diff options
author | Xin LI <delphij@FreeBSD.org> | 2012-10-10 19:47:52 +0000 |
---|---|---|
committer | Xin LI <delphij@FreeBSD.org> | 2012-10-10 19:47:52 +0000 |
commit | 66887009ec9d7a66062b920cf9e66b5c269f67f3 (patch) | |
tree | 30dc84c623a870c4a4d53eaa4dded9bd55f8e1e3 | |
parent | 803a9b3efd550bcb8ca7a0c73a2ee385dd547397 (diff) | |
parent | 8d876c495fa11d5aa72e8340d4b6efa1e911030b (diff) | |
download | src-66887009ec9d7a66062b920cf9e66b5c269f67f3.tar.gz src-66887009ec9d7a66062b920cf9e66b5c269f67f3.zip |
Upgrade to 9.8.3-P4:
Prevents a lockup when queried a deliberately constructed combination
of records. [CVE-2012-5166]
For more information: https://kb.isc.org/article/AA-00801
Notes
Notes:
svn path=/head/; revision=241414
-rw-r--r-- | contrib/bind9/CHANGES | 6 | ||||
-rw-r--r-- | contrib/bind9/bin/named/query.c | 66 | ||||
-rw-r--r-- | contrib/bind9/version | 2 |
3 files changed, 40 insertions, 34 deletions
diff --git a/contrib/bind9/CHANGES b/contrib/bind9/CHANGES index 0cc247a3b251..d9b6714eff29 100644 --- a/contrib/bind9/CHANGES +++ b/contrib/bind9/CHANGES @@ -1,3 +1,9 @@ + --- 9.8.3-P4 released --- + +3383. [security] A certain combination of records in the RBT could + cause named to hang while populating the additional + section of a response. [RT #31090] + --- 9.8.3-P3 released --- 3364. [security] Named could die on specially crafted record. diff --git a/contrib/bind9/bin/named/query.c b/contrib/bind9/bin/named/query.c index 9464a828ca55..10a7d6dd4d94 100644 --- a/contrib/bind9/bin/named/query.c +++ b/contrib/bind9/bin/named/query.c @@ -1119,13 +1119,6 @@ query_isduplicate(ns_client_t *client, dns_name_t *name, mname = NULL; } - /* - * If the dns_name_t we're looking up is already in the message, - * we don't want to trigger the caller's name replacement logic. - */ - if (name == mname) - mname = NULL; - if (mnamep != NULL) *mnamep = mname; @@ -1324,6 +1317,7 @@ query_addadditional(void *arg, dns_name_t *name, dns_rdatatype_t qtype) { if (dns_rdataset_isassociated(rdataset) && !query_isduplicate(client, fname, type, &mname)) { if (mname != NULL) { + INSIST(mname != fname); query_releasename(client, &fname); fname = mname; } else @@ -1393,11 +1387,13 @@ query_addadditional(void *arg, dns_name_t *name, dns_rdatatype_t qtype) { #endif if (!query_isduplicate(client, fname, dns_rdatatype_a, &mname)) { - if (mname != NULL) { - query_releasename(client, &fname); - fname = mname; - } else - need_addname = ISC_TRUE; + if (mname != fname) { + if (mname != NULL) { + query_releasename(client, &fname); + fname = mname; + } else + need_addname = ISC_TRUE; + } ISC_LIST_APPEND(fname->list, rdataset, link); added_something = ISC_TRUE; if (sigrdataset != NULL && @@ -1450,11 +1446,13 @@ query_addadditional(void *arg, dns_name_t *name, dns_rdatatype_t qtype) { #endif if (!query_isduplicate(client, fname, dns_rdatatype_aaaa, &mname)) { - if (mname != NULL) { - query_releasename(client, &fname); - fname = mname; - } else - need_addname = ISC_TRUE; + if (mname != fname) { + if (mname != NULL) { + query_releasename(client, &fname); + fname = mname; + } else + need_addname = ISC_TRUE; + } ISC_LIST_APPEND(fname->list, rdataset, link); added_something = ISC_TRUE; if (sigrdataset != NULL && @@ -1977,22 +1975,24 @@ query_addadditional2(void *arg, dns_name_t *name, dns_rdatatype_t qtype) { crdataset->type == dns_rdatatype_aaaa) { if (!query_isduplicate(client, fname, crdataset->type, &mname)) { - if (mname != NULL) { - /* - * A different type of this name is - * already stored in the additional - * section. We'll reuse the name. - * Note that this should happen at most - * once. Otherwise, fname->link could - * leak below. - */ - INSIST(mname0 == NULL); - - query_releasename(client, &fname); - fname = mname; - mname0 = mname; - } else - need_addname = ISC_TRUE; + if (mname != fname) { + if (mname != NULL) { + /* + * A different type of this name is + * already stored in the additional + * section. We'll reuse the name. + * Note that this should happen at most + * once. Otherwise, fname->link could + * leak below. + */ + INSIST(mname0 == NULL); + + query_releasename(client, &fname); + fname = mname; + mname0 = mname; + } else + need_addname = ISC_TRUE; + } ISC_LIST_UNLINK(cfname.list, crdataset, link); ISC_LIST_APPEND(fname->list, crdataset, link); added_something = ISC_TRUE; diff --git a/contrib/bind9/version b/contrib/bind9/version index 9d821a2cabb2..b841ff875f59 100644 --- a/contrib/bind9/version +++ b/contrib/bind9/version @@ -7,4 +7,4 @@ MAJORVER=9 MINORVER=8 PATCHVER=3 RELEASETYPE=-P -RELEASEVER=3 +RELEASEVER=4 |