path: root/meta/recipes-connectivity/bind/bind/bind-CVE-2012-1667.patch
blob: c441eab65d3d15a355412d1ae7ebb69ae6b0576b (plain)
bind CVE-2012-1667

Upstream-Status: Backport

ISC BIND 9.x before 9.7.6-P1, 9.8.x before 9.8.3-P1, 9.9.x before 9.9.1-P1,
and 9.4-ESV and 9.6-ESV before 9.6-ESV-R7-P1 does not properly handle resource
records with a zero-length RDATA section, which allows remote DNS servers to
cause a denial of service (daemon crash or data corruption) or obtain
sensitive information from process memory via a crafted record.

http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-1667

The CVE patch comes from the bind97-9.7.0-10.P2.el5_8.1.src.rpm package.

Signed-off-by: Li Wang <li.wang@windriver.com>
---
 lib/dns/rdata.c     |    8 ++++----
 lib/dns/rdataslab.c |   11 ++++++++---
 2 files changed, 12 insertions(+), 7 deletions(-)

diff --git a/lib/dns/rdata.c b/lib/dns/rdata.c
index 063b1f6..9337a80 100644
--- a/lib/dns/rdata.c
+++ b/lib/dns/rdata.c
@@ -325,8 +325,8 @@ dns_rdata_compare(const dns_rdata_t *rdata1, const dns_rdata_t *rdata2) {
 
 	REQUIRE(rdata1 != NULL);
 	REQUIRE(rdata2 != NULL);
-	REQUIRE(rdata1->data != NULL);
-	REQUIRE(rdata2->data != NULL);
+	REQUIRE(rdata1->length == 0 || rdata1->data != NULL);
+	REQUIRE(rdata2->length == 0 || rdata2->data != NULL);
 	REQUIRE(DNS_RDATA_VALIDFLAGS(rdata1));
 	REQUIRE(DNS_RDATA_VALIDFLAGS(rdata2));
 
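Review bot: Relaxing the precondition to `rdata1->length == 0 || rdata1->data != NULL` lets a NULL `data` pointer reach the comparison code below these checks, which lies outside the hunk. If that code hands `data` to `memcmp` or a region compare, a NULL pointer with length 0 is undefined by the C standard even though common libcs tolerate it, so handling the zero-length case explicitly before the byte comparison would be safer. A short comment such as `/* data may be NULL only when length is 0 (empty RDATA, CVE-2012-1667) */` above the two REQUIREs would record why the check was weakened. The same applies to the identical change in dns_rdata_casecompare in the next hunk.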
@@ -356,8 +356,8 @@ dns_rdata_casecompare(const dns_rdata_t *rdata1, const dns_rdata_t *rdata2) {
 
 	REQUIRE(rdata1 != NULL);
 	REQUIRE(rdata2 != NULL);
-	REQUIRE(rdata1->data != NULL);
-	REQUIRE(rdata2->data != NULL);
+	REQUIRE(rdata1->length == 0 || rdata1->data != NULL);
+	REQUIRE(rdata2->length == 0 || rdata2->data != NULL);
 	REQUIRE(DNS_RDATA_VALIDFLAGS(rdata1));
 	REQUIRE(DNS_RDATA_VALIDFLAGS(rdata2));
 
diff --git a/lib/dns/rdataslab.c b/lib/dns/rdataslab.c
index a41f16f..ed13b30 100644
--- a/lib/dns/rdataslab.c
+++ b/lib/dns/rdataslab.c
@@ -125,6 +125,11 @@ isc_result_t
 dns_rdataslab_fromrdataset(dns_rdataset_t *rdataset, isc_mem_t *mctx,
 			   isc_region_t *region, unsigned int reservelen)
 {
+	/*
+	 * Use &removed as a sentinal pointer for duplicate
+	 * rdata as rdata.data == NULL is valid.
+	 */
+	static unsigned char removed;
 	struct xrdata  *x;
 	unsigned char  *rawbuf;
 #if DNS_RDATASET_FIXED
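Review bot: The comment on `removed` misspells "sentinel" and does not say that only the variable's address is ever used. In the visible hunks `&removed` is assigned and compared but never dereferenced, so I would reword it to `Use &removed as a sentinel pointer for duplicate rdata, since rdata.data == NULL is valid for zero-length rdata; the byte itself is never read or written.` That wording also explains why a function-local static shared by all callers is harmless. The function body continues outside the hunk.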
@@ -168,6 +173,7 @@ dns_rdataslab_fromrdataset(dns_rdataset_t *rdataset, isc_mem_t *mctx,
 		INSIST(result == ISC_R_SUCCESS);
 		dns_rdata_init(&x[i].rdata);
 		dns_rdataset_current(rdataset, &x[i].rdata);
+		INSIST(x[i].rdata.data != &removed);
 #if DNS_RDATASET_FIXED
 		x[i].order = i;
 #endif
@@ -200,8 +206,7 @@ dns_rdataslab_fromrdataset(dns_rdataset_t *rdataset, isc_mem_t *mctx,
 	 */
 	for (i = 1; i < nalloc; i++) {
 		if (compare_rdata(&x[i-1].rdata, &x[i].rdata) == 0) {
-			x[i-1].rdata.data = NULL;
-			x[i-1].rdata.length = 0;
+			x[i-1].rdata.data = &removed;
 #if DNS_RDATASET_FIXED
 			/*
 			 * Preserve the least order so A, B, A -> A, B
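Review bot: Marking a duplicate with `x[i-1].rdata.data = &removed;` drops the old `length = 0` reset, so a removed entry now pairs a one-byte static object with its original, possibly non-zero length. The final copy loop skips these entries, but any other code in this function (outside the hunk) that reads `length` bytes from `data` without first testing for the sentinel would read past `removed`. Keeping `x[i-1].rdata.length = 0;` next to the sentinel assignment appears harmless here and keeps the entry self-consistent.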
@@ -291,7 +296,7 @@ dns_rdataslab_fromrdataset(dns_rdataset_t *rdataset, isc_mem_t *mctx,
 #endif
 
 	for (i = 0; i < nalloc; i++) {
-		if (x[i].rdata.data == NULL)
+		if (x[i].rdata.data == &removed)
 			continue;
 #if DNS_RDATASET_FIXED
 		offsettable[x[i].order] = rawbuf - offsetbase;
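Review bot: Entries with `data == NULL` and `length == 0` are no longer skipped by `if (x[i].rdata.data == &removed)` and now reach the copy code that follows this hunk. If that code calls `memcpy` with `x[i].rdata.data`, the call receives a NULL source with size 0, which the C standard leaves undefined. Guarding the copy with `if (x[i].rdata.length != 0)` avoids relying on libc tolerance. The loop body continues outside the hunk, so this needs checking against the full function.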
-- 
1.7.0.5