + --- 9.6-ESV-R7 released --- 3318. [tuning] Reduce the amount of work performed while holding a Modified: stable/8/contrib/bind9/lib/dns/rdata.c ============================================================================== --- stable/8/contrib/bind9/lib/dns/rdata.c Mon Jun 4 22:19:32 2012 (r236589) +++ stable/8/contrib/bind9/lib/dns/rdata.c Mon Jun 4 22:21:55 2012 (r236590) @@ -345,8 +345,8 @@ dns_rdata_compare(const dns_rdata_t *rda REQUIRE(rdata1 != NULL); REQUIRE(rdata2 != NULL); - REQUIRE(rdata1->data != NULL); - REQUIRE(rdata2->data != NULL); + REQUIRE(rdata1->length == 0 || rdata1->data != NULL); + REQUIRE(rdata2->length == 0 || rdata2->data != NULL); REQUIRE(DNS_RDATA_VALIDFLAGS(rdata1)); REQUIRE(DNS_RDATA_VALIDFLAGS(rdata2)); Modified: stable/8/contrib/bind9/lib/dns/rdataslab.c ============================================================================== --- stable/8/contrib/bind9/lib/dns/rdataslab.c Mon Jun 4 22:19:32 2012 (r236589) +++ stable/8/contrib/bind9/lib/dns/rdataslab.c Mon Jun 4 22:21:55 2012 (r236590) @@ -126,6 +126,11 @@ isc_result_t dns_rdataslab_fromrdataset(dns_rdataset_t *rdataset, isc_mem_t *mctx, isc_region_t *region, unsigned int reservelen) { + /* + * Use &removed as a sentinal pointer for duplicate + * rdata as rdata.data == NULL is valid. + */ + static unsigned char removed; struct xrdata *x; unsigned char *rawbuf; #if DNS_RDATASET_FIXED @@ -165,6 +170,7 @@ dns_rdataslab_fromrdataset(dns_rdataset_ INSIST(result == ISC_R_SUCCESS); dns_rdata_init(&x[i].rdata); dns_rdataset_current(rdataset, &x[i].rdata); + INSIST(x[i].rdata.data != &removed); #if DNS_RDATASET_FIXED x[i].order = i; #endif 
@@ -197,8 +203,7 @@ dns_rdataslab_fromrdataset(dns_rdataset_ */ for (i = 1; i < nalloc; i++) { if (compare_rdata(&x[i-1].rdata, &x[i].rdata) == 0) { - x[i-1].rdata.data = NULL; - x[i-1].rdata.length = 0; + x[i-1].rdata.data = &removed; #if DNS_RDATASET_FIXED /* * Preserve the least order so A, B, A -> A, B @@ -285,7 +290,7 @@ dns_rdataslab_fromrdataset(dns_rdataset_ #endif for (i = 0; i < nalloc; i++) { - if (x[i].rdata.data == NULL) + if (x[i].rdata.data == &removed) continue; #if DNS_RDATASET_FIXED offsettable[x[i].order] = rawbuf - offsetbase; Modified: stable/8/contrib/bind9/version ============================================================================== --- stable/8/contrib/bind9/version Mon Jun 4 22:19:32 2012 (r236589) +++ stable/8/contrib/bind9/version Mon Jun 4 22:21:55 2012 (r236590) @@ -7,4 +7,4 @@ MAJORVER=9 MINORVER=6 PATCHVER= RELEASETYPE=-ESV -RELEASEVER=-R7 +RELEASEVER=-R7-P1
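
Review bot: In the rdata.c hunk (@@ -345,8 +345,8 @@, dns_rdata_compare), the relaxed REQUIREs now admit data == NULL whenever length == 0, but the comparison code that consumes those pointers lies outside the visible context. Please confirm that path never passes a NULL pointer to memcmp or an equivalent region compare, since that is undefined in C even for a zero count, and check whether other entry points in rdata.c still assert data != NULL so that zero-length rdata is accepted consistently.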
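
Review bot: In the first rdataslab.c hunk (@@ -126,6 +126,11 @@), the new comment misspells "sentinel" as "sentinal" and does not say that an entry marked with &removed keeps its original length field. Since the sentinel is the only removal marker after this change, it would help to state that invariant in the comment, along the lines of "removed entries have data == &removed; length is not meaningful".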
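
Review bot: In the duplicate-removal loop (@@ -197,8 +203,7 @@), dropping "x[i-1].rdata.length = 0" means a removed entry now carries a stale non-zero length next to data = &removed. Only one consumer is shown to test for the sentinel (the copy loop at @@ -285,7 +290,7 @@); any other code in this function that reads x[i].rdata.length for size accounting or copying must make the same test first, otherwise it would read length bytes starting at a one-byte static. Please confirm the remaining uses, or document that the length is intentionally left unchanged.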