Author: simon
Date: Thu Nov 22 22:52:15 2012
New Revision: 243417
URL: http://svnweb.freebsd.org/changeset/base/243417
Log:
Fix multiple Denial of Service vulnerabilities with named(8).
Fix insufficient message length validation for EAP-TLS messages.
Fix Linux compatibility layer input validation error.
Security: FreeBSD-SA-12:06.bind
Security: FreeBSD-SA-12:07.hostapd
Security: FreeBSD-SA-12:08.linux
Security: CVE-2012-4244, CVE-2012-5166, CVE-2012-4445, CVE-2012-4576
Approved by: re
Approved by: security-officer
Modified:
releng/7.4/UPDATING
releng/7.4/contrib/bind9/bin/named/query.c
releng/7.4/contrib/bind9/lib/dns/include/dns/rdata.h
releng/7.4/contrib/bind9/lib/dns/master.c
releng/7.4/contrib/bind9/lib/dns/rdata.c
releng/7.4/sys/compat/linux/linux_ioctl.c
releng/7.4/sys/conf/newvers.sh
releng/8.3/UPDATING
releng/8.3/contrib/bind9/bin/named/query.c
releng/8.3/contrib/bind9/lib/dns/include/dns/rdata.h
releng/8.3/contrib/bind9/lib/dns/master.c
releng/8.3/contrib/bind9/lib/dns/rdata.c
releng/8.3/contrib/wpa/src/eap_server/eap_tls_common.c
releng/8.3/sys/compat/linux/linux_ioctl.c
releng/8.3/sys/conf/newvers.sh
releng/9.0/UPDATING
releng/9.0/contrib/bind9/bin/named/query.c
releng/9.0/contrib/bind9/lib/dns/include/dns/rdata.h
releng/9.0/contrib/bind9/lib/dns/master.c
releng/9.0/contrib/bind9/lib/dns/rdata.c
releng/9.0/contrib/wpa/src/eap_server/eap_server_tls_common.c
releng/9.0/sys/compat/linux/linux_ioctl.c
releng/9.0/sys/conf/newvers.sh
releng/9.1/contrib/wpa/src/eap_server/eap_server_tls_common.c
releng/9.1/sys/compat/linux/linux_ioctl.c
Changes in other areas also in this revision:
Modified:
stable/8/contrib/wpa/src/eap_server/eap_tls_common.c
stable/8/sys/compat/linux/linux_ioctl.c
stable/9/contrib/wpa/src/eap_server/eap_server_tls_common.c
stable/9/sys/compat/linux/linux_ioctl.c
Modified: releng/7.4/UPDATING
==============================================================================
--- releng/7.4/UPDATING Thu Nov 22 22:10:10 2012 (r243416)
+++ releng/7.4/UPDATING Thu Nov 22 22:52:15 2012 (r243417)
@@ -8,6 +8,11 @@ Items affecting the ports and packages s
/usr/ports/UPDATING. Please read that file before running
portupgrade.
+20121122: p11 FreeBSD-SA-12:06.bind FreeBSD-SA-12:08.linux
+ Fix multiple Denial of Service vulnerabilities with named(8).
+
+ Fix Linux compatibility layer input validation error.
+
20120806: p10 FreeBSD-SA-12:05.bind
Fix named(8) DNSSEC validation Denial of Service.
Modified: releng/7.4/contrib/bind9/bin/named/query.c
==============================================================================
--- releng/7.4/contrib/bind9/bin/named/query.c Thu Nov 22 22:10:10 2012
(r243416)
+++ releng/7.4/contrib/bind9/bin/named/query.c Thu Nov 22 22:52:15 2012
(r243417)
@@ -999,13 +999,6 @@ query_isduplicate(ns_client_t *client, d
mname = NULL;
}
- /*
- * If the dns_name_t we're looking up is already in the message,
- * we don't want to trigger the caller's name replacement logic.
- */
- if (name == mname)
- mname = NULL;
-
*mnamep = mname;
CTRACE("query_isduplicate: false: done");
@@ -1199,6 +1192,7 @@ query_addadditional(void *arg, dns_name_
if (dns_rdataset_isassociated(rdataset) &&
!query_isduplicate(client, fname, type, &mname)) {
if (mname != NULL) {
+ INSIST(mname != fname);
query_releasename(client, &fname);
fname = mname;
} else
@@ -1259,11 +1253,13 @@ query_addadditional(void *arg, dns_name_
mname = NULL;
if (!query_isduplicate(client, fname,
dns_rdatatype_a, &mname)) {
+ if (mname != fname) {
if (mname != NULL) {
query_releasename(client, &fname);
fname = mname;
} else
need_addname = ISC_TRUE;
+ }
ISC_LIST_APPEND(fname->list, rdataset, link);
added_something = ISC_TRUE;
if (sigrdataset != NULL &&
@@ -1302,11 +1298,13 @@ query_addadditional(void *arg, dns_name_
mname = NULL;
if (!query_isduplicate(client, fname,
dns_rdatatype_aaaa, &mname)) {
+ if (mname != fname) {
if (mname != NULL) {
query_releasename(client, &fname);
fname = mname;
} else
need_addname = ISC_TRUE;
+ }
ISC_LIST_APPEND(fname->list, rdataset, link);
added_something = ISC_TRUE;
if (sigrdataset != NULL &&
@@ -1817,6 +1815,7 @@ query_addadditional2(void *arg, dns_name
crdataset->type == dns_rdatatype_aaaa) {
if (!query_isduplicate(client, fname, crdataset->type,
&mname)) {
+ if (mname != fname) {
if (mname != NULL) {
/*
* A different type of this name is
@@ -1833,6 +1832,7 @@ query_addadditional2(void *arg, dns_name
mname0 = mname;
} else
need_addname = ISC_TRUE;
+ }
ISC_LIST_UNLINK(cfname.list, crdataset, link);
ISC_LIST_APPEND(fname->list, crdataset, link);
added_something = ISC_TRUE;
Modified: releng/7.4/contrib/bind9/lib/dns/include/dns/rdata.h
==============================================================================
--- releng/7.4/contrib/bind9/lib/dns/include/dns/rdata.h Thu Nov 22
22:10:10 2012 (r243416)
+++ releng/7.4/contrib/bind9/lib/dns/include/dns/rdata.h Thu Nov 22
22:52:15 2012 (r243417)
@@ -127,6 +127,17 @@ struct dns_rdata {
#define DNS_RDATA_UPDATE 0x0001 /*%< update pseudo record */
/*
+ * The maximum length of a RDATA that can be sent on the wire.
+ * Max packet size (65535) less header (12), less name (1), type (2),
+ * class (2), ttl(4), length (2).
+ *
+ * None of the defined types that support name compression can exceed
+ * this and all new types are to be sent uncompressed.
+ */
+
+#define DNS_RDATA_MAXLENGTH 65512U
+
+/*
* Flags affecting rdata formatting style. Flags 0xFFFF0000
* are used by masterfile-level formatting and defined elsewhere.
* See additional comments at dns_rdata_tofmttext().
Modified: releng/7.4/contrib/bind9/lib/dns/master.c
==============================================================================
--- releng/7.4/contrib/bind9/lib/dns/master.c Thu Nov 22 22:10:10 2012
(r243416)
+++ releng/7.4/contrib/bind9/lib/dns/master.c Thu Nov 22 22:52:15 2012
(r243417)
@@ -75,7 +75,7 @@
/*%
* max message size - header - root - type - class - ttl - rdlen
*/
-#define MINTSIZ (65535 - 12 - 1 - 2 - 2 - 4 - 2)
+#define MINTSIZ DNS_RDATA_MAXLENGTH
/*%
* Size for tokens in the presentation format,
* The largest tokens are the base64 blocks in KEY and CERT records,
Modified: releng/7.4/contrib/bind9/lib/dns/rdata.c
==============================================================================
--- releng/7.4/contrib/bind9/lib/dns/rdata.c Thu Nov 22 22:10:10 2012
(r243416)
+++ releng/7.4/contrib/bind9/lib/dns/rdata.c Thu Nov 22 22:52:15 2012
(r243417)
@@ -403,6 +403,7 @@ dns_rdata_fromwire(dns_rdata_t *rdata, d
isc_buffer_t st;
isc_boolean_t use_default = ISC_FALSE;
isc_uint32_t activelength;
+ size_t length;
REQUIRE(dctx != NULL);
if (rdata != NULL) {
@@ -433,6 +434,14 @@ dns_rdata_fromwire(dns_rdata_t *rdata, d
}
/*
+ * Reject any rdata that expands out to more than DNS_RDATA_MAXLENGTH
+ * as we cannot transmit it.
+ */
+ length = isc_buffer_usedlength(target) - isc_buffer_usedlength(&st);
+ if (result == ISC_R_SUCCESS && length > DNS_RDATA_MAXLENGTH)
+ result = DNS_R_FORMERR;
+
+ /*
* We should have consumed all of our buffer.
*/
if (result == ISC_R_SUCCESS && !buffer_empty(source))
@@ -440,8 +449,7 @@ dns_rdata_fromwire(dns_rdata_t *rdata, d
if (rdata != NULL && result == ISC_R_SUCCESS) {
region.base = isc_buffer_used(&st);
- region.length = isc_buffer_usedlength(target) -
- isc_buffer_usedlength(&st);
+ region.length = length;
dns_rdata_fromregion(rdata, rdclass, type, ®ion);
}
@@ -576,6 +584,7 @@ dns_rdata_fromtext(dns_rdata_t *rdata, d
unsigned long line;
void (*callback)(dns_rdatacallbacks_t *, const char *, ...);
isc_result_t tresult;
+ size_t length;
REQUIRE(origin == NULL || dns_name_isabsolute(origin) == ISC_TRUE);
if (rdata != NULL) {
@@ -648,10 +657,13 @@ dns_rdata_fromtext(dns_rdata_t *rdata, d
}
} while (1);
+ length = isc_buffer_usedlength(target) - isc_buffer_usedlength(&st);
+ if (result == ISC_R_SUCCESS && length > DNS_RDATA_MAXLENGTH)
+ result = ISC_R_NOSPACE;
+
if (rdata != NULL && result == ISC_R_SUCCESS) {
region.base = isc_buffer_used(&st);
- region.length = isc_buffer_usedlength(target) -
- isc_buffer_usedlength(&st);
+ region.length = length;
dns_rdata_fromregion(rdata, rdclass, type, ®ion);
}
if (result != ISC_R_SUCCESS) {
@@ -758,6 +770,7 @@ dns_rdata_fromstruct(dns_rdata_t *rdata,
isc_buffer_t st;
isc_region_t region;
isc_boolean_t use_default = ISC_FALSE;
+ size_t length;
REQUIRE(source != NULL);
if (rdata != NULL) {
@@ -772,10 +785,13 @@ dns_rdata_fromstruct(dns_rdata_t *rdata,
if (use_default)
(void)NULL;
+ length = isc_buffer_usedlength(target) - isc_buffer_usedlength(&st);
+ if (result == ISC_R_SUCCESS && length > DNS_RDATA_MAXLENGTH)
+ result = ISC_R_NOSPACE;
+
if (rdata != NULL && result == ISC_R_SUCCESS) {
region.base = isc_buffer_used(&st);
- region.length = isc_buffer_usedlength(target) -
- isc_buffer_usedlength(&st);
+ region.length = length;
dns_rdata_fromregion(rdata, rdclass, type, ®ion);
}
if (result != ISC_R_SUCCESS)
Modified: releng/7.4/sys/compat/linux/linux_ioctl.c
==============================================================================
--- releng/7.4/sys/compat/linux/linux_ioctl.c Thu Nov 22 22:10:10 2012
(r243416)
+++ releng/7.4/sys/compat/linux/linux_ioctl.c Thu Nov 22 22:52:15 2012
(r243417)
@@ -2207,8 +2207,9 @@ again:
ifc.ifc_len = valid_len;
sbuf_finish(sb);
- memcpy(PTRIN(ifc.ifc_buf), sbuf_data(sb), ifc.ifc_len);
- error = copyout(&ifc, uifc, sizeof(ifc));
+ error = copyout(sbuf_data(sb), PTRIN(ifc.ifc_buf), ifc.ifc_len);
+ if (error == 0)
+ error = copyout(&ifc, uifc, sizeof(ifc));
sbuf_delete(sb);
return (error);
Modified: releng/7.4/sys/conf/newvers.sh
==============================================================================
--- releng/7.4/sys/conf/newvers.sh Thu Nov 22 22:10:10 2012
(r243416)
+++ releng/7.4/sys/conf/newvers.sh Thu Nov 22 22:52:15 2012
(r243417)
@@ -32,7 +32,7 @@
TYPE="FreeBSD"
REVISION="7.4"
-BRANCH="RELEASE-p10"
+BRANCH="RELEASE-p11"
if [ "X${BRANCH_OVERRIDE}" != "X" ]; then
BRANCH=${BRANCH_OVERRIDE}
fi
Modified: releng/8.3/UPDATING
==============================================================================
--- releng/8.3/UPDATING Thu Nov 22 22:10:10 2012 (r243416)
+++ releng/8.3/UPDATING Thu Nov 22 22:52:15 2012 (r243417)
@@ -15,6 +15,14 @@ NOTE TO PEOPLE WHO THINK THAT FreeBSD 8.
debugging tools present in HEAD were left in place because
sun4v support still needs work to become production ready.
+20121122: p5 FreeBSD-SA-12:06.bind FreeBSD-SA-12:07.hostapd
+ FreeBSD-SA-12:08.linux
+ Fix multiple Denial of Service vulnerabilities with named(8).
+
+ Fix insufficient message length validation for EAP-TLS messages.
+
+ Fix Linux compatibility layer input validation error.
+
20120806: p4 FreeBSD-SA-12:05.bind
Fix named(8) DNSSEC validation Denial of Service.
Modified: releng/8.3/contrib/bind9/bin/named/query.c
==============================================================================
--- releng/8.3/contrib/bind9/bin/named/query.c Thu Nov 22 22:10:10 2012
(r243416)
+++ releng/8.3/contrib/bind9/bin/named/query.c Thu Nov 22 22:52:15 2012
(r243417)
@@ -1024,13 +1024,6 @@ query_isduplicate(ns_client_t *client, d
mname = NULL;
}
- /*
- * If the dns_name_t we're looking up is already in the message,
- * we don't want to trigger the caller's name replacement logic.
- */
- if (name == mname)
- mname = NULL;
-
*mnamep = mname;
CTRACE("query_isduplicate: false: done");
@@ -1228,6 +1221,7 @@ query_addadditional(void *arg, dns_name_
if (dns_rdataset_isassociated(rdataset) &&
!query_isduplicate(client, fname, type, &mname)) {
if (mname != NULL) {
+ INSIST(mname != fname);
query_releasename(client, &fname);
fname = mname;
} else
@@ -1288,11 +1282,13 @@ query_addadditional(void *arg, dns_name_
mname = NULL;
if (!query_isduplicate(client, fname,
dns_rdatatype_a, &mname)) {
+ if (mname != fname) {
if (mname != NULL) {
query_releasename(client, &fname);
fname = mname;
} else
need_addname = ISC_TRUE;
+ }
ISC_LIST_APPEND(fname->list, rdataset, link);
added_something = ISC_TRUE;
if (sigrdataset != NULL &&
@@ -1331,11 +1327,13 @@ query_addadditional(void *arg, dns_name_
mname = NULL;
if (!query_isduplicate(client, fname,
dns_rdatatype_aaaa, &mname)) {
+ if (mname != fname) {
if (mname != NULL) {
query_releasename(client, &fname);
fname = mname;
} else
need_addname = ISC_TRUE;
+ }
ISC_LIST_APPEND(fname->list, rdataset, link);
added_something = ISC_TRUE;
if (sigrdataset != NULL &&
@@ -1847,6 +1845,7 @@ query_addadditional2(void *arg, dns_name
crdataset->type == dns_rdatatype_aaaa) {
if (!query_isduplicate(client, fname, crdataset->type,
&mname)) {
+ if (mname != fname) {
if (mname != NULL) {
/*
* A different type of this name is
@@ -1863,6 +1862,7 @@ query_addadditional2(void *arg, dns_name
mname0 = mname;
} else
need_addname = ISC_TRUE;
+ }
ISC_LIST_UNLINK(cfname.list, crdataset, link);
ISC_LIST_APPEND(fname->list, crdataset, link);
added_something = ISC_TRUE;
Modified: releng/8.3/contrib/bind9/lib/dns/include/dns/rdata.h
==============================================================================
--- releng/8.3/contrib/bind9/lib/dns/include/dns/rdata.h Thu Nov 22
22:10:10 2012 (r243416)
+++ releng/8.3/contrib/bind9/lib/dns/include/dns/rdata.h Thu Nov 22
22:52:15 2012 (r243417)
@@ -128,6 +128,17 @@ struct dns_rdata {
#define DNS_RDATA_OFFLINE 0x0002 /*%< RRSIG has a offline key. */
/*
+ * The maximum length of a RDATA that can be sent on the wire.
+ * Max packet size (65535) less header (12), less name (1), type (2),
+ * class (2), ttl(4), length (2).
+ *
+ * None of the defined types that support name compression can exceed
+ * this and all new types are to be sent uncompressed.
+ */
+
+#define DNS_RDATA_MAXLENGTH 65512U
+
+/*
* Flags affecting rdata formatting style. Flags 0xFFFF0000
* are used by masterfile-level formatting and defined elsewhere.
* See additional comments at dns_rdata_tofmttext().
Modified: releng/8.3/contrib/bind9/lib/dns/master.c
==============================================================================
--- releng/8.3/contrib/bind9/lib/dns/master.c Thu Nov 22 22:10:10 2012
(r243416)
+++ releng/8.3/contrib/bind9/lib/dns/master.c Thu Nov 22 22:52:15 2012
(r243417)
@@ -75,7 +75,7 @@
/*%
* max message size - header - root - type - class - ttl - rdlen
*/
-#define MINTSIZ (65535 - 12 - 1 - 2 - 2 - 4 - 2)
+#define MINTSIZ DNS_RDATA_MAXLENGTH
/*%
* Size for tokens in the presentation format,
* The largest tokens are the base64 blocks in KEY and CERT records,
Modified: releng/8.3/contrib/bind9/lib/dns/rdata.c
==============================================================================
--- releng/8.3/contrib/bind9/lib/dns/rdata.c Thu Nov 22 22:10:10 2012
(r243416)
+++ releng/8.3/contrib/bind9/lib/dns/rdata.c Thu Nov 22 22:52:15 2012
(r243417)
@@ -410,6 +410,7 @@ dns_rdata_fromwire(dns_rdata_t *rdata, d
isc_buffer_t st;
isc_boolean_t use_default = ISC_FALSE;
isc_uint32_t activelength;
+ size_t length;
REQUIRE(dctx != NULL);
if (rdata != NULL) {
@@ -440,6 +441,14 @@ dns_rdata_fromwire(dns_rdata_t *rdata, d
}
/*
+ * Reject any rdata that expands out to more than DNS_RDATA_MAXLENGTH
+ * as we cannot transmit it.
+ */
+ length = isc_buffer_usedlength(target) - isc_buffer_usedlength(&st);
+ if (result == ISC_R_SUCCESS && length > DNS_RDATA_MAXLENGTH)
+ result = DNS_R_FORMERR;
+
+ /*
* We should have consumed all of our buffer.
*/
if (result == ISC_R_SUCCESS && !buffer_empty(source))
@@ -447,8 +456,7 @@ dns_rdata_fromwire(dns_rdata_t *rdata, d
if (rdata != NULL && result == ISC_R_SUCCESS) {
region.base = isc_buffer_used(&st);
- region.length = isc_buffer_usedlength(target) -
- isc_buffer_usedlength(&st);
+ region.length = length;
dns_rdata_fromregion(rdata, rdclass, type, ®ion);
}
@@ -583,6 +591,7 @@ dns_rdata_fromtext(dns_rdata_t *rdata, d
unsigned long line;
void (*callback)(dns_rdatacallbacks_t *, const char *, ...);
isc_result_t tresult;
+ size_t length;
REQUIRE(origin == NULL || dns_name_isabsolute(origin) == ISC_TRUE);
if (rdata != NULL) {
@@ -655,10 +664,13 @@ dns_rdata_fromtext(dns_rdata_t *rdata, d
}
} while (1);
+ length = isc_buffer_usedlength(target) - isc_buffer_usedlength(&st);
+ if (result == ISC_R_SUCCESS && length > DNS_RDATA_MAXLENGTH)
+ result = ISC_R_NOSPACE;
+
if (rdata != NULL && result == ISC_R_SUCCESS) {
region.base = isc_buffer_used(&st);
- region.length = isc_buffer_usedlength(target) -
- isc_buffer_usedlength(&st);
+ region.length = length;
dns_rdata_fromregion(rdata, rdclass, type, ®ion);
}
if (result != ISC_R_SUCCESS) {
@@ -766,6 +778,7 @@ dns_rdata_fromstruct(dns_rdata_t *rdata,
isc_buffer_t st;
isc_region_t region;
isc_boolean_t use_default = ISC_FALSE;
+ size_t length;
REQUIRE(source != NULL);
if (rdata != NULL) {
@@ -780,10 +793,13 @@ dns_rdata_fromstruct(dns_rdata_t *rdata,
if (use_default)
(void)NULL;
+ length = isc_buffer_usedlength(target) - isc_buffer_usedlength(&st);
+ if (result == ISC_R_SUCCESS && length > DNS_RDATA_MAXLENGTH)
+ result = ISC_R_NOSPACE;
+
if (rdata != NULL && result == ISC_R_SUCCESS) {
region.base = isc_buffer_used(&st);
- region.length = isc_buffer_usedlength(target) -
- isc_buffer_usedlength(&st);
+ region.length = length;
dns_rdata_fromregion(rdata, rdclass, type, ®ion);
}
if (result != ISC_R_SUCCESS)
Modified: releng/8.3/contrib/wpa/src/eap_server/eap_tls_common.c
==============================================================================
--- releng/8.3/contrib/wpa/src/eap_server/eap_tls_common.c Thu Nov 22
22:10:10 2012 (r243416)
+++ releng/8.3/contrib/wpa/src/eap_server/eap_tls_common.c Thu Nov 22
22:52:15 2012 (r243417)
@@ -220,6 +220,13 @@ static int eap_server_tls_process_fragme
" over 64 kB)");
return -1;
}
+ if (len > message_length) {
+ wpa_printf(MSG_INFO, "SSL: Too much data (%d bytes) in "
+ "first fragment of frame (TLS Message "
+ "Length %d bytes)",
+ (int) len, (int) message_length);
+ return -1;
+ }
data->in_buf = wpabuf_alloc(message_length);
if (data->in_buf == NULL) {
Modified: releng/8.3/sys/compat/linux/linux_ioctl.c
==============================================================================
--- releng/8.3/sys/compat/linux/linux_ioctl.c Thu Nov 22 22:10:10 2012
(r243416)
+++ releng/8.3/sys/compat/linux/linux_ioctl.c Thu Nov 22 22:52:15 2012
(r243417)
@@ -2253,8 +2253,9 @@ again:
ifc.ifc_len = valid_len;
sbuf_finish(sb);
- memcpy(PTRIN(ifc.ifc_buf), sbuf_data(sb), ifc.ifc_len);
- error = copyout(&ifc, uifc, sizeof(ifc));
+ error = copyout(sbuf_data(sb), PTRIN(ifc.ifc_buf), ifc.ifc_len);
+ if (error == 0)
+ error = copyout(&ifc, uifc, sizeof(ifc));
sbuf_delete(sb);
CURVNET_RESTORE();
Modified: releng/8.3/sys/conf/newvers.sh
==============================================================================
--- releng/8.3/sys/conf/newvers.sh Thu Nov 22 22:10:10 2012
(r243416)
+++ releng/8.3/sys/conf/newvers.sh Thu Nov 22 22:52:15 2012
(r243417)
@@ -32,7 +32,7 @@
TYPE="FreeBSD"
REVISION="8.3"
-BRANCH="RELEASE-p4"
+BRANCH="RELEASE-p5"
if [ "X${BRANCH_OVERRIDE}" != "X" ]; then
BRANCH=${BRANCH_OVERRIDE}
fi
Modified: releng/9.0/UPDATING
==============================================================================
--- releng/9.0/UPDATING Thu Nov 22 22:10:10 2012 (r243416)
+++ releng/9.0/UPDATING Thu Nov 22 22:52:15 2012 (r243417)
@@ -9,6 +9,14 @@ handbook.
Items affecting the ports and packages system can be found in
/usr/ports/UPDATING. Please read that file before running portupgrade.
+20121122: p5 FreeBSD-SA-12:06.bind FreeBSD-SA-12:07.hostapd
+ FreeBSD-SA-12:08.linux
+ Fix multiple Denial of Service vulnerabilities with named(8).
+
+ Fix insufficient message length validation for EAP-TLS messages.
+
+ Fix Linux compatibility layer input validation error.
+
20120806: p4 FreeBSD-SA-12:05.bind
Fix named(8) DNSSEC validation Denial of Service.
Modified: releng/9.0/contrib/bind9/bin/named/query.c
==============================================================================
--- releng/9.0/contrib/bind9/bin/named/query.c Thu Nov 22 22:10:10 2012
(r243416)
+++ releng/9.0/contrib/bind9/bin/named/query.c Thu Nov 22 22:52:15 2012
(r243417)
@@ -1137,13 +1137,6 @@ query_isduplicate(ns_client_t *client, d
mname = NULL;
}
- /*
- * If the dns_name_t we're looking up is already in the message,
- * we don't want to trigger the caller's name replacement logic.
- */
- if (name == mname)
- mname = NULL;
-
*mnamep = mname;
CTRACE("query_isduplicate: false: done");
@@ -1341,6 +1334,7 @@ query_addadditional(void *arg, dns_name_
if (dns_rdataset_isassociated(rdataset) &&
!query_isduplicate(client, fname, type, &mname)) {
if (mname != NULL) {
+ INSIST(mname != fname);
query_releasename(client, &fname);
fname = mname;
} else
@@ -1401,11 +1395,13 @@ query_addadditional(void *arg, dns_name_
mname = NULL;
if (!query_isduplicate(client, fname,
dns_rdatatype_a, &mname)) {
+ if (mname != fname) {
if (mname != NULL) {
query_releasename(client, &fname);
fname = mname;
} else
need_addname = ISC_TRUE;
+ }
ISC_LIST_APPEND(fname->list, rdataset, link);
added_something = ISC_TRUE;
if (sigrdataset != NULL &&
@@ -1444,11 +1440,13 @@ query_addadditional(void *arg, dns_name_
mname = NULL;
if (!query_isduplicate(client, fname,
dns_rdatatype_aaaa, &mname)) {
+ if (mname != fname) {
if (mname != NULL) {
query_releasename(client, &fname);
fname = mname;
} else
need_addname = ISC_TRUE;
+ }
ISC_LIST_APPEND(fname->list, rdataset, link);
added_something = ISC_TRUE;
if (sigrdataset != NULL &&
@@ -1960,6 +1958,7 @@ query_addadditional2(void *arg, dns_name
crdataset->type == dns_rdatatype_aaaa) {
if (!query_isduplicate(client, fname, crdataset->type,
&mname)) {
+ if (mname != fname) {
if (mname != NULL) {
/*
* A different type of this name is
@@ -1976,6 +1975,7 @@ query_addadditional2(void *arg, dns_name
mname0 = mname;
} else
need_addname = ISC_TRUE;
+ }
ISC_LIST_UNLINK(cfname.list, crdataset, link);
ISC_LIST_APPEND(fname->list, crdataset, link);
added_something = ISC_TRUE;
Modified: releng/9.0/contrib/bind9/lib/dns/include/dns/rdata.h
==============================================================================
--- releng/9.0/contrib/bind9/lib/dns/include/dns/rdata.h Thu Nov 22
22:10:10 2012 (r243416)
+++ releng/9.0/contrib/bind9/lib/dns/include/dns/rdata.h Thu Nov 22
22:52:15 2012 (r243417)
@@ -147,6 +147,17 @@ struct dns_rdata {
(((rdata)->flags & ~(DNS_RDATA_UPDATE|DNS_RDATA_OFFLINE)) == 0)
/*
+ * The maximum length of a RDATA that can be sent on the wire.
+ * Max packet size (65535) less header (12), less name (1), type (2),
+ * class (2), ttl(4), length (2).
+ *
+ * None of the defined types that support name compression can exceed
+ * this and all new types are to be sent uncompressed.
+ */
+
+#define DNS_RDATA_MAXLENGTH 65512U
+
+/*
* Flags affecting rdata formatting style. Flags 0xFFFF0000
* are used by masterfile-level formatting and defined elsewhere.
* See additional comments at dns_rdata_tofmttext().
Modified: releng/9.0/contrib/bind9/lib/dns/master.c
==============================================================================
--- releng/9.0/contrib/bind9/lib/dns/master.c Thu Nov 22 22:10:10 2012
(r243416)
+++ releng/9.0/contrib/bind9/lib/dns/master.c Thu Nov 22 22:52:15 2012
(r243417)
@@ -75,7 +75,7 @@
/*%
* max message size - header - root - type - class - ttl - rdlen
*/
-#define MINTSIZ (65535 - 12 - 1 - 2 - 2 - 4 - 2)
+#define MINTSIZ DNS_RDATA_MAXLENGTH
/*%
* Size for tokens in the presentation format,
* The largest tokens are the base64 blocks in KEY and CERT records,
Modified: releng/9.0/contrib/bind9/lib/dns/rdata.c
==============================================================================
--- releng/9.0/contrib/bind9/lib/dns/rdata.c Thu Nov 22 22:10:10 2012
(r243416)
+++ releng/9.0/contrib/bind9/lib/dns/rdata.c Thu Nov 22 22:52:15 2012
(r243417)
@@ -425,6 +425,7 @@ dns_rdata_fromwire(dns_rdata_t *rdata, d
isc_buffer_t st;
isc_boolean_t use_default = ISC_FALSE;
isc_uint32_t activelength;
+ size_t length;
REQUIRE(dctx != NULL);
if (rdata != NULL) {
@@ -455,6 +456,14 @@ dns_rdata_fromwire(dns_rdata_t *rdata, d
}
/*
+ * Reject any rdata that expands out to more than DNS_RDATA_MAXLENGTH
+ * as we cannot transmit it.
+ */
+ length = isc_buffer_usedlength(target) - isc_buffer_usedlength(&st);
+ if (result == ISC_R_SUCCESS && length > DNS_RDATA_MAXLENGTH)
+ result = DNS_R_FORMERR;
+
+ /*
* We should have consumed all of our buffer.
*/
if (result == ISC_R_SUCCESS && !buffer_empty(source))
@@ -462,8 +471,7 @@ dns_rdata_fromwire(dns_rdata_t *rdata, d
if (rdata != NULL && result == ISC_R_SUCCESS) {
region.base = isc_buffer_used(&st);
- region.length = isc_buffer_usedlength(target) -
- isc_buffer_usedlength(&st);
+ region.length = length;
dns_rdata_fromregion(rdata, rdclass, type, ®ion);
}
@@ -598,6 +606,7 @@ dns_rdata_fromtext(dns_rdata_t *rdata, d
unsigned long line;
void (*callback)(dns_rdatacallbacks_t *, const char *, ...);
isc_result_t tresult;
+ size_t length;
REQUIRE(origin == NULL || dns_name_isabsolute(origin) == ISC_TRUE);
if (rdata != NULL) {
@@ -670,10 +679,13 @@ dns_rdata_fromtext(dns_rdata_t *rdata, d
}
} while (1);
+ length = isc_buffer_usedlength(target) - isc_buffer_usedlength(&st);
+ if (result == ISC_R_SUCCESS && length > DNS_RDATA_MAXLENGTH)
+ result = ISC_R_NOSPACE;
+
if (rdata != NULL && result == ISC_R_SUCCESS) {
region.base = isc_buffer_used(&st);
- region.length = isc_buffer_usedlength(target) -
- isc_buffer_usedlength(&st);
+ region.length = length;
dns_rdata_fromregion(rdata, rdclass, type, ®ion);
}
if (result != ISC_R_SUCCESS) {
@@ -781,6 +793,7 @@ dns_rdata_fromstruct(dns_rdata_t *rdata,
isc_buffer_t st;
isc_region_t region;
isc_boolean_t use_default = ISC_FALSE;
+ size_t length;
REQUIRE(source != NULL);
if (rdata != NULL) {
@@ -795,10 +808,13 @@ dns_rdata_fromstruct(dns_rdata_t *rdata,
if (use_default)
(void)NULL;
+ length = isc_buffer_usedlength(target) - isc_buffer_usedlength(&st);
+ if (result == ISC_R_SUCCESS && length > DNS_RDATA_MAXLENGTH)
+ result = ISC_R_NOSPACE;
+
if (rdata != NULL && result == ISC_R_SUCCESS) {
region.base = isc_buffer_used(&st);
- region.length = isc_buffer_usedlength(target) -
- isc_buffer_usedlength(&st);
+ region.length = length;
dns_rdata_fromregion(rdata, rdclass, type, ®ion);
}
if (result != ISC_R_SUCCESS)
Modified: releng/9.0/contrib/wpa/src/eap_server/eap_server_tls_common.c
==============================================================================
--- releng/9.0/contrib/wpa/src/eap_server/eap_server_tls_common.c Thu Nov
22 22:10:10 2012 (r243416)
+++ releng/9.0/contrib/wpa/src/eap_server/eap_server_tls_common.c Thu Nov
22 22:52:15 2012 (r243417)
@@ -225,6 +225,14 @@ static int eap_server_tls_process_fragme
return -1;
}
+ if (len > message_length) {
+ wpa_printf(MSG_INFO, "SSL: Too much data (%d bytes) in "
+ "first fragment of frame (TLS Message "
+ "Length %d bytes)",
+ (int) len, (int) message_length);
+ return -1;
+ }
+
data->tls_in = wpabuf_alloc(message_length);
if (data->tls_in == NULL) {
wpa_printf(MSG_DEBUG, "SSL: No memory for message");
Modified: releng/9.0/sys/compat/linux/linux_ioctl.c
==============================================================================
--- releng/9.0/sys/compat/linux/linux_ioctl.c Thu Nov 22 22:10:10 2012
(r243416)
+++ releng/9.0/sys/compat/linux/linux_ioctl.c Thu Nov 22 22:52:15 2012
(r243417)
@@ -2260,8 +2260,9 @@ again:
ifc.ifc_len = valid_len;
sbuf_finish(sb);
- memcpy(PTRIN(ifc.ifc_buf), sbuf_data(sb), ifc.ifc_len);
- error = copyout(&ifc, uifc, sizeof(ifc));
+ error = copyout(sbuf_data(sb), PTRIN(ifc.ifc_buf), ifc.ifc_len);
+ if (error == 0)
+ error = copyout(&ifc, uifc, sizeof(ifc));
sbuf_delete(sb);
CURVNET_RESTORE();
Modified: releng/9.0/sys/conf/newvers.sh
==============================================================================
--- releng/9.0/sys/conf/newvers.sh Thu Nov 22 22:10:10 2012
(r243416)
+++ releng/9.0/sys/conf/newvers.sh Thu Nov 22 22:52:15 2012
(r243417)
@@ -32,7 +32,7 @@
TYPE="FreeBSD"
REVISION="9.0"
-BRANCH="RELEASE-p4"
+BRANCH="RELEASE-p5"
if [ "X${BRANCH_OVERRIDE}" != "X" ]; then
BRANCH=${BRANCH_OVERRIDE}
fi
Modified: releng/9.1/contrib/wpa/src/eap_server/eap_server_tls_common.c
==============================================================================
--- releng/9.1/contrib/wpa/src/eap_server/eap_server_tls_common.c Thu Nov
22 22:10:10 2012 (r243416)
+++ releng/9.1/contrib/wpa/src/eap_server/eap_server_tls_common.c Thu Nov
22 22:52:15 2012 (r243417)
@@ -225,6 +225,14 @@ static int eap_server_tls_process_fragme
return -1;
}
+ if (len > message_length) {
+ wpa_printf(MSG_INFO, "SSL: Too much data (%d bytes) in "
+ "first fragment of frame (TLS Message "
+ "Length %d bytes)",
+ (int) len, (int) message_length);
+ return -1;
+ }
+
data->tls_in = wpabuf_alloc(message_length);
if (data->tls_in == NULL) {
wpa_printf(MSG_DEBUG, "SSL: No memory for message");
Modified: releng/9.1/sys/compat/linux/linux_ioctl.c
==============================================================================
--- releng/9.1/sys/compat/linux/linux_ioctl.c Thu Nov 22 22:10:10 2012
(r243416)
+++ releng/9.1/sys/compat/linux/linux_ioctl.c Thu Nov 22 22:52:15 2012
(r243417)
@@ -2260,8 +2260,9 @@ again:
ifc.ifc_len = valid_len;
sbuf_finish(sb);
- memcpy(PTRIN(ifc.ifc_buf), sbuf_data(sb), ifc.ifc_len);
- error = copyout(&ifc, uifc, sizeof(ifc));
+ error = copyout(sbuf_data(sb), PTRIN(ifc.ifc_buf), ifc.ifc_len);
+ if (error == 0)
+ error = copyout(&ifc, uifc, sizeof(ifc));
sbuf_delete(sb);
CURVNET_RESTORE();
_______________________________________________
svn-src-all@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/svn-src-all
To unsubscribe, send any mail to "svn-src-all-unsubscr...@freebsd.org"
