bind: CVE-2016-2088

Duplicate EDNS COOKIE options in a response could trigger an assertion failure: Fix with a backport. bind as built with the oe-core recipe is not at risk: Only servers which are built with DNS cookie support (--enable-sit) are vulnerable to denial of service. Fixes [YOCTO #9438] (From OE-Core rev: da38a9840b32e80464e2938395db5c9167729f7e) Signed-off-by: Jussi Kukkonen <jussi.kukkonen@intel.com> Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: Jussi Kukkonen <jussi.kukkonen@intel.com> 2016-04-15 15:03:17 +0300
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2016-04-18 16:28:22 +0100
commit: 74ab080d3475cfbf4ad0f6e747601c71709f2e44 (patch)
tree: c33acd22aec37ec41be50f18e07c6584aaa7dc6e /meta/recipes-connectivity
parent: d488d78db0b60433b54e0aec45624970309567b6 (diff)
download: poky-74ab080d3475cfbf4ad0f6e747601c71709f2e44.tar.gz
2 files changed, 248 insertions, 0 deletions
diff --git a/meta/recipes-connectivity/bind/bind/CVE-2016-2088.patch b/meta/recipes-connectivity/bind/bind/CVE-2016-2088.patch
new file mode 100644
index 0000000000..1b84d46b78
--- /dev/null
+++ b/meta/recipes-connectivity/bind/bind/CVE-2016-2088.patch
@@ -0,0 +1,247 @@
+CVE-2016-2088
+Backport commit d7ff9a1c41bf0ba9773cb3adb08b48b9fd57c956 from the
+v9_10_3_patch branch.
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2088
+https://kb.isc.org/article/AA-01351
+CVE: CVE-2016-2088
+Upstream-Status: Backport
+Signed-off-by: Jussi Kukkonen <jussi.kukkonen@intel.com>
+Original commit message from Mark Andrews <marka@isc.org> below:
+4322.   [security]      Duplicate EDNS COOKIE options in a response could
+                        trigger an assertion failure. (CVE-2016-2088)
+                        [RT #41809]
+(cherry picked from commit 455c0848f80a8acda27aad1466c72987cafaa029)
+(cherry picked from commit 7cd300abd6ee8b8ee8730593daf742ba53f90bc3)
+---
+ CHANGES            |  4 ++++
+ bin/dig/dighost.c  |  9 +++++++++
+ bin/named/client.c | 33 +++++++++++++++++++++++----------
+ doc/arm/notes.xml  |  7 +++++++
+ lib/dns/resolver.c | 14 +++++++++++++-
+ 5 files changed, 56 insertions(+), 11 deletions(-)
+diff --git a/CHANGES b/CHANGES
+index c5b5d2b..d2e3360 100644
+--- a/CHANGES
+++ b/CHANGES
+@@ -1,3 +1,7 @@
+4322.  [security]      Duplicate EDNS COOKIE options in a response could
+                       trigger an assertion failure. (CVE-2016-2088)
+                       [RT #41809]
+
+ 4319.  [security]      Fix resolver assertion failure due to improper
+                        DNAME handling when parsing fetch reply messages.
+                        (CVE-2016-1286) [RT #41753]
+diff --git a/bin/dig/dighost.c b/bin/dig/dighost.c
+index ca82f8e..340904f 100644
+--- a/bin/dig/dighost.c
+++ b/bin/dig/dighost.c
+@@ -3458,6 +3458,7 @@ process_opt(dig_lookup_t *l, dns_message_t *msg) {
+        isc_buffer_t optbuf;
+        isc_uint16_t optcode, optlen;
+        dns_rdataset_t *opt = msg->opt;
+       isc_boolean_t seen_cookie = ISC_FALSE;
+ 
+        result = dns_rdataset_first(opt);
+        if (result == ISC_R_SUCCESS) {
+@@ -3470,7 +3471,15 @@ process_opt(dig_lookup_t *l, dns_message_t *msg) {
+                        optlen = isc_buffer_getuint16(&optbuf);
+                        switch (optcode) {
+                        case DNS_OPT_COOKIE:
+                               /*
+                                * Only process the first cookie option.
+                                */
+                               if (seen_cookie) {
+                                       isc_buffer_forward(&optbuf, optlen);
+                                       break;
+                               }
+                                process_sit(l, msg, &optbuf, optlen);
+                               seen_cookie = ISC_TRUE;
+                                break;
+                        default:
+                                isc_buffer_forward(&optbuf, optlen);
+diff --git a/bin/named/client.c b/bin/named/client.c
+index 683305c..0d7331a 100644
+--- a/bin/named/client.c
+++ b/bin/named/client.c
+@@ -120,7 +120,10 @@
+  */
+ #endif
+ 
+-#define SIT_SIZE 24U /* 8 + 4 + 4 + 8 */
+#define COOKIE_SIZE 24U /* 8 + 4 + 4 + 8 */
+
+#define WANTNSID(x) (((x)->attributes & NS_CLIENTATTR_WANTNSID) != 0)
+#define WANTEXPIRE(x) (((x)->attributes & NS_CLIENTATTR_WANTEXPIRE) != 0)
+ 
+ /*% nameserver client manager structure */
+ struct ns_clientmgr {
+@@ -1395,7 +1398,7 @@ ns_client_addopt(ns_client_t *client, dns_message_t *message,
+ {
+        char nsid[BUFSIZ], *nsidp;
+ #ifdef ISC_PLATFORM_USESIT
+-       unsigned char sit[SIT_SIZE];
+       unsigned char sit[COOKIE_SIZE];
+ #endif
+        isc_result_t result;
+        dns_view_t *view;
+@@ -1420,7 +1423,7 @@ ns_client_addopt(ns_client_t *client, dns_message_t *message,
+        flags = client->extflags & DNS_MESSAGEEXTFLAG_REPLYPRESERVE;
+ 
+        /* Set EDNS options if applicable */
+-       if ((client->attributes & NS_CLIENTATTR_WANTNSID) != 0 &&
+       if (WANTNSID(client) &&
+            (ns_g_server->server_id != NULL ||
+             ns_g_server->server_usehostname)) {
+                if (ns_g_server->server_usehostname) {
+@@ -1453,7 +1456,7 @@ ns_client_addopt(ns_client_t *client, dns_message_t *message,
+ 
+                INSIST(count < DNS_EDNSOPTIONS);
+                ednsopts[count].code = DNS_OPT_COOKIE;
+-               ednsopts[count].length = SIT_SIZE;
+               ednsopts[count].length = COOKIE_SIZE;
+                ednsopts[count].value = sit;
+                count++;
+        }
+@@ -1661,19 +1664,26 @@ compute_sit(ns_client_t *client, isc_uint32_t when, isc_uint32_t nonce,
+ 
+ static void
+ process_sit(ns_client_t *client, isc_buffer_t *buf, size_t optlen) {
+-       unsigned char dbuf[SIT_SIZE];
+       unsigned char dbuf[COOKIE_SIZE];
+        unsigned char *old;
+        isc_stdtime_t now;
+        isc_uint32_t when;
+        isc_uint32_t nonce;
+        isc_buffer_t db;
+ 
+       /*
+        * If we have already seen a ECS option skip this ECS option.
+        */
+       if ((client->attributes & NS_CLIENTATTR_WANTSIT) != 0) {
+               isc_buffer_forward(buf, optlen);
+               return;
+       }
+        client->attributes |= NS_CLIENTATTR_WANTSIT;
+ 
+        isc_stats_increment(ns_g_server->nsstats,
+                            dns_nsstatscounter_sitopt);
+ 
+-       if (optlen != SIT_SIZE) {
+       if (optlen != COOKIE_SIZE) {
+                /*
+                 * Not our token.
+                 */
+@@ -1717,14 +1727,13 @@ process_sit(ns_client_t *client, isc_buffer_t *buf, size_t optlen) {
+        isc_buffer_init(&db, dbuf, sizeof(dbuf));
+        compute_sit(client, when, nonce, &db);
+ 
+-       if (!isc_safe_memequal(old, dbuf, SIT_SIZE)) {
+       if (!isc_safe_memequal(old, dbuf, COOKIE_SIZE)) {
+                isc_stats_increment(ns_g_server->nsstats,
+                                    dns_nsstatscounter_sitnomatch);
+                return;
+        }
+        isc_stats_increment(ns_g_server->nsstats,
+                            dns_nsstatscounter_sitmatch);
+-
+        client->attributes |= NS_CLIENTATTR_HAVESIT;
+ }
+ #endif
+@@ -1783,7 +1792,9 @@ process_opt(ns_client_t *client, dns_rdataset_t *opt) {
+                        optlen = isc_buffer_getuint16(&optbuf);
+                        switch (optcode) {
+                        case DNS_OPT_NSID:
+-                               isc_stats_increment(ns_g_server->nsstats,
+                               if (!WANTNSID(client))
+                                       isc_stats_increment(
+                                                   ns_g_server->nsstats,
+                                                    dns_nsstatscounter_nsidopt);
+                                client->attributes |= NS_CLIENTATTR_WANTNSID;
+                                isc_buffer_forward(&optbuf, optlen);
+@@ -1794,7 +1805,9 @@ process_opt(ns_client_t *client, dns_rdataset_t *opt) {
+                                break;
+ #endif
+                        case DNS_OPT_EXPIRE:
+-                               isc_stats_increment(ns_g_server->nsstats,
+                               if (!WANTEXPIRE(client))
+                                       isc_stats_increment(
+                                                 ns_g_server->nsstats,
+                                                  dns_nsstatscounter_expireopt);
+                                client->attributes |= NS_CLIENTATTR_WANTEXPIRE;
+                                isc_buffer_forward(&optbuf, optlen);
+diff --git a/doc/arm/notes.xml b/doc/arm/notes.xml
+index ebf4f55..095eb5b 100644
+--- a/doc/arm/notes.xml
+++ b/doc/arm/notes.xml
+@@ -51,6 +51,13 @@
+     <title>Security Fixes</title>
+     <itemizedlist>
+       <listitem>
+       <para>
+         Duplicate EDNS COOKIE options in a response could trigger
+         an assertion failure. This flaw is disclosed in CVE-2016-2088.
+         [RT #41809]
+       </para>
+      </listitem>
+      <listitem>
+        <para>
+          Specific APL data could trigger an INSIST.  This flaw
+          was discovered by Brian Mitchell and is disclosed in
+diff --git a/lib/dns/resolver.c b/lib/dns/resolver.c
+index a797e3f..ba1ae23 100644
+--- a/lib/dns/resolver.c
+++ b/lib/dns/resolver.c
+@@ -7502,7 +7502,9 @@ process_opt(resquery_t *query, dns_rdataset_t *opt) {
+        unsigned char *sit;
+        dns_adbaddrinfo_t *addrinfo;
+        unsigned char cookie[8];
+       isc_boolean_t seen_cookie = ISC_FALSE;
+ #endif
+       isc_boolean_t seen_nsid = ISC_FALSE;
+ 
+        result = dns_rdataset_first(opt);
+        if (result == ISC_R_SUCCESS) {
+@@ -7516,14 +7518,23 @@ process_opt(resquery_t *query, dns_rdataset_t *opt) {
+                        INSIST(optlen <= isc_buffer_remaininglength(&optbuf));
+                        switch (optcode) {
+                        case DNS_OPT_NSID:
+-                               if (query->options & DNS_FETCHOPT_WANTNSID)
+                               if (!seen_nsid &&
+                                   query->options & DNS_FETCHOPT_WANTNSID)
+                                        log_nsid(&optbuf, optlen, query,
+                                                 ISC_LOG_DEBUG(3),
+                                                 query->fctx->res->mctx);
+                                isc_buffer_forward(&optbuf, optlen);
+                               seen_nsid = ISC_TRUE;
+                                break;
+ #ifdef ISC_PLATFORM_USESIT
+                        case DNS_OPT_COOKIE:
+                               /*
+                                * Only process the first cookie option.
+                                */
+                               if (seen_cookie) {
+                                       isc_buffer_forward(&optbuf, optlen);
+                                       break;
+                               }
+                                sit = isc_buffer_current(&optbuf);
+                                compute_cc(query, cookie, sizeof(cookie));
+                                INSIST(query->fctx->rmessage->sitbad == 0 &&
+@@ -7541,6 +7552,7 @@ process_opt(resquery_t *query, dns_rdataset_t *opt) {
+                                isc_buffer_forward(&optbuf, optlen);
+                                inc_stats(query->fctx->res,
+                                          dns_resstatscounter_sitin);
+                               seen_cookie = ISC_TRUE;
+                                break;
+ #endif
+                        default:
+-- 
+2.1.4
diff --git a/meta/recipes-connectivity/bind/bind_9.10.3-P3.bb b/meta/recipes-connectivity/bind/bind_9.10.3-P3.bb
index 3ad14b235f..1e3a20f9a3 100644
--- a/meta/recipes-connectivity/bind/bind_9.10.3-P3.bb
+++ b/meta/recipes-connectivity/bind/bind_9.10.3-P3.bb
@@ -24,6 +24,7 @@ SRC_URI = "ftp://ftp.isc.org/isc/bind9/${PV}/${BPN}-${PV}.tar.gz \
           file://CVE-2016-1285.patch \
           file://CVE-2016-1286_1.patch \
           file://CVE-2016-1286_2.patch \
+           file://CVE-2016-2088.patch \
           "
 SRC_URI[md5sum] = "bcf7e772b616f7259420a3edc5df350a"
author	Jussi Kukkonen <jussi.kukkonen@intel.com>	2016-04-15 15:03:17 +0300
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2016-04-18 16:28:22 +0100
commit	74ab080d3475cfbf4ad0f6e747601c71709f2e44 (patch)
tree	c33acd22aec37ec41be50f18e07c6584aaa7dc6e /meta/recipes-connectivity
parent	d488d78db0b60433b54e0aec45624970309567b6 (diff)
download	poky-74ab080d3475cfbf4ad0f6e747601c71709f2e44.tar.gz

diff --git a/meta/recipes-connectivity/bind/bind/CVE-2016-2088.patch b/meta/recipes-connectivity/bind/bind/CVE-2016-2088.patch new file mode 100644 index 0000000000..1b84d46b78 --- /dev/null +++ b/meta/recipes-connectivity/bind/bind/CVE-2016-2088.patch
@@ -0,0 +1,247 @@
		1	CVE-2016-2088
		2
		3	Backport commit d7ff9a1c41bf0ba9773cb3adb08b48b9fd57c956 from the
		4	v9_10_3_patch branch.
		5
		6	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2088
		7	https://kb.isc.org/article/AA-01351
		8
		9	CVE: CVE-2016-2088
		10	Upstream-Status: Backport
		11	Signed-off-by: Jussi Kukkonen <jussi.kukkonen@intel.com>
		12
		13
		14	Original commit message from Mark Andrews <marka@isc.org> below:
		15
		16	4322. [security] Duplicate EDNS COOKIE options in a response could
		17	trigger an assertion failure. (CVE-2016-2088)
		18	[RT #41809]
		19
		20	(cherry picked from commit 455c0848f80a8acda27aad1466c72987cafaa029)
		21	(cherry picked from commit 7cd300abd6ee8b8ee8730593daf742ba53f90bc3)
		22	---
		23	CHANGES \| 4 ++++
		24	bin/dig/dighost.c \| 9 +++++++++
		25	bin/named/client.c \| 33 +++++++++++++++++++++++----------
		26	doc/arm/notes.xml \| 7 +++++++
		27	lib/dns/resolver.c \| 14 +++++++++++++-
		28	5 files changed, 56 insertions(+), 11 deletions(-)
		29
		30	diff --git a/CHANGES b/CHANGES
		31	index c5b5d2b..d2e3360 100644
		32	--- a/CHANGES
		33	+++ b/CHANGES
		34	@@ -1,3 +1,7 @@
		35	+4322. [security] Duplicate EDNS COOKIE options in a response could
		36	+ trigger an assertion failure. (CVE-2016-2088)
		37	+ [RT #41809]
		38	+
		39	4319. [security] Fix resolver assertion failure due to improper
		40	DNAME handling when parsing fetch reply messages.
		41	(CVE-2016-1286) [RT #41753]
		42	diff --git a/bin/dig/dighost.c b/bin/dig/dighost.c
		43	index ca82f8e..340904f 100644
		44	--- a/bin/dig/dighost.c
		45	+++ b/bin/dig/dighost.c
		46	@@ -3458,6 +3458,7 @@ process_opt(dig_lookup_t l, dns_message_t msg) {
		47	isc_buffer_t optbuf;
		48	isc_uint16_t optcode, optlen;
		49	dns_rdataset_t *opt = msg->opt;
		50	+ isc_boolean_t seen_cookie = ISC_FALSE;
		51
		52	result = dns_rdataset_first(opt);
		53	if (result == ISC_R_SUCCESS) {
		54	@@ -3470,7 +3471,15 @@ process_opt(dig_lookup_t l, dns_message_t msg) {
		55	optlen = isc_buffer_getuint16(&optbuf);
		56	switch (optcode) {
		57	case DNS_OPT_COOKIE:
		58	+ /*
		59	+ * Only process the first cookie option.
		60	+ */
		61	+ if (seen_cookie) {
		62	+ isc_buffer_forward(&optbuf, optlen);
		63	+ break;
		64	+ }
		65	process_sit(l, msg, &optbuf, optlen);
		66	+ seen_cookie = ISC_TRUE;
		67	break;
		68	default:
		69	isc_buffer_forward(&optbuf, optlen);
		70	diff --git a/bin/named/client.c b/bin/named/client.c
		71	index 683305c..0d7331a 100644
		72	--- a/bin/named/client.c
		73	+++ b/bin/named/client.c
		74	@@ -120,7 +120,10 @@
		75	*/
		76	#endif
		77
		78	-#define SIT_SIZE 24U /* 8 + 4 + 4 + 8 */
		79	+#define COOKIE_SIZE 24U /* 8 + 4 + 4 + 8 */
		80	+
		81	+#define WANTNSID(x) (((x)->attributes & NS_CLIENTATTR_WANTNSID) != 0)
		82	+#define WANTEXPIRE(x) (((x)->attributes & NS_CLIENTATTR_WANTEXPIRE) != 0)
		83
		84	/% nameserver client manager structure /
		85	struct ns_clientmgr {
		86	@@ -1395,7 +1398,7 @@ ns_client_addopt(ns_client_t client, dns_message_t message,
		87	{
		88	char nsid[BUFSIZ], *nsidp;
		89	#ifdef ISC_PLATFORM_USESIT
		90	- unsigned char sit[SIT_SIZE];
		91	+ unsigned char sit[COOKIE_SIZE];
		92	#endif
		93	isc_result_t result;
		94	dns_view_t *view;
		95	@@ -1420,7 +1423,7 @@ ns_client_addopt(ns_client_t client, dns_message_t message,
		96	flags = client->extflags & DNS_MESSAGEEXTFLAG_REPLYPRESERVE;
		97
		98	/* Set EDNS options if applicable */
		99	- if ((client->attributes & NS_CLIENTATTR_WANTNSID) != 0 &&
		100	+ if (WANTNSID(client) &&
		101	(ns_g_server->server_id != NULL \|\|
		102	ns_g_server->server_usehostname)) {
		103	if (ns_g_server->server_usehostname) {
		104	@@ -1453,7 +1456,7 @@ ns_client_addopt(ns_client_t client, dns_message_t message,
		105
		106	INSIST(count < DNS_EDNSOPTIONS);
		107	ednsopts[count].code = DNS_OPT_COOKIE;
		108	- ednsopts[count].length = SIT_SIZE;
		109	+ ednsopts[count].length = COOKIE_SIZE;
		110	ednsopts[count].value = sit;
		111	count++;
		112	}
		113	@@ -1661,19 +1664,26 @@ compute_sit(ns_client_t *client, isc_uint32_t when, isc_uint32_t nonce,
		114
		115	static void
		116	process_sit(ns_client_t client, isc_buffer_t buf, size_t optlen) {
		117	- unsigned char dbuf[SIT_SIZE];
		118	+ unsigned char dbuf[COOKIE_SIZE];
		119	unsigned char *old;
		120	isc_stdtime_t now;
		121	isc_uint32_t when;
		122	isc_uint32_t nonce;
		123	isc_buffer_t db;
		124
		125	+ /*
		126	+ * If we have already seen a ECS option skip this ECS option.
		127	+ */
		128	+ if ((client->attributes & NS_CLIENTATTR_WANTSIT) != 0) {
		129	+ isc_buffer_forward(buf, optlen);
		130	+ return;
		131	+ }
		132	client->attributes \|= NS_CLIENTATTR_WANTSIT;
		133
		134	isc_stats_increment(ns_g_server->nsstats,
		135	dns_nsstatscounter_sitopt);
		136
		137	- if (optlen != SIT_SIZE) {
		138	+ if (optlen != COOKIE_SIZE) {
		139	/*
		140	* Not our token.
		141	*/
		142	@@ -1717,14 +1727,13 @@ process_sit(ns_client_t client, isc_buffer_t buf, size_t optlen) {
		143	isc_buffer_init(&db, dbuf, sizeof(dbuf));
		144	compute_sit(client, when, nonce, &db);
		145
		146	- if (!isc_safe_memequal(old, dbuf, SIT_SIZE)) {
		147	+ if (!isc_safe_memequal(old, dbuf, COOKIE_SIZE)) {
		148	isc_stats_increment(ns_g_server->nsstats,
		149	dns_nsstatscounter_sitnomatch);
		150	return;
		151	}
		152	isc_stats_increment(ns_g_server->nsstats,
		153	dns_nsstatscounter_sitmatch);
		154	-
		155	client->attributes \|= NS_CLIENTATTR_HAVESIT;
		156	}
		157	#endif
		158	@@ -1783,7 +1792,9 @@ process_opt(ns_client_t client, dns_rdataset_t opt) {
		159	optlen = isc_buffer_getuint16(&optbuf);
		160	switch (optcode) {
		161	case DNS_OPT_NSID:
		162	- isc_stats_increment(ns_g_server->nsstats,
		163	+ if (!WANTNSID(client))
		164	+ isc_stats_increment(
		165	+ ns_g_server->nsstats,
		166	dns_nsstatscounter_nsidopt);
		167	client->attributes \|= NS_CLIENTATTR_WANTNSID;
		168	isc_buffer_forward(&optbuf, optlen);
		169	@@ -1794,7 +1805,9 @@ process_opt(ns_client_t client, dns_rdataset_t opt) {
		170	break;
		171	#endif
		172	case DNS_OPT_EXPIRE:
		173	- isc_stats_increment(ns_g_server->nsstats,
		174	+ if (!WANTEXPIRE(client))
		175	+ isc_stats_increment(
		176	+ ns_g_server->nsstats,
		177	dns_nsstatscounter_expireopt);
		178	client->attributes \|= NS_CLIENTATTR_WANTEXPIRE;
		179	isc_buffer_forward(&optbuf, optlen);
		180	diff --git a/doc/arm/notes.xml b/doc/arm/notes.xml
		181	index ebf4f55..095eb5b 100644
		182	--- a/doc/arm/notes.xml
		183	+++ b/doc/arm/notes.xml
		184	@@ -51,6 +51,13 @@
		185	<title>Security Fixes</title>
		186	<itemizedlist>
		187	<listitem>
		188	+ <para>
		189	+ Duplicate EDNS COOKIE options in a response could trigger
		190	+ an assertion failure. This flaw is disclosed in CVE-2016-2088.
		191	+ [RT #41809]
		192	+ </para>
		193	+ </listitem>
		194	+ <listitem>
		195	<para>
		196	Specific APL data could trigger an INSIST. This flaw
		197	was discovered by Brian Mitchell and is disclosed in
		198	diff --git a/lib/dns/resolver.c b/lib/dns/resolver.c
		199	index a797e3f..ba1ae23 100644
		200	--- a/lib/dns/resolver.c
		201	+++ b/lib/dns/resolver.c
		202	@@ -7502,7 +7502,9 @@ process_opt(resquery_t query, dns_rdataset_t opt) {
		203	unsigned char *sit;
		204	dns_adbaddrinfo_t *addrinfo;
		205	unsigned char cookie[8];
		206	+ isc_boolean_t seen_cookie = ISC_FALSE;
		207	#endif
		208	+ isc_boolean_t seen_nsid = ISC_FALSE;
		209
		210	result = dns_rdataset_first(opt);
		211	if (result == ISC_R_SUCCESS) {
		212	@@ -7516,14 +7518,23 @@ process_opt(resquery_t query, dns_rdataset_t opt) {
		213	INSIST(optlen <= isc_buffer_remaininglength(&optbuf));
		214	switch (optcode) {
		215	case DNS_OPT_NSID:
		216	- if (query->options & DNS_FETCHOPT_WANTNSID)
		217	+ if (!seen_nsid &&
		218	+ query->options & DNS_FETCHOPT_WANTNSID)
		219	log_nsid(&optbuf, optlen, query,
		220	ISC_LOG_DEBUG(3),
		221	query->fctx->res->mctx);
		222	isc_buffer_forward(&optbuf, optlen);
		223	+ seen_nsid = ISC_TRUE;
		224	break;
		225	#ifdef ISC_PLATFORM_USESIT
		226	case DNS_OPT_COOKIE:
		227	+ /*
		228	+ * Only process the first cookie option.
		229	+ */
		230	+ if (seen_cookie) {
		231	+ isc_buffer_forward(&optbuf, optlen);
		232	+ break;
		233	+ }
		234	sit = isc_buffer_current(&optbuf);
		235	compute_cc(query, cookie, sizeof(cookie));
		236	INSIST(query->fctx->rmessage->sitbad == 0 &&
		237	@@ -7541,6 +7552,7 @@ process_opt(resquery_t query, dns_rdataset_t opt) {
		238	isc_buffer_forward(&optbuf, optlen);
		239	inc_stats(query->fctx->res,
		240	dns_resstatscounter_sitin);
		241	+ seen_cookie = ISC_TRUE;
		242	break;
		243	#endif
		244	default:
		245	--
		246	2.1.4
		247


diff --git a/meta/recipes-connectivity/bind/bind_9.10.3-P3.bb b/meta/recipes-connectivity/bind/bind_9.10.3-P3.bb index 3ad14b235f..1e3a20f9a3 100644 --- a/meta/recipes-connectivity/bind/bind_9.10.3-P3.bb +++ b/meta/recipes-connectivity/bind/bind_9.10.3-P3.bb
@@ -24,6 +24,7 @@ SRC_URI = "ftp://ftp.isc.org/isc/bind9/${PV}/${BPN}-${PV}.tar.gz \
24	file://CVE-2016-1285.patch \	24	file://CVE-2016-1285.patch \
25	file://CVE-2016-1286_1.patch \	25	file://CVE-2016-1286_1.patch \
26	file://CVE-2016-1286_2.patch \	26	file://CVE-2016-1286_2.patch \
		27	file://CVE-2016-2088.patch \
27	"	28	"
28		29
29	SRC_URI[md5sum] = "bcf7e772b616f7259420a3edc5df350a"	30	SRC_URI[md5sum] = "bcf7e772b616f7259420a3edc5df350a"