1 files changed, 112 insertions, 0 deletions
diff --git a/meta/recipes-connectivity/bind/bind/CVE-2016-2776.patch b/meta/recipes-connectivity/bind/bind/CVE-2016-2776.patch
new file mode 100644
index 0000000000..d22945d885
--- /dev/null
+++ b/meta/recipes-connectivity/bind/bind/CVE-2016-2776.patch
@@ -0,0 +1,112 @@
+From 060b6137eee62bc6d2eb77aeaeb1ad2292ca8ed7 Mon Sep 17 00:00:00 2001
+From: Mark Andrews <marka@isc.org>
+Date: Fri, 9 Sep 2016 11:29:48 +1000
+Subject: [PATCH] 4467.   [security]      It was possible to trigger a
+ assertion when rendering                         a message. [RT #43139]
+(cherry picked from commit 2bd0922cf995b9ac205fc83baf7e220b95c6bf12)
+---
+ CHANGES           |  3 +++
+ lib/dns/message.c | 42 +++++++++++++++++++++++++++++++-----------
+ 2 files changed, 34 insertions(+), 11 deletions(-)
+Index: bind-9.10.2-P4/lib/dns/message.c
+===================================================================
+--- bind-9.10.2-P4.orig/lib/dns/message.c
+++ bind-9.10.2-P4/lib/dns/message.c
+@@ -1751,7 +1751,7 @@ dns_message_renderbegin(dns_message_t *m
+        if (r.length < DNS_MESSAGE_HEADERLEN)
+                return (ISC_R_NOSPACE);
+ 
+-       if (r.length < msg->reserved)
+       if (r.length - DNS_MESSAGE_HEADERLEN < msg->reserved)
+                return (ISC_R_NOSPACE);
+ 
+        /*
+@@ -1878,8 +1878,29 @@ norender_rdataset(const dns_rdataset_t *
+ 
+        return (ISC_TRUE);
+ }
+-
+ #endif
+
+static isc_result_t
+renderset(dns_rdataset_t *rdataset, dns_name_t *owner_name,
+         dns_compress_t *cctx, isc_buffer_t *target,
+         unsigned int reserved, unsigned int options, unsigned int *countp)
+{
+       isc_result_t result;
+
+       /*
+        * Shrink the space in the buffer by the reserved amount.
+        */
+       if (target->length - target->used < reserved)
+               return (ISC_R_NOSPACE);
+
+       target->length -= reserved;
+       result = dns_rdataset_towire(rdataset, owner_name,
+                                    cctx, target, options, countp);
+       target->length += reserved;
+
+       return (result);
+}
+
+ isc_result_t
+ dns_message_rendersection(dns_message_t *msg, dns_section_t sectionid,
+                          unsigned int options)
+@@ -1922,6 +1943,8 @@ dns_message_rendersection(dns_message_t
+        /*
+         * Shrink the space in the buffer by the reserved amount.
+         */
+       if (msg->buffer->length - msg->buffer->used < msg->reserved)
+               return (ISC_R_NOSPACE);
+        msg->buffer->length -= msg->reserved;
+ 
+        total = 0;
+@@ -2198,9 +2221,8 @@ dns_message_renderend(dns_message_t *msg
+                 * Render.
+                 */
+                count = 0;
+-               result = dns_rdataset_towire(msg->opt, dns_rootname,
+-                                            msg->cctx, msg->buffer, 0,
+-                                            &count);
+               result = renderset(msg->opt, dns_rootname, msg->cctx,
+                                  msg->buffer, msg->reserved, 0, &count);
+                msg->counts[DNS_SECTION_ADDITIONAL] += count;
+                if (result != ISC_R_SUCCESS)
+                        return (result);
+@@ -2216,9 +2238,8 @@ dns_message_renderend(dns_message_t *msg
+                if (result != ISC_R_SUCCESS)
+                        return (result);
+                count = 0;
+-               result = dns_rdataset_towire(msg->tsig, msg->tsigname,
+-                                            msg->cctx, msg->buffer, 0,
+-                                            &count);
+               result = renderset(msg->tsig, msg->tsigname, msg->cctx,
+                                  msg->buffer, msg->reserved, 0, &count);
+                msg->counts[DNS_SECTION_ADDITIONAL] += count;
+                if (result != ISC_R_SUCCESS)
+                        return (result);
+@@ -2239,9 +2260,8 @@ dns_message_renderend(dns_message_t *msg
+                 * the owner name of a SIG(0) is irrelevant, and will not
+                 * be set in a message being rendered.
+                 */
+-               result = dns_rdataset_towire(msg->sig0, dns_rootname,
+-                                            msg->cctx, msg->buffer, 0,
+-                                            &count);
+               result = renderset(msg->sig0, dns_rootname, msg->cctx,
+                                  msg->buffer, msg->reserved, 0, &count);
+                msg->counts[DNS_SECTION_ADDITIONAL] += count;
+                if (result != ISC_R_SUCCESS)
+                        return (result);
+Index: bind-9.10.2-P4/CHANGES
+===================================================================
+--- bind-9.10.2-P4.orig/CHANGES
+++ bind-9.10.2-P4/CHANGES
+@@ -1,3 +1,6 @@
+4467.  [security]      It was possible to trigger a assertion when rendering
+                       a message. [RT #43139]
+
+ 4406.  [bug]           getrrsetbyname with a non absolute name could
+                        trigger a infinite recursion bug in lwresd
+                        and named with lwres configured if when combined

diff --git a/meta/recipes-connectivity/bind/bind/CVE-2016-2776.patch b/meta/recipes-connectivity/bind/bind/CVE-2016-2776.patch new file mode 100644 index 0000000000..d22945d885 --- /dev/null +++ b/meta/recipes-connectivity/bind/bind/CVE-2016-2776.patch
@@ -0,0 +1,112 @@
	1	From 060b6137eee62bc6d2eb77aeaeb1ad2292ca8ed7 Mon Sep 17 00:00:00 2001
	2	From: Mark Andrews <marka@isc.org>
	3	Date: Fri, 9 Sep 2016 11:29:48 +1000
	4	Subject: [PATCH] 4467. [security] It was possible to trigger a
	5	assertion when rendering a message. [RT #43139]
	6
	7	(cherry picked from commit 2bd0922cf995b9ac205fc83baf7e220b95c6bf12)
	8	---
	9	CHANGES \| 3 +++
	10	lib/dns/message.c \| 42 +++++++++++++++++++++++++++++++-----------
	11	2 files changed, 34 insertions(+), 11 deletions(-)
	12
	13	Index: bind-9.10.2-P4/lib/dns/message.c
	14	===================================================================
	15	--- bind-9.10.2-P4.orig/lib/dns/message.c
	16	+++ bind-9.10.2-P4/lib/dns/message.c
	17	@@ -1751,7 +1751,7 @@ dns_message_renderbegin(dns_message_t *m
	18	if (r.length < DNS_MESSAGE_HEADERLEN)
	19	return (ISC_R_NOSPACE);
	20
	21	- if (r.length < msg->reserved)
	22	+ if (r.length - DNS_MESSAGE_HEADERLEN < msg->reserved)
	23	return (ISC_R_NOSPACE);
	24
	25	/*
	26	@@ -1878,8 +1878,29 @@ norender_rdataset(const dns_rdataset_t *
	27
	28	return (ISC_TRUE);
	29	}
	30	-
	31	#endif
	32	+
	33	+static isc_result_t
	34	+renderset(dns_rdataset_t rdataset, dns_name_t owner_name,
	35	+ dns_compress_t cctx, isc_buffer_t target,
	36	+ unsigned int reserved, unsigned int options, unsigned int *countp)
	37	+{
	38	+ isc_result_t result;
	39	+
	40	+ /*
	41	+ * Shrink the space in the buffer by the reserved amount.
	42	+ */
	43	+ if (target->length - target->used < reserved)
	44	+ return (ISC_R_NOSPACE);
	45	+
	46	+ target->length -= reserved;
	47	+ result = dns_rdataset_towire(rdataset, owner_name,
	48	+ cctx, target, options, countp);
	49	+ target->length += reserved;
	50	+
	51	+ return (result);
	52	+}
	53	+
	54	isc_result_t
	55	dns_message_rendersection(dns_message_t *msg, dns_section_t sectionid,
	56	unsigned int options)
	57	@@ -1922,6 +1943,8 @@ dns_message_rendersection(dns_message_t
	58	/*
	59	* Shrink the space in the buffer by the reserved amount.
	60	*/
	61	+ if (msg->buffer->length - msg->buffer->used < msg->reserved)
	62	+ return (ISC_R_NOSPACE);
	63	msg->buffer->length -= msg->reserved;
	64
	65	total = 0;
	66	@@ -2198,9 +2221,8 @@ dns_message_renderend(dns_message_t *msg
	67	* Render.
	68	*/
	69	count = 0;
	70	- result = dns_rdataset_towire(msg->opt, dns_rootname,
	71	- msg->cctx, msg->buffer, 0,
	72	- &count);
	73	+ result = renderset(msg->opt, dns_rootname, msg->cctx,
	74	+ msg->buffer, msg->reserved, 0, &count);
	75	msg->counts[DNS_SECTION_ADDITIONAL] += count;
	76	if (result != ISC_R_SUCCESS)
	77	return (result);
	78	@@ -2216,9 +2238,8 @@ dns_message_renderend(dns_message_t *msg
	79	if (result != ISC_R_SUCCESS)
	80	return (result);
	81	count = 0;
	82	- result = dns_rdataset_towire(msg->tsig, msg->tsigname,
	83	- msg->cctx, msg->buffer, 0,
	84	- &count);
	85	+ result = renderset(msg->tsig, msg->tsigname, msg->cctx,
	86	+ msg->buffer, msg->reserved, 0, &count);
	87	msg->counts[DNS_SECTION_ADDITIONAL] += count;
	88	if (result != ISC_R_SUCCESS)
	89	return (result);
	90	@@ -2239,9 +2260,8 @@ dns_message_renderend(dns_message_t *msg
	91	* the owner name of a SIG(0) is irrelevant, and will not
	92	* be set in a message being rendered.
	93	*/
	94	- result = dns_rdataset_towire(msg->sig0, dns_rootname,
	95	- msg->cctx, msg->buffer, 0,
	96	- &count);
	97	+ result = renderset(msg->sig0, dns_rootname, msg->cctx,
	98	+ msg->buffer, msg->reserved, 0, &count);
	99	msg->counts[DNS_SECTION_ADDITIONAL] += count;
	100	if (result != ISC_R_SUCCESS)
	101	return (result);
	102	Index: bind-9.10.2-P4/CHANGES
	103	===================================================================
	104	--- bind-9.10.2-P4.orig/CHANGES
	105	+++ bind-9.10.2-P4/CHANGES
	106	@@ -1,3 +1,6 @@
	107	+4467. [security] It was possible to trigger a assertion when rendering
	108	+ a message. [RT #43139]
	109	+
	110	4406. [bug] getrrsetbyname with a non absolute name could
	111	trigger a infinite recursion bug in lwresd
	112	and named with lwres configured if when combined