diff options
Diffstat (limited to 'meta/recipes-connectivity/bind/bind-9.8.1/bind-Fix-CVE-2012-4244.patch')
-rw-r--r-- | meta/recipes-connectivity/bind/bind-9.8.1/bind-Fix-CVE-2012-4244.patch | 141 |
1 files changed, 141 insertions, 0 deletions
diff --git a/meta/recipes-connectivity/bind/bind-9.8.1/bind-Fix-CVE-2012-4244.patch b/meta/recipes-connectivity/bind/bind-9.8.1/bind-Fix-CVE-2012-4244.patch new file mode 100644 index 0000000000..5dd6f69e45 --- /dev/null +++ b/meta/recipes-connectivity/bind/bind-9.8.1/bind-Fix-CVE-2012-4244.patch | |||
@@ -0,0 +1,141 @@ | |||
1 | bind_Fix_for_CVE-2012-4244 | ||
2 | |||
3 | Upstream-Status: Backport | ||
4 | |||
5 | Reference:https://bugzilla.novell.com/attachment.cgi?id=505661&action=edit | ||
6 | |||
7 | ISC BIND 9.x before 9.7.6-P3, 9.8.x before 9.8.3-P3, 9.9.x before 9.9.1-P3, | ||
8 | and 9.4-ESV and 9.6-ESV before 9.6-ESV-R7-P3 allows remote attackers to | ||
9 | cause a denial of service (assertion failure and named daemon exit) via | ||
10 | a query for a long resource record. | ||
11 | |||
12 | Signed-off-by: yanjun.zhu <yanjun.zhu@windriver.com> | ||
13 | |||
14 | diff -urpN a/lib/dns/include/dns/rdata.h b/lib/dns/include/dns/rdata.h | ||
15 | --- a/lib/dns/include/dns/rdata.h 2012-10-08 12:19:42.000000000 +0800 | ||
16 | +++ b/lib/dns/include/dns/rdata.h 2012-10-08 11:26:43.000000000 +0800 | ||
17 | @@ -147,6 +147,17 @@ struct dns_rdata { | ||
18 | (((rdata)->flags & ~(DNS_RDATA_UPDATE|DNS_RDATA_OFFLINE)) == 0) | ||
19 | |||
20 | /* | ||
21 | + * The maximum length of a RDATA that can be sent on the wire. | ||
22 | + * Max packet size (65535) less header (12), less name (1), type (2), | ||
23 | + * class (2), ttl(4), length (2). | ||
24 | + * | ||
25 | + * None of the defined types that support name compression can exceed | ||
26 | + * this and all new types are to be sent uncompressed. | ||
27 | + */ | ||
28 | + | ||
29 | +#define DNS_RDATA_MAXLENGTH 65512U | ||
30 | + | ||
31 | +/* | ||
32 | * Flags affecting rdata formatting style. Flags 0xFFFF0000 | ||
33 | * are used by masterfile-level formatting and defined elsewhere. | ||
34 | * See additional comments at dns_rdata_tofmttext(). | ||
35 | diff -urpN a/lib/dns/master.c b/lib/dns/master.c | ||
36 | --- a/lib/dns/master.c 2012-10-08 12:19:42.000000000 +0800 | ||
37 | +++ b/lib/dns/master.c 2012-10-08 11:27:06.000000000 +0800 | ||
38 | @@ -75,7 +75,7 @@ | ||
39 | /*% | ||
40 | * max message size - header - root - type - class - ttl - rdlen | ||
41 | */ | ||
42 | -#define MINTSIZ (65535 - 12 - 1 - 2 - 2 - 4 - 2) | ||
43 | +#define MINTSIZ DNS_RDATA_MAXLENGTH | ||
44 | /*% | ||
45 | * Size for tokens in the presentation format, | ||
46 | * The largest tokens are the base64 blocks in KEY and CERT records, | ||
47 | diff -urpN a/lib/dns/rdata.c b/lib/dns/rdata.c | ||
48 | --- a/lib/dns/rdata.c 2012-10-08 12:19:42.000000000 +0800 | ||
49 | +++ b/lib/dns/rdata.c 2012-10-08 11:27:27.000000000 +0800 | ||
50 | @@ -425,6 +425,7 @@ dns_rdata_fromwire(dns_rdata_t *rdata, d | ||
51 | isc_buffer_t st; | ||
52 | isc_boolean_t use_default = ISC_FALSE; | ||
53 | isc_uint32_t activelength; | ||
54 | + size_t length; | ||
55 | |||
56 | REQUIRE(dctx != NULL); | ||
57 | if (rdata != NULL) { | ||
58 | @@ -455,6 +456,14 @@ dns_rdata_fromwire(dns_rdata_t *rdata, d | ||
59 | } | ||
60 | |||
61 | /* | ||
62 | + * Reject any rdata that expands out to more than DNS_RDATA_MAXLENGTH | ||
63 | + * as we cannot transmit it. | ||
64 | + */ | ||
65 | + length = isc_buffer_usedlength(target) - isc_buffer_usedlength(&st); | ||
66 | + if (result == ISC_R_SUCCESS && length > DNS_RDATA_MAXLENGTH) | ||
67 | + result = DNS_R_FORMERR; | ||
68 | + | ||
69 | + /* | ||
70 | * We should have consumed all of our buffer. | ||
71 | */ | ||
72 | if (result == ISC_R_SUCCESS && !buffer_empty(source)) | ||
73 | @@ -462,8 +471,7 @@ dns_rdata_fromwire(dns_rdata_t *rdata, d | ||
74 | |||
75 | if (rdata != NULL && result == ISC_R_SUCCESS) { | ||
76 | region.base = isc_buffer_used(&st); | ||
77 | - region.length = isc_buffer_usedlength(target) - | ||
78 | - isc_buffer_usedlength(&st); | ||
79 | + region.length = length; | ||
80 | dns_rdata_fromregion(rdata, rdclass, type, ®ion); | ||
81 | } | ||
82 | |||
83 | @@ -598,6 +606,7 @@ dns_rdata_fromtext(dns_rdata_t *rdata, d | ||
84 | unsigned long line; | ||
85 | void (*callback)(dns_rdatacallbacks_t *, const char *, ...); | ||
86 | isc_result_t tresult; | ||
87 | + size_t length; | ||
88 | |||
89 | REQUIRE(origin == NULL || dns_name_isabsolute(origin) == ISC_TRUE); | ||
90 | if (rdata != NULL) { | ||
91 | @@ -670,10 +679,13 @@ dns_rdata_fromtext(dns_rdata_t *rdata, d | ||
92 | } | ||
93 | } while (1); | ||
94 | |||
95 | + length = isc_buffer_usedlength(target) - isc_buffer_usedlength(&st); | ||
96 | + if (result == ISC_R_SUCCESS && length > DNS_RDATA_MAXLENGTH) | ||
97 | + result = ISC_R_NOSPACE; | ||
98 | + | ||
99 | if (rdata != NULL && result == ISC_R_SUCCESS) { | ||
100 | region.base = isc_buffer_used(&st); | ||
101 | - region.length = isc_buffer_usedlength(target) - | ||
102 | - isc_buffer_usedlength(&st); | ||
103 | + region.length = length; | ||
104 | dns_rdata_fromregion(rdata, rdclass, type, ®ion); | ||
105 | } | ||
106 | if (result != ISC_R_SUCCESS) { | ||
107 | @@ -781,6 +793,7 @@ dns_rdata_fromstruct(dns_rdata_t *rdata, | ||
108 | isc_buffer_t st; | ||
109 | isc_region_t region; | ||
110 | isc_boolean_t use_default = ISC_FALSE; | ||
111 | + size_t length; | ||
112 | |||
113 | REQUIRE(source != NULL); | ||
114 | if (rdata != NULL) { | ||
115 | @@ -795,10 +808,13 @@ dns_rdata_fromstruct(dns_rdata_t *rdata, | ||
116 | if (use_default) | ||
117 | (void)NULL; | ||
118 | |||
119 | + length = isc_buffer_usedlength(target) - isc_buffer_usedlength(&st); | ||
120 | + if (result == ISC_R_SUCCESS && length > DNS_RDATA_MAXLENGTH) | ||
121 | + result = ISC_R_NOSPACE; | ||
122 | + | ||
123 | if (rdata != NULL && result == ISC_R_SUCCESS) { | ||
124 | region.base = isc_buffer_used(&st); | ||
125 | - region.length = isc_buffer_usedlength(target) - | ||
126 | - isc_buffer_usedlength(&st); | ||
127 | + region.length = length; | ||
128 | dns_rdata_fromregion(rdata, rdclass, type, ®ion); | ||
129 | } | ||
130 | if (result != ISC_R_SUCCESS) | ||
131 | diff -urpN a/lib/dns/rdataslab.c b/lib/dns/rdataslab.c | ||
132 | --- a/lib/dns/rdataslab.c 2012-10-08 12:19:42.000000000 +0800 | ||
133 | +++ b/lib/dns/rdataslab.c 2012-10-08 11:27:54.000000000 +0800 | ||
134 | @@ -304,6 +304,7 @@ dns_rdataslab_fromrdataset(dns_rdataset_ | ||
135 | length = x[i].rdata.length; | ||
136 | if (rdataset->type == dns_rdatatype_rrsig) | ||
137 | length++; | ||
138 | + INSIST(length <= 0xffff); | ||
139 | *rawbuf++ = (length & 0xff00) >> 8; | ||
140 | *rawbuf++ = (length & 0x00ff); | ||
141 | #if DNS_RDATASET_FIXED | ||