src - FreeBSD source tree

diff options


context:
space:
mode:

author	Simon L. B. Nielsen <simon@FreeBSD.org>	2012-11-22 22:52:15 +0000
committer	Simon L. B. Nielsen <simon@FreeBSD.org>	2012-11-22 22:52:15 +0000
commit	671eb07ab62de1fbc03000f0e450f96586029847 (patch)
tree	44296d736f50c7d1e01eda8e43190aff30a04783
parent	9e80c86470e0c29ec38a21c3dc6790571228d031 (diff)
download	src-671eb07ab62de1fbc03000f0e450f96586029847.tar.gz src-671eb07ab62de1fbc03000f0e450f96586029847.zip

Fix multiple Denial of Service vulnerabilities with named(8).

Fix insufficient message length validation for EAP-TLS messages. Fix Linux compatibility layer input validation error. Security: FreeBSD-SA-12:06.bind Security: FreeBSD-SA-12:07.hostapd Security: FreeBSD-SA-12:08.linux Security: CVE-2012-4244, CVE-2012-5166, CVE-2012-4445, CVE-2012-4576 Approved by: re Approved by: security-officer

Notes

Notes: svn path=/releng/9.0/; revision=243417

Diffstat

-rw-r--r--

UPDATING

-rw-r--r--

contrib/bind9/bin/named/query.c

-rw-r--r--

contrib/bind9/lib/dns/include/dns/rdata.h

-rw-r--r--

contrib/bind9/lib/dns/master.c

-rw-r--r--

contrib/bind9/lib/dns/rdata.c

-rw-r--r--

contrib/wpa/src/eap_server/eap_server_tls_common.c

-rw-r--r--

sys/compat/linux/linux_ioctl.c

-rw-r--r--

sys/conf/newvers.sh

8 files changed, 61 insertions, 17 deletions

diff --git a/UPDATING b/UPDATING
index 45dd66f095aa..a86a757e40a4 100644
--- a/UPDATING
+++ b/UPDATING

@@ -9,6 +9,14 @@ handbook.

Items affecting the ports and packages system can be found in

/usr/ports/UPDATING. Please read that file before running portupgrade.

+20121122: p5 FreeBSD-SA-12:06.bind FreeBSD-SA-12:07.hostapd

+ FreeBSD-SA-12:08.linux

+ Fix multiple Denial of Service vulnerabilities with named(8).

+ Fix insufficient message length validation for EAP-TLS messages.

+ Fix Linux compatibility layer input validation error.

20120806: p4 FreeBSD-SA-12:05.bind

Fix named(8) DNSSEC validation Denial of Service.

diff --git a/contrib/bind9/bin/named/query.c b/contrib/bind9/bin/named/query.c
index 4945f474f73f..7c3889a9e684 100644
--- a/contrib/bind9/bin/named/query.c
+++ b/contrib/bind9/bin/named/query.c

@@ -1137,13 +1137,6 @@ query_isduplicate(ns_client_t *client, dns_name_t *name,

mname = NULL;

}

- /*

- * If the dns_name_t we're looking up is already in the message,

- * we don't want to trigger the caller's name replacement logic.

- */

- if (name == mname)

- mname = NULL;

*mnamep = mname;

CTRACE("query_isduplicate: false: done");

@@ -1341,6 +1334,7 @@ query_addadditional(void *arg, dns_name_t *name, dns_rdatatype_t qtype) {

if (dns_rdataset_isassociated(rdataset) &&

!query_isduplicate(client, fname, type, &mname)) {

if (mname != NULL) {

+ INSIST(mname != fname);

query_releasename(client, &fname);

fname = mname;

} else

@@ -1401,11 +1395,13 @@ query_addadditional(void *arg, dns_name_t *name, dns_rdatatype_t qtype) {

mname = NULL;

if (!query_isduplicate(client, fname,

dns_rdatatype_a, &mname)) {

+ if (mname != fname) {

if (mname != NULL) {

query_releasename(client, &fname);

fname = mname;

} else

need_addname = ISC_TRUE;

+ }

ISC_LIST_APPEND(fname->list, rdataset, link);

added_something = ISC_TRUE;

if (sigrdataset != NULL &&

@@ -1444,11 +1440,13 @@ query_addadditional(void *arg, dns_name_t *name, dns_rdatatype_t qtype) {

mname = NULL;

if (!query_isduplicate(client, fname,

dns_rdatatype_aaaa, &mname)) {

+ if (mname != fname) {

if (mname != NULL) {

query_releasename(client, &fname);

fname = mname;

} else

need_addname = ISC_TRUE;

+ }

ISC_LIST_APPEND(fname->list, rdataset, link);

added_something = ISC_TRUE;

if (sigrdataset != NULL &&

@@ -1960,6 +1958,7 @@ query_addadditional2(void *arg, dns_name_t *name, dns_rdatatype_t qtype) {

crdataset->type == dns_rdatatype_aaaa) {

if (!query_isduplicate(client, fname, crdataset->type,

&mname)) {

+ if (mname != fname) {

if (mname != NULL) {

* A different type of this name is

@@ -1976,6 +1975,7 @@ query_addadditional2(void *arg, dns_name_t *name, dns_rdatatype_t qtype) {

mname0 = mname;

} else

need_addname = ISC_TRUE;

+ }

ISC_LIST_UNLINK(cfname.list, crdataset, link);

ISC_LIST_APPEND(fname->list, crdataset, link);

added_something = ISC_TRUE;

diff --git a/contrib/bind9/lib/dns/include/dns/rdata.h b/contrib/bind9/lib/dns/include/dns/rdata.h
index b70a353dde1a..4c969942fb8f 100644
--- a/contrib/bind9/lib/dns/include/dns/rdata.h
+++ b/contrib/bind9/lib/dns/include/dns/rdata.h

@@ -147,6 +147,17 @@ struct dns_rdata {

(((rdata)->flags & ~(DNS_RDATA_UPDATE|DNS_RDATA_OFFLINE)) == 0)

+ * The maximum length of a RDATA that can be sent on the wire.

+ * Max packet size (65535) less header (12), less name (1), type (2),

+ * class (2), ttl(4), length (2).

+ *

+ * None of the defined types that support name compression can exceed

+ * this and all new types are to be sent uncompressed.

+ */

+#define DNS_RDATA_MAXLENGTH 65512U

+/*

* Flags affecting rdata formatting style. Flags 0xFFFF0000

* are used by masterfile-level formatting and defined elsewhere.

* See additional comments at dns_rdata_tofmttext().

diff --git a/contrib/bind9/lib/dns/master.c b/contrib/bind9/lib/dns/master.c
index 1e9fead687e5..9ed7cd0099a6 100644
--- a/contrib/bind9/lib/dns/master.c
+++ b/contrib/bind9/lib/dns/master.c

@@ -75,7 +75,7 @@

/*%

* max message size - header - root - type - class - ttl - rdlen

-#define MINTSIZ (65535 - 12 - 1 - 2 - 2 - 4 - 2)

+#define MINTSIZ DNS_RDATA_MAXLENGTH

/*%

* Size for tokens in the presentation format,

* The largest tokens are the base64 blocks in KEY and CERT records,

diff --git a/contrib/bind9/lib/dns/rdata.c b/contrib/bind9/lib/dns/rdata.c
index 9337a801fa2e..bf3e7395af0a 100644
--- a/contrib/bind9/lib/dns/rdata.c
+++ b/contrib/bind9/lib/dns/rdata.c

@@ -425,6 +425,7 @@ dns_rdata_fromwire(dns_rdata_t *rdata, dns_rdataclass_t rdclass,

isc_buffer_t st;

isc_boolean_t use_default = ISC_FALSE;

isc_uint32_t activelength;

+ size_t length;

REQUIRE(dctx != NULL);

if (rdata != NULL) {

@@ -455,6 +456,14 @@ dns_rdata_fromwire(dns_rdata_t *rdata, dns_rdataclass_t rdclass,

}

+ * Reject any rdata that expands out to more than DNS_RDATA_MAXLENGTH

+ * as we cannot transmit it.

+ */

+ length = isc_buffer_usedlength(target) - isc_buffer_usedlength(&st);

+ if (result == ISC_R_SUCCESS && length > DNS_RDATA_MAXLENGTH)

+ result = DNS_R_FORMERR;

+ /*

* We should have consumed all of our buffer.

if (result == ISC_R_SUCCESS && !buffer_empty(source))

@@ -462,8 +471,7 @@ dns_rdata_fromwire(dns_rdata_t *rdata, dns_rdataclass_t rdclass,

if (rdata != NULL && result == ISC_R_SUCCESS) {

region.base = isc_buffer_used(&st);

- region.length = isc_buffer_usedlength(target) -

- isc_buffer_usedlength(&st);

+ region.length = length;

dns_rdata_fromregion(rdata, rdclass, type, &region);

}

@@ -598,6 +606,7 @@ dns_rdata_fromtext(dns_rdata_t *rdata, dns_rdataclass_t rdclass,

unsigned long line;

void (*callback)(dns_rdatacallbacks_t *, const char *, ...);

isc_result_t tresult;

+ size_t length;

REQUIRE(origin == NULL || dns_name_isabsolute(origin) == ISC_TRUE);

if (rdata != NULL) {

@@ -670,10 +679,13 @@ dns_rdata_fromtext(dns_rdata_t *rdata, dns_rdataclass_t rdclass,

}

} while (1);

+ length = isc_buffer_usedlength(target) - isc_buffer_usedlength(&st);

+ if (result == ISC_R_SUCCESS && length > DNS_RDATA_MAXLENGTH)

+ result = ISC_R_NOSPACE;

if (rdata != NULL && result == ISC_R_SUCCESS) {

region.base = isc_buffer_used(&st);

- region.length = isc_buffer_usedlength(target) -

- isc_buffer_usedlength(&st);

+ region.length = length;

dns_rdata_fromregion(rdata, rdclass, type, &region);

}

if (result != ISC_R_SUCCESS) {

@@ -781,6 +793,7 @@ dns_rdata_fromstruct(dns_rdata_t *rdata, dns_rdataclass_t rdclass,

isc_buffer_t st;

isc_region_t region;

isc_boolean_t use_default = ISC_FALSE;

+ size_t length;

REQUIRE(source != NULL);

if (rdata != NULL) {

@@ -795,10 +808,13 @@ dns_rdata_fromstruct(dns_rdata_t *rdata, dns_rdataclass_t rdclass,

if (use_default)

(void)NULL;

+ length = isc_buffer_usedlength(target) - isc_buffer_usedlength(&st);

+ if (result == ISC_R_SUCCESS && length > DNS_RDATA_MAXLENGTH)

+ result = ISC_R_NOSPACE;

if (rdata != NULL && result == ISC_R_SUCCESS) {

region.base = isc_buffer_used(&st);

- region.length = isc_buffer_usedlength(target) -

- isc_buffer_usedlength(&st);

+ region.length = length;

dns_rdata_fromregion(rdata, rdclass, type, &region);

}

if (result != ISC_R_SUCCESS)

diff --git a/contrib/wpa/src/eap_server/eap_server_tls_common.c b/contrib/wpa/src/eap_server/eap_server_tls_common.c
index 25ae683f0668..625ff52a4c2b 100644
--- a/contrib/wpa/src/eap_server/eap_server_tls_common.c
+++ b/contrib/wpa/src/eap_server/eap_server_tls_common.c

@@ -225,6 +225,14 @@ static int eap_server_tls_process_fragment(struct eap_ssl_data *data,

return -1;

}

+ if (len > message_length) {

+ wpa_printf(MSG_INFO, "SSL: Too much data (%d bytes) in "

+ "first fragment of frame (TLS Message "

+ "Length %d bytes)",

+ (int) len, (int) message_length);

+ return -1;

+ }

data->tls_in = wpabuf_alloc(message_length);

if (data->tls_in == NULL) {

wpa_printf(MSG_DEBUG, "SSL: No memory for message");

diff --git a/sys/compat/linux/linux_ioctl.c b/sys/compat/linux/linux_ioctl.c
index 15e313639369..5a3f628867be 100644
--- a/sys/compat/linux/linux_ioctl.c
+++ b/sys/compat/linux/linux_ioctl.c

@@ -2260,8 +2260,9 @@ again:

ifc.ifc_len = valid_len;

sbuf_finish(sb);

- memcpy(PTRIN(ifc.ifc_buf), sbuf_data(sb), ifc.ifc_len);

- error = copyout(&ifc, uifc, sizeof(ifc));

+ error = copyout(sbuf_data(sb), PTRIN(ifc.ifc_buf), ifc.ifc_len);

+ if (error == 0)

+ error = copyout(&ifc, uifc, sizeof(ifc));

sbuf_delete(sb);

CURVNET_RESTORE();

diff --git a/sys/conf/newvers.sh b/sys/conf/newvers.sh
index 1a7c73d266a5..83449504b401 100644
--- a/sys/conf/newvers.sh
+++ b/sys/conf/newvers.sh

@@ -32,7 +32,7 @@

TYPE="FreeBSD"

REVISION="9.0"

-BRANCH="RELEASE-p4"

+BRANCH="RELEASE-p5"

if [ "X${BRANCH_OVERRIDE}" != "X" ]; then

BRANCH=${BRANCH_OVERRIDE}