diff options
Diffstat (limited to 'meta/recipes-connectivity/bind/bind/CVE-2023-3341.patch')
-rw-r--r-- | meta/recipes-connectivity/bind/bind/CVE-2023-3341.patch | 175 |
1 files changed, 175 insertions, 0 deletions
diff --git a/meta/recipes-connectivity/bind/bind/CVE-2023-3341.patch b/meta/recipes-connectivity/bind/bind/CVE-2023-3341.patch new file mode 100644 index 0000000000..be479cb00e --- /dev/null +++ b/meta/recipes-connectivity/bind/bind/CVE-2023-3341.patch | |||
@@ -0,0 +1,175 @@ | |||
1 | From c4fac5ca98efd02fbaef43601627c7a3a09f5a71 Mon Sep 17 00:00:00 2001 | ||
2 | From: Mark Andrews <marka@isc.org> | ||
3 | Date: Tue, 20 Jun 2023 15:21:36 +1000 | ||
4 | Subject: [PATCH] Limit isccc_cc_fromwire recursion depth | ||
5 | |||
6 | Named and rndc do not need a lot of recursion so the depth is | ||
7 | set to 10. | ||
8 | |||
9 | Taken from BIND 9.16.44 change. | ||
10 | |||
11 | Upstream-Status: Backport [https://gitlab.isc.org/isc-projects/bind9/-/commit/c4fac5ca98efd02fbaef43601627c7a3a09f5a71] | ||
12 | CVE: CVE-2023-3341 | ||
13 | Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> | ||
14 | --- | ||
15 | lib/isccc/cc.c | 38 +++++++++++++++++++++++--------- | ||
16 | lib/isccc/include/isccc/result.h | 4 +++- | ||
17 | lib/isccc/result.c | 4 +++- | ||
18 | 3 files changed, 34 insertions(+), 12 deletions(-) | ||
19 | |||
20 | diff --git a/lib/isccc/cc.c b/lib/isccc/cc.c | ||
21 | index e012685..8eac3d6 100644 | ||
22 | --- a/lib/isccc/cc.c | ||
23 | +++ b/lib/isccc/cc.c | ||
24 | @@ -53,6 +53,10 @@ | ||
25 | |||
26 | #define MAX_TAGS 256 | ||
27 | #define DUP_LIFETIME 900 | ||
28 | +#ifndef ISCCC_MAXDEPTH | ||
29 | +#define ISCCC_MAXDEPTH \ | ||
30 | + 10 /* Big enough for rndc which just sends a string each way. */ | ||
31 | +#endif | ||
32 | |||
33 | typedef isccc_sexpr_t *sexpr_ptr; | ||
34 | |||
35 | @@ -561,19 +565,25 @@ verify(isccc_sexpr_t *alist, unsigned char *data, unsigned int length, | ||
36 | |||
37 | static isc_result_t | ||
38 | table_fromwire(isccc_region_t *source, isccc_region_t *secret, | ||
39 | - uint32_t algorithm, isccc_sexpr_t **alistp); | ||
40 | + uint32_t algorithm, unsigned int depth, isccc_sexpr_t **alistp); | ||
41 | |||
42 | static isc_result_t | ||
43 | -list_fromwire(isccc_region_t *source, isccc_sexpr_t **listp); | ||
44 | +list_fromwire(isccc_region_t *source, unsigned int depth, | ||
45 | + isccc_sexpr_t **listp); | ||
46 | |||
47 | static isc_result_t | ||
48 | -value_fromwire(isccc_region_t *source, isccc_sexpr_t **valuep) { | ||
49 | +value_fromwire(isccc_region_t *source, unsigned int depth, | ||
50 | + isccc_sexpr_t **valuep) { | ||
51 | unsigned int msgtype; | ||
52 | uint32_t len; | ||
53 | isccc_sexpr_t *value; | ||
54 | isccc_region_t active; | ||
55 | isc_result_t result; | ||
56 | |||
57 | + if (depth > ISCCC_MAXDEPTH) { | ||
58 | + return (ISCCC_R_MAXDEPTH); | ||
59 | + } | ||
60 | + | ||
61 | if (REGION_SIZE(*source) < 1 + 4) | ||
62 | return (ISC_R_UNEXPECTEDEND); | ||
63 | GET8(msgtype, source->rstart); | ||
64 | @@ -591,9 +601,9 @@ value_fromwire(isccc_region_t *source, isccc_sexpr_t **valuep) { | ||
65 | } else | ||
66 | result = ISC_R_NOMEMORY; | ||
67 | } else if (msgtype == ISCCC_CCMSGTYPE_TABLE) | ||
68 | - result = table_fromwire(&active, NULL, 0, valuep); | ||
69 | + result = table_fromwire(&active, NULL, 0, depth + 1, valuep); | ||
70 | else if (msgtype == ISCCC_CCMSGTYPE_LIST) | ||
71 | - result = list_fromwire(&active, valuep); | ||
72 | + result = list_fromwire(&active, depth + 1, valuep); | ||
73 | else | ||
74 | result = ISCCC_R_SYNTAX; | ||
75 | |||
76 | @@ -602,7 +612,7 @@ value_fromwire(isccc_region_t *source, isccc_sexpr_t **valuep) { | ||
77 | |||
78 | static isc_result_t | ||
79 | table_fromwire(isccc_region_t *source, isccc_region_t *secret, | ||
80 | - uint32_t algorithm, isccc_sexpr_t **alistp) | ||
81 | + uint32_t algorithm, unsigned int depth, isccc_sexpr_t **alistp) | ||
82 | { | ||
83 | char key[256]; | ||
84 | uint32_t len; | ||
85 | @@ -613,6 +623,10 @@ table_fromwire(isccc_region_t *source, isccc_region_t *secret, | ||
86 | |||
87 | REQUIRE(alistp != NULL && *alistp == NULL); | ||
88 | |||
89 | + if (depth > ISCCC_MAXDEPTH) { | ||
90 | + return (ISCCC_R_MAXDEPTH); | ||
91 | + } | ||
92 | + | ||
93 | checksum_rstart = NULL; | ||
94 | first_tag = true; | ||
95 | alist = isccc_alist_create(); | ||
96 | @@ -628,7 +642,7 @@ table_fromwire(isccc_region_t *source, isccc_region_t *secret, | ||
97 | GET_MEM(key, len, source->rstart); | ||
98 | key[len] = '\0'; /* Ensure NUL termination. */ | ||
99 | value = NULL; | ||
100 | - result = value_fromwire(source, &value); | ||
101 | + result = value_fromwire(source, depth + 1, &value); | ||
102 | if (result != ISC_R_SUCCESS) | ||
103 | goto bad; | ||
104 | if (isccc_alist_define(alist, key, value) == NULL) { | ||
105 | @@ -661,14 +675,18 @@ table_fromwire(isccc_region_t *source, isccc_region_t *secret, | ||
106 | } | ||
107 | |||
108 | static isc_result_t | ||
109 | -list_fromwire(isccc_region_t *source, isccc_sexpr_t **listp) { | ||
110 | +list_fromwire(isccc_region_t *source, unsigned int depth, isccc_sexpr_t **listp) { | ||
111 | isccc_sexpr_t *list, *value; | ||
112 | isc_result_t result; | ||
113 | |||
114 | + if (depth > ISCCC_MAXDEPTH) { | ||
115 | + return (ISCCC_R_MAXDEPTH); | ||
116 | + } | ||
117 | + | ||
118 | list = NULL; | ||
119 | while (!REGION_EMPTY(*source)) { | ||
120 | value = NULL; | ||
121 | - result = value_fromwire(source, &value); | ||
122 | + result = value_fromwire(source, depth + 1, &value); | ||
123 | if (result != ISC_R_SUCCESS) { | ||
124 | isccc_sexpr_free(&list); | ||
125 | return (result); | ||
126 | @@ -699,7 +717,7 @@ isccc_cc_fromwire(isccc_region_t *source, isccc_sexpr_t **alistp, | ||
127 | if (version != 1) | ||
128 | return (ISCCC_R_UNKNOWNVERSION); | ||
129 | |||
130 | - return (table_fromwire(source, secret, algorithm, alistp)); | ||
131 | + return (table_fromwire(source, secret, algorithm, 0, alistp)); | ||
132 | } | ||
133 | |||
134 | static isc_result_t | ||
135 | diff --git a/lib/isccc/include/isccc/result.h b/lib/isccc/include/isccc/result.h | ||
136 | index 6c79dd7..a85861c 100644 | ||
137 | --- a/lib/isccc/include/isccc/result.h | ||
138 | +++ b/lib/isccc/include/isccc/result.h | ||
139 | @@ -47,8 +47,10 @@ | ||
140 | #define ISCCC_R_CLOCKSKEW (ISC_RESULTCLASS_ISCCC + 4) | ||
141 | /*% Duplicate */ | ||
142 | #define ISCCC_R_DUPLICATE (ISC_RESULTCLASS_ISCCC + 5) | ||
143 | +/*% Maximum recursion depth */ | ||
144 | +#define ISCCC_R_MAXDEPTH (ISC_RESULTCLASS_ISCCC + 6) | ||
145 | |||
146 | -#define ISCCC_R_NRESULTS 6 /*%< Number of results */ | ||
147 | +#define ISCCC_R_NRESULTS 7 /*%< Number of results */ | ||
148 | |||
149 | ISC_LANG_BEGINDECLS | ||
150 | |||
151 | diff --git a/lib/isccc/result.c b/lib/isccc/result.c | ||
152 | index 8419bbb..325200b 100644 | ||
153 | --- a/lib/isccc/result.c | ||
154 | +++ b/lib/isccc/result.c | ||
155 | @@ -40,7 +40,8 @@ static const char *text[ISCCC_R_NRESULTS] = { | ||
156 | "bad auth", /* 3 */ | ||
157 | "expired", /* 4 */ | ||
158 | "clock skew", /* 5 */ | ||
159 | - "duplicate" /* 6 */ | ||
160 | + "duplicate", /* 6 */ | ||
161 | + "max depth", /* 7 */ | ||
162 | }; | ||
163 | |||
164 | static const char *ids[ISCCC_R_NRESULTS] = { | ||
165 | @@ -50,6 +51,7 @@ static const char *ids[ISCCC_R_NRESULTS] = { | ||
166 | "ISCCC_R_EXPIRED", | ||
167 | "ISCCC_R_CLOCKSKEW", | ||
168 | "ISCCC_R_DUPLICATE", | ||
169 | + "ISCCC_R_MAXDEPTH", | ||
170 | }; | ||
171 | |||
172 | #define ISCCC_RESULT_RESULTSET 2 | ||
173 | -- | ||
174 | 2.25.1 | ||
175 | |||