authorDoug Barton <dougb@FreeBSD.org>2002-11-14 10:04:51 +0000
committerDoug Barton <dougb@FreeBSD.org>2002-11-14 10:04:51 +0000
commit4a43fe6c983881f9b953906cb4e8afaa41b49b86 (patch)
tree9a860e605e6e23f7f753bc0221760c67a42f4bf4 /contrib/bind/bin/named/ns_resp.c
parent9d6de8c046840d6f64dde4e18ec911cdd352a873 (diff)
Import security patches from ISC for BIND version 8.3.3
Notes
Notes: svn path=/vendor/bind/dist/; revision=106907
Diffstat (limited to 'contrib/bind/bin/named/ns_resp.c')
-rw-r--r--contrib/bind/bin/named/ns_resp.c16
1 files changed, 13 insertions, 3 deletions
diff --git a/contrib/bind/bin/named/ns_resp.c b/contrib/bind/bin/named/ns_resp.c
index 91a38694ef4a..c371fba842af 100644
--- a/contrib/bind/bin/named/ns_resp.c
+++ b/contrib/bind/bin/named/ns_resp.c
@@ -2001,7 +2001,7 @@ rrextract(u_char *msg, int msglen, u_char *rrp, struct databuf **dpp,
* to BOUNDS_CHECK() here.
*/
cp1 += (n = strlen((char *)cp1) + 1);
- n1 = sizeof(data) - n;
+ n1 = sizeof(data) - n - INT16SZ;
n = dn_expand(msg, eom, cp, (char *)cp1, n1);
if (n < 0) {
hp->rcode = FORMERR;
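Review bot: The space handed to dn_expand() is still worked out by hand, as `sizeof(data)` minus `n` minus a constant that must match whatever fixed-size field was stored in `data` before this name. The code that stores that field is outside the hunk, so the `INT16SZ` cannot be checked from here. Assuming `cp1` points into `data`, deriving the bound from the write pointer stays correct whatever precedes the name: `n1 = (int)((data + sizeof(data)) - cp1);`. If the subtraction is kept, add a short comment naming the two bytes it reserves, e.g. `/* data[] already holds a 16-bit field ahead of the first name */`, worded to match the enclosing case.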
@@ -2043,8 +2043,18 @@ rrextract(u_char *msg, int msglen, u_char *rrp, struct databuf **dpp,
ttl = origTTL;
}
+ /*
+ * Check that expire and signature times are internally
+ * consistant.
+ */
+ if (!SEQ_GT(exptime, signtime) && exptime != signtime) {
+ ns_debug(ns_log_default, 3,
+ "ignoring SIG: signature expires before it was signed");
+ return ((cp - rrp) + dlen);
+ }
+
/* Don't let bogus signers "sign" in the future. */
- if (signtime > now) {
+ if (SEQ_GT(signtime, now)) {
ns_debug(ns_log_default, 3,
"ignoring SIG: signature date %s is in the future",
p_secstodate (signtime));
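Review bot: The new consistency test `!SEQ_GT(exptime, signtime) && exptime != signtime` is not the same as the shorter `SEQ_GT(signtime, exptime)`, and the comment above it does not say why the longer form is used. If SEQ_GT is the usual wrap-around serial comparison (its definition is outside this hunk), two times exactly half the number space apart compare as "not greater" in both directions. The form written here rejects that pair, while the shorter one would accept it. I would record that in the comment, e.g. `/* written as !SEQ_GT so that an undefined serial comparison is rejected, not accepted */`, and fix the spelling "consistant" while there. The debug message also omits both values, unlike the two checks below it. Printing them as integers, `"ignoring SIG: expiration %lu precedes signing time %lu", (u_long)exptime, (u_long)signtime`, avoids calling p_secstodate() twice in one argument list, which would be unsafe if it returns a shared static buffer.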
@@ -2052,7 +2062,7 @@ rrextract(u_char *msg, int msglen, u_char *rrp, struct databuf **dpp,
}
/* Ignore received SIG RR's that are already expired. */
- if (exptime <= now) {
+ if (SEQ_GT(now, exptime)) {
ns_debug(ns_log_default, 3,
"ignoring SIG: expiration %s is in the past",
p_secstodate (exptime));
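Review bot: Replacing `exptime <= now` with `SEQ_GT(now, exptime)` moves the boundary: a SIG whose expiration equals `now` used to be ignored and is now accepted. Whatever the rest of rrextract() derives from the remaining lifetime (outside this hunk) will then see zero seconds left. If the old boundary was intended, `if (!SEQ_GT(exptime, now)) {` keeps it. Assuming SEQ_GT is the usual wrap-around comparison, that form also rejects the case where the two values are exactly half the number space apart.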