1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
|
From 060b6137eee62bc6d2eb77aeaeb1ad2292ca8ed7 Mon Sep 17 00:00:00 2001
From: Mark Andrews <marka@isc.org>
Date: Fri, 9 Sep 2016 11:29:48 +1000
Subject: [PATCH] 4467. [security] It was possible to trigger a
assertion when rendering a message. [RT #43139]
(cherry picked from commit 2bd0922cf995b9ac205fc83baf7e220b95c6bf12)
---
CHANGES | 3 +++
lib/dns/message.c | 42 +++++++++++++++++++++++++++++++-----------
2 files changed, 34 insertions(+), 11 deletions(-)
Index: bind-9.10.2-P4/lib/dns/message.c
===================================================================
--- bind-9.10.2-P4.orig/lib/dns/message.c
+++ bind-9.10.2-P4/lib/dns/message.c
@@ -1751,7 +1751,7 @@ dns_message_renderbegin(dns_message_t *m
if (r.length < DNS_MESSAGE_HEADERLEN)
return (ISC_R_NOSPACE);
- if (r.length < msg->reserved)
+ if (r.length - DNS_MESSAGE_HEADERLEN < msg->reserved)
return (ISC_R_NOSPACE);
/*
@@ -1878,8 +1878,29 @@ norender_rdataset(const dns_rdataset_t *
return (ISC_TRUE);
}
-
#endif
+
+static isc_result_t
+renderset(dns_rdataset_t *rdataset, dns_name_t *owner_name,
+ dns_compress_t *cctx, isc_buffer_t *target,
+ unsigned int reserved, unsigned int options, unsigned int *countp)
+{
+ isc_result_t result;
+
+ /*
+ * Shrink the space in the buffer by the reserved amount.
+ */
+ if (target->length - target->used < reserved)
+ return (ISC_R_NOSPACE);
+
+ target->length -= reserved;
+ result = dns_rdataset_towire(rdataset, owner_name,
+ cctx, target, options, countp);
+ target->length += reserved;
+
+ return (result);
+}
+
isc_result_t
dns_message_rendersection(dns_message_t *msg, dns_section_t sectionid,
unsigned int options)
@@ -1922,6 +1943,8 @@ dns_message_rendersection(dns_message_t
/*
* Shrink the space in the buffer by the reserved amount.
*/
+ if (msg->buffer->length - msg->buffer->used < msg->reserved)
+ return (ISC_R_NOSPACE);
msg->buffer->length -= msg->reserved;
total = 0;
@@ -2198,9 +2221,8 @@ dns_message_renderend(dns_message_t *msg
* Render.
*/
count = 0;
- result = dns_rdataset_towire(msg->opt, dns_rootname,
- msg->cctx, msg->buffer, 0,
- &count);
+ result = renderset(msg->opt, dns_rootname, msg->cctx,
+ msg->buffer, msg->reserved, 0, &count);
msg->counts[DNS_SECTION_ADDITIONAL] += count;
if (result != ISC_R_SUCCESS)
return (result);
@@ -2216,9 +2238,8 @@ dns_message_renderend(dns_message_t *msg
if (result != ISC_R_SUCCESS)
return (result);
count = 0;
- result = dns_rdataset_towire(msg->tsig, msg->tsigname,
- msg->cctx, msg->buffer, 0,
- &count);
+ result = renderset(msg->tsig, msg->tsigname, msg->cctx,
+ msg->buffer, msg->reserved, 0, &count);
msg->counts[DNS_SECTION_ADDITIONAL] += count;
if (result != ISC_R_SUCCESS)
return (result);
@@ -2239,9 +2260,8 @@ dns_message_renderend(dns_message_t *msg
* the owner name of a SIG(0) is irrelevant, and will not
* be set in a message being rendered.
*/
- result = dns_rdataset_towire(msg->sig0, dns_rootname,
- msg->cctx, msg->buffer, 0,
- &count);
+ result = renderset(msg->sig0, dns_rootname, msg->cctx,
+ msg->buffer, msg->reserved, 0, &count);
msg->counts[DNS_SECTION_ADDITIONAL] += count;
if (result != ISC_R_SUCCESS)
return (result);
Index: bind-9.10.2-P4/CHANGES
===================================================================
--- bind-9.10.2-P4.orig/CHANGES
+++ bind-9.10.2-P4/CHANGES
@@ -1,3 +1,6 @@
+4467. [security] It was possible to trigger a assertion when rendering
+ a message. [RT #43139]
+
4406. [bug] getrrsetbyname with a non absolute name could
trigger a infinite recursion bug in lwresd
and named with lwres configured if when combined
|