Date:      Thu, 11 Oct 2012 13:25:10 +0000 (UTC)
From:      Erwin Lansing <erwin@FreeBSD.org>
To:        src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-stable@freebsd.org, svn-src-stable-8@freebsd.org
Subject:   svn commit: r241443 - in stable/8/contrib/bind9: . bin/named
Message-ID:  <201210111325.q9BDPA0A029211@svn.freebsd.org>

Author: erwin (ports committer)
Date: Thu Oct 11 13:25:09 2012
New Revision: 241443
URL: http://svn.freebsd.org/changeset/base/241443

Log:
  Update to 9.6-ESV-R7-P4
  
  Prevents a lockup when queried for a deliberately constructed combination
  of records. [CVE-2012-5166]
  
  For more information: https://kb.isc.org/article/AA-00801
  
  Approved by:	bz

Modified:
  stable/8/contrib/bind9/CHANGES
  stable/8/contrib/bind9/bin/named/query.c
  stable/8/contrib/bind9/version

Modified: stable/8/contrib/bind9/CHANGES
==============================================================================
--- stable/8/contrib/bind9/CHANGES	Thu Oct 11 08:44:15 2012	(r241442)
+++ stable/8/contrib/bind9/CHANGES	Thu Oct 11 13:25:09 2012	(r241443)
@@ -1,3 +1,9 @@
+	--- 9.6-ESV-R7-P4 released ---
+
+3383.	[security]	A certain combination of records in the RBT could
+                        cause named to hang while populating the additional
+                        section of a response. [RT #31090]
+
 	--- 9.6-ESV-R7-P3 released ---
 
 3364.	[security]	Named could die on specially crafted record.

Modified: stable/8/contrib/bind9/bin/named/query.c
==============================================================================
--- stable/8/contrib/bind9/bin/named/query.c	Thu Oct 11 08:44:15 2012	(r241442)
+++ stable/8/contrib/bind9/bin/named/query.c	Thu Oct 11 13:25:09 2012	(r241443)
@@ -1025,13 +1025,6 @@ query_isduplicate(ns_client_t *client, d
 		mname = NULL;
 	}
 
-	/*
-	 * If the dns_name_t we're looking up is already in the message,
-	 * we don't want to trigger the caller's name replacement logic.
-	 */
-	if (name == mname)
-		mname = NULL;
-
 	if (mnamep != NULL)
 		*mnamep = mname;
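Review bot: With the `if (name == mname) mname = NULL;` special case removed, `*mnamep` can now alias `name` itself, and every caller has to compare the two before it releases `fname`; the header comment of `query_isduplicate` (which, like the rest of the function, lies outside this hunk) should state that contract. Something like `/* On return *mnamep may point at 'name' itself when that name is already in the message; callers must not release 'name' in that case. */`. A caller still written to the old pattern of releasing `fname` whenever `mname != NULL` would free the very name it is about to append to, so the new contract is worth writing down where the next caller will see it.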
 
@@ -1230,6 +1223,7 @@ query_addadditional(void *arg, dns_name_
 	if (dns_rdataset_isassociated(rdataset) &&
 	    !query_isduplicate(client, fname, type, &mname)) {
 		if (mname != NULL) {
+			INSIST(mname != fname);
 			query_releasename(client, &fname);
 			fname = mname;
 		} else
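Review bot: The added `INSIST(mname != fname);` turns the aliasing case into a process abort, while the three later call sites in this same commit handle the identical case with `if (mname != fname)` and simply append to the existing name. If `fname` here is known to be freshly obtained and so cannot already be in the message, a comment should say so to justify the assertion, e.g. `/* fname was just acquired above and cannot already be in the message. */`; if that is not guaranteed, an attacker-reachable INSIST on the query path is itself a remotely triggerable crash and the guard form used below is the safer choice. The enclosing `query_addadditional` begins and ends outside this hunk, so where `fname` comes from is not visible here.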
@@ -1292,11 +1286,13 @@ query_addadditional(void *arg, dns_name_
 			mname = NULL;
 			if (!query_isduplicate(client, fname,
 					       dns_rdatatype_a, &mname)) {
-				if (mname != NULL) {
-					query_releasename(client, &fname);
-					fname = mname;
-				} else
-					need_addname = ISC_TRUE;
+				if (mname != fname) {
+					if (mname != NULL) {
+						query_releasename(client, &fname);
+						fname = mname;
+					} else
+						need_addname = ISC_TRUE;
+				}
 				ISC_LIST_APPEND(fname->list, rdataset, link);
 				added_something = ISC_TRUE;
 				if (sigrdataset != NULL &&
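Review bot: The new `if (mname != fname)` wrapper lets the `mname == fname` case fall straight through to `ISC_LIST_APPEND(fname->list, rdataset, link)` with neither a release nor `need_addname`, and nothing explains why that is correct; a one-line comment on the wrapper would spare the next reader the reasoning, e.g. `/* mname == fname: the name is already in the message, just append to it. */`. The same three-way resolution of `fname`/`need_addname` is now spelled out verbatim in this hunk, in the AAAA branch below, and again in `query_addadditional2`, so a small static helper taking the `query_isduplicate` result would remove the duplication and keep the three sites from drifting. The enclosing function continues outside this hunk.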
@@ -1338,11 +1334,13 @@ query_addadditional(void *arg, dns_name_
 			mname = NULL;
 			if (!query_isduplicate(client, fname,
 					       dns_rdatatype_aaaa, &mname)) {
-				if (mname != NULL) {
-					query_releasename(client, &fname);
-					fname = mname;
-				} else
-					need_addname = ISC_TRUE;
+				if (mname != fname) {
+					if (mname != NULL) {
+						query_releasename(client, &fname);
+						fname = mname;
+					} else
+						need_addname = ISC_TRUE;
+				}
 				ISC_LIST_APPEND(fname->list, rdataset, link);
 				added_something = ISC_TRUE;
 				if (sigrdataset != NULL &&
@@ -1865,22 +1863,24 @@ query_addadditional2(void *arg, dns_name
 		    crdataset->type == dns_rdatatype_aaaa) {
 			if (!query_isduplicate(client, fname, crdataset->type,
 					       &mname)) {
-				if (mname != NULL) {
-					/*
-					 * A different type of this name is
-					 * already stored in the additional
-					 * section.  We'll reuse the name.
-					 * Note that this should happen at most
-					 * once.  Otherwise, fname->link could
-					 * leak below.
-					 */
-					INSIST(mname0 == NULL);
-
-					query_releasename(client, &fname);
-					fname = mname;
-					mname0 = mname;
-				} else
-					need_addname = ISC_TRUE;
+				if (mname != fname) {
+					if (mname != NULL) {
+						/*
+						 * A different type of this name is
+						 * already stored in the additional
+						 * section.  We'll reuse the name.
+						 * Note that this should happen at most
+						 * once.  Otherwise, fname->link could
+						 * leak below.
+						 */
+						INSIST(mname0 == NULL);
+
+						query_releasename(client, &fname);
+						fname = mname;
+						mname0 = mname;
+					} else
+						need_addname = ISC_TRUE;
+				}
 				ISC_LIST_UNLINK(cfname.list, crdataset, link);
 				ISC_LIST_APPEND(fname->list, crdataset, link);
 				added_something = ISC_TRUE;
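Review bot: Re-indenting the existing block comment one level deeper pushes its lines past 80 columns (six tabs plus ` * A different type of this name is` and similar lines), which the surrounding code otherwise stays within; the comment should be rewrapped at the new depth rather than shifted as-is. Its text also still says the replacement "should happen at most once", which remains true for the `mname != NULL` branch guarded by `INSIST(mname0 == NULL)`, but it could usefully add that the new `mname == fname` case bypasses that path entirely, e.g. `/* If mname == fname the name is already in the message and is reused without release. */`. The enclosing `query_addadditional2` starts before and ends after this hunk.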

Modified: stable/8/contrib/bind9/version
==============================================================================
--- stable/8/contrib/bind9/version	Thu Oct 11 08:44:15 2012	(r241442)
+++ stable/8/contrib/bind9/version	Thu Oct 11 13:25:09 2012	(r241443)
@@ -7,4 +7,4 @@ MAJORVER=9
 MINORVER=6
 PATCHVER=
 RELEASETYPE=-ESV
-RELEASEVER=-R7-P3
+RELEASEVER=-R7-P4


