summaryrefslogtreecommitdiffstats
path: root/meta/recipes-connectivity/bind/bind/bind-Fix-CVE-2012-4244.patch
diff options
context:
space:
mode:
Diffstat (limited to 'meta/recipes-connectivity/bind/bind/bind-Fix-CVE-2012-4244.patch')
-rw-r--r--meta/recipes-connectivity/bind/bind/bind-Fix-CVE-2012-4244.patch141
1 files changed, 141 insertions, 0 deletions
diff --git a/meta/recipes-connectivity/bind/bind/bind-Fix-CVE-2012-4244.patch b/meta/recipes-connectivity/bind/bind/bind-Fix-CVE-2012-4244.patch
new file mode 100644
index 0000000000..5dd6f69e45
--- /dev/null
+++ b/meta/recipes-connectivity/bind/bind/bind-Fix-CVE-2012-4244.patch
@@ -0,0 +1,141 @@
1bind_Fix_for_CVE-2012-4244
2
3Upstream-Status: Backport
4
5Reference:https://bugzilla.novell.com/attachment.cgi?id=505661&action=edit
6
7ISC BIND 9.x before 9.7.6-P3, 9.8.x before 9.8.3-P3, 9.9.x before 9.9.1-P3,
8 and 9.4-ESV and 9.6-ESV before 9.6-ESV-R7-P3 allows remote attackers to
9cause a denial of service (assertion failure and named daemon exit) via
10a query for a long resource record.
11
12Signed-off-by: yanjun.zhu <yanjun.zhu@windriver.com>
13
14diff -urpN a/lib/dns/include/dns/rdata.h b/lib/dns/include/dns/rdata.h
15--- a/lib/dns/include/dns/rdata.h 2012-10-08 12:19:42.000000000 +0800
16+++ b/lib/dns/include/dns/rdata.h 2012-10-08 11:26:43.000000000 +0800
17@@ -147,6 +147,17 @@ struct dns_rdata {
18 (((rdata)->flags & ~(DNS_RDATA_UPDATE|DNS_RDATA_OFFLINE)) == 0)
19
20 /*
21+ * The maximum length of a RDATA that can be sent on the wire.
22+ * Max packet size (65535) less header (12), less name (1), type (2),
23+ * class (2), ttl(4), length (2).
24+ *
25+ * None of the defined types that support name compression can exceed
26+ * this and all new types are to be sent uncompressed.
27+ */
28+
29+#define DNS_RDATA_MAXLENGTH 65512U
30+
31+/*
32 * Flags affecting rdata formatting style. Flags 0xFFFF0000
33 * are used by masterfile-level formatting and defined elsewhere.
34 * See additional comments at dns_rdata_tofmttext().
35diff -urpN a/lib/dns/master.c b/lib/dns/master.c
36--- a/lib/dns/master.c 2012-10-08 12:19:42.000000000 +0800
37+++ b/lib/dns/master.c 2012-10-08 11:27:06.000000000 +0800
38@@ -75,7 +75,7 @@
39 /*%
40 * max message size - header - root - type - class - ttl - rdlen
41 */
42-#define MINTSIZ (65535 - 12 - 1 - 2 - 2 - 4 - 2)
43+#define MINTSIZ DNS_RDATA_MAXLENGTH
44 /*%
45 * Size for tokens in the presentation format,
46 * The largest tokens are the base64 blocks in KEY and CERT records,
47diff -urpN a/lib/dns/rdata.c b/lib/dns/rdata.c
48--- a/lib/dns/rdata.c 2012-10-08 12:19:42.000000000 +0800
49+++ b/lib/dns/rdata.c 2012-10-08 11:27:27.000000000 +0800
50@@ -425,6 +425,7 @@ dns_rdata_fromwire(dns_rdata_t *rdata, d
51 isc_buffer_t st;
52 isc_boolean_t use_default = ISC_FALSE;
53 isc_uint32_t activelength;
54+ size_t length;
55
56 REQUIRE(dctx != NULL);
57 if (rdata != NULL) {
58@@ -455,6 +456,14 @@ dns_rdata_fromwire(dns_rdata_t *rdata, d
59 }
60
61 /*
62+ * Reject any rdata that expands out to more than DNS_RDATA_MAXLENGTH
63+ * as we cannot transmit it.
64+ */
65+ length = isc_buffer_usedlength(target) - isc_buffer_usedlength(&st);
66+ if (result == ISC_R_SUCCESS && length > DNS_RDATA_MAXLENGTH)
67+ result = DNS_R_FORMERR;
68+
69+ /*
70 * We should have consumed all of our buffer.
71 */
72 if (result == ISC_R_SUCCESS && !buffer_empty(source))
73@@ -462,8 +471,7 @@ dns_rdata_fromwire(dns_rdata_t *rdata, d
74
75 if (rdata != NULL && result == ISC_R_SUCCESS) {
76 region.base = isc_buffer_used(&st);
77- region.length = isc_buffer_usedlength(target) -
78- isc_buffer_usedlength(&st);
79+ region.length = length;
80 dns_rdata_fromregion(rdata, rdclass, type, &region);
81 }
82
83@@ -598,6 +606,7 @@ dns_rdata_fromtext(dns_rdata_t *rdata, d
84 unsigned long line;
85 void (*callback)(dns_rdatacallbacks_t *, const char *, ...);
86 isc_result_t tresult;
87+ size_t length;
88
89 REQUIRE(origin == NULL || dns_name_isabsolute(origin) == ISC_TRUE);
90 if (rdata != NULL) {
91@@ -670,10 +679,13 @@ dns_rdata_fromtext(dns_rdata_t *rdata, d
92 }
93 } while (1);
94
95+ length = isc_buffer_usedlength(target) - isc_buffer_usedlength(&st);
96+ if (result == ISC_R_SUCCESS && length > DNS_RDATA_MAXLENGTH)
97+ result = ISC_R_NOSPACE;
98+
99 if (rdata != NULL && result == ISC_R_SUCCESS) {
100 region.base = isc_buffer_used(&st);
101- region.length = isc_buffer_usedlength(target) -
102- isc_buffer_usedlength(&st);
103+ region.length = length;
104 dns_rdata_fromregion(rdata, rdclass, type, &region);
105 }
106 if (result != ISC_R_SUCCESS) {
107@@ -781,6 +793,7 @@ dns_rdata_fromstruct(dns_rdata_t *rdata,
108 isc_buffer_t st;
109 isc_region_t region;
110 isc_boolean_t use_default = ISC_FALSE;
111+ size_t length;
112
113 REQUIRE(source != NULL);
114 if (rdata != NULL) {
115@@ -795,10 +808,13 @@ dns_rdata_fromstruct(dns_rdata_t *rdata,
116 if (use_default)
117 (void)NULL;
118
119+ length = isc_buffer_usedlength(target) - isc_buffer_usedlength(&st);
120+ if (result == ISC_R_SUCCESS && length > DNS_RDATA_MAXLENGTH)
121+ result = ISC_R_NOSPACE;
122+
123 if (rdata != NULL && result == ISC_R_SUCCESS) {
124 region.base = isc_buffer_used(&st);
125- region.length = isc_buffer_usedlength(target) -
126- isc_buffer_usedlength(&st);
127+ region.length = length;
128 dns_rdata_fromregion(rdata, rdclass, type, &region);
129 }
130 if (result != ISC_R_SUCCESS)
131diff -urpN a/lib/dns/rdataslab.c b/lib/dns/rdataslab.c
132--- a/lib/dns/rdataslab.c 2012-10-08 12:19:42.000000000 +0800
133+++ b/lib/dns/rdataslab.c 2012-10-08 11:27:54.000000000 +0800
134@@ -304,6 +304,7 @@ dns_rdataslab_fromrdataset(dns_rdataset_
135 length = x[i].rdata.length;
136 if (rdataset->type == dns_rdatatype_rrsig)
137 length++;
138+ INSIST(length <= 0xffff);
139 *rawbuf++ = (length & 0xff00) >> 8;
140 *rawbuf++ = (length & 0x00ff);
141 #if DNS_RDATASET_FIXED