From 060b6137eee62bc6d2eb77aeaeb1ad2292ca8ed7 Mon Sep 17 00:00:00 2001 From: Mark Andrews Date: Fri, 9 Sep 2016 11:29:48 +1000 Subject: [PATCH] 4467. [security] It was possible to trigger a assertion when rendering a message. [RT #43139] (cherry picked from commit 2bd0922cf995b9ac205fc83baf7e220b95c6bf12) --- CHANGES | 3 +++ lib/dns/message.c | 42 +++++++++++++++++++++++++++++++----------- 2 files changed, 34 insertions(+), 11 deletions(-) Index: bind-9.10.2-P4/lib/dns/message.c =================================================================== --- bind-9.10.2-P4.orig/lib/dns/message.c +++ bind-9.10.2-P4/lib/dns/message.c @@ -1751,7 +1751,7 @@ dns_message_renderbegin(dns_message_t *m if (r.length < DNS_MESSAGE_HEADERLEN) return (ISC_R_NOSPACE); - if (r.length < msg->reserved) + if (r.length - DNS_MESSAGE_HEADERLEN < msg->reserved) return (ISC_R_NOSPACE); /* @@ -1878,8 +1878,29 @@ norender_rdataset(const dns_rdataset_t * return (ISC_TRUE); } - #endif + +static isc_result_t +renderset(dns_rdataset_t *rdataset, dns_name_t *owner_name, + dns_compress_t *cctx, isc_buffer_t *target, + unsigned int reserved, unsigned int options, unsigned int *countp) +{ + isc_result_t result; + + /* + * Shrink the space in the buffer by the reserved amount. + */ + if (target->length - target->used < reserved) + return (ISC_R_NOSPACE); + + target->length -= reserved; + result = dns_rdataset_towire(rdataset, owner_name, + cctx, target, options, countp); + target->length += reserved; + + return (result); +} + isc_result_t dns_message_rendersection(dns_message_t *msg, dns_section_t sectionid, unsigned int options) @@ -1922,6 +1943,8 @@ dns_message_rendersection(dns_message_t /* * Shrink the space in the buffer by the reserved amount. */ + if (msg->buffer->length - msg->buffer->used < msg->reserved) + return (ISC_R_NOSPACE); msg->buffer->length -= msg->reserved; total = 0; @@ -2198,9 +2221,8 @@ dns_message_renderend(dns_message_t *msg * Render. */ count = 0; - result = dns_rdataset_towire(msg->opt, dns_rootname, - msg->cctx, msg->buffer, 0, - &count); + result = renderset(msg->opt, dns_rootname, msg->cctx, + msg->buffer, msg->reserved, 0, &count); msg->counts[DNS_SECTION_ADDITIONAL] += count; if (result != ISC_R_SUCCESS) return (result); @@ -2216,9 +2238,8 @@ dns_message_renderend(dns_message_t *msg if (result != ISC_R_SUCCESS) return (result); count = 0; - result = dns_rdataset_towire(msg->tsig, msg->tsigname, - msg->cctx, msg->buffer, 0, - &count); + result = renderset(msg->tsig, msg->tsigname, msg->cctx, + msg->buffer, msg->reserved, 0, &count); msg->counts[DNS_SECTION_ADDITIONAL] += count; if (result != ISC_R_SUCCESS) return (result); @@ -2239,9 +2260,8 @@ dns_message_renderend(dns_message_t *msg * the owner name of a SIG(0) is irrelevant, and will not * be set in a message being rendered. */ - result = dns_rdataset_towire(msg->sig0, dns_rootname, - msg->cctx, msg->buffer, 0, - &count); + result = renderset(msg->sig0, dns_rootname, msg->cctx, + msg->buffer, msg->reserved, 0, &count); msg->counts[DNS_SECTION_ADDITIONAL] += count; if (result != ISC_R_SUCCESS) return (result); Index: bind-9.10.2-P4/CHANGES =================================================================== --- bind-9.10.2-P4.orig/CHANGES +++ bind-9.10.2-P4/CHANGES @@ -1,3 +1,6 @@ +4467. [security] It was possible to trigger a assertion when rendering + a message. [RT #43139] + 4406. [bug] getrrsetbyname with a non absolute name could trigger a infinite recursion bug in lwresd and named with lwres configured if when combined