93 lines
3.1 KiB
Diff
93 lines
3.1 KiB
Diff
bind CVE-2012-1667
|
|
|
|
Upstream-Status: Backport
|
|
|
|
ISC BIND 9.x before 9.7.6-P1, 9.8.x before 9.8.3-P1, 9.9.x before 9.9.1-P1,
|
|
and 9.4-ESV and 9.6-ESV before 9.6-ESV-R7-P1 does not properly handle resource
|
|
records with a zero-length RDATA section, which allows remote DNS servers to
|
|
cause a denial of service (daemon crash or data corruption) or obtain
|
|
sensitive information from process memory via a crafted record.
|
|
|
|
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-1667
|
|
|
|
The cve patch comes from bind97-9.7.0-10.P2.el5_8.1.src.rpm package.
|
|
|
|
Signed-off-by: Li Wang <li.wang@windriver.com>
|
|
---
|
|
lib/dns/rdata.c | 8 ++++----
|
|
lib/dns/rdataslab.c | 11 ++++++++---
|
|
2 files changed, 12 insertions(+), 7 deletions(-)
|
|
|
|
diff --git a/lib/dns/rdata.c b/lib/dns/rdata.c
|
|
index 063b1f6..9337a80 100644
|
|
--- a/lib/dns/rdata.c
|
|
+++ b/lib/dns/rdata.c
|
|
@@ -325,8 +325,8 @@ dns_rdata_compare(const dns_rdata_t *rdata1, const dns_rdata_t *rdata2) {
|
|
|
|
REQUIRE(rdata1 != NULL);
|
|
REQUIRE(rdata2 != NULL);
|
|
- REQUIRE(rdata1->data != NULL);
|
|
- REQUIRE(rdata2->data != NULL);
|
|
+ REQUIRE(rdata1->length == 0 || rdata1->data != NULL);
|
|
+ REQUIRE(rdata2->length == 0 || rdata2->data != NULL);
|
|
REQUIRE(DNS_RDATA_VALIDFLAGS(rdata1));
|
|
REQUIRE(DNS_RDATA_VALIDFLAGS(rdata2));
|
|
|
|
@@ -356,8 +356,8 @@ dns_rdata_casecompare(const dns_rdata_t *rdata1, const dns_rdata_t *rdata2) {
|
|
|
|
REQUIRE(rdata1 != NULL);
|
|
REQUIRE(rdata2 != NULL);
|
|
- REQUIRE(rdata1->data != NULL);
|
|
- REQUIRE(rdata2->data != NULL);
|
|
+ REQUIRE(rdata1->length == 0 || rdata1->data != NULL);
|
|
+ REQUIRE(rdata2->length == 0 || rdata2->data != NULL);
|
|
REQUIRE(DNS_RDATA_VALIDFLAGS(rdata1));
|
|
REQUIRE(DNS_RDATA_VALIDFLAGS(rdata2));
|
|
|
|
diff --git a/lib/dns/rdataslab.c b/lib/dns/rdataslab.c
|
|
index a41f16f..ed13b30 100644
|
|
--- a/lib/dns/rdataslab.c
|
|
+++ b/lib/dns/rdataslab.c
|
|
@@ -125,6 +125,11 @@ isc_result_t
|
|
dns_rdataslab_fromrdataset(dns_rdataset_t *rdataset, isc_mem_t *mctx,
|
|
isc_region_t *region, unsigned int reservelen)
|
|
{
|
|
+ /*
|
|
+ * Use &removed as a sentinal pointer for duplicate
|
|
+ * rdata as rdata.data == NULL is valid.
|
|
+ */
|
|
+ static unsigned char removed;
|
|
struct xrdata *x;
|
|
unsigned char *rawbuf;
|
|
#if DNS_RDATASET_FIXED
|
|
@@ -168,6 +173,7 @@ dns_rdataslab_fromrdataset(dns_rdataset_t *rdataset, isc_mem_t *mctx,
|
|
INSIST(result == ISC_R_SUCCESS);
|
|
dns_rdata_init(&x[i].rdata);
|
|
dns_rdataset_current(rdataset, &x[i].rdata);
|
|
+ INSIST(x[i].rdata.data != &removed);
|
|
#if DNS_RDATASET_FIXED
|
|
x[i].order = i;
|
|
#endif
|
|
@@ -200,8 +206,7 @@ dns_rdataslab_fromrdataset(dns_rdataset_t *rdataset, isc_mem_t *mctx,
|
|
*/
|
|
for (i = 1; i < nalloc; i++) {
|
|
if (compare_rdata(&x[i-1].rdata, &x[i].rdata) == 0) {
|
|
- x[i-1].rdata.data = NULL;
|
|
- x[i-1].rdata.length = 0;
|
|
+ x[i-1].rdata.data = &removed;
|
|
#if DNS_RDATASET_FIXED
|
|
/*
|
|
* Preserve the least order so A, B, A -> A, B
|
|
@@ -291,7 +296,7 @@ dns_rdataslab_fromrdataset(dns_rdataset_t *rdataset, isc_mem_t *mctx,
|
|
#endif
|
|
|
|
for (i = 0; i < nalloc; i++) {
|
|
- if (x[i].rdata.data == NULL)
|
|
+ if (x[i].rdata.data == &removed)
|
|
continue;
|
|
#if DNS_RDATASET_FIXED
|
|
offsettable[x[i].order] = rawbuf - offsetbase;
|
|
--
|
|
1.7.0.5
|
|
|