authorXin LI <delphij@FreeBSD.org>2012-10-10 20:37:57 +0000
committerXin LI <delphij@FreeBSD.org>2012-10-10 20:37:57 +0000
commit5fe9da68d03989ba27e31117408969080d7b6155 (patch)
tree04a1836db83dad637598d5e1d2e1249a8f064445
parente2668e870ba25ca13ace29ee7c0669582cf458b9 (diff)
MFC r241414:
Upgrade to 9.8.3-P4: Prevents a lockup when queried for a deliberately constructed combination of records. [CVE-2012-5166] For more information: https://kb.isc.org/article/AA-00801 Approved by: re (kib)
Notes
Notes: svn path=/releng/9.1/; revision=241417
-rw-r--r--contrib/bind9/CHANGES6
-rw-r--r--contrib/bind9/bin/named/query.c66
-rw-r--r--contrib/bind9/version2
3 files changed, 40 insertions, 34 deletions
diff --git a/contrib/bind9/CHANGES b/contrib/bind9/CHANGES
index 0cc247a3b251..d9b6714eff29 100644
--- a/contrib/bind9/CHANGES
+++ b/contrib/bind9/CHANGES
@@ -1,3 +1,9 @@
+ --- 9.8.3-P4 released ---
+
+3383. [security] A certain combination of records in the RBT could
+ cause named to hang while populating the additional
+ section of a response. [RT #31090]
+
--- 9.8.3-P3 released ---
3364. [security] Named could die on specially crafted record.
diff --git a/contrib/bind9/bin/named/query.c b/contrib/bind9/bin/named/query.c
index 9464a828ca55..10a7d6dd4d94 100644
--- a/contrib/bind9/bin/named/query.c
+++ b/contrib/bind9/bin/named/query.c
@@ -1119,13 +1119,6 @@ query_isduplicate(ns_client_t *client, dns_name_t *name,
mname = NULL;
}
- /*
- * If the dns_name_t we're looking up is already in the message,
- * we don't want to trigger the caller's name replacement logic.
- */
- if (name == mname)
- mname = NULL;
-
if (mnamep != NULL)
*mnamep = mname;
@@ -1324,6 +1317,7 @@ query_addadditional(void *arg, dns_name_t *name, dns_rdatatype_t qtype) {
if (dns_rdataset_isassociated(rdataset) &&
!query_isduplicate(client, fname, type, &mname)) {
if (mname != NULL) {
+ INSIST(mname != fname);
query_releasename(client, &fname);
fname = mname;
} else
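Review bot: The new `INSIST(mname != fname);` in query_addadditional turns a violated invariant into a process abort, while the A, AAAA and query_addadditional2 call sites changed in this same commit tolerate `mname == fname` with an `if (mname != fname)` guard. If the equality is truly unreachable here, presumably because fname has not yet been added to the message at this point, a comment should say so, e.g. `/* fname is not yet in the message here, so query_isduplicate() cannot hand it back. */`. If that cannot be shown from the code outside this hunk, the same guard as the other sites would be the safer choice for a network-facing daemon, since an assertion failure stops named. The body of query_addadditional starts and continues outside the hunk.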
@@ -1393,11 +1387,13 @@ query_addadditional(void *arg, dns_name_t *name, dns_rdatatype_t qtype) {
#endif
if (!query_isduplicate(client, fname,
dns_rdatatype_a, &mname)) {
- if (mname != NULL) {
- query_releasename(client, &fname);
- fname = mname;
- } else
- need_addname = ISC_TRUE;
+ if (mname != fname) {
+ if (mname != NULL) {
+ query_releasename(client, &fname);
+ fname = mname;
+ } else
+ need_addname = ISC_TRUE;
+ }
ISC_LIST_APPEND(fname->list, rdataset, link);
added_something = ISC_TRUE;
if (sigrdataset != NULL &&
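Review bot: The `if (mname != fname)` guard added before the A-record append has no comment, and the explanation that used to live in query_isduplicate (the "already in the message" comment) is deleted by this commit. Without it a reader cannot tell that the equal case means fname is already the name stored in the message, so it must be neither released nor flagged for adding again. I would add above the guard `/* mname == fname: fname is already in the message; keep it and leave need_addname unset. */`, and the same at the AAAA site and in query_addadditional2 further down. The identical release-or-add sequence now appears at three sites and could move into one static helper, which would keep this invariant in a single place. The enclosing block starts and ends outside the hunk.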
@@ -1450,11 +1446,13 @@ query_addadditional(void *arg, dns_name_t *name, dns_rdatatype_t qtype) {
#endif
if (!query_isduplicate(client, fname,
dns_rdatatype_aaaa, &mname)) {
- if (mname != NULL) {
- query_releasename(client, &fname);
- fname = mname;
- } else
- need_addname = ISC_TRUE;
+ if (mname != fname) {
+ if (mname != NULL) {
+ query_releasename(client, &fname);
+ fname = mname;
+ } else
+ need_addname = ISC_TRUE;
+ }
ISC_LIST_APPEND(fname->list, rdataset, link);
added_something = ISC_TRUE;
if (sigrdataset != NULL &&
@@ -1977,22 +1975,24 @@ query_addadditional2(void *arg, dns_name_t *name, dns_rdatatype_t qtype) {
crdataset->type == dns_rdatatype_aaaa) {
if (!query_isduplicate(client, fname, crdataset->type,
&mname)) {
- if (mname != NULL) {
- /*
- * A different type of this name is
- * already stored in the additional
- * section. We'll reuse the name.
- * Note that this should happen at most
- * once. Otherwise, fname->link could
- * leak below.
- */
- INSIST(mname0 == NULL);
-
- query_releasename(client, &fname);
- fname = mname;
- mname0 = mname;
- } else
- need_addname = ISC_TRUE;
+ if (mname != fname) {
+ if (mname != NULL) {
+ /*
+ * A different type of this name is
+ * already stored in the additional
+ * section. We'll reuse the name.
+ * Note that this should happen at most
+ * once. Otherwise, fname->link could
+ * leak below.
+ */
+ INSIST(mname0 == NULL);
+
+ query_releasename(client, &fname);
+ fname = mname;
+ mname0 = mname;
+ } else
+ need_addname = ISC_TRUE;
+ }
ISC_LIST_UNLINK(cfname.list, crdataset, link);
ISC_LIST_APPEND(fname->list, crdataset, link);
added_something = ISC_TRUE;
diff --git a/contrib/bind9/version b/contrib/bind9/version
index 9d821a2cabb2..b841ff875f59 100644
--- a/contrib/bind9/version
+++ b/contrib/bind9/version
@@ -7,4 +7,4 @@ MAJORVER=9
MINORVER=8
PATCHVER=3
RELEASETYPE=-P
-RELEASEVER=3
+RELEASEVER=4