-rw-r--r--dns/bind8/files/patch-bind833.diff234
-rw-r--r--net/bind8/files/patch-bind833.diff234
2 files changed, 468 insertions, 0 deletions
diff --git a/dns/bind8/files/patch-bind833.diff b/dns/bind8/files/patch-bind833.diff
new file mode 100644
index 0000000..23b32b9
--- /dev/null
+++ b/dns/bind8/files/patch-bind833.diff
@@ -0,0 +1,234 @@
+diff -ur src-patched/CHANGES src/CHANGES
+--- src-patched/CHANGES Wed Jun 26 21:25:08 2002
++++ src/CHANGES Wed Nov 13 22:11:17 2002
+@@ -1,3 +1,23 @@
++1469. [bug] buffer length calculation for PX was wrong.
++
++1468. [bug] ns_name_ntol() could overwite a zero length buffer.
++
++1467. [bug] off by one bug in ns_makecannon().
++
++1466. [bug] large ENDS UDP buffer size could trigger a assertion.
++
++1465. [bug] possible NULL pointer dereference in db_sec.c
++
++1464. [bug] the buffer used to construct the -ve record was not
++ big enough for all possible SOA records. use pointer
++ arithmetic to calculate the remaining size in this
++ buffer.
++
++1463. [bug] use serial space arithmetic to determine if a SIG is
++ too old, in the future or has internally constistant
++ times.
++
++1462. [bug] write buffer overflow in make_rr().
+
+ --- 8.3.3-REL released --- (Wed Jun 26 21:15:43 PDT 2002)
+
+diff -ur src-patched/bin/named/db_defs.h src/bin/named/db_defs.h
+--- src-patched/bin/named/db_defs.h Fri May 17 18:02:53 2002
++++ src/bin/named/db_defs.h Wed Nov 13 22:11:17 2002
+@@ -78,7 +78,7 @@
+ */
+
+ /* max length of data in RR data field */
+-#define MAXDATA (2*MAXDNAME + 5*INT32SZ)
++#define MAXDATA (3*MAXDNAME + 5*INT32SZ)
+
+ /* max length of data in a TXT RR segment */
+ #define MAXCHARSTRING 255
+diff -ur src-patched/bin/named/db_sec.c src/bin/named/db_sec.c
+--- src-patched/bin/named/db_sec.c Mon Jun 18 07:42:57 2001
++++ src/bin/named/db_sec.c Wed Nov 13 22:11:17 2002
+@@ -479,7 +479,9 @@
+ struct sig_record *sigdata;
+ struct dnode *sigdn;
+ struct databuf *sigdp;
+- time_t now;
++ u_int32_t now;
++ u_int32_t exptime;
++ u_int32_t signtime;
+ char *signer;
+ u_char name_n[MAXDNAME];
+ u_char *sig, *eom;
+@@ -492,6 +494,7 @@
+ int dnssec_failed = 0, dnssec_succeeded = 0;
+ int return_value;
+ int i;
++ int expired = 0;
+
+ if (rrset == NULL || rrset->rr_name == NULL) {
+ ns_warning (ns_log_default, "verify_set: missing rrset/name");
+@@ -527,11 +530,14 @@
+ * Don't verify a set if the SIG inception time is in
+ * the future. This should be fixed before 2038 (BEW)
+ */
+- if ((time_t)ntohl(sigdata->sig_time_n) > now)
++ signtime = ntohl(sigdata->sig_time_n);
++ if (SEQ_GT(signtime, now))
+ continue;
+
+ /* An expired set is dropped, but the data is not. */
+- if ((time_t)ntohl(sigdata->sig_exp_n) < now) {
++ exptime = ntohl(sigdata->sig_exp_n);
++ if (SEQ_GT(now, exptime)) {
++ expired++;
+ db_detach(&sigdn->dp);
+ sigdp = NULL;
+ continue;
+@@ -723,7 +729,7 @@
+ }
+
+ end:
+- if (dnssec_failed > 0)
++ if (dnssec_failed > 0 || expired > 0)
+ rrset_trim_sigs(rrset);
+ if (trustedkey == 0 && key != NULL)
+ dst_free_key(key);
+diff -ur src-patched/bin/named/ns_defs.h src/bin/named/ns_defs.h
+--- src-patched/bin/named/ns_defs.h Tue Jun 25 20:27:19 2002
++++ src/bin/named/ns_defs.h Wed Nov 13 22:11:17 2002
+@@ -469,7 +469,7 @@
+ q_cmsglen, /* len of cname message */
+ q_cmsgsize; /* allocated size of cname message */
+ int16_t q_dfd; /* UDP file descriptor */
+- int16_t q_udpsize; /* UDP message size */
++ u_int16_t q_udpsize; /* UDP message size */
+ int q_distance; /* distance this query is from the
+ * original query that the server
+ * received. */
+diff -ur src-patched/bin/named/ns_ncache.c src/bin/named/ns_ncache.c
+--- src-patched/bin/named/ns_ncache.c Mon Jun 18 07:43:16 2001
++++ src/bin/named/ns_ncache.c Wed Nov 13 22:11:17 2002
+@@ -66,7 +66,7 @@
+ u_int16_t atype;
+ u_char *sp, *cp1;
+ u_char data[MAXDATA];
+- size_t len = sizeof data;
++ u_char *eod = data + sizeof(data);
+ #endif
+
+ nameserIncr(from.sin_addr, nssRcvdNXD);
+@@ -186,7 +186,7 @@
+ rdatap = cp;
+
+ /* origin */
+- n = dn_expand(msg, msg + msglen, cp, (char*)data, len);
++ n = dn_expand(msg, msg + msglen, cp, (char*)data, eod - data);
+ if (n < 0) {
+ ns_debug(ns_log_ncache, 3,
+ "ncache: origin form error");
+@@ -195,9 +195,8 @@
+ cp += n;
+ n = strlen((char*)data) + 1;
+ cp1 = data + n;
+- len -= n;
+ /* mail */
+- n = dn_expand(msg, msg + msglen, cp, (char*)cp1, len);
++ n = dn_expand(msg, msg + msglen, cp, (char*)cp1, eod - cp1);
+ if (n < 0) {
+ ns_debug(ns_log_ncache, 3, "ncache: mail form error");
+ return;
+@@ -205,20 +204,20 @@
+ cp += n;
+ n = strlen((char*)cp1) + 1;
+ cp1 += n;
+- len -= n;
+ n = 5 * INT32SZ;
++ if (n > (eod - cp1)) /* Can't happen. See MAXDATA. */
++ return;
+ BOUNDS_CHECK(cp, n);
+ memcpy(cp1, cp, n);
+ /* serial, refresh, retry, expire, min */
+ cp1 += n;
+- len -= n;
+ cp += n;
+ if (cp != rdatap + dlen) {
+ ns_debug(ns_log_ncache, 3, "ncache: form error");
+ return;
+ }
+ /* store the zone of the soa record */
+- n = dn_expand(msg, msg + msglen, sp, (char*)cp1, len);
++ n = dn_expand(msg, msg + msglen, sp, (char*)cp1, eod - cp1);
+ if (n < 0) {
+ ns_debug(ns_log_ncache, 3, "ncache: form error 2");
+ return;
+diff -ur src-patched/bin/named/ns_req.c src/bin/named/ns_req.c
+--- src-patched/bin/named/ns_req.c Sun May 12 16:41:52 2002
++++ src/bin/named/ns_req.c Wed Nov 13 22:11:17 2002
+@@ -2195,7 +2195,7 @@
+
+ /* first just copy over the type_covered, algorithm, */
+ /* labels, orig ttl, two timestamps, and the footprint */
+- if ((dp->d_size - 18) > buflen)
++ if (buflen < 18)
+ goto cleanup; /* out of room! */
+ memcpy(cp, cp1, 18);
+ cp += 18;
+diff -ur src-patched/bin/named/ns_resp.c src/bin/named/ns_resp.c
+--- src-patched/bin/named/ns_resp.c Wed Jun 26 20:09:19 2002
++++ src/bin/named/ns_resp.c Wed Nov 13 22:11:17 2002
+@@ -2001,7 +2001,7 @@
+ * to BOUNDS_CHECK() here.
+ */
+ cp1 += (n = strlen((char *)cp1) + 1);
+- n1 = sizeof(data) - n;
++ n1 = sizeof(data) - n - INT16SZ;
+ n = dn_expand(msg, eom, cp, (char *)cp1, n1);
+ if (n < 0) {
+ hp->rcode = FORMERR;
+@@ -2043,8 +2043,18 @@
+ ttl = origTTL;
+ }
+
++ /*
++ * Check that expire and signature times are internally
++ * consistant.
++ */
++ if (!SEQ_GT(exptime, signtime) && exptime != signtime) {
++ ns_debug(ns_log_default, 3,
++ "ignoring SIG: signature expires before it was signed");
++ return ((cp - rrp) + dlen);
++ }
++
+ /* Don't let bogus signers "sign" in the future. */
+- if (signtime > now) {
++ if (SEQ_GT(signtime, now)) {
+ ns_debug(ns_log_default, 3,
+ "ignoring SIG: signature date %s is in the future",
+ p_secstodate (signtime));
+@@ -2052,7 +2062,7 @@
+ }
+
+ /* Ignore received SIG RR's that are already expired. */
+- if (exptime <= now) {
++ if (SEQ_GT(now, exptime)) {
+ ns_debug(ns_log_default, 3,
+ "ignoring SIG: expiration %s is in the past",
+ p_secstodate (exptime));
+diff -ur src-patched/lib/nameser/ns_name.c src/lib/nameser/ns_name.c
+--- src-patched/lib/nameser/ns_name.c Thu May 23 22:10:40 2002
++++ src/lib/nameser/ns_name.c Wed Nov 13 22:11:17 2002
+@@ -341,6 +341,10 @@
+ dn = dst;
+ eom = dst + dstsiz;
+
++ if (dn >= eom) {
++ errno = EMSGSIZE;
++ return (-1);
++ }
+ while ((n = *cp++) != 0) {
+ if ((n & NS_CMPRSFLGS) == NS_CMPRSFLGS) {
+ /* Some kind of compression pointer. */
+diff -ur src-patched/lib/nameser/ns_samedomain.c src/lib/nameser/ns_samedomain.c
+--- src-patched/lib/nameser/ns_samedomain.c Fri Oct 15 14:06:51 1999
++++ src/lib/nameser/ns_samedomain.c Wed Nov 13 22:11:17 2002
+@@ -166,7 +166,7 @@
+ ns_makecanon(const char *src, char *dst, size_t dstsize) {
+ size_t n = strlen(src);
+
+- if (n + sizeof "." > dstsize) {
++ if (n + sizeof "." + 1 > dstsize) {
+ errno = EMSGSIZE;
+ return (-1);
+ }
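Review bot: In the ns_req.c part of the embedded patch, the new guard `if (buflen < 18)` checks only the destination before `memcpy(cp, cp1, 18)`, while the removed test was the only visible line that looked at `dp->d_size`. If `cp1` points at the stored SIG data, as the removed condition suggests, a record shorter than 18 bytes would be read past its end. Unless a check outside the hunk already guarantees the length, the guard could cover both sides: `if (dp->d_size < 18 || buflen < 18)`. The enclosing function starts and ends outside the hunk, so that earlier check may exist. The identical patch file added under net/bind8/files carries the same point.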
diff --git a/net/bind8/files/patch-bind833.diff b/net/bind8/files/patch-bind833.diff
new file mode 100644
index 0000000..23b32b9
--- /dev/null
+++ b/net/bind8/files/patch-bind833.diff
@@ -0,0 +1,234 @@
+diff -ur src-patched/CHANGES src/CHANGES
+--- src-patched/CHANGES Wed Jun 26 21:25:08 2002
++++ src/CHANGES Wed Nov 13 22:11:17 2002
+@@ -1,3 +1,23 @@
++1469. [bug] buffer length calculation for PX was wrong.
++
++1468. [bug] ns_name_ntol() could overwite a zero length buffer.
++
++1467. [bug] off by one bug in ns_makecannon().
++
++1466. [bug] large ENDS UDP buffer size could trigger a assertion.
++
++1465. [bug] possible NULL pointer dereference in db_sec.c
++
++1464. [bug] the buffer used to construct the -ve record was not
++ big enough for all possible SOA records. use pointer
++ arithmetic to calculate the remaining size in this
++ buffer.
++
++1463. [bug] use serial space arithmetic to determine if a SIG is
++ too old, in the future or has internally constistant
++ times.
++
++1462. [bug] write buffer overflow in make_rr().
+
+ --- 8.3.3-REL released --- (Wed Jun 26 21:15:43 PDT 2002)
+
+diff -ur src-patched/bin/named/db_defs.h src/bin/named/db_defs.h
+--- src-patched/bin/named/db_defs.h Fri May 17 18:02:53 2002
++++ src/bin/named/db_defs.h Wed Nov 13 22:11:17 2002
+@@ -78,7 +78,7 @@
+ */
+
+ /* max length of data in RR data field */
+-#define MAXDATA (2*MAXDNAME + 5*INT32SZ)
++#define MAXDATA (3*MAXDNAME + 5*INT32SZ)
+
+ /* max length of data in a TXT RR segment */
+ #define MAXCHARSTRING 255
+diff -ur src-patched/bin/named/db_sec.c src/bin/named/db_sec.c
+--- src-patched/bin/named/db_sec.c Mon Jun 18 07:42:57 2001
++++ src/bin/named/db_sec.c Wed Nov 13 22:11:17 2002
+@@ -479,7 +479,9 @@
+ struct sig_record *sigdata;
+ struct dnode *sigdn;
+ struct databuf *sigdp;
+- time_t now;
++ u_int32_t now;
++ u_int32_t exptime;
++ u_int32_t signtime;
+ char *signer;
+ u_char name_n[MAXDNAME];
+ u_char *sig, *eom;
+@@ -492,6 +494,7 @@
+ int dnssec_failed = 0, dnssec_succeeded = 0;
+ int return_value;
+ int i;
++ int expired = 0;
+
+ if (rrset == NULL || rrset->rr_name == NULL) {
+ ns_warning (ns_log_default, "verify_set: missing rrset/name");
+@@ -527,11 +530,14 @@
+ * Don't verify a set if the SIG inception time is in
+ * the future. This should be fixed before 2038 (BEW)
+ */
+- if ((time_t)ntohl(sigdata->sig_time_n) > now)
++ signtime = ntohl(sigdata->sig_time_n);
++ if (SEQ_GT(signtime, now))
+ continue;
+
+ /* An expired set is dropped, but the data is not. */
+- if ((time_t)ntohl(sigdata->sig_exp_n) < now) {
++ exptime = ntohl(sigdata->sig_exp_n);
++ if (SEQ_GT(now, exptime)) {
++ expired++;
+ db_detach(&sigdn->dp);
+ sigdp = NULL;
+ continue;
+@@ -723,7 +729,7 @@
+ }
+
+ end:
+- if (dnssec_failed > 0)
++ if (dnssec_failed > 0 || expired > 0)
+ rrset_trim_sigs(rrset);
+ if (trustedkey == 0 && key != NULL)
+ dst_free_key(key);
+diff -ur src-patched/bin/named/ns_defs.h src/bin/named/ns_defs.h
+--- src-patched/bin/named/ns_defs.h Tue Jun 25 20:27:19 2002
++++ src/bin/named/ns_defs.h Wed Nov 13 22:11:17 2002
+@@ -469,7 +469,7 @@
+ q_cmsglen, /* len of cname message */
+ q_cmsgsize; /* allocated size of cname message */
+ int16_t q_dfd; /* UDP file descriptor */
+- int16_t q_udpsize; /* UDP message size */
++ u_int16_t q_udpsize; /* UDP message size */
+ int q_distance; /* distance this query is from the
+ * original query that the server
+ * received. */
+diff -ur src-patched/bin/named/ns_ncache.c src/bin/named/ns_ncache.c
+--- src-patched/bin/named/ns_ncache.c Mon Jun 18 07:43:16 2001
++++ src/bin/named/ns_ncache.c Wed Nov 13 22:11:17 2002
+@@ -66,7 +66,7 @@
+ u_int16_t atype;
+ u_char *sp, *cp1;
+ u_char data[MAXDATA];
+- size_t len = sizeof data;
++ u_char *eod = data + sizeof(data);
+ #endif
+
+ nameserIncr(from.sin_addr, nssRcvdNXD);
+@@ -186,7 +186,7 @@
+ rdatap = cp;
+
+ /* origin */
+- n = dn_expand(msg, msg + msglen, cp, (char*)data, len);
++ n = dn_expand(msg, msg + msglen, cp, (char*)data, eod - data);
+ if (n < 0) {
+ ns_debug(ns_log_ncache, 3,
+ "ncache: origin form error");
+@@ -195,9 +195,8 @@
+ cp += n;
+ n = strlen((char*)data) + 1;
+ cp1 = data + n;
+- len -= n;
+ /* mail */
+- n = dn_expand(msg, msg + msglen, cp, (char*)cp1, len);
++ n = dn_expand(msg, msg + msglen, cp, (char*)cp1, eod - cp1);
+ if (n < 0) {
+ ns_debug(ns_log_ncache, 3, "ncache: mail form error");
+ return;
+@@ -205,20 +204,20 @@
+ cp += n;
+ n = strlen((char*)cp1) + 1;
+ cp1 += n;
+- len -= n;
+ n = 5 * INT32SZ;
++ if (n > (eod - cp1)) /* Can't happen. See MAXDATA. */
++ return;
+ BOUNDS_CHECK(cp, n);
+ memcpy(cp1, cp, n);
+ /* serial, refresh, retry, expire, min */
+ cp1 += n;
+- len -= n;
+ cp += n;
+ if (cp != rdatap + dlen) {
+ ns_debug(ns_log_ncache, 3, "ncache: form error");
+ return;
+ }
+ /* store the zone of the soa record */
+- n = dn_expand(msg, msg + msglen, sp, (char*)cp1, len);
++ n = dn_expand(msg, msg + msglen, sp, (char*)cp1, eod - cp1);
+ if (n < 0) {
+ ns_debug(ns_log_ncache, 3, "ncache: form error 2");
+ return;
+diff -ur src-patched/bin/named/ns_req.c src/bin/named/ns_req.c
+--- src-patched/bin/named/ns_req.c Sun May 12 16:41:52 2002
++++ src/bin/named/ns_req.c Wed Nov 13 22:11:17 2002
+@@ -2195,7 +2195,7 @@
+
+ /* first just copy over the type_covered, algorithm, */
+ /* labels, orig ttl, two timestamps, and the footprint */
+- if ((dp->d_size - 18) > buflen)
++ if (buflen < 18)
+ goto cleanup; /* out of room! */
+ memcpy(cp, cp1, 18);
+ cp += 18;
+diff -ur src-patched/bin/named/ns_resp.c src/bin/named/ns_resp.c
+--- src-patched/bin/named/ns_resp.c Wed Jun 26 20:09:19 2002
++++ src/bin/named/ns_resp.c Wed Nov 13 22:11:17 2002
+@@ -2001,7 +2001,7 @@
+ * to BOUNDS_CHECK() here.
+ */
+ cp1 += (n = strlen((char *)cp1) + 1);
+- n1 = sizeof(data) - n;
++ n1 = sizeof(data) - n - INT16SZ;
+ n = dn_expand(msg, eom, cp, (char *)cp1, n1);
+ if (n < 0) {
+ hp->rcode = FORMERR;
+@@ -2043,8 +2043,18 @@
+ ttl = origTTL;
+ }
+
++ /*
++ * Check that expire and signature times are internally
++ * consistant.
++ */
++ if (!SEQ_GT(exptime, signtime) && exptime != signtime) {
++ ns_debug(ns_log_default, 3,
++ "ignoring SIG: signature expires before it was signed");
++ return ((cp - rrp) + dlen);
++ }
++
+ /* Don't let bogus signers "sign" in the future. */
+- if (signtime > now) {
++ if (SEQ_GT(signtime, now)) {
+ ns_debug(ns_log_default, 3,
+ "ignoring SIG: signature date %s is in the future",
+ p_secstodate (signtime));
+@@ -2052,7 +2062,7 @@
+ }
+
+ /* Ignore received SIG RR's that are already expired. */
+- if (exptime <= now) {
++ if (SEQ_GT(now, exptime)) {
+ ns_debug(ns_log_default, 3,
+ "ignoring SIG: expiration %s is in the past",
+ p_secstodate (exptime));
+diff -ur src-patched/lib/nameser/ns_name.c src/lib/nameser/ns_name.c
+--- src-patched/lib/nameser/ns_name.c Thu May 23 22:10:40 2002
++++ src/lib/nameser/ns_name.c Wed Nov 13 22:11:17 2002
+@@ -341,6 +341,10 @@
+ dn = dst;
+ eom = dst + dstsiz;
+
++ if (dn >= eom) {
++ errno = EMSGSIZE;
++ return (-1);
++ }
+ while ((n = *cp++) != 0) {
+ if ((n & NS_CMPRSFLGS) == NS_CMPRSFLGS) {
+ /* Some kind of compression pointer. */
+diff -ur src-patched/lib/nameser/ns_samedomain.c src/lib/nameser/ns_samedomain.c
+--- src-patched/lib/nameser/ns_samedomain.c Fri Oct 15 14:06:51 1999
++++ src/lib/nameser/ns_samedomain.c Wed Nov 13 22:11:17 2002
+@@ -166,7 +166,7 @@
+ ns_makecanon(const char *src, char *dst, size_t dstsize) {
+ size_t n = strlen(src);
+
+- if (n + sizeof "." > dstsize) {
++ if (n + sizeof "." + 1 > dstsize) {
+ errno = EMSGSIZE;
+ return (-1);
+ }