svn commit: r275917 - in user/cperciva/freebsd-update-build/patches: 10.0-RELEASE 10.1-RELEASE 8.4-RELEASE 9.1-RELEASE 9.2-RELEASE 9.3-RELEASE
Xin LI
delphij at FreeBSD.org
Thu Dec 18 19:33:31 UTC 2014
Author: delphij
Date: Thu Dec 18 19:33:28 2014
New Revision: 275917
URL: https://svnweb.freebsd.org/changeset/base/275917
Log:
Add patches for recent patch batches.
Added:
user/cperciva/freebsd-update-build/patches/10.0-RELEASE/13-SA-14:28.file
user/cperciva/freebsd-update-build/patches/10.0-RELEASE/14-SA-14:30.unbound
user/cperciva/freebsd-update-build/patches/10.1-RELEASE/1-SA-14:27.stdio
user/cperciva/freebsd-update-build/patches/10.1-RELEASE/1-SA-14:28.file
user/cperciva/freebsd-update-build/patches/10.1-RELEASE/2-SA-14:30.unbound
user/cperciva/freebsd-update-build/patches/8.4-RELEASE/20-SA-14:28.file
user/cperciva/freebsd-update-build/patches/8.4-RELEASE/20-SA-14:29.bind
user/cperciva/freebsd-update-build/patches/9.1-RELEASE/23-SA-14:28.file
user/cperciva/freebsd-update-build/patches/9.1-RELEASE/23-SA-14:29.bind
user/cperciva/freebsd-update-build/patches/9.2-RELEASE/16-SA-14:28.file
user/cperciva/freebsd-update-build/patches/9.2-RELEASE/16-SA-14:29.bind
user/cperciva/freebsd-update-build/patches/9.3-RELEASE/6-SA-14:28.file
user/cperciva/freebsd-update-build/patches/9.3-RELEASE/6-SA-14:29.bind
Added: user/cperciva/freebsd-update-build/patches/10.0-RELEASE/13-SA-14:28.file
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ user/cperciva/freebsd-update-build/patches/10.0-RELEASE/13-SA-14:28.file Thu Dec 18 19:33:28 2014 (r275917)
@@ -0,0 +1,147 @@
+Index: contrib/file/elfclass.h
+===================================================================
+--- contrib/file/elfclass.h.orig
++++ contrib/file/elfclass.h
+@@ -35,10 +35,12 @@
+ switch (type) {
+ #ifdef ELFCORE
+ case ET_CORE:
++ phnum = elf_getu16(swap, elfhdr.e_phnum);
++ if (phnum > MAX_PHNUM)
++ return toomany(ms, "program", phnum);
+ flags |= FLAGS_IS_CORE;
+ if (dophn_core(ms, clazz, swap, fd,
+- (off_t)elf_getu(swap, elfhdr.e_phoff),
+- elf_getu16(swap, elfhdr.e_phnum),
++ (off_t)elf_getu(swap, elfhdr.e_phoff), phnum,
+ (size_t)elf_getu16(swap, elfhdr.e_phentsize),
+ fsize, &flags) == -1)
+ return -1;
+@@ -46,18 +48,24 @@
+ #endif
+ case ET_EXEC:
+ case ET_DYN:
++ phnum = elf_getu16(swap, elfhdr.e_phnum);
++ if (phnum > MAX_PHNUM)
++ return toomany(ms, "program", phnum);
++ shnum = elf_getu16(swap, elfhdr.e_shnum);
++ if (shnum > MAX_SHNUM)
++ return toomany(ms, "section", shnum);
+ if (dophn_exec(ms, clazz, swap, fd,
+- (off_t)elf_getu(swap, elfhdr.e_phoff),
+- elf_getu16(swap, elfhdr.e_phnum),
++ (off_t)elf_getu(swap, elfhdr.e_phoff), phnum,
+ (size_t)elf_getu16(swap, elfhdr.e_phentsize),
+- fsize, &flags, elf_getu16(swap, elfhdr.e_shnum))
+- == -1)
++ fsize, &flags, shnum) == -1)
+ return -1;
+ /*FALLTHROUGH*/
+ case ET_REL:
++ shnum = elf_getu16(swap, elfhdr.e_shnum);
++ if (shnum > MAX_SHNUM)
++ return toomany(ms, "section", shnum);
+ if (doshn(ms, clazz, swap, fd,
+- (off_t)elf_getu(swap, elfhdr.e_shoff),
+- elf_getu16(swap, elfhdr.e_shnum),
++ (off_t)elf_getu(swap, elfhdr.e_shoff), shnum,
+ (size_t)elf_getu16(swap, elfhdr.e_shentsize),
+ fsize, &flags, elf_getu16(swap, elfhdr.e_machine)) == -1)
+ return -1;
+Index: contrib/file/readelf.c
+===================================================================
+--- contrib/file/readelf.c.orig
++++ contrib/file/readelf.c
+@@ -60,6 +60,18 @@
+ private uint32_t getu32(int, uint32_t);
+ private uint64_t getu64(int, uint64_t);
+
++#define MAX_PHNUM 256
++#define MAX_SHNUM 1024
++
++private int
++toomany(struct magic_set *ms, const char *name, uint16_t num)
++{
++ if (file_printf(ms, ", too many %s header sections (%u)", name, num
++ ) == -1)
++ return -1;
++ return 0;
++}
++
+ private uint16_t
+ getu16(int swap, uint16_t value)
+ {
+@@ -384,13 +396,13 @@
+ if (namesz & 0x80000000) {
+ (void)file_printf(ms, ", bad note name size 0x%lx",
+ (unsigned long)namesz);
+- return offset;
++ return 0;
+ }
+
+ if (descsz & 0x80000000) {
+ (void)file_printf(ms, ", bad note description size 0x%lx",
+ (unsigned long)descsz);
+- return offset;
++ return 0;
+ }
+
+
+@@ -847,6 +859,7 @@
+ Elf32_Shdr sh32;
+ Elf64_Shdr sh64;
+ int stripped = 1;
++ size_t nbadcap = 0;
+ void *nbuf;
+ off_t noff, coff;
+ uint64_t cap_hw1 = 0; /* SunOS 5.x hardware capabilites */
+@@ -919,6 +932,8 @@
+ free(nbuf);
+ break;
+ case SHT_SUNW_cap:
++ if (nbadcap > 5)
++ break;
+ if (lseek(fd, (off_t)xsh_offset, SEEK_SET) ==
+ (off_t)-1) {
+ file_badseek(ms);
+@@ -955,6 +970,8 @@
+ (unsigned long long)xcap_tag,
+ (unsigned long long)xcap_val) == -1)
+ return -1;
++ if (nbadcap++ > 2)
++ coff = xsh_size;
+ break;
+ }
+ }
+@@ -1142,7 +1159,7 @@
+ int flags = 0;
+ Elf32_Ehdr elf32hdr;
+ Elf64_Ehdr elf64hdr;
+- uint16_t type;
++ uint16_t type, phnum, shnum;
+
+ if (ms->flags & (MAGIC_MIME|MAGIC_APPLE))
+ return 0;
+Index: contrib/file/softmagic.c
+===================================================================
+--- contrib/file/softmagic.c.orig
++++ contrib/file/softmagic.c
+@@ -61,6 +61,9 @@
+ private void cvt_64(union VALUETYPE *, const struct magic *);
+
+ #define OFFSET_OOB(n, o, i) ((n) < (o) || (i) > ((n) - (o)))
++
++#define MAX_RECURSION_LEVEL 10
++
+ /*
+ * softmagic - lookup one file in parsed, in-memory copy of database
+ * Passed the name and FILE * of one file to be typed.
+@@ -1027,7 +1030,7 @@
+ uint32_t count = m->str_range;
+ union VALUETYPE *p = &ms->ms_value;
+
+- if (recursion_level >= 20) {
++ if (recursion_level >= MAX_RECURSION_LEVEL) {
+ file_error(ms, 0, "recursion nesting exceeded");
+ return -1;
+ }
Added: user/cperciva/freebsd-update-build/patches/10.0-RELEASE/14-SA-14:30.unbound
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ user/cperciva/freebsd-update-build/patches/10.0-RELEASE/14-SA-14:30.unbound Thu Dec 18 19:33:28 2014 (r275917)
@@ -0,0 +1,149 @@
+Index: contrib/unbound/iterator/iterator.c
+===================================================================
+--- contrib/unbound/iterator/iterator.c (revision 275717)
++++ contrib/unbound/iterator/iterator.c (working copy)
+@@ -117,6 +117,7 @@ iter_new(struct module_qstate* qstate, int id)
+ iq->query_restart_count = 0;
+ iq->referral_count = 0;
+ iq->sent_count = 0;
++ iq->target_count = NULL;
+ iq->wait_priming_stub = 0;
+ iq->refetch_glue = 0;
+ iq->dnssec_expected = 0;
+@@ -442,6 +443,26 @@ handle_cname_response(struct module_qstate* qstate
+ return 1;
+ }
+
++/** create target count structure for this query */
++static void
++target_count_create(struct iter_qstate* iq)
++{
++ if(!iq->target_count) {
++ iq->target_count = (int*)calloc(2, sizeof(int));
++ /* if calloc fails we simply do not track this number */
++ if(iq->target_count)
++ iq->target_count[0] = 1;
++ }
++}
++
++static void
++target_count_increase(struct iter_qstate* iq, int num)
++{
++ target_count_create(iq);
++ if(iq->target_count)
++ iq->target_count[1] += num;
++}
++
+ /**
+ * Generate a subrequest.
+ * Generate a local request event. Local events are tied to this module, and
+@@ -513,6 +534,10 @@ generate_sub_request(uint8_t* qname, size_t qnamel
+ subiq = (struct iter_qstate*)subq->minfo[id];
+ memset(subiq, 0, sizeof(*subiq));
+ subiq->num_target_queries = 0;
++ target_count_create(iq);
++ subiq->target_count = iq->target_count;
++ if(iq->target_count)
++ iq->target_count[0] ++; /* extra reference */
+ subiq->num_current_queries = 0;
+ subiq->depth = iq->depth+1;
+ outbound_list_init(&subiq->outlist);
+@@ -1339,6 +1364,12 @@ query_for_targets(struct module_qstate* qstate, st
+
+ if(iq->depth == ie->max_dependency_depth)
+ return 0;
++ if(iq->depth > 0 && iq->target_count &&
++ iq->target_count[1] > MAX_TARGET_COUNT) {
++ verbose(VERB_QUERY, "request has exceeded the maximum "
++ "number of glue fetches %d", iq->target_count[1]);
++ return 0;
++ }
+
+ iter_mark_cycle_targets(qstate, iq->dp);
+ missing = (int)delegpt_count_missing_targets(iq->dp);
+@@ -1487,6 +1518,7 @@ processLastResort(struct module_qstate* qstate, st
+ return error_response(qstate, id, LDNS_RCODE_SERVFAIL);
+ }
+ iq->num_target_queries += qs;
++ target_count_increase(iq, qs);
+ if(qs != 0) {
+ qstate->ext_state[id] = module_wait_subquery;
+ return 0; /* and wait for them */
+@@ -1496,6 +1528,12 @@ processLastResort(struct module_qstate* qstate, st
+ verbose(VERB_QUERY, "maxdepth and need more nameservers, fail");
+ return error_response_cache(qstate, id, LDNS_RCODE_SERVFAIL);
+ }
++ if(iq->depth > 0 && iq->target_count &&
++ iq->target_count[1] > MAX_TARGET_COUNT) {
++ verbose(VERB_QUERY, "request has exceeded the maximum "
++ "number of glue fetches %d", iq->target_count[1]);
++ return error_response_cache(qstate, id, LDNS_RCODE_SERVFAIL);
++ }
+ /* mark cycle targets for parent-side lookups */
+ iter_mark_pside_cycle_targets(qstate, iq->dp);
+ /* see if we can issue queries to get nameserver addresses */
+@@ -1525,6 +1563,7 @@ processLastResort(struct module_qstate* qstate, st
+ if(query_count != 0) { /* suspend to await results */
+ verbose(VERB_ALGO, "try parent-side glue lookup");
+ iq->num_target_queries += query_count;
++ target_count_increase(iq, query_count);
+ qstate->ext_state[id] = module_wait_subquery;
+ return 0;
+ }
+@@ -1680,6 +1719,7 @@ processQueryTargets(struct module_qstate* qstate,
+ return error_response(qstate, id, LDNS_RCODE_SERVFAIL);
+ }
+ iq->num_target_queries += extra;
++ target_count_increase(iq, extra);
+ if(iq->num_target_queries > 0) {
+ /* wait to get all targets, we want to try em */
+ verbose(VERB_ALGO, "wait for all targets for fallback");
+@@ -1720,6 +1760,7 @@ processQueryTargets(struct module_qstate* qstate,
+ /* errors ignored, these targets are not strictly necessary for
+ * this result, we do not have to reply with SERVFAIL */
+ iq->num_target_queries += extra;
++ target_count_increase(iq, extra);
+ }
+
+ /* Add the current set of unused targets to our queue. */
+@@ -1765,6 +1806,7 @@ processQueryTargets(struct module_qstate* qstate,
+ return 1;
+ }
+ iq->num_target_queries += qs;
++ target_count_increase(iq, qs);
+ }
+ /* Since a target query might have been made, we
+ * need to check again. */
+@@ -2847,6 +2889,8 @@ iter_clear(struct module_qstate* qstate, int id)
+ iq = (struct iter_qstate*)qstate->minfo[id];
+ if(iq) {
+ outbound_list_clear(&iq->outlist);
++ if(iq->target_count && --iq->target_count[0] == 0)
++ free(iq->target_count);
+ iq->num_current_queries = 0;
+ }
+ qstate->minfo[id] = NULL;
+Index: contrib/unbound/iterator/iterator.h
+===================================================================
+--- contrib/unbound/iterator/iterator.h (revision 275717)
++++ contrib/unbound/iterator/iterator.h (working copy)
+@@ -52,6 +52,8 @@ struct iter_donotq;
+ struct iter_prep_list;
+ struct iter_priv;
+
++/** max number of targets spawned for a query and its subqueries */
++#define MAX_TARGET_COUNT 32
+ /** max number of query restarts. Determines max number of CNAME chain. */
+ #define MAX_RESTART_COUNT 8
+ /** max number of referrals. Makes sure resolver does not run away */
+@@ -254,6 +256,10 @@ struct iter_qstate {
+
+ /** number of queries fired off */
+ int sent_count;
++
++ /** number of target queries spawned in [1], for this query and its
++ * subqueries, the malloced-array is shared, [0] refcount. */
++ int* target_count;
+
+ /**
+ * The query must store NS records from referrals as parentside RRs
Added: user/cperciva/freebsd-update-build/patches/10.1-RELEASE/1-SA-14:27.stdio
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ user/cperciva/freebsd-update-build/patches/10.1-RELEASE/1-SA-14:27.stdio Thu Dec 18 19:33:28 2014 (r275917)
@@ -0,0 +1,22 @@
+Index: lib/libc/stdio/fflush.c
+===================================================================
+--- lib/libc/stdio/fflush.c (revision 274946)
++++ lib/libc/stdio/fflush.c (working copy)
+@@ -124,11 +124,13 @@ __sflush(FILE *fp)
+ t = _swrite(fp, (char *)p, n);
+ if (t <= 0) {
+ /* Reset _p and _w. */
+- if (p > fp->_p) /* Some was written. */
++ if (p > fp->_p) {
++ /* Some was written. */
+ memmove(fp->_p, p, n);
+- fp->_p += n;
+- if ((fp->_flags & (__SLBF | __SNBF)) == 0)
+- fp->_w -= n;
++ fp->_p += n;
++ if ((fp->_flags & (__SLBF | __SNBF)) == 0)
++ fp->_w -= n;
++ }
+ fp->_flags |= __SERR;
+ return (EOF);
+ }
Added: user/cperciva/freebsd-update-build/patches/10.1-RELEASE/1-SA-14:28.file
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ user/cperciva/freebsd-update-build/patches/10.1-RELEASE/1-SA-14:28.file Thu Dec 18 19:33:28 2014 (r275917)
@@ -0,0 +1,288 @@
+Index: contrib/file/src/elfclass.h
+===================================================================
+--- contrib/file/src/elfclass.h (revision 275629)
++++ contrib/file/src/elfclass.h (working copy)
+@@ -35,10 +35,12 @@
+ switch (type) {
+ #ifdef ELFCORE
+ case ET_CORE:
++ phnum = elf_getu16(swap, elfhdr.e_phnum);
++ if (phnum > MAX_PHNUM)
++ return toomany(ms, "program", phnum);
+ flags |= FLAGS_IS_CORE;
+ if (dophn_core(ms, clazz, swap, fd,
+- (off_t)elf_getu(swap, elfhdr.e_phoff),
+- elf_getu16(swap, elfhdr.e_phnum),
++ (off_t)elf_getu(swap, elfhdr.e_phoff), phnum,
+ (size_t)elf_getu16(swap, elfhdr.e_phentsize),
+ fsize, &flags) == -1)
+ return -1;
+@@ -46,18 +48,24 @@
+ #endif
+ case ET_EXEC:
+ case ET_DYN:
++ phnum = elf_getu16(swap, elfhdr.e_phnum);
++ if (phnum > MAX_PHNUM)
++ return toomany(ms, "program", phnum);
++ shnum = elf_getu16(swap, elfhdr.e_shnum);
++ if (shnum > MAX_SHNUM)
++ return toomany(ms, "section", shnum);
+ if (dophn_exec(ms, clazz, swap, fd,
+- (off_t)elf_getu(swap, elfhdr.e_phoff),
+- elf_getu16(swap, elfhdr.e_phnum),
++ (off_t)elf_getu(swap, elfhdr.e_phoff), phnum,
+ (size_t)elf_getu16(swap, elfhdr.e_phentsize),
+- fsize, &flags, elf_getu16(swap, elfhdr.e_shnum))
+- == -1)
++ fsize, &flags, shnum) == -1)
+ return -1;
+ /*FALLTHROUGH*/
+ case ET_REL:
++ shnum = elf_getu16(swap, elfhdr.e_shnum);
++ if (shnum > MAX_SHNUM)
++ return toomany(ms, "section", shnum);
+ if (doshn(ms, clazz, swap, fd,
+- (off_t)elf_getu(swap, elfhdr.e_shoff),
+- elf_getu16(swap, elfhdr.e_shnum),
++ (off_t)elf_getu(swap, elfhdr.e_shoff), shnum,
+ (size_t)elf_getu16(swap, elfhdr.e_shentsize),
+ fsize, &flags, elf_getu16(swap, elfhdr.e_machine),
+ (int)elf_getu16(swap, elfhdr.e_shstrndx)) == -1)
+Index: contrib/file/src/file.h
+===================================================================
+--- contrib/file/src/file.h (revision 275629)
++++ contrib/file/src/file.h (working copy)
+@@ -482,6 +482,14 @@ protected int file_regexec(file_regex_t *, const c
+ protected void file_regfree(file_regex_t *);
+ protected void file_regerror(file_regex_t *, int, struct magic_set *);
+
++typedef struct {
++ char *buf;
++ uint32_t offset;
++} file_pushbuf_t;
++
++protected file_pushbuf_t *file_push_buffer(struct magic_set *);
++protected char *file_pop_buffer(struct magic_set *, file_pushbuf_t *);
++
+ #ifndef COMPILE_ONLY
+ extern const char *file_names[];
+ extern const size_t file_nnames;
+Index: contrib/file/src/funcs.c
+===================================================================
+--- contrib/file/src/funcs.c (revision 275629)
++++ contrib/file/src/funcs.c (working copy)
+@@ -491,3 +491,43 @@ file_regerror(file_regex_t *rx, int rc, struct mag
+ file_magerror(ms, "regex error %d for `%s', (%s)", rc, rx->pat,
+ errmsg);
+ }
++
++protected file_pushbuf_t *
++file_push_buffer(struct magic_set *ms)
++{
++ file_pushbuf_t *pb;
++
++ if (ms->event_flags & EVENT_HAD_ERR)
++ return NULL;
++
++ if ((pb = (CAST(file_pushbuf_t *, malloc(sizeof(*pb))))) == NULL)
++ return NULL;
++
++ pb->buf = ms->o.buf;
++ pb->offset = ms->offset;
++
++ ms->o.buf = NULL;
++ ms->offset = 0;
++
++ return pb;
++}
++
++protected char *
++file_pop_buffer(struct magic_set *ms, file_pushbuf_t *pb)
++{
++ char *rbuf;
++
++ if (ms->event_flags & EVENT_HAD_ERR) {
++ free(pb->buf);
++ free(pb);
++ return NULL;
++ }
++
++ rbuf = ms->o.buf;
++
++ ms->o.buf = pb->buf;
++ ms->offset = pb->offset;
++
++ free(pb);
++ return rbuf;
++}
+Index: contrib/file/src/readelf.c
+===================================================================
+--- contrib/file/src/readelf.c (revision 275629)
++++ contrib/file/src/readelf.c (working copy)
+@@ -60,6 +60,18 @@ private uint16_t getu16(int, uint16_t);
+ private uint32_t getu32(int, uint32_t);
+ private uint64_t getu64(int, uint64_t);
+
++#define MAX_PHNUM 256
++#define MAX_SHNUM 1024
++
++private int
++toomany(struct magic_set *ms, const char *name, uint16_t num)
++{
++ if (file_printf(ms, ", too many %s header sections (%u)", name, num
++ ) == -1)
++ return -1;
++ return 0;
++}
++
+ private uint16_t
+ getu16(int swap, uint16_t value)
+ {
+@@ -477,6 +489,13 @@ donote(struct magic_set *ms, void *vbuf, size_t of
+ uint32_t namesz, descsz;
+ unsigned char *nbuf = CAST(unsigned char *, vbuf);
+
++ if (xnh_sizeof + offset > size) {
++ /*
++ * We're out of note headers.
++ */
++ return xnh_sizeof + offset;
++ }
++
+ (void)memcpy(xnh_addr, &nbuf[offset], xnh_sizeof);
+ offset += xnh_sizeof;
+
+@@ -492,13 +511,13 @@ donote(struct magic_set *ms, void *vbuf, size_t of
+ if (namesz & 0x80000000) {
+ (void)file_printf(ms, ", bad note name size 0x%lx",
+ (unsigned long)namesz);
+- return offset;
++ return 0;
+ }
+
+ if (descsz & 0x80000000) {
+ (void)file_printf(ms, ", bad note description size 0x%lx",
+ (unsigned long)descsz);
+- return offset;
++ return 0;
+ }
+
+
+@@ -900,6 +919,7 @@ doshn(struct magic_set *ms, int clazz, int swap, i
+ Elf32_Shdr sh32;
+ Elf64_Shdr sh64;
+ int stripped = 1;
++ size_t nbadcap = 0;
+ void *nbuf;
+ off_t noff, coff, name_off;
+ uint64_t cap_hw1 = 0; /* SunOS 5.x hardware capabilites */
+@@ -988,6 +1008,8 @@ doshn(struct magic_set *ms, int clazz, int swap, i
+ goto skip;
+ }
+
++ if (nbadcap > 5)
++ break;
+ if (lseek(fd, xsh_offset, SEEK_SET) == (off_t)-1) {
+ file_badseek(ms);
+ return -1;
+@@ -1053,6 +1075,8 @@ doshn(struct magic_set *ms, int clazz, int swap, i
+ (unsigned long long)xcap_tag,
+ (unsigned long long)xcap_val) == -1)
+ return -1;
++ if (nbadcap++ > 2)
++ coff = xsh_size;
+ break;
+ }
+ }
+@@ -1233,7 +1257,7 @@ file_tryelf(struct magic_set *ms, int fd, const un
+ int flags = 0;
+ Elf32_Ehdr elf32hdr;
+ Elf64_Ehdr elf64hdr;
+- uint16_t type;
++ uint16_t type, phnum, shnum;
+
+ if (ms->flags & (MAGIC_MIME|MAGIC_APPLE))
+ return 0;
+Index: contrib/file/src/softmagic.c
+===================================================================
+--- contrib/file/src/softmagic.c (revision 275629)
++++ contrib/file/src/softmagic.c (working copy)
+@@ -67,6 +67,9 @@ private void cvt_32(union VALUETYPE *, const struc
+ private void cvt_64(union VALUETYPE *, const struct magic *);
+
+ #define OFFSET_OOB(n, o, i) ((n) < (o) || (i) > ((n) - (o)))
++
++#define MAX_RECURSION_LEVEL 10
++
+ /*
+ * softmagic - lookup one file in parsed, in-memory copy of database
+ * Passed the name and FILE * of one file to be typed.
+@@ -1193,14 +1196,15 @@ mget(struct magic_set *ms, const unsigned char *s,
+ int flip, int recursion_level, int *printed_something,
+ int *need_separator, int *returnval)
+ {
+- uint32_t soffset, offset = ms->offset;
++ uint32_t offset = ms->offset;
+ uint32_t lhs;
++ file_pushbuf_t *pb;
+ int rv, oneed_separator, in_type;
+- char *sbuf, *rbuf;
++ char *rbuf;
+ union VALUETYPE *p = &ms->ms_value;
+ struct mlist ml;
+
+- if (recursion_level >= 20) {
++ if (recursion_level >= MAX_RECURSION_LEVEL) {
+ file_error(ms, 0, "recursion nesting exceeded");
+ return -1;
+ }
+@@ -1644,19 +1648,23 @@ mget(struct magic_set *ms, const unsigned char *s,
+ case FILE_INDIRECT:
+ if (offset == 0)
+ return 0;
++
+ if (nbytes < offset)
+ return 0;
+- sbuf = ms->o.buf;
+- soffset = ms->offset;
+- ms->o.buf = NULL;
+- ms->offset = 0;
++
++ if ((pb = file_push_buffer(ms)) == NULL)
++ return -1;
++
+ rv = file_softmagic(ms, s + offset, nbytes - offset,
+ recursion_level, BINTEST, text);
++
+ if ((ms->flags & MAGIC_DEBUG) != 0)
+ fprintf(stderr, "indirect @offs=%u[%d]\n", offset, rv);
+- rbuf = ms->o.buf;
+- ms->o.buf = sbuf;
+- ms->offset = soffset;
++
++ rbuf = file_pop_buffer(ms, pb);
++ if (rbuf == NULL && ms->event_flags & EVENT_HAD_ERR)
++ return -1;
++
+ if (rv == 1) {
+ if ((ms->flags & (MAGIC_MIME|MAGIC_APPLE)) == 0 &&
+ file_printf(ms, F(ms, m, "%u"), offset) == -1) {
+@@ -1674,13 +1682,13 @@ mget(struct magic_set *ms, const unsigned char *s,
+ case FILE_USE:
+ if (nbytes < offset)
+ return 0;
+- sbuf = m->value.s;
+- if (*sbuf == '^') {
+- sbuf++;
++ rbuf = m->value.s;
++ if (*rbuf == '^') {
++ rbuf++;
+ flip = !flip;
+ }
+- if (file_magicfind(ms, sbuf, &ml) == -1) {
+- file_error(ms, 0, "cannot find entry `%s'", sbuf);
++ if (file_magicfind(ms, rbuf, &ml) == -1) {
++ file_error(ms, 0, "cannot find entry `%s'", rbuf);
+ return -1;
+ }
+
Added: user/cperciva/freebsd-update-build/patches/10.1-RELEASE/2-SA-14:30.unbound
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ user/cperciva/freebsd-update-build/patches/10.1-RELEASE/2-SA-14:30.unbound Thu Dec 18 19:33:28 2014 (r275917)
@@ -0,0 +1,149 @@
+Index: contrib/unbound/iterator/iterator.c
+===================================================================
+--- contrib/unbound/iterator/iterator.c (revision 275717)
++++ contrib/unbound/iterator/iterator.c (working copy)
+@@ -117,6 +117,7 @@ iter_new(struct module_qstate* qstate, int id)
+ iq->query_restart_count = 0;
+ iq->referral_count = 0;
+ iq->sent_count = 0;
++ iq->target_count = NULL;
+ iq->wait_priming_stub = 0;
+ iq->refetch_glue = 0;
+ iq->dnssec_expected = 0;
+@@ -442,6 +443,26 @@ handle_cname_response(struct module_qstate* qstate
+ return 1;
+ }
+
++/** create target count structure for this query */
++static void
++target_count_create(struct iter_qstate* iq)
++{
++ if(!iq->target_count) {
++ iq->target_count = (int*)calloc(2, sizeof(int));
++ /* if calloc fails we simply do not track this number */
++ if(iq->target_count)
++ iq->target_count[0] = 1;
++ }
++}
++
++static void
++target_count_increase(struct iter_qstate* iq, int num)
++{
++ target_count_create(iq);
++ if(iq->target_count)
++ iq->target_count[1] += num;
++}
++
+ /**
+ * Generate a subrequest.
+ * Generate a local request event. Local events are tied to this module, and
+@@ -513,6 +534,10 @@ generate_sub_request(uint8_t* qname, size_t qnamel
+ subiq = (struct iter_qstate*)subq->minfo[id];
+ memset(subiq, 0, sizeof(*subiq));
+ subiq->num_target_queries = 0;
++ target_count_create(iq);
++ subiq->target_count = iq->target_count;
++ if(iq->target_count)
++ iq->target_count[0] ++; /* extra reference */
+ subiq->num_current_queries = 0;
+ subiq->depth = iq->depth+1;
+ outbound_list_init(&subiq->outlist);
+@@ -1339,6 +1364,12 @@ query_for_targets(struct module_qstate* qstate, st
+
+ if(iq->depth == ie->max_dependency_depth)
+ return 0;
++ if(iq->depth > 0 && iq->target_count &&
++ iq->target_count[1] > MAX_TARGET_COUNT) {
++ verbose(VERB_QUERY, "request has exceeded the maximum "
++ "number of glue fetches %d", iq->target_count[1]);
++ return 0;
++ }
+
+ iter_mark_cycle_targets(qstate, iq->dp);
+ missing = (int)delegpt_count_missing_targets(iq->dp);
+@@ -1487,6 +1518,7 @@ processLastResort(struct module_qstate* qstate, st
+ return error_response(qstate, id, LDNS_RCODE_SERVFAIL);
+ }
+ iq->num_target_queries += qs;
++ target_count_increase(iq, qs);
+ if(qs != 0) {
+ qstate->ext_state[id] = module_wait_subquery;
+ return 0; /* and wait for them */
+@@ -1496,6 +1528,12 @@ processLastResort(struct module_qstate* qstate, st
+ verbose(VERB_QUERY, "maxdepth and need more nameservers, fail");
+ return error_response_cache(qstate, id, LDNS_RCODE_SERVFAIL);
+ }
++ if(iq->depth > 0 && iq->target_count &&
++ iq->target_count[1] > MAX_TARGET_COUNT) {
++ verbose(VERB_QUERY, "request has exceeded the maximum "
++ "number of glue fetches %d", iq->target_count[1]);
++ return error_response_cache(qstate, id, LDNS_RCODE_SERVFAIL);
++ }
+ /* mark cycle targets for parent-side lookups */
+ iter_mark_pside_cycle_targets(qstate, iq->dp);
+ /* see if we can issue queries to get nameserver addresses */
+@@ -1525,6 +1563,7 @@ processLastResort(struct module_qstate* qstate, st
+ if(query_count != 0) { /* suspend to await results */
+ verbose(VERB_ALGO, "try parent-side glue lookup");
+ iq->num_target_queries += query_count;
++ target_count_increase(iq, query_count);
+ qstate->ext_state[id] = module_wait_subquery;
+ return 0;
+ }
+@@ -1680,6 +1719,7 @@ processQueryTargets(struct module_qstate* qstate,
+ return error_response(qstate, id, LDNS_RCODE_SERVFAIL);
+ }
+ iq->num_target_queries += extra;
++ target_count_increase(iq, extra);
+ if(iq->num_target_queries > 0) {
+ /* wait to get all targets, we want to try em */
+ verbose(VERB_ALGO, "wait for all targets for fallback");
+@@ -1720,6 +1760,7 @@ processQueryTargets(struct module_qstate* qstate,
+ /* errors ignored, these targets are not strictly necessary for
+ * this result, we do not have to reply with SERVFAIL */
+ iq->num_target_queries += extra;
++ target_count_increase(iq, extra);
+ }
+
+ /* Add the current set of unused targets to our queue. */
+@@ -1765,6 +1806,7 @@ processQueryTargets(struct module_qstate* qstate,
+ return 1;
+ }
+ iq->num_target_queries += qs;
++ target_count_increase(iq, qs);
+ }
+ /* Since a target query might have been made, we
+ * need to check again. */
+@@ -2847,6 +2889,8 @@ iter_clear(struct module_qstate* qstate, int id)
+ iq = (struct iter_qstate*)qstate->minfo[id];
+ if(iq) {
+ outbound_list_clear(&iq->outlist);
++ if(iq->target_count && --iq->target_count[0] == 0)
++ free(iq->target_count);
+ iq->num_current_queries = 0;
+ }
+ qstate->minfo[id] = NULL;
+Index: contrib/unbound/iterator/iterator.h
+===================================================================
+--- contrib/unbound/iterator/iterator.h (revision 275717)
++++ contrib/unbound/iterator/iterator.h (working copy)
+@@ -52,6 +52,8 @@ struct iter_donotq;
+ struct iter_prep_list;
+ struct iter_priv;
+
++/** max number of targets spawned for a query and its subqueries */
++#define MAX_TARGET_COUNT 32
+ /** max number of query restarts. Determines max number of CNAME chain. */
+ #define MAX_RESTART_COUNT 8
+ /** max number of referrals. Makes sure resolver does not run away */
+@@ -254,6 +256,10 @@ struct iter_qstate {
+
+ /** number of queries fired off */
+ int sent_count;
++
++ /** number of target queries spawned in [1], for this query and its
++ * subqueries, the malloced-array is shared, [0] refcount. */
++ int* target_count;
+
+ /**
+ * The query must store NS records from referrals as parentside RRs
Added: user/cperciva/freebsd-update-build/patches/8.4-RELEASE/20-SA-14:28.file
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ user/cperciva/freebsd-update-build/patches/8.4-RELEASE/20-SA-14:28.file Thu Dec 18 19:33:28 2014 (r275917)
@@ -0,0 +1,146 @@
+Index: contrib/file/elfclass.h
+===================================================================
+--- contrib/file/elfclass.h.orig
++++ contrib/file/elfclass.h
+@@ -35,9 +35,11 @@
+ switch (type) {
+ #ifdef ELFCORE
+ case ET_CORE:
++ phnum = elf_getu16(swap, elfhdr.e_phnum);
++ if (phnum > MAX_PHNUM)
++ return toomany(ms, "program", phnum);
+ if (dophn_core(ms, clazz, swap, fd,
+- (off_t)elf_getu(swap, elfhdr.e_phoff),
+- elf_getu16(swap, elfhdr.e_phnum),
++ (off_t)elf_getu(swap, elfhdr.e_phoff), phnum,
+ (size_t)elf_getu16(swap, elfhdr.e_phentsize),
+ fsize, &flags) == -1)
+ return -1;
+@@ -45,18 +47,24 @@
+ #endif
+ case ET_EXEC:
+ case ET_DYN:
++ phnum = elf_getu16(swap, elfhdr.e_phnum);
++ if (phnum > MAX_PHNUM)
++ return toomany(ms, "program", phnum);
++ shnum = elf_getu16(swap, elfhdr.e_shnum);
++ if (shnum > MAX_SHNUM)
++ return toomany(ms, "section", shnum);
+ if (dophn_exec(ms, clazz, swap, fd,
+- (off_t)elf_getu(swap, elfhdr.e_phoff),
+- elf_getu16(swap, elfhdr.e_phnum),
++ (off_t)elf_getu(swap, elfhdr.e_phoff), phnum,
+ (size_t)elf_getu16(swap, elfhdr.e_phentsize),
+- fsize, &flags, elf_getu16(swap, elfhdr.e_shnum))
+- == -1)
++ fsize, &flags, shnum) == -1)
+ return -1;
+ /*FALLTHROUGH*/
+ case ET_REL:
++ shnum = elf_getu16(swap, elfhdr.e_shnum);
++ if (shnum > MAX_SHNUM)
++ return toomany(ms, "section", shnum);
+ if (doshn(ms, clazz, swap, fd,
+- (off_t)elf_getu(swap, elfhdr.e_shoff),
+- elf_getu16(swap, elfhdr.e_shnum),
++ (off_t)elf_getu(swap, elfhdr.e_shoff), shnum,
+ (size_t)elf_getu16(swap, elfhdr.e_shentsize),
+ &flags,
+ elf_getu16(swap, elfhdr.e_machine)) == -1)
+Index: contrib/file/readelf.c
+===================================================================
+--- contrib/file/readelf.c.orig
++++ contrib/file/readelf.c
+@@ -60,6 +60,18 @@
+ private uint32_t getu32(int, uint32_t);
+ private uint64_t getu64(int, uint64_t);
+
++#define MAX_PHNUM 256
++#define MAX_SHNUM 1024
++
++private int
++toomany(struct magic_set *ms, const char *name, uint16_t num)
++{
++ if (file_printf(ms, ", too many %s header sections (%u)", name, num
++ ) == -1)
++ return -1;
++ return 0;
++}
++
+ private uint16_t
+ getu16(int swap, uint16_t value)
+ {
+@@ -391,13 +403,13 @@
+ if (namesz & 0x80000000) {
+ (void)file_printf(ms, ", bad note name size 0x%lx",
+ (unsigned long)namesz);
+- return offset;
++ return 0;
+ }
+
+ if (descsz & 0x80000000) {
+ (void)file_printf(ms, ", bad note description size 0x%lx",
+ (unsigned long)descsz);
+- return offset;
++ return 0;
+ }
+
+
+@@ -821,6 +833,7 @@
+ Elf32_Shdr sh32;
+ Elf64_Shdr sh64;
+ int stripped = 1;
++ size_t nbadcap = 0;
+ void *nbuf;
+ off_t noff;
+ uint64_t cap_hw1 = 0; /* SunOS 5.x hardware capabilites */
+@@ -893,6 +906,8 @@
+ case SHT_SUNW_cap:
+ {
+ off_t coff;
++ if (nbadcap > 5)
++ break;
+ if ((off = lseek(fd, (off_t)0, SEEK_CUR)) ==
+ (off_t)-1) {
+ file_badread(ms);
+@@ -933,6 +948,8 @@
+ (unsigned long long)xcap_tag,
+ (unsigned long long)xcap_val) == -1)
+ return -1;
++ if (nbadcap++ > 2)
++ coff = xsh_size;
+ break;
+ }
+ }
+@@ -1139,7 +1156,7 @@
+ int flags = 0;
+ Elf32_Ehdr elf32hdr;
+ Elf64_Ehdr elf64hdr;
+- uint16_t type;
++ uint16_t type, phnum, shnum;
+
+ if (ms->flags & (MAGIC_MIME|MAGIC_APPLE))
+ return 0;
+Index: contrib/file/softmagic.c
+===================================================================
+--- contrib/file/softmagic.c.orig
++++ contrib/file/softmagic.c
+@@ -61,6 +61,9 @@
+ private void cvt_64(union VALUETYPE *, const struct magic *);
+
+ #define OFFSET_OOB(n, o, i) ((n) < (o) || (i) > ((n) - (o)))
++
++#define MAX_RECURSION_LEVEL 10
++
+ /*
+ * softmagic - lookup one file in parsed, in-memory copy of database
+ * Passed the name and FILE * of one file to be typed.
+@@ -1030,7 +1033,7 @@
+ uint32_t count = m->str_range;
+ union VALUETYPE *p = &ms->ms_value;
+
+- if (recursion_level >= 20) {
++ if (recursion_level >= MAX_RECURSION_LEVEL) {
+ file_error(ms, 0, "recursion nesting exceeded");
+ return -1;
+ }
Added: user/cperciva/freebsd-update-build/patches/8.4-RELEASE/20-SA-14:29.bind
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ user/cperciva/freebsd-update-build/patches/8.4-RELEASE/20-SA-14:29.bind Thu Dec 18 19:33:28 2014 (r275917)
@@ -0,0 +1,956 @@
+Index: contrib/bind9/CHANGES
+===================================================================
+--- contrib/bind9/CHANGES.orig
++++ contrib/bind9/CHANGES
+@@ -1,3 +1,15 @@
++4006. [security] A flaw in delegation handling could be exploited
++ to put named into an infinite loop. This has
++ been addressed by placing limits on the number
++ of levels of recursion named will allow (default 7),
++ and the number of iterative queries that it will
++ send (default 50) before terminating a recursive
++ query (CVE-2014-8500).
++
++ The recursion depth limit is configured via the
++ "max-recursion-depth" option, and the query limit
++ via the "max-recursion-queries" option. [RT #37580]
++
+ --- 9.8.4-P2 released ---
+
+ 3516. [security] Removed the check for regex.h in configure in order
+Index: contrib/bind9/bin/named/config.c
+===================================================================
+--- contrib/bind9/bin/named/config.c.orig
++++ contrib/bind9/bin/named/config.c
+@@ -15,8 +15,6 @@
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+-/* $Id: config.c,v 1.113.16.2 2011/02/28 01:19:58 tbox Exp $ */
+-
+ /*! \file */
+
+ #include <config.h>
+@@ -158,6 +156,8 @@
+ dnssec-accept-expired no;\n\
+ clients-per-query 10;\n\
+ max-clients-per-query 100;\n\
++ max-recursion-depth 7;\n\
++ max-recursion-queries 50;\n\
+ zero-no-soa-ttl-cache no;\n\
+ nsec3-test-zone no;\n\
+ allow-new-zones no;\n\
+Index: contrib/bind9/bin/named/query.c
+===================================================================
+--- contrib/bind9/bin/named/query.c.orig
++++ contrib/bind9/bin/named/query.c
+@@ -3755,12 +3755,11 @@
+ peeraddr = &client->peeraddr;
+ else
+ peeraddr = NULL;
+- result = dns_resolver_createfetch2(client->view->resolver,
++ result = dns_resolver_createfetch3(client->view->resolver,
+ qname, qtype, qdomain, nameservers,
+ NULL, peeraddr, client->message->id,
+- client->query.fetchoptions,
+- client->task,
+- query_resume, client,
++ client->query.fetchoptions, 0, NULL,
++ client->task, query_resume, client,
+ rdataset, sigrdataset,
+ &client->query.fetch);
+
+Index: contrib/bind9/bin/named/server.c
+===================================================================
+--- contrib/bind9/bin/named/server.c.orig
++++ contrib/bind9/bin/named/server.c
+@@ -2580,6 +2580,16 @@
+ cfg_obj_asuint32(obj),
+ max_clients_per_query);
+
++ obj = NULL;
++ result = ns_config_get(maps, "max-recursion-depth", &obj);
++ INSIST(result == ISC_R_SUCCESS);
++ dns_resolver_setmaxdepth(view->resolver, cfg_obj_asuint32(obj));
++
++ obj = NULL;
++ result = ns_config_get(maps, "max-recursion-queries", &obj);
++ INSIST(result == ISC_R_SUCCESS);
*** DIFF OUTPUT TRUNCATED AT 1000 LINES ***
More information about the svn-src-user
mailing list