aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorXin LI <delphij@FreeBSD.org>2014-01-14 19:42:28 +0000
committerXin LI <delphij@FreeBSD.org>2014-01-14 19:42:28 +0000
commitb7f8c89c6acfbc5d217329d395fa168a037f6c45 (patch)
treeec500f044637782ba7c40018dec9dffc1e5e6fc6
parenta57976ab1274f11075cb35020a7729c9a675bb44 (diff)
downloadsrc-b7f8c89c6acfbc5d217329d395fa168a037f6c45.tar.gz
src-b7f8c89c6acfbc5d217329d395fa168a037f6c45.zip
Fix bsnmpd remote denial of service vulnerability. [SA-14:01]
Fix ntpd distributed reflection Denial of Service vulnerability. [SA-14:02] Fix BIND remote denial of service vulnerability. [SA-14:04] Disable hardware RNGs by default. [EN-14:01] Fix incorrect coalescing of stack entry with mmap. [EN-14:02] Approved by: so
Notes
Notes: svn path=/releng/8.3/; revision=260647
-rw-r--r--UPDATING16
-rw-r--r--contrib/bind9/bin/named/query.c19
-rw-r--r--contrib/bsnmp/lib/snmpagent.c5
-rw-r--r--contrib/ntp/ntpd/ntp_config.c2
-rw-r--r--sys/conf/newvers.sh2
-rw-r--r--sys/dev/random/probe.c9
-rw-r--r--sys/vm/vm_map.c2
7 files changed, 45 insertions, 10 deletions
diff --git a/UPDATING b/UPDATING
index d9ad537232ee..f4ffcdfb8984 100644
--- a/UPDATING
+++ b/UPDATING
@@ -15,6 +15,22 @@ NOTE TO PEOPLE WHO THINK THAT FreeBSD 8.x IS SLOW ON IA64 OR SUN4V:
debugging tools present in HEAD were left in place because
sun4v support still needs work to become production ready.
+20140114: p14 FreeBSD-SA-14:01.bsnmpd
+ FreeBSD-SA-14:02.ntpd
+ FreeBSD-SA-14:04.bind
+ FreeBSD-EN-14:01.random
+ FreeBSD-EN-14:02.mmap
+ Fix bsnmpd remote denial of service vulnerability. [SA-14:01]
+
+ Fix ntpd distributed reflection Denial of Service
+ vulnerability. [SA-14:02]
+
+ Fix BIND remote denial of service vulnerability. [SA-14:04]
+
+ Disable hardware RNGs by default. [EN-14:01]
+
+ Fix incorrect coalescing of stack entry with mmap. [EN-14:02]
+
20131128: p13 FreeBSD-EN-13:05.freebsd-update
Fix error in patch for FreeBSD-EN-13:04.freebsd-update.
diff --git a/contrib/bind9/bin/named/query.c b/contrib/bind9/bin/named/query.c
index fddbb8af7f48..59cb3e874e76 100644
--- a/contrib/bind9/bin/named/query.c
+++ b/contrib/bind9/bin/named/query.c
@@ -3622,8 +3622,7 @@ query_findclosestnsec3(dns_name_t *qname, dns_db_t *db,
dns_fixedname_t fixed;
dns_hash_t hash;
dns_name_t name;
- int order;
- unsigned int count;
+ unsigned int skip = 0, labels;
dns_rdata_nsec3_t nsec3;
dns_rdata_t rdata = DNS_RDATA_INIT;
isc_boolean_t optout;
@@ -3636,6 +3635,7 @@ query_findclosestnsec3(dns_name_t *qname, dns_db_t *db,
dns_name_init(&name, NULL);
dns_name_clone(qname, &name);
+ labels = dns_name_countlabels(&name);
/*
* Map unknown algorithm to known value.
@@ -3667,13 +3667,14 @@ query_findclosestnsec3(dns_name_t *qname, dns_db_t *db,
dns_rdata_reset(&rdata);
optout = ISC_TF((nsec3.flags & DNS_NSEC3FLAG_OPTOUT) != 0);
if (found != NULL && optout &&
- dns_name_fullcompare(&name, dns_db_origin(db), &order,
- &count) == dns_namereln_subdomain) {
+ dns_name_issubdomain(&name, dns_db_origin(db)))
+ {
dns_rdataset_disassociate(rdataset);
if (dns_rdataset_isassociated(sigrdataset))
dns_rdataset_disassociate(sigrdataset);
- count = dns_name_countlabels(&name) - 1;
- dns_name_getlabelsequence(&name, 1, count, &name);
+ skip++;
+ dns_name_getlabelsequence(qname, skip, labels - skip,
+ &name);
ns_client_log(client, DNS_LOGCATEGORY_DNSSEC,
NS_LOGMODULE_QUERY, ISC_LOG_DEBUG(3),
"looking for closest provable encloser");
@@ -3691,7 +3692,11 @@ query_findclosestnsec3(dns_name_t *qname, dns_db_t *db,
ns_client_log(client, DNS_LOGCATEGORY_DNSSEC,
NS_LOGMODULE_QUERY, ISC_LOG_WARNING,
"expected covering NSEC3, got an exact match");
- if (found != NULL)
+ if (found == qname) {
+ if (skip != 0U)
+ dns_name_getlabelsequence(qname, skip, labels - skip,
+ found);
+ } else if (found != NULL)
dns_name_copy(&name, found, NULL);
return;
}
diff --git a/contrib/bsnmp/lib/snmpagent.c b/contrib/bsnmp/lib/snmpagent.c
index ca9ccbd2c4eb..3b9403d9911e 100644
--- a/contrib/bsnmp/lib/snmpagent.c
+++ b/contrib/bsnmp/lib/snmpagent.c
@@ -488,6 +488,11 @@ snmp_getbulk(struct snmp_pdu *pdu, struct asn_buf *resp_b,
for (cnt = 0; cnt < pdu->error_index; cnt++) {
eomib = 1;
for (i = non_rep; i < pdu->nbindings; i++) {
+
+ if (resp->nbindings == SNMP_MAX_BINDINGS)
+ /* PDU is full */
+ goto done;
+
if (cnt == 0)
result = do_getnext(&context, &pdu->bindings[i],
&resp->bindings[resp->nbindings], pdu);
diff --git a/contrib/ntp/ntpd/ntp_config.c b/contrib/ntp/ntpd/ntp_config.c
index 99af999ad169..a28bd1b417c4 100644
--- a/contrib/ntp/ntpd/ntp_config.c
+++ b/contrib/ntp/ntpd/ntp_config.c
@@ -597,6 +597,8 @@ getconfig(
#endif /* not SYS_WINNT */
}
+ proto_config(PROTO_MONITOR, 0, 0., NULL);
+
for (;;) {
if (tok == CONFIG_END)
break;
diff --git a/sys/conf/newvers.sh b/sys/conf/newvers.sh
index 308afc876486..72bd2828a22b 100644
--- a/sys/conf/newvers.sh
+++ b/sys/conf/newvers.sh
@@ -32,7 +32,7 @@
TYPE="FreeBSD"
REVISION="8.3"
-BRANCH="RELEASE-p13"
+BRANCH="RELEASE-p14"
if [ "X${BRANCH_OVERRIDE}" != "X" ]; then
BRANCH=${BRANCH_OVERRIDE}
fi
diff --git a/sys/dev/random/probe.c b/sys/dev/random/probe.c
index 264f9d594070..3b3e752c3af1 100644
--- a/sys/dev/random/probe.c
+++ b/sys/dev/random/probe.c
@@ -30,6 +30,8 @@ __FBSDID("$FreeBSD$");
#include <sys/types.h>
#include <sys/param.h>
+#include <sys/systm.h>
+#include <sys/kernel.h>
#include <sys/malloc.h>
#include <sys/random.h>
#include <sys/selinfo.h>
@@ -57,7 +59,12 @@ random_ident_hardware(struct random_systat *systat)
/* Then go looking for hardware */
#if defined(__i386__) && !defined(PC98)
if (via_feature_rng & VIA_HAS_RNG) {
- *systat = random_nehemiah;
+ int enable;
+
+ enable = 0;
+ TUNABLE_INT_FETCH("hw.nehemiah_rng_enable", &enable);
+ if (enable)
+ *systat = random_nehemiah;
}
#endif
}
diff --git a/sys/vm/vm_map.c b/sys/vm/vm_map.c
index 0fb6cb73079e..f20aab756940 100644
--- a/sys/vm/vm_map.c
+++ b/sys/vm/vm_map.c
@@ -1215,6 +1215,7 @@ charged:
}
else if ((prev_entry != &map->header) &&
(prev_entry->eflags == protoeflags) &&
+ (cow & (MAP_ENTRY_GROWS_DOWN | MAP_ENTRY_GROWS_UP)) == 0 &&
(prev_entry->end == start) &&
(prev_entry->wired_count == 0) &&
(prev_entry->uip == uip ||
@@ -3186,7 +3187,6 @@ vm_map_stack(vm_map_t map, vm_offset_t addrbos, vm_size_t max_ssize,
* NOTE: We explicitly allow bi-directional stacks.
*/
orient = cow & (MAP_STACK_GROWS_DOWN|MAP_STACK_GROWS_UP);
- cow &= ~orient;
KASSERT(orient != 0, ("No stack grow direction"));
if (addrbos < vm_map_min(map) ||