bind_Fix_for_CVE-2012-4244 Upstream-Status: Backport Reference:https://bugzilla.novell.com/attachment.cgi?id=505661&action=edit ISC BIND 9.x before 9.7.6-P3, 9.8.x before 9.8.3-P3, 9.9.x before 9.9.1-P3, and 9.4-ESV and 9.6-ESV before 9.6-ESV-R7-P3 allows remote attackers to cause a denial of service (assertion failure and named daemon exit) via a query for a long resource record. Signed-off-by: yanjun.zhu diff -urpN a/lib/dns/include/dns/rdata.h b/lib/dns/include/dns/rdata.h --- a/lib/dns/include/dns/rdata.h 2012-10-08 12:19:42.000000000 +0800 +++ b/lib/dns/include/dns/rdata.h 2012-10-08 11:26:43.000000000 +0800 @@ -147,6 +147,17 @@ struct dns_rdata { (((rdata)->flags & ~(DNS_RDATA_UPDATE|DNS_RDATA_OFFLINE)) == 0) /* + * The maximum length of a RDATA that can be sent on the wire. + * Max packet size (65535) less header (12), less name (1), type (2), + * class (2), ttl(4), length (2). + * + * None of the defined types that support name compression can exceed + * this and all new types are to be sent uncompressed. + */ + +#define DNS_RDATA_MAXLENGTH 65512U + +/* * Flags affecting rdata formatting style. Flags 0xFFFF0000 * are used by masterfile-level formatting and defined elsewhere. * See additional comments at dns_rdata_tofmttext(). diff -urpN a/lib/dns/master.c b/lib/dns/master.c --- a/lib/dns/master.c 2012-10-08 12:19:42.000000000 +0800 +++ b/lib/dns/master.c 2012-10-08 11:27:06.000000000 +0800 @@ -75,7 +75,7 @@ /*% * max message size - header - root - type - class - ttl - rdlen */ -#define MINTSIZ (65535 - 12 - 1 - 2 - 2 - 4 - 2) +#define MINTSIZ DNS_RDATA_MAXLENGTH /*% * Size for tokens in the presentation format, * The largest tokens are the base64 blocks in KEY and CERT records, diff -urpN a/lib/dns/rdata.c b/lib/dns/rdata.c --- a/lib/dns/rdata.c 2012-10-08 12:19:42.000000000 +0800 +++ b/lib/dns/rdata.c 2012-10-08 11:27:27.000000000 +0800 @@ -425,6 +425,7 @@ dns_rdata_fromwire(dns_rdata_t *rdata, d isc_buffer_t st; isc_boolean_t use_default = ISC_FALSE; isc_uint32_t activelength; + size_t length; REQUIRE(dctx != NULL); if (rdata != NULL) { @@ -455,6 +456,14 @@ dns_rdata_fromwire(dns_rdata_t *rdata, d } /* + * Reject any rdata that expands out to more than DNS_RDATA_MAXLENGTH + * as we cannot transmit it. + */ + length = isc_buffer_usedlength(target) - isc_buffer_usedlength(&st); + if (result == ISC_R_SUCCESS && length > DNS_RDATA_MAXLENGTH) + result = DNS_R_FORMERR; + + /* * We should have consumed all of our buffer. */ if (result == ISC_R_SUCCESS && !buffer_empty(source)) @@ -462,8 +471,7 @@ dns_rdata_fromwire(dns_rdata_t *rdata, d if (rdata != NULL && result == ISC_R_SUCCESS) { region.base = isc_buffer_used(&st); - region.length = isc_buffer_usedlength(target) - - isc_buffer_usedlength(&st); + region.length = length; dns_rdata_fromregion(rdata, rdclass, type, ®ion); } @@ -598,6 +606,7 @@ dns_rdata_fromtext(dns_rdata_t *rdata, d unsigned long line; void (*callback)(dns_rdatacallbacks_t *, const char *, ...); isc_result_t tresult; + size_t length; REQUIRE(origin == NULL || dns_name_isabsolute(origin) == ISC_TRUE); if (rdata != NULL) { @@ -670,10 +679,13 @@ dns_rdata_fromtext(dns_rdata_t *rdata, d } } while (1); + length = isc_buffer_usedlength(target) - isc_buffer_usedlength(&st); + if (result == ISC_R_SUCCESS && length > DNS_RDATA_MAXLENGTH) + result = ISC_R_NOSPACE; + if (rdata != NULL && result == ISC_R_SUCCESS) { region.base = isc_buffer_used(&st); - region.length = isc_buffer_usedlength(target) - - isc_buffer_usedlength(&st); + region.length = length; dns_rdata_fromregion(rdata, rdclass, type, ®ion); } if (result != ISC_R_SUCCESS) { @@ -781,6 +793,7 @@ dns_rdata_fromstruct(dns_rdata_t *rdata, isc_buffer_t st; isc_region_t region; isc_boolean_t use_default = ISC_FALSE; + size_t length; REQUIRE(source != NULL); if (rdata != NULL) { @@ -795,10 +808,13 @@ dns_rdata_fromstruct(dns_rdata_t *rdata, if (use_default) (void)NULL; + length = isc_buffer_usedlength(target) - isc_buffer_usedlength(&st); + if (result == ISC_R_SUCCESS && length > DNS_RDATA_MAXLENGTH) + result = ISC_R_NOSPACE; + if (rdata != NULL && result == ISC_R_SUCCESS) { region.base = isc_buffer_used(&st); - region.length = isc_buffer_usedlength(target) - - isc_buffer_usedlength(&st); + region.length = length; dns_rdata_fromregion(rdata, rdclass, type, ®ion); } if (result != ISC_R_SUCCESS) diff -urpN a/lib/dns/rdataslab.c b/lib/dns/rdataslab.c --- a/lib/dns/rdataslab.c 2012-10-08 12:19:42.000000000 +0800 +++ b/lib/dns/rdataslab.c 2012-10-08 11:27:54.000000000 +0800 @@ -304,6 +304,7 @@ dns_rdataslab_fromrdataset(dns_rdataset_ length = x[i].rdata.length; if (rdataset->type == dns_rdatatype_rrsig) length++; + INSIST(length <= 0xffff); *rawbuf++ = (length & 0xff00) >> 8; *rawbuf++ = (length & 0x00ff); #if DNS_RDATASET_FIXED