From: Erwin Lansing
Date: Thu, 11 Oct 2012 13:25:10 +0000 (UTC)
To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-stable@freebsd.org, svn-src-stable-8@freebsd.org
Subject: svn commit: r241443 - in stable/8/contrib/bind9: . bin/named

Author: erwin (ports committer)
Date: Thu Oct 11 13:25:09 2012
New Revision: 241443
URL: http://svn.freebsd.org/changeset/base/241443

Log:
  Update to 9.6-ESV-R7-P4

  Prevents a lockup when queried a deliberately constructed combination
  of records. [CVE-2012-5166]

  For more information: https://kb.isc.org/article/AA-00801

  Approved by: bz

Modified:
  stable/8/contrib/bind9/CHANGES
  stable/8/contrib/bind9/bin/named/query.c
  stable/8/contrib/bind9/version

Modified: stable/8/contrib/bind9/CHANGES ============================================================================== --- stable/8/contrib/bind9/CHANGES Thu Oct 11 08:44:15 2012 (r241442) +++ stable/8/contrib/bind9/CHANGES Thu Oct 11 13:25:09 2012 (r241443) @@ -1,3 +1,9 @@ + --- 9.6-ESV-R7-P4 released --- + +3383. [security] A certain combination of records in the RBT could + cause named to hang while populating the additional + section of a response. [RT #31090] + --- 9.6-ESV-R7-P3 released --- 3364. [security] Named could die on specially crafted record. Modified: stable/8/contrib/bind9/bin/named/query.c ============================================================================== --- stable/8/contrib/bind9/bin/named/query.c Thu Oct 11 08:44:15 2012 (r241442) +++ stable/8/contrib/bind9/bin/named/query.c Thu Oct 11 13:25:09 2012 (r241443) 
@@ -1025,13 +1025,6 @@ query_isduplicate(ns_client_t *client, d mname = NULL; } - /* - * If the dns_name_t we're looking up is already in the message, - * we don't want to trigger the caller's name replacement logic. - */ - if (name == mname) - mname = NULL; - if (mnamep != NULL) *mnamep = mname; @@ -1230,6 +1223,7 @@ query_addadditional(void *arg, dns_name_ if (dns_rdataset_isassociated(rdataset) && !query_isduplicate(client, fname, type, &mname)) { if (mname != NULL) { + INSIST(mname != fname); query_releasename(client, &fname); fname = mname; } else @@ -1292,11 +1286,13 @@ query_addadditional(void *arg, dns_name_ mname = NULL; if (!query_isduplicate(client, fname, dns_rdatatype_a, &mname)) { - if (mname != NULL) { - query_releasename(client, &fname); - fname = mname; - } else - need_addname = ISC_TRUE; + if (mname != fname) { + if (mname != NULL) { + query_releasename(client, &fname); + fname = mname; + } else + need_addname = ISC_TRUE; + } ISC_LIST_APPEND(fname->list, rdataset, link); added_something = ISC_TRUE; if (sigrdataset != NULL && @@ -1338,11 +1334,13 @@ query_addadditional(void *arg, dns_name_ mname = NULL; if (!query_isduplicate(client, fname, dns_rdatatype_aaaa, &mname)) { - if (mname != NULL) { - query_releasename(client, &fname); - fname = mname; - } else - need_addname = ISC_TRUE; + if (mname != fname) { + if (mname != NULL) { + query_releasename(client, &fname); + fname = mname; + } else + need_addname = ISC_TRUE; + } ISC_LIST_APPEND(fname->list, rdataset, link); added_something = ISC_TRUE; if (sigrdataset != NULL && 
@@ -1865,22 +1863,24 @@ query_addadditional2(void *arg, dns_name crdataset->type == dns_rdatatype_aaaa) { if (!query_isduplicate(client, fname, crdataset->type, &mname)) { - if (mname != NULL) { - /* - * A different type of this name is - * already stored in the additional - * section. We'll reuse the name. - * Note that this should happen at most - * once. Otherwise, fname->link could - * leak below. - */ - INSIST(mname0 == NULL); - - query_releasename(client, &fname); - fname = mname; - mname0 = mname; - } else - need_addname = ISC_TRUE; + if (mname != fname) { + if (mname != NULL) { + /* + * A different type of this name is + * already stored in the additional + * section. We'll reuse the name. + * Note that this should happen at most + * once. Otherwise, fname->link could + * leak below. + */ + INSIST(mname0 == NULL); + + query_releasename(client, &fname); + fname = mname; + mname0 = mname; + } else + need_addname = ISC_TRUE; + } ISC_LIST_UNLINK(cfname.list, crdataset, link); ISC_LIST_APPEND(fname->list, crdataset, link); added_something = ISC_TRUE; Modified: stable/8/contrib/bind9/version ============================================================================== --- stable/8/contrib/bind9/version Thu Oct 11 08:44:15 2012 (r241442) +++ stable/8/contrib/bind9/version Thu Oct 11 13:25:09 2012 (r241443) @@ -7,4 +7,4 @@ MAJORVER=9 MINORVER=6 PATCHVER= RELEASETYPE=-ESV -RELEASEVER=-R7-P3 +RELEASEVER=-R7-P4
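Review bot: In the query_isduplicate hunk (@@ -1025), removing the `if (name == mname) mname = NULL;` check changes the function's contract without documenting it: `*mnamep` can now be the very pointer the caller passed as `name`. The removed comment was the only place that explained this case, so a replacement comment at the `if (mnamep != NULL) *mnamep = mname;` assignment should state that callers must compare the result against their own name before releasing or replacing it. Every caller that passes a non-NULL `mnamep` needs the matching check; this patch shows four such sites, and any others in query.c should be confirmed by hand.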
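Review bot: In the first query_addadditional hunk (@@ -1230), the new `INSIST(mname != fname);` treats the aliasing case as impossible, while the three other call sites in this patch treat it as reachable and guard it with `if (mname != fname)`. An INSIST failure aborts named, so if the invariant can ever be broken by response data this turns a hang into a crash. Please add a comment stating why `mname` cannot equal `fname` on this path, or use the same guard as the other sites so all four are handled consistently.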
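Review bot: In the A-record hunk of query_addadditional (@@ -1292), the new `if (mname != fname)` wrapper has no comment saying what the skipped case means, and the identical block is repeated in the AAAA hunk (@@ -1338). When `mname == fname` neither `query_releasename()` nor `need_addname = ISC_TRUE` runs, yet `ISC_LIST_APPEND(fname->list, rdataset, link)` still does; a short comment that the name is already in the message and only the rdataset is being attached would make that intent clear. Since the same five lines now appear three times in this file, a small static helper would keep the sites from drifting apart in later updates.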
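Review bot: In the query_addadditional2 hunk (@@ -1865), the re-indented comment still says the name reuse "should happen at most once", but that property now depends on the new outer `if (mname != fname)` test rather than on query_isduplicate returning NULL. After `fname = mname; mname0 = mname;`, a later pass through this block for the same name would see `mname == fname` and skip `INSIST(mname0 == NULL)` entirely. The comment should be updated to say that the outer test is what keeps the INSIST from firing on a repeat, so the reasoning about `fname->link` leaking stays accurate.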