authorDoug Barton <dougb@FreeBSD.org>2006-09-06 21:27:11 +0000
committerDoug Barton <dougb@FreeBSD.org>2006-09-06 21:27:11 +0000
commit42b74b2549a0891d22d649ac2404abee2d26ccda (patch)
tree5db15983213b4bacad5757be0dcf9cbc079fa554
parent16cf7c033ff9fab106249a894e5670bd0b4fbbe8 (diff)
Vendor import of BIND 9.3.2-P1, which addresses the following security
vulnerabilities: http://www.niscc.gov.uk/niscc/docs/re-20060905-00590.pdf?lang=en

2066. [security] Handle SIG queries gracefully. [RT #16300]
      http://www.kb.cert.org/vuls/id/697164

1941. [bug] ncache_adderesult() should set eresult even if no rdataset is passed to it. [RT #15642]

All users of BIND 9 are encouraged to upgrade to this version.
Notes: svn path=/vendor/bind9/dist/; revision=162079
-rw-r--r--contrib/bind9/CHANGES7
-rw-r--r--contrib/bind9/bin/named/query.c6
-rw-r--r--contrib/bind9/lib/dns/resolver.c51
-rw-r--r--contrib/bind9/version6
4 files changed, 42 insertions, 28 deletions
diff --git a/contrib/bind9/CHANGES b/contrib/bind9/CHANGES
index 941b946db36a..0cfafd20aba1 100644
--- a/contrib/bind9/CHANGES
+++ b/contrib/bind9/CHANGES
@@ -1,4 +1,11 @@
+ --- 9.3.2-P1 released ---
+
+2066. [security] Handle SIG queries gracefully. [RT #16300]
+
+1941. [bug] ncache_adderesult() should set eresult even if no
+ rdataset is passed to it. [RT #15642]
+
--- 9.3.2 released ---
--- 9.3.2rc1 released ---
diff --git a/contrib/bind9/bin/named/query.c b/contrib/bind9/bin/named/query.c
index 75102fd1369d..b20324b3fd61 100644
--- a/contrib/bind9/bin/named/query.c
+++ b/contrib/bind9/bin/named/query.c
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: query.c,v 1.198.2.13.4.36 2005/08/11 05:25:20 marka Exp $ */
+/* $Id: query.c,v 1.198.2.13.4.36.6.1 2006/08/17 07:12:31 marka Exp $ */
#include <config.h>
@@ -2393,7 +2393,7 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype)
is_zone = ISC_FALSE;
qtype = event->qtype;
- if (qtype == dns_rdatatype_rrsig)
+ if (qtype == dns_rdatatype_rrsig || qtype == dns_rdatatype_sig)
type = dns_rdatatype_any;
else
type = qtype;
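Review bot: The SIG-or-RRSIG predicate on the `+` line is the same expression that the second query_find hunk and the resolver.c hunks in fctx_sendevents, validated (twice) and cache_name (twice) each spell out by hand, so any further type that must be answered by iterating the node would have to be added in seven places, two of them in negated form. A single predicate, e.g. `#define ISSIGTYPE(t) ((t) == dns_rdatatype_rrsig || (t) == dns_rdatatype_sig)` in a header both files include, would let each site read `if (ISSIGTYPE(qtype))` and keep the negated forms in cache_name from drifting out of step. The comment above the second query_find hunk ("If it's a SIG query, we'll iterate the node.") now applies to both type values and could say "SIG or RRSIG". query_find starts and ends outside this hunk.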
@@ -2434,7 +2434,7 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype)
/*
* If it's a SIG query, we'll iterate the node.
*/
- if (qtype == dns_rdatatype_rrsig)
+ if (qtype == dns_rdatatype_rrsig || qtype == dns_rdatatype_sig)
type = dns_rdatatype_any;
else
type = qtype;
diff --git a/contrib/bind9/lib/dns/resolver.c b/contrib/bind9/lib/dns/resolver.c
index 6f803eb192f4..28779645a560 100644
--- a/contrib/bind9/lib/dns/resolver.c
+++ b/contrib/bind9/lib/dns/resolver.c
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: resolver.c,v 1.218.2.18.4.56 2005/10/14 01:38:48 marka Exp $ */
+/* $Id: resolver.c,v 1.218.2.18.4.56.4.1 2006/08/17 07:12:31 marka Exp $ */
#include <config.h>
@@ -762,7 +762,8 @@ fctx_sendevents(fetchctx_t *fctx, isc_result_t result) {
INSIST(result != ISC_R_SUCCESS ||
dns_rdataset_isassociated(event->rdataset) ||
fctx->type == dns_rdatatype_any ||
- fctx->type == dns_rdatatype_rrsig);
+ fctx->type == dns_rdatatype_rrsig ||
+ fctx->type == dns_rdatatype_sig);
isc_task_sendanddetach(&task, ISC_EVENT_PTR(&event));
}
@@ -3188,7 +3189,8 @@ validated(isc_task_t *task, isc_event_t *event) {
if (hevent != NULL) {
if (!negative && !chaining &&
(fctx->type == dns_rdatatype_any ||
- fctx->type == dns_rdatatype_rrsig)) {
+ fctx->type == dns_rdatatype_rrsig ||
+ fctx->type == dns_rdatatype_sig)) {
/*
* Don't bind rdatasets; the caller
* will iterate the node.
@@ -3306,7 +3308,8 @@ validated(isc_task_t *task, isc_event_t *event) {
if (!ISC_LIST_EMPTY(fctx->validators)) {
INSIST(!negative);
INSIST(fctx->type == dns_rdatatype_any ||
- fctx->type == dns_rdatatype_rrsig);
+ fctx->type == dns_rdatatype_rrsig ||
+ fctx->type == dns_rdatatype_sig);
/*
* Don't send a response yet - we have
* more rdatasets that still need to
@@ -3455,14 +3458,15 @@ cache_name(fetchctx_t *fctx, dns_name_t *name, dns_adbaddrinfo_t *addrinfo,
return (result);
anodep = &event->node;
/*
- * If this is an ANY or SIG query, we're not going
- * to return any rdatasets, unless we encountered
+ * If this is an ANY, SIG or RRSIG query, we're not
+ * going to return any rdatasets, unless we encountered
* a CNAME or DNAME as "the answer". In this case,
* we're going to return DNS_R_CNAME or DNS_R_DNAME
* and we must set up the rdatasets.
*/
if ((fctx->type != dns_rdatatype_any &&
- fctx->type != dns_rdatatype_rrsig) ||
+ fctx->type != dns_rdatatype_rrsig &&
+ fctx->type != dns_rdatatype_sig) ||
(name->attributes & DNS_NAMEATTR_CHAINING) != 0) {
ardataset = event->rdataset;
asigrdataset = event->sigrdataset;
@@ -3521,7 +3525,7 @@ cache_name(fetchctx_t *fctx, dns_name_t *name, dns_adbaddrinfo_t *addrinfo,
*/
if (secure_domain && rdataset->trust != dns_trust_glue) {
/*
- * SIGs are validated as part of validating the
+ * RRSIGs are validated as part of validating the
* type they cover.
*/
if (rdataset->type == dns_rdatatype_rrsig)
@@ -3591,7 +3595,8 @@ cache_name(fetchctx_t *fctx, dns_name_t *name, dns_adbaddrinfo_t *addrinfo,
if (ANSWER(rdataset) && need_validation) {
if (fctx->type != dns_rdatatype_any &&
- fctx->type != dns_rdatatype_rrsig) {
+ fctx->type != dns_rdatatype_rrsig &&
+ fctx->type != dns_rdatatype_sig) {
/*
* This is The Answer. We will
* validate it, but first we cache
@@ -3763,23 +3768,28 @@ ncache_adderesult(dns_message_t *message, dns_db_t *cache, dns_dbnode_t *node,
isc_result_t *eresultp)
{
isc_result_t result;
+ dns_rdataset_t rdataset;
+
+ if (ardataset == NULL) {
+ dns_rdataset_init(&rdataset);
+ ardataset = &rdataset;
+ }
result = dns_ncache_add(message, cache, node, covers, now,
maxttl, ardataset);
- if (result == DNS_R_UNCHANGED) {
+ if (result == DNS_R_UNCHANGED || result == ISC_R_SUCCESS) {
/*
- * The data in the cache are better than the negative cache
- * entry we're trying to add.
+ * If the cache now contains a negative entry and we
+ * care about whether it is DNS_R_NCACHENXDOMAIN or
+ * DNS_R_NCACHENXRRSET then extract it.
*/
- if (ardataset != NULL && ardataset->type == 0) {
+ if (ardataset->type == 0) {
/*
- * The cache data is also a negative cache
- * entry.
+ * The cache data is a negative cache entry.
*/
if (NXDOMAIN(ardataset))
*eresultp = DNS_R_NCACHENXDOMAIN;
else
*eresultp = DNS_R_NCACHENXRRSET;
- result = ISC_R_SUCCESS;
} else {
/*
* Either we don't care about the nature of the
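Review bot: The scratch `rdataset` that stands in for a NULL `ardataset` is not explained at the point of use, and the `dns_rdataset_disassociate` that releases it sits in the next hunk, so a reader of this hunk alone sees an rdataset handed to dns_ncache_add with no visible owner. A comment above the `if (ardataset == NULL)` block such as `/* Callers that pass no rdataset still need *eresultp derived from the cached entry, so borrow a local scratch rdataset and release it before returning. */` would make the contract explicit. Note also that `*eresultp` is still written only when dns_ncache_add returns ISC_R_SUCCESS or DNS_R_UNCHANGED; presumably callers check `result` before reading it, but the function's header comment, which is outside the hunk, would be the place to state that. ncache_adderesult's signature begins before this hunk and its body continues after it.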
@@ -3791,14 +3801,11 @@ ncache_adderesult(dns_message_t *message, dns_db_t *cache, dns_dbnode_t *node,
* XXXRTH There's a CNAME/DNAME problem here.
*/
*eresultp = ISC_R_SUCCESS;
- result = ISC_R_SUCCESS;
}
- } else if (result == ISC_R_SUCCESS) {
- if (NXDOMAIN(ardataset))
- *eresultp = DNS_R_NCACHENXDOMAIN;
- else
- *eresultp = DNS_R_NCACHENXRRSET;
+ result = ISC_R_SUCCESS;
}
+ if (ardataset == &rdataset && dns_rdataset_isassociated(ardataset))
+ dns_rdataset_disassociate(ardataset);
return (result);
}
diff --git a/contrib/bind9/version b/contrib/bind9/version
index 5c9032a3ed08..fe47241d0a83 100644
--- a/contrib/bind9/version
+++ b/contrib/bind9/version
@@ -1,4 +1,4 @@
-# $Id: version,v 1.26.2.17.2.21 2005/12/14 00:43:14 marka Exp $
+# $Id: version,v 1.26.2.17.2.21.4.1 2006/08/17 07:12:31 marka Exp $
#
# This file must follow /bin/sh rules. It is imported directly via
# configure.
@@ -6,5 +6,5 @@
MAJORVER=9
MINORVER=3
PATCHVER=2
-RELEASETYPE=
-RELEASEVER=
+RELEASETYPE=-P
+RELEASEVER=1