Diffstat (limited to 'meta/recipes-connectivity/bind/bind-9.8.1/bind-9.8.1-CVE-2012-5166.patch')
-rw-r--r-- | meta/recipes-connectivity/bind/bind-9.8.1/bind-9.8.1-CVE-2012-5166.patch | 119 |
1 files changed, 119 insertions, 0 deletions
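--- /dev/null
+++ b/meta/recipes-connectivity/bind/bind-9.8.1/bind-9.8.1-CVE-2012-5166.patch
@@ -0,0 +1,119 @@
+bind_Fix_for_CVE-2012-5166
+
+Upstream-Status: Backport
+
+Reference:http://launchpadlibrarian.net/119212498/bind9_1%3A9.7.3.dfsOBg
+-1ubuntu2.6_1%3A9.7.3.dfsg-1ubuntu2.7.diff.gz
+
+ISC BIND 9.x before 9.7.6-P4, 9.8.x before 9.8.3-P4, 9.9.x before
+9.9.1-P4, and 9.4-ESV and 9.6-ESV before 9.6-ESV-R7-P4 allows
+remote attackers to cause a denial of service (named daemon hang)
+via unspecified combinations of resource records.
+
+http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-5166
+
+Signed-off-by: yanjun.zhu <yanjun.zhu@windriver.com>
+diff -urpN a/bin/named/query.c b/bin/named/query.c
+--- a/bin/named/query.c 2012-10-22 13:24:27.000000000 +0800
++++ b/bin/named/query.c 2012-10-22 13:17:04.000000000 +0800
+@@ -1137,13 +1137,6 @@ query_isduplicate(ns_client_t *client, d
+mname = NULL;
+}
+
+- /*
+- * If the dns_name_t we're looking up is already in the message,
+- * we don't want to trigger the caller's name replacement logic.
+- */
+- if (name == mname)
+- mname = NULL;
+-
+*mnamep = mname;
+
+CTRACE("query_isduplicate: false: done");
+@@ -1341,6 +1334,7 @@ query_addadditional(void *arg, dns_name_
+if (dns_rdataset_isassociated(rdataset) &&
+!query_isduplicate(client, fname, type, &mname)) {
+if (mname != NULL) {
++ INSIST(mname != fname);
+query_releasename(client, &fname);
+fname = mname;
+} else
+@@ -1401,11 +1395,13 @@ query_addadditional(void *arg, dns_name_
+mname = NULL;
+if (!query_isduplicate(client, fname,
+dns_rdatatype_a, &mname)) {
+- if (mname != NULL) {
+- query_releasename(client, &fname);
+- fname = mname;
+- } else
+- need_addname = ISC_TRUE;
++ if (mname != fname) {
++ if (mname != NULL) {
++ query_releasename(client, &fname);
++ fname = mname;
++ } else
++ need_addname = ISC_TRUE;
++ }
+ISC_LIST_APPEND(fname->list, rdataset, link);
+added_something = ISC_TRUE;
+if (sigrdataset != NULL &&
+@@ -1444,11 +1440,13 @@ query_addadditional(void *arg, dns_name_
+mname = NULL;
+if (!query_isduplicate(client, fname,
+dns_rdatatype_aaaa, &mname)) {
+- if (mname != NULL) {
+- query_releasename(client, &fname);
+- fname = mname;
+- } else
+- need_addname = ISC_TRUE;
++ if (mname != fname) {
++ if (mname != NULL) {
++ query_releasename(client, &fname);
++ fname = mname;
++ } else
++ need_addname = ISC_TRUE;
++ }
+ISC_LIST_APPEND(fname->list, rdataset, link);
+added_something = ISC_TRUE;
+if (sigrdataset != NULL &&
+@@ -1960,22 +1958,24 @@ query_addadditional2(void *arg, dns_name
+crdataset->type == dns_rdatatype_aaaa) {
+if (!query_isduplicate(client, fname, crdataset->type,
+&mname)) {
+- if (mname != NULL) {
+- /*
+- * A different type of this name is
+- * already stored in the additional
+- * section. We'll reuse the name.
+- * Note that this should happen at most
+- * once. Otherwise, fname->link could
+- * leak below.
+- */
+- INSIST(mname0 == NULL);
+-
+- query_releasename(client, &fname);
+- fname = mname;
+- mname0 = mname;
+- } else
+- need_addname = ISC_TRUE;
++ if (mname != fname) {
++ if (mname != NULL) {
++ /*
++ * A different type of this name is
++ * already stored in the additional
++ * section. We'll reuse the name.
++ * Note that this should happen at most
++ * once. Otherwise, fname->link could
++ * leak below.
++ */
++ INSIST(mname0 == NULL);
++
++ query_releasename(client, &fname);
++ fname = mname;
++ mname0 = mname;
++ } else
++ need_addname = ISC_TRUE;
++ }
+ISC_LIST_UNLINK(cfname.list, crdataset, link);
+ISC_LIST_APPEND(fname->list, crdataset, link);
+added_something = ISC_TRUE;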
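Review bot: The `INSIST(mname != fname);` added at the first query_isduplicate call in query_addadditional (inner hunk at -1341) carries no comment and treats the condition differently from the other three call sites, which tolerate the same case with `if (mname != fname) {`. Because this patch removes the `if (name == mname) mname = NULL;` normalisation from query_isduplicate, every caller now has to cope with getting its own name back, and a violated INSIST on the query path would presumably abort named rather than skip the replacement. If the invariant really holds at that site, a short comment saying why would make the difference auditable, for example `/* fname is not yet linked into the message here, so a match is always a different dns_name_t */`; this needs confirming against the full function, which starts and ends outside the hunk. The patch header could also say that the referenced Ubuntu diff targets 9.7.3 while this recipe is 9.8.1. The Reference URL is split across two lines and reads `dfsOBg` in the first half but `dfsg` in the second, so it is worth checking that it still resolves.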