svn commit: r292321 - in releng/9.3: . contrib/bind9/lib/dns contrib/bind9/lib/dns/include/dns sys/conf
Xin LI
delphij at FreeBSD.org
Wed Dec 16 13:56:40 UTC 2015
Author: delphij
Date: Wed Dec 16 06:21:26 2015
New Revision: 292321
URL: https://svnweb.freebsd.org/changeset/base/292321
Log:
Fix BIND remote denial of service vulnerability. [SA-15:27]
Security: FreeBSD-SA-15:27.bind
Security: CVE-2015-8000
Approved by: so
Modified:
releng/9.3/UPDATING
releng/9.3/contrib/bind9/lib/dns/include/dns/message.h
releng/9.3/contrib/bind9/lib/dns/message.c
releng/9.3/contrib/bind9/lib/dns/resolver.c
releng/9.3/contrib/bind9/lib/dns/xfrin.c
releng/9.3/sys/conf/newvers.sh
Modified: releng/9.3/UPDATING
==============================================================================
--- releng/9.3/UPDATING Wed Dec 16 06:10:05 2015 (r292320)
+++ releng/9.3/UPDATING Wed Dec 16 06:21:26 2015 (r292321)
@@ -11,6 +11,9 @@ handbook:
Items affecting the ports and packages system can be found in
/usr/ports/UPDATING. Please read that file before running portupgrade.
+20151216 p32 FreeBSD-SA-15:27.bind
+ Fix BIND remote denial of service vulnerability. [SA-15:27]
+
20151205 p31 FreeBSD-SA-15:26.openssl
Fix OpenSSL X509_ATTRIBUTE memory leak. [SA-15:26]
Modified: releng/9.3/contrib/bind9/lib/dns/include/dns/message.h
==============================================================================
--- releng/9.3/contrib/bind9/lib/dns/include/dns/message.h Wed Dec 16 06:10:05 2015 (r292320)
+++ releng/9.3/contrib/bind9/lib/dns/include/dns/message.h Wed Dec 16 06:21:26 2015 (r292321)
@@ -15,8 +15,6 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id$ */
-
#ifndef DNS_MESSAGE_H
#define DNS_MESSAGE_H 1
@@ -211,6 +209,8 @@ struct dns_message {
unsigned int verify_attempted : 1;
unsigned int free_query : 1;
unsigned int free_saved : 1;
+ unsigned int tkey : 1;
+ unsigned int rdclass_set : 1;
unsigned int opt_reserved;
unsigned int sig_reserved;
@@ -1375,6 +1375,15 @@ dns_message_buildopt(dns_message_t *msg,
* \li other.
*/
+void
+dns_message_setclass(dns_message_t *msg, dns_rdataclass_t rdclass);
+/*%<
+ * Set the expected class of records in the response.
+ *
+ * Requires:
+ * \li msg be a valid message with parsing intent.
+ */
+
ISC_LANG_ENDDECLS
#endif /* DNS_MESSAGE_H */
Modified: releng/9.3/contrib/bind9/lib/dns/message.c
==============================================================================
--- releng/9.3/contrib/bind9/lib/dns/message.c Wed Dec 16 06:10:05 2015 (r292320)
+++ releng/9.3/contrib/bind9/lib/dns/message.c Wed Dec 16 06:21:26 2015 (r292321)
@@ -436,6 +436,8 @@ msginit(dns_message_t *m) {
m->saved.base = NULL;
m->saved.length = 0;
m->free_saved = 0;
+ m->tkey = 0;
+ m->rdclass_set = 0;
m->querytsig = NULL;
}
@@ -1086,13 +1088,19 @@ getquestions(isc_buffer_t *source, dns_m
* If this class is different than the one we already read,
* this is an error.
*/
- if (msg->state == DNS_SECTION_ANY) {
- msg->state = DNS_SECTION_QUESTION;
+ if (msg->rdclass_set == 0) {
msg->rdclass = rdclass;
+ msg->rdclass_set = 1;
} else if (msg->rdclass != rdclass)
DO_FORMERR;
/*
+ * Is this a TKEY query?
+ */
+ if (rdtype == dns_rdatatype_tkey)
+ msg->tkey = 1;
+
+ /*
* Can't ask the same question twice.
*/
result = dns_message_find(name, rdclass, rdtype, 0, NULL);
@@ -1236,12 +1244,12 @@ getsection(isc_buffer_t *source, dns_mes
* If there was no question section, we may not yet have
* established a class. Do so now.
*/
- if (msg->state == DNS_SECTION_ANY &&
+ if (msg->rdclass_set == 0 &&
rdtype != dns_rdatatype_opt && /* class is UDP SIZE */
rdtype != dns_rdatatype_tsig && /* class is ANY */
rdtype != dns_rdatatype_tkey) { /* class is undefined */
msg->rdclass = rdclass;
- msg->state = DNS_SECTION_QUESTION;
+ msg->rdclass_set = 1;
}
/*
@@ -1251,7 +1259,7 @@ getsection(isc_buffer_t *source, dns_mes
if (msg->opcode != dns_opcode_update
&& rdtype != dns_rdatatype_tsig
&& rdtype != dns_rdatatype_opt
- && rdtype != dns_rdatatype_dnskey /* in a TKEY query */
+ && rdtype != dns_rdatatype_key /* in a TKEY query */
&& rdtype != dns_rdatatype_sig /* SIG(0) */
&& rdtype != dns_rdatatype_tkey /* Win2000 TKEY */
&& msg->rdclass != dns_rdataclass_any
@@ -1259,6 +1267,16 @@ getsection(isc_buffer_t *source, dns_mes
DO_FORMERR;
/*
+ * If this is not a TKEY query/response then the KEY
+ * record's class needs to match.
+ */
+ if (msg->opcode != dns_opcode_update && !msg->tkey &&
+ rdtype == dns_rdatatype_key &&
+ msg->rdclass != dns_rdataclass_any &&
+ msg->rdclass != rdclass)
+ DO_FORMERR;
+
+ /*
* Special type handling for TSIG, OPT, and TKEY.
*/
if (rdtype == dns_rdatatype_tsig) {
@@ -1372,6 +1390,10 @@ getsection(isc_buffer_t *source, dns_mes
skip_name_search = ISC_TRUE;
skip_type_search = ISC_TRUE;
issigzero = ISC_TRUE;
+ } else {
+ if (msg->rdclass != dns_rdataclass_any &&
+ msg->rdclass != rdclass)
+ DO_FORMERR;
}
} else
covers = 0;
@@ -1610,6 +1632,7 @@ dns_message_parse(dns_message_t *msg, is
msg->counts[DNS_SECTION_ADDITIONAL] = isc_buffer_getuint16(source);
msg->header_ok = 1;
+ msg->state = DNS_SECTION_QUESTION;
/*
* -1 means no EDNS.
@@ -3550,3 +3573,15 @@ dns_message_buildopt(dns_message_t *mess
dns_message_puttemprdatalist(message, &rdatalist);
return (result);
}
+
+void
+dns_message_setclass(dns_message_t *msg, dns_rdataclass_t rdclass) {
+
+ REQUIRE(DNS_MESSAGE_VALID(msg));
+ REQUIRE(msg->from_to_wire == DNS_MESSAGE_INTENTPARSE);
+ REQUIRE(msg->state == DNS_SECTION_ANY);
+ REQUIRE(msg->rdclass_set == 0);
+
+ msg->rdclass = rdclass;
+ msg->rdclass_set = 1;
+}
Modified: releng/9.3/contrib/bind9/lib/dns/resolver.c
==============================================================================
--- releng/9.3/contrib/bind9/lib/dns/resolver.c Wed Dec 16 06:10:05 2015 (r292320)
+++ releng/9.3/contrib/bind9/lib/dns/resolver.c Wed Dec 16 06:21:26 2015 (r292321)
@@ -6941,6 +6941,8 @@ resquery_response(isc_task_t *task, isc_
goto done;
}
+ dns_message_setclass(message, fctx->res->rdclass);
+
result = dns_message_parse(message, &devent->buffer, 0);
if (result != ISC_R_SUCCESS) {
switch (result) {
@@ -7013,6 +7015,12 @@ resquery_response(isc_task_t *task, isc_
*/
log_packet(message, ISC_LOG_DEBUG(10), fctx->res->mctx);
+ if (message->rdclass != fctx->res->rdclass) {
+ resend = ISC_TRUE;
+ FCTXTRACE("bad class");
+ goto done;
+ }
+
/*
* Process receive opt record.
*/
Modified: releng/9.3/contrib/bind9/lib/dns/xfrin.c
==============================================================================
--- releng/9.3/contrib/bind9/lib/dns/xfrin.c Wed Dec 16 06:10:05 2015 (r292320)
+++ releng/9.3/contrib/bind9/lib/dns/xfrin.c Wed Dec 16 06:21:26 2015 (r292321)
@@ -1211,6 +1211,8 @@ xfrin_recv_done(isc_task_t *task, isc_ev
msg->tsigctx = xfr->tsigctx;
xfr->tsigctx = NULL;
+ dns_message_setclass(msg, xfr->rdclass);
+
if (xfr->nmsg > 0)
msg->tcp_continuation = 1;
Modified: releng/9.3/sys/conf/newvers.sh
==============================================================================
--- releng/9.3/sys/conf/newvers.sh Wed Dec 16 06:10:05 2015 (r292320)
+++ releng/9.3/sys/conf/newvers.sh Wed Dec 16 06:21:26 2015 (r292321)
@@ -32,7 +32,7 @@
TYPE="FreeBSD"
REVISION="9.3"
-BRANCH="RELEASE-p31"
+BRANCH="RELEASE-p32"
if [ "X${BRANCH_OVERRIDE}" != "X" ]; then
BRANCH=${BRANCH_OVERRIDE}
fi
More information about the svn-src-releng
mailing list