-rw-r--r-- | dns/bind8/files/patch-bind833.diff | 234 | ||||
-rw-r--r-- | net/bind8/files/patch-bind833.diff | 234 |
2 files changed, 468 insertions, 0 deletions
diff --git a/dns/bind8/files/patch-bind833.diff b/dns/bind8/files/patch-bind833.diff new file mode 100644 index 0000000..23b32b9 --- /dev/null +++ b/dns/bind8/files/patch-bind833.diff 
@@ -0,0 +1,234 @@ +diff -ur src-patched/CHANGES src/CHANGES +--- src-patched/CHANGES Wed Jun 26 21:25:08 2002 ++++ src/CHANGES Wed Nov 13 22:11:17 2002 +@@ -1,3 +1,23 @@ ++1469. [bug] buffer length calculation for PX was wrong. ++ ++1468. [bug] ns_name_ntol() could overwite a zero length buffer. ++ ++1467. [bug] off by one bug in ns_makecannon(). ++ ++1466. [bug] large ENDS UDP buffer size could trigger a assertion. ++ ++1465. [bug] possible NULL pointer dereference in db_sec.c ++ ++1464. [bug] the buffer used to construct the -ve record was not ++ big enough for all possible SOA records. use pointer ++ arithmetic to calculate the remaining size in this ++ buffer. ++ ++1463. [bug] use serial space arithmetic to determine if a SIG is ++ too old, in the future or has internally constistant ++ times. ++ ++1462. [bug] write buffer overflow in make_rr(). + + --- 8.3.3-REL released --- (Wed Jun 26 21:15:43 PDT 2002) + +diff -ur src-patched/bin/named/db_defs.h src/bin/named/db_defs.h +--- src-patched/bin/named/db_defs.h Fri May 17 18:02:53 2002 ++++ src/bin/named/db_defs.h Wed Nov 13 22:11:17 2002 +@@ -78,7 +78,7 @@ + */ + + /* max length of data in RR data field */ +-#define MAXDATA (2*MAXDNAME + 5*INT32SZ) ++#define MAXDATA (3*MAXDNAME + 5*INT32SZ) + + /* max length of data in a TXT RR segment */ + #define MAXCHARSTRING 255 +diff -ur src-patched/bin/named/db_sec.c src/bin/named/db_sec.c +--- src-patched/bin/named/db_sec.c Mon Jun 18 07:42:57 2001 ++++ src/bin/named/db_sec.c Wed Nov 13 22:11:17 2002 +@@ -479,7 +479,9 @@ + struct sig_record *sigdata; + struct dnode *sigdn; + struct databuf *sigdp; +- time_t now; ++ u_int32_t now; ++ u_int32_t exptime; ++ u_int32_t signtime; + char *signer; + u_char name_n[MAXDNAME]; + u_char *sig, *eom; +@@ -492,6 +494,7 @@ + int dnssec_failed = 0, dnssec_succeeded = 0; + int return_value; + int i; ++ int expired = 0; + + if (rrset == NULL || rrset->rr_name == NULL) { + ns_warning (ns_log_default, "verify_set: missing rrset/name"); +@@ 
-527,11 +530,14 @@ + * Don't verify a set if the SIG inception time is in + * the future. This should be fixed before 2038 (BEW) + */ +- if ((time_t)ntohl(sigdata->sig_time_n) > now) ++ signtime = ntohl(sigdata->sig_time_n); ++ if (SEQ_GT(signtime, now)) + continue; + + /* An expired set is dropped, but the data is not. */ +- if ((time_t)ntohl(sigdata->sig_exp_n) < now) { ++ exptime = ntohl(sigdata->sig_exp_n); ++ if (SEQ_GT(now, exptime)) { ++ expired++; + db_detach(&sigdn->dp); + sigdp = NULL; + continue; +@@ -723,7 +729,7 @@ + } + + end: +- if (dnssec_failed > 0) ++ if (dnssec_failed > 0 || expired > 0) + rrset_trim_sigs(rrset); + if (trustedkey == 0 && key != NULL) + dst_free_key(key); +diff -ur src-patched/bin/named/ns_defs.h src/bin/named/ns_defs.h +--- src-patched/bin/named/ns_defs.h Tue Jun 25 20:27:19 2002 ++++ src/bin/named/ns_defs.h Wed Nov 13 22:11:17 2002 +@@ -469,7 +469,7 @@ + q_cmsglen, /* len of cname message */ + q_cmsgsize; /* allocated size of cname message */ + int16_t q_dfd; /* UDP file descriptor */ +- int16_t q_udpsize; /* UDP message size */ ++ u_int16_t q_udpsize; /* UDP message size */ + int q_distance; /* distance this query is from the + * original query that the server + * received. 
*/ +diff -ur src-patched/bin/named/ns_ncache.c src/bin/named/ns_ncache.c +--- src-patched/bin/named/ns_ncache.c Mon Jun 18 07:43:16 2001 ++++ src/bin/named/ns_ncache.c Wed Nov 13 22:11:17 2002 +@@ -66,7 +66,7 @@ + u_int16_t atype; + u_char *sp, *cp1; + u_char data[MAXDATA]; +- size_t len = sizeof data; ++ u_char *eod = data + sizeof(data); + #endif + + nameserIncr(from.sin_addr, nssRcvdNXD); +@@ -186,7 +186,7 @@ + rdatap = cp; + + /* origin */ +- n = dn_expand(msg, msg + msglen, cp, (char*)data, len); ++ n = dn_expand(msg, msg + msglen, cp, (char*)data, eod - data); + if (n < 0) { + ns_debug(ns_log_ncache, 3, + "ncache: origin form error"); +@@ -195,9 +195,8 @@ + cp += n; + n = strlen((char*)data) + 1; + cp1 = data + n; +- len -= n; + /* mail */ +- n = dn_expand(msg, msg + msglen, cp, (char*)cp1, len); ++ n = dn_expand(msg, msg + msglen, cp, (char*)cp1, eod - cp1); + if (n < 0) { + ns_debug(ns_log_ncache, 3, "ncache: mail form error"); + return; +@@ -205,20 +204,20 @@ + cp += n; + n = strlen((char*)cp1) + 1; + cp1 += n; +- len -= n; + n = 5 * INT32SZ; ++ if (n > (eod - cp1)) /* Can't happen. See MAXDATA. 
*/ ++ return; + BOUNDS_CHECK(cp, n); + memcpy(cp1, cp, n); + /* serial, refresh, retry, expire, min */ + cp1 += n; +- len -= n; + cp += n; + if (cp != rdatap + dlen) { + ns_debug(ns_log_ncache, 3, "ncache: form error"); + return; + } + /* store the zone of the soa record */ +- n = dn_expand(msg, msg + msglen, sp, (char*)cp1, len); ++ n = dn_expand(msg, msg + msglen, sp, (char*)cp1, eod - cp1); + if (n < 0) { + ns_debug(ns_log_ncache, 3, "ncache: form error 2"); + return; +diff -ur src-patched/bin/named/ns_req.c src/bin/named/ns_req.c +--- src-patched/bin/named/ns_req.c Sun May 12 16:41:52 2002 ++++ src/bin/named/ns_req.c Wed Nov 13 22:11:17 2002 +@@ -2195,7 +2195,7 @@ + + /* first just copy over the type_covered, algorithm, */ + /* labels, orig ttl, two timestamps, and the footprint */ +- if ((dp->d_size - 18) > buflen) ++ if (buflen < 18) + goto cleanup; /* out of room! */ + memcpy(cp, cp1, 18); + cp += 18; +diff -ur src-patched/bin/named/ns_resp.c src/bin/named/ns_resp.c +--- src-patched/bin/named/ns_resp.c Wed Jun 26 20:09:19 2002 ++++ src/bin/named/ns_resp.c Wed Nov 13 22:11:17 2002 +@@ -2001,7 +2001,7 @@ + * to BOUNDS_CHECK() here. + */ + cp1 += (n = strlen((char *)cp1) + 1); +- n1 = sizeof(data) - n; ++ n1 = sizeof(data) - n - INT16SZ; + n = dn_expand(msg, eom, cp, (char *)cp1, n1); + if (n < 0) { + hp->rcode = FORMERR; +@@ -2043,8 +2043,18 @@ + ttl = origTTL; + } + ++ /* ++ * Check that expire and signature times are internally ++ * consistant. ++ */ ++ if (!SEQ_GT(exptime, signtime) && exptime != signtime) { ++ ns_debug(ns_log_default, 3, ++ "ignoring SIG: signature expires before it was signed"); ++ return ((cp - rrp) + dlen); ++ } ++ + /* Don't let bogus signers "sign" in the future. */ +- if (signtime > now) { ++ if (SEQ_GT(signtime, now)) { + ns_debug(ns_log_default, 3, + "ignoring SIG: signature date %s is in the future", + p_secstodate (signtime)); +@@ -2052,7 +2062,7 @@ + } + + /* Ignore received SIG RR's that are already expired. 
*/ +- if (exptime <= now) { ++ if (SEQ_GT(now, exptime)) { + ns_debug(ns_log_default, 3, + "ignoring SIG: expiration %s is in the past", + p_secstodate (exptime)); +diff -ur src-patched/lib/nameser/ns_name.c src/lib/nameser/ns_name.c +--- src-patched/lib/nameser/ns_name.c Thu May 23 22:10:40 2002 ++++ src/lib/nameser/ns_name.c Wed Nov 13 22:11:17 2002 +@@ -341,6 +341,10 @@ + dn = dst; + eom = dst + dstsiz; + ++ if (dn >= eom) { ++ errno = EMSGSIZE; ++ return (-1); ++ } + while ((n = *cp++) != 0) { + if ((n & NS_CMPRSFLGS) == NS_CMPRSFLGS) { + /* Some kind of compression pointer. */ +diff -ur src-patched/lib/nameser/ns_samedomain.c src/lib/nameser/ns_samedomain.c +--- src-patched/lib/nameser/ns_samedomain.c Fri Oct 15 14:06:51 1999 ++++ src/lib/nameser/ns_samedomain.c Wed Nov 13 22:11:17 2002 +@@ -166,7 +166,7 @@ + ns_makecanon(const char *src, char *dst, size_t dstsize) { + size_t n = strlen(src); + +- if (n + sizeof "." > dstsize) { ++ if (n + sizeof "." + 1 > dstsize) { + errno = EMSGSIZE; + return (-1); + } diff --git a/net/bind8/files/patch-bind833.diff b/net/bind8/files/patch-bind833.diff new file mode 100644 index 0000000..23b32b9 --- /dev/null +++ b/net/bind8/files/patch-bind833.diff 
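Review bot: In the ns_req.c hunk carried by dns/bind8/files/patch-bind833.diff, the new guard `if (buflen < 18)` bounds only the destination of `memcpy(cp, cp1, 18)`; none of the visible lines show that the source record holds at least 18 bytes. The removed test read `dp->d_size`, so if `cp1` points into that record's data (the assignment is outside the hunk), a stored SIG shorter than the fixed header would be read past its end; `if (buflen < 18 || dp->d_size < 18)` would cover both sides. The enclosing function starts and ends outside the hunk, so an earlier length check may already exist and should be confirmed. The net/bind8 copy added by this commit has the same blob id (23b32b9), so the point applies there as well.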
@@ -0,0 +1,234 @@ +diff -ur src-patched/CHANGES src/CHANGES +--- src-patched/CHANGES Wed Jun 26 21:25:08 2002 ++++ src/CHANGES Wed Nov 13 22:11:17 2002 +@@ -1,3 +1,23 @@ ++1469. [bug] buffer length calculation for PX was wrong. ++ ++1468. [bug] ns_name_ntol() could overwite a zero length buffer. ++ ++1467. [bug] off by one bug in ns_makecannon(). ++ ++1466. [bug] large ENDS UDP buffer size could trigger a assertion. ++ ++1465. [bug] possible NULL pointer dereference in db_sec.c ++ ++1464. [bug] the buffer used to construct the -ve record was not ++ big enough for all possible SOA records. use pointer ++ arithmetic to calculate the remaining size in this ++ buffer. ++ ++1463. [bug] use serial space arithmetic to determine if a SIG is ++ too old, in the future or has internally constistant ++ times. ++ ++1462. [bug] write buffer overflow in make_rr(). + + --- 8.3.3-REL released --- (Wed Jun 26 21:15:43 PDT 2002) + +diff -ur src-patched/bin/named/db_defs.h src/bin/named/db_defs.h +--- src-patched/bin/named/db_defs.h Fri May 17 18:02:53 2002 ++++ src/bin/named/db_defs.h Wed Nov 13 22:11:17 2002 +@@ -78,7 +78,7 @@ + */ + + /* max length of data in RR data field */ +-#define MAXDATA (2*MAXDNAME + 5*INT32SZ) ++#define MAXDATA (3*MAXDNAME + 5*INT32SZ) + + /* max length of data in a TXT RR segment */ + #define MAXCHARSTRING 255 +diff -ur src-patched/bin/named/db_sec.c src/bin/named/db_sec.c +--- src-patched/bin/named/db_sec.c Mon Jun 18 07:42:57 2001 ++++ src/bin/named/db_sec.c Wed Nov 13 22:11:17 2002 +@@ -479,7 +479,9 @@ + struct sig_record *sigdata; + struct dnode *sigdn; + struct databuf *sigdp; +- time_t now; ++ u_int32_t now; ++ u_int32_t exptime; ++ u_int32_t signtime; + char *signer; + u_char name_n[MAXDNAME]; + u_char *sig, *eom; +@@ -492,6 +494,7 @@ + int dnssec_failed = 0, dnssec_succeeded = 0; + int return_value; + int i; ++ int expired = 0; + + if (rrset == NULL || rrset->rr_name == NULL) { + ns_warning (ns_log_default, "verify_set: missing rrset/name"); +@@ 
-527,11 +530,14 @@ + * Don't verify a set if the SIG inception time is in + * the future. This should be fixed before 2038 (BEW) + */ +- if ((time_t)ntohl(sigdata->sig_time_n) > now) ++ signtime = ntohl(sigdata->sig_time_n); ++ if (SEQ_GT(signtime, now)) + continue; + + /* An expired set is dropped, but the data is not. */ +- if ((time_t)ntohl(sigdata->sig_exp_n) < now) { ++ exptime = ntohl(sigdata->sig_exp_n); ++ if (SEQ_GT(now, exptime)) { ++ expired++; + db_detach(&sigdn->dp); + sigdp = NULL; + continue; +@@ -723,7 +729,7 @@ + } + + end: +- if (dnssec_failed > 0) ++ if (dnssec_failed > 0 || expired > 0) + rrset_trim_sigs(rrset); + if (trustedkey == 0 && key != NULL) + dst_free_key(key); +diff -ur src-patched/bin/named/ns_defs.h src/bin/named/ns_defs.h +--- src-patched/bin/named/ns_defs.h Tue Jun 25 20:27:19 2002 ++++ src/bin/named/ns_defs.h Wed Nov 13 22:11:17 2002 +@@ -469,7 +469,7 @@ + q_cmsglen, /* len of cname message */ + q_cmsgsize; /* allocated size of cname message */ + int16_t q_dfd; /* UDP file descriptor */ +- int16_t q_udpsize; /* UDP message size */ ++ u_int16_t q_udpsize; /* UDP message size */ + int q_distance; /* distance this query is from the + * original query that the server + * received. 
*/ +diff -ur src-patched/bin/named/ns_ncache.c src/bin/named/ns_ncache.c +--- src-patched/bin/named/ns_ncache.c Mon Jun 18 07:43:16 2001 ++++ src/bin/named/ns_ncache.c Wed Nov 13 22:11:17 2002 +@@ -66,7 +66,7 @@ + u_int16_t atype; + u_char *sp, *cp1; + u_char data[MAXDATA]; +- size_t len = sizeof data; ++ u_char *eod = data + sizeof(data); + #endif + + nameserIncr(from.sin_addr, nssRcvdNXD); +@@ -186,7 +186,7 @@ + rdatap = cp; + + /* origin */ +- n = dn_expand(msg, msg + msglen, cp, (char*)data, len); ++ n = dn_expand(msg, msg + msglen, cp, (char*)data, eod - data); + if (n < 0) { + ns_debug(ns_log_ncache, 3, + "ncache: origin form error"); +@@ -195,9 +195,8 @@ + cp += n; + n = strlen((char*)data) + 1; + cp1 = data + n; +- len -= n; + /* mail */ +- n = dn_expand(msg, msg + msglen, cp, (char*)cp1, len); ++ n = dn_expand(msg, msg + msglen, cp, (char*)cp1, eod - cp1); + if (n < 0) { + ns_debug(ns_log_ncache, 3, "ncache: mail form error"); + return; +@@ -205,20 +204,20 @@ + cp += n; + n = strlen((char*)cp1) + 1; + cp1 += n; +- len -= n; + n = 5 * INT32SZ; ++ if (n > (eod - cp1)) /* Can't happen. See MAXDATA. 
*/ ++ return; + BOUNDS_CHECK(cp, n); + memcpy(cp1, cp, n); + /* serial, refresh, retry, expire, min */ + cp1 += n; +- len -= n; + cp += n; + if (cp != rdatap + dlen) { + ns_debug(ns_log_ncache, 3, "ncache: form error"); + return; + } + /* store the zone of the soa record */ +- n = dn_expand(msg, msg + msglen, sp, (char*)cp1, len); ++ n = dn_expand(msg, msg + msglen, sp, (char*)cp1, eod - cp1); + if (n < 0) { + ns_debug(ns_log_ncache, 3, "ncache: form error 2"); + return; +diff -ur src-patched/bin/named/ns_req.c src/bin/named/ns_req.c +--- src-patched/bin/named/ns_req.c Sun May 12 16:41:52 2002 ++++ src/bin/named/ns_req.c Wed Nov 13 22:11:17 2002 +@@ -2195,7 +2195,7 @@ + + /* first just copy over the type_covered, algorithm, */ + /* labels, orig ttl, two timestamps, and the footprint */ +- if ((dp->d_size - 18) > buflen) ++ if (buflen < 18) + goto cleanup; /* out of room! */ + memcpy(cp, cp1, 18); + cp += 18; +diff -ur src-patched/bin/named/ns_resp.c src/bin/named/ns_resp.c +--- src-patched/bin/named/ns_resp.c Wed Jun 26 20:09:19 2002 ++++ src/bin/named/ns_resp.c Wed Nov 13 22:11:17 2002 +@@ -2001,7 +2001,7 @@ + * to BOUNDS_CHECK() here. + */ + cp1 += (n = strlen((char *)cp1) + 1); +- n1 = sizeof(data) - n; ++ n1 = sizeof(data) - n - INT16SZ; + n = dn_expand(msg, eom, cp, (char *)cp1, n1); + if (n < 0) { + hp->rcode = FORMERR; +@@ -2043,8 +2043,18 @@ + ttl = origTTL; + } + ++ /* ++ * Check that expire and signature times are internally ++ * consistant. ++ */ ++ if (!SEQ_GT(exptime, signtime) && exptime != signtime) { ++ ns_debug(ns_log_default, 3, ++ "ignoring SIG: signature expires before it was signed"); ++ return ((cp - rrp) + dlen); ++ } ++ + /* Don't let bogus signers "sign" in the future. */ +- if (signtime > now) { ++ if (SEQ_GT(signtime, now)) { + ns_debug(ns_log_default, 3, + "ignoring SIG: signature date %s is in the future", + p_secstodate (signtime)); +@@ -2052,7 +2062,7 @@ + } + + /* Ignore received SIG RR's that are already expired. 
*/ +- if (exptime <= now) { ++ if (SEQ_GT(now, exptime)) { + ns_debug(ns_log_default, 3, + "ignoring SIG: expiration %s is in the past", + p_secstodate (exptime)); +diff -ur src-patched/lib/nameser/ns_name.c src/lib/nameser/ns_name.c +--- src-patched/lib/nameser/ns_name.c Thu May 23 22:10:40 2002 ++++ src/lib/nameser/ns_name.c Wed Nov 13 22:11:17 2002 +@@ -341,6 +341,10 @@ + dn = dst; + eom = dst + dstsiz; + ++ if (dn >= eom) { ++ errno = EMSGSIZE; ++ return (-1); ++ } + while ((n = *cp++) != 0) { + if ((n & NS_CMPRSFLGS) == NS_CMPRSFLGS) { + /* Some kind of compression pointer. */ +diff -ur src-patched/lib/nameser/ns_samedomain.c src/lib/nameser/ns_samedomain.c +--- src-patched/lib/nameser/ns_samedomain.c Fri Oct 15 14:06:51 1999 ++++ src/lib/nameser/ns_samedomain.c Wed Nov 13 22:11:17 2002 +@@ -166,7 +166,7 @@ + ns_makecanon(const char *src, char *dst, size_t dstsize) { + size_t n = strlen(src); + +- if (n + sizeof "." > dstsize) { ++ if (n + sizeof "." + 1 > dstsize) { + errno = EMSGSIZE; + return (-1); + } |
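Review bot: In the ns_ncache.c hunk at inner line 205, the added `if (n > (eod - cp1))` branch returns without logging, while the other failure paths visible in these hunks all call `ns_debug(ns_log_ncache, 3, ...)`. The branch is marked "Can't happen. See MAXDATA.", which ties it to the `3*MAXDNAME + 5*INT32SZ` value set in db_defs.h by the same patch; if that invariant is ever broken, the function returns at this point with no trace in the debug log. Bracing the branch and adding `ns_debug(ns_log_ncache, 3, "ncache: SOA data exceeds MAXDATA");` before the `return;` would make the condition visible. The function body continues outside the hunk, and the identical hunk in the dns/bind8 copy is affected the same way.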