From a37112a3bc79e001223574cee797ae73e97496a6 Mon Sep 17 00:00:00 2001
From: Armin Kuster <akuster808@gmail.com>
Date: Sun, 2 Oct 2016 17:52:11 -0700
Subject: bind: Security fix CVE-2016-2776

affect bind < 9.10.4-p3

(From OE-Core rev: 57b4c03b263f2ad056d7973038662d6d6614a9de)

Signed-off-by: Armin Kuster <akuster808@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
---
 .../bind/bind/CVE-2016-2776.patch                  | 112 +++++++++++++++++++++
 meta/recipes-connectivity/bind/bind_9.10.2-P4.bb   |   1 +
 2 files changed, 113 insertions(+)
 create mode 100644 meta/recipes-connectivity/bind/bind/CVE-2016-2776.patch

diff --git a/meta/recipes-connectivity/bind/bind/CVE-2016-2776.patch b/meta/recipes-connectivity/bind/bind/CVE-2016-2776.patch
new file mode 100644
index 0000000000..d22945d885
--- /dev/null
+++ b/meta/recipes-connectivity/bind/bind/CVE-2016-2776.patch
@@ -0,0 +1,112 @@
+From 060b6137eee62bc6d2eb77aeaeb1ad2292ca8ed7 Mon Sep 17 00:00:00 2001
+From: Mark Andrews <marka@isc.org>
+Date: Fri, 9 Sep 2016 11:29:48 +1000
+Subject: [PATCH] 4467.   [security]      It was possible to trigger a
+ assertion when rendering                         a message. [RT #43139]
+
+(cherry picked from commit 2bd0922cf995b9ac205fc83baf7e220b95c6bf12)
+---
+ CHANGES           |  3 +++
+ lib/dns/message.c | 42 +++++++++++++++++++++++++++++++-----------
+ 2 files changed, 34 insertions(+), 11 deletions(-)
+
+Index: bind-9.10.2-P4/lib/dns/message.c
+===================================================================
+--- bind-9.10.2-P4.orig/lib/dns/message.c
++++ bind-9.10.2-P4/lib/dns/message.c
+@@ -1751,7 +1751,7 @@ dns_message_renderbegin(dns_message_t *m
+ 	if (r.length < DNS_MESSAGE_HEADERLEN)
+ 		return (ISC_R_NOSPACE);
+ 
+-	if (r.length < msg->reserved)
++	if (r.length - DNS_MESSAGE_HEADERLEN < msg->reserved)
+ 		return (ISC_R_NOSPACE);
+ 
+ 	/*
+@@ -1878,8 +1878,29 @@ norender_rdataset(const dns_rdataset_t *
+ 
+ 	return (ISC_TRUE);
+ }
+-
+ #endif
++
++static isc_result_t
++renderset(dns_rdataset_t *rdataset, dns_name_t *owner_name,
++	  dns_compress_t *cctx, isc_buffer_t *target,
++	  unsigned int reserved, unsigned int options, unsigned int *countp)
++{
++	isc_result_t result;
++
++	/*
++	 * Shrink the space in the buffer by the reserved amount.
++	 */
++	if (target->length - target->used < reserved)
++		return (ISC_R_NOSPACE);
++
++	target->length -= reserved;
++	result = dns_rdataset_towire(rdataset, owner_name,
++				     cctx, target, options, countp);
++	target->length += reserved;
++
++	return (result);
++}
++
+ isc_result_t
+ dns_message_rendersection(dns_message_t *msg, dns_section_t sectionid,
+ 			  unsigned int options)
+@@ -1922,6 +1943,8 @@ dns_message_rendersection(dns_message_t
+ 	/*
+ 	 * Shrink the space in the buffer by the reserved amount.
+ 	 */
++	if (msg->buffer->length - msg->buffer->used < msg->reserved)
++		return (ISC_R_NOSPACE);
+ 	msg->buffer->length -= msg->reserved;
+ 
+ 	total = 0;
+@@ -2198,9 +2221,8 @@ dns_message_renderend(dns_message_t *msg
+ 		 * Render.
+ 		 */
+ 		count = 0;
+-		result = dns_rdataset_towire(msg->opt, dns_rootname,
+-					     msg->cctx, msg->buffer, 0,
+-					     &count);
++		result = renderset(msg->opt, dns_rootname, msg->cctx,
++				   msg->buffer, msg->reserved, 0, &count);
+ 		msg->counts[DNS_SECTION_ADDITIONAL] += count;
+ 		if (result != ISC_R_SUCCESS)
+ 			return (result);
+@@ -2216,9 +2238,8 @@ dns_message_renderend(dns_message_t *msg
+ 		if (result != ISC_R_SUCCESS)
+ 			return (result);
+ 		count = 0;
+-		result = dns_rdataset_towire(msg->tsig, msg->tsigname,
+-					     msg->cctx, msg->buffer, 0,
+-					     &count);
++		result = renderset(msg->tsig, msg->tsigname, msg->cctx,
++				   msg->buffer, msg->reserved, 0, &count);
+ 		msg->counts[DNS_SECTION_ADDITIONAL] += count;
+ 		if (result != ISC_R_SUCCESS)
+ 			return (result);
+@@ -2239,9 +2260,8 @@ dns_message_renderend(dns_message_t *msg
+ 		 * the owner name of a SIG(0) is irrelevant, and will not
+ 		 * be set in a message being rendered.
+ 		 */
+-		result = dns_rdataset_towire(msg->sig0, dns_rootname,
+-					     msg->cctx, msg->buffer, 0,
+-					     &count);
++		result = renderset(msg->sig0, dns_rootname, msg->cctx,
++				   msg->buffer, msg->reserved, 0, &count);
+ 		msg->counts[DNS_SECTION_ADDITIONAL] += count;
+ 		if (result != ISC_R_SUCCESS)
+ 			return (result);
+Index: bind-9.10.2-P4/CHANGES
+===================================================================
+--- bind-9.10.2-P4.orig/CHANGES
++++ bind-9.10.2-P4/CHANGES
+@@ -1,3 +1,6 @@
++4467.  [security]      It was possible to trigger a assertion when rendering
++                       a message. [RT #43139]
++
+ 4406.  [bug]           getrrsetbyname with a non absolute name could
+                        trigger a infinite recursion bug in lwresd
+                        and named with lwres configured if when combined
diff --git a/meta/recipes-connectivity/bind/bind_9.10.2-P4.bb b/meta/recipes-connectivity/bind/bind_9.10.2-P4.bb
index 80c7b44127..bc105d3fbc 100644
--- a/meta/recipes-connectivity/bind/bind_9.10.2-P4.bb
+++ b/meta/recipes-connectivity/bind/bind_9.10.2-P4.bb
@@ -30,6 +30,7 @@ SRC_URI = "ftp://ftp.isc.org/isc/bind9/${PV}/${BPN}-${PV}.tar.gz \
            file://CVE-2016-1286_2.patch \
            file://CVE-2016-2088.patch \
            file://CVE-2016-2775.patch \
+           file://CVE-2016-2776.patch \
            "
 
 SRC_URI[md5sum] = "8b1f5064837756c938eadc1537dec5c7"
-- 
cgit v1.2.3-54-g00ecf