Upgrade to 9.8.3-P3:

Prevents a crash when queried for a record whose RDATA exceeds
65535 bytes.

Prevents a crash when validating caused by using "Bad cache" data
before it has been initialized.

ISC_QUEUE handling for recursive clients was updated to address
a race condition that could cause a memory leak. This rarely
occurred with UDP clients, but could be a significant problem
for a server handling a steady rate of TCP queries.

A condition has been corrected where improper handling of
zero-length RDATA could cause undesirable behavior, including
termination of the named process.

For more information: https://kb.isc.org/article/AA-00788
This commit is contained in:
dougb 2012-09-20 04:12:09 +00:00
parent 033aa5b964
commit 4ca95619a9
6 changed files with 41 additions and 8 deletions

View File

@ -1,3 +1,8 @@
--- 9.8.3-P3 released ---
3364. [security] Named could die on specially crafted record.
[RT #30416]
--- 9.8.3-P2 released ---
3346. [security] Bad-cache data could be used before it was

View File

@ -146,6 +146,17 @@ struct dns_rdata {
#define DNS_RDATA_VALIDFLAGS(rdata) \
(((rdata)->flags & ~(DNS_RDATA_UPDATE|DNS_RDATA_OFFLINE)) == 0)
/*
* The maximum length of a RDATA that can be sent on the wire.
* Max packet size (65535) less header (12), less name (1), type (2),
* class (2), ttl(4), length (2).
*
* None of the defined types that support name compression can exceed
* this and all new types are to be sent uncompressed.
*/
#define DNS_RDATA_MAXLENGTH 65512U
/*
* Flags affecting rdata formatting style. Flags 0xFFFF0000
* are used by masterfile-level formatting and defined elsewhere.

View File

@ -75,7 +75,7 @@
/*%
* max message size - header - root - type - class - ttl - rdlen
*/
#define MINTSIZ (65535 - 12 - 1 - 2 - 2 - 4 - 2)
#define MINTSIZ DNS_RDATA_MAXLENGTH
/*%
* Size for tokens in the presentation format,
* The largest tokens are the base64 blocks in KEY and CERT records,

View File

@ -429,6 +429,7 @@ dns_rdata_fromwire(dns_rdata_t *rdata, dns_rdataclass_t rdclass,
isc_buffer_t st;
isc_boolean_t use_default = ISC_FALSE;
isc_uint32_t activelength;
size_t length;
REQUIRE(dctx != NULL);
if (rdata != NULL) {
@ -458,6 +459,14 @@ dns_rdata_fromwire(dns_rdata_t *rdata, dns_rdataclass_t rdclass,
}
}
/*
* Reject any rdata that expands out to more than DNS_RDATA_MAXLENGTH
* as we cannot transmit it.
*/
length = isc_buffer_usedlength(target) - isc_buffer_usedlength(&st);
if (result == ISC_R_SUCCESS && length > DNS_RDATA_MAXLENGTH)
result = DNS_R_FORMERR;
/*
* We should have consumed all of our buffer.
*/
@ -466,8 +475,7 @@ dns_rdata_fromwire(dns_rdata_t *rdata, dns_rdataclass_t rdclass,
if (rdata != NULL && result == ISC_R_SUCCESS) {
region.base = isc_buffer_used(&st);
region.length = isc_buffer_usedlength(target) -
isc_buffer_usedlength(&st);
region.length = length;
dns_rdata_fromregion(rdata, rdclass, type, &region);
}
@ -602,6 +610,7 @@ dns_rdata_fromtext(dns_rdata_t *rdata, dns_rdataclass_t rdclass,
unsigned long line;
void (*callback)(dns_rdatacallbacks_t *, const char *, ...);
isc_result_t tresult;
size_t length;
REQUIRE(origin == NULL || dns_name_isabsolute(origin) == ISC_TRUE);
if (rdata != NULL) {
@ -673,10 +682,13 @@ dns_rdata_fromtext(dns_rdata_t *rdata, dns_rdataclass_t rdclass,
}
} while (1);
length = isc_buffer_usedlength(target) - isc_buffer_usedlength(&st);
if (result == ISC_R_SUCCESS && length > DNS_RDATA_MAXLENGTH)
result = ISC_R_NOSPACE;
if (rdata != NULL && result == ISC_R_SUCCESS) {
region.base = isc_buffer_used(&st);
region.length = isc_buffer_usedlength(target) -
isc_buffer_usedlength(&st);
region.length = length;
dns_rdata_fromregion(rdata, rdclass, type, &region);
}
if (result != ISC_R_SUCCESS) {
@ -804,6 +816,7 @@ dns_rdata_fromstruct(dns_rdata_t *rdata, dns_rdataclass_t rdclass,
isc_buffer_t st;
isc_region_t region;
isc_boolean_t use_default = ISC_FALSE;
size_t length;
REQUIRE(source != NULL);
if (rdata != NULL) {
@ -818,10 +831,13 @@ dns_rdata_fromstruct(dns_rdata_t *rdata, dns_rdataclass_t rdclass,
if (use_default)
(void)NULL;
length = isc_buffer_usedlength(target) - isc_buffer_usedlength(&st);
if (result == ISC_R_SUCCESS && length > DNS_RDATA_MAXLENGTH)
result = ISC_R_NOSPACE;
if (rdata != NULL && result == ISC_R_SUCCESS) {
region.base = isc_buffer_used(&st);
region.length = isc_buffer_usedlength(target) -
isc_buffer_usedlength(&st);
region.length = length;
dns_rdata_fromregion(rdata, rdclass, type, &region);
}
if (result != ISC_R_SUCCESS)

View File

@ -305,6 +305,7 @@ dns_rdataslab_fromrdataset(dns_rdataset_t *rdataset, isc_mem_t *mctx,
length = x[i].rdata.length;
if (rdataset->type == dns_rdatatype_rrsig)
length++;
INSIST(length <= 0xffff);
*rawbuf++ = (length & 0xff00) >> 8;
*rawbuf++ = (length & 0x00ff);
#if DNS_RDATASET_FIXED

View File

@ -7,4 +7,4 @@ MAJORVER=9
MINORVER=8
PATCHVER=3
RELEASETYPE=-P
RELEASEVER=2
RELEASEVER=3