diff options
Diffstat (limited to 'meta/recipes-connectivity/bind/bind/CVE-2016-2776.patch')
-rw-r--r-- | meta/recipes-connectivity/bind/bind/CVE-2016-2776.patch | 123 |
1 files changed, 0 insertions, 123 deletions
diff --git a/meta/recipes-connectivity/bind/bind/CVE-2016-2776.patch b/meta/recipes-connectivity/bind/bind/CVE-2016-2776.patch deleted file mode 100644 index 738bf60058..0000000000 --- a/meta/recipes-connectivity/bind/bind/CVE-2016-2776.patch +++ /dev/null @@ -1,123 +0,0 @@ -From 1171111657081970585f9f0e03b476358c33a6c0 Mon Sep 17 00:00:00 2001 -From: Mark Andrews <marka@isc.org> -Date: Wed, 12 Oct 2016 20:36:52 +0900 -Subject: [PATCH] -4467. [security] It was possible to trigger an assertion when - rendering a message. (CVE-2016-2776) [RT #43139] - -Backport commit 2bd0922cf995b9ac205fc83baf7e220b95c6bf12 from the -v9.11.0_patch branch. - -CVE: CVE-2016-2776 -Upstream-Status: Backport - -Signed-off-by: zhengruoqin <zhengrq.fnst@cn.fujitsu.com> - ---- - CHANGES | 3 +++ - lib/dns/message.c | 42 +++++++++++++++++++++++++++++++----------- - 2 files changed, 34 insertions(+), 11 deletions(-) - -diff --git a/CHANGES b/CHANGES -index d0a9d12..5c8c61a 100644 ---- a/CHANGES -+++ b/CHANGES -@@ -1,3 +1,6 @@ -+4467. [security] It was possible to trigger an assertion when -+ rendering a message. (CVE-2016-2776) [RT #43139] -+ - 4406. [security] getrrsetbyname with a non absolute name could - trigger an infinite recursion bug in lwresd - and named with lwres configured if when combined -diff --git a/lib/dns/message.c b/lib/dns/message.c -index 6b5b4bb..b74dc81 100644 ---- a/lib/dns/message.c -+++ b/lib/dns/message.c -@@ -1754,7 +1754,7 @@ dns_message_renderbegin(dns_message_t *msg, dns_compress_t *cctx, - if (r.length < DNS_MESSAGE_HEADERLEN) - return (ISC_R_NOSPACE); - -- if (r.length < msg->reserved) -+ if (r.length - DNS_MESSAGE_HEADERLEN < msg->reserved) - return (ISC_R_NOSPACE); - - /* -@@ -1895,8 +1895,29 @@ norender_rdataset(const dns_rdataset_t *rdataset, unsigned int options, - - return (ISC_TRUE); - } -- - #endif -+ -+static isc_result_t -+renderset(dns_rdataset_t *rdataset, dns_name_t *owner_name, -+ dns_compress_t *cctx, isc_buffer_t *target, -+ unsigned int reserved, unsigned int options, unsigned int *countp) -+{ -+ isc_result_t result; -+ -+ /* -+ * Shrink the space in the buffer by the reserved amount. -+ */ -+ if (target->length - target->used < reserved) -+ return (ISC_R_NOSPACE); -+ -+ target->length -= reserved; -+ result = dns_rdataset_towire(rdataset, owner_name, -+ cctx, target, options, countp); -+ target->length += reserved; -+ -+ return (result); -+} -+ - isc_result_t - dns_message_rendersection(dns_message_t *msg, dns_section_t sectionid, - unsigned int options) -@@ -1939,6 +1960,8 @@ dns_message_rendersection(dns_message_t *msg, dns_section_t sectionid, - /* - * Shrink the space in the buffer by the reserved amount. - */ -+ if (msg->buffer->length - msg->buffer->used < msg->reserved) -+ return (ISC_R_NOSPACE); - msg->buffer->length -= msg->reserved; - - total = 0; -@@ -2214,9 +2237,8 @@ dns_message_renderend(dns_message_t *msg) { - * Render. - */ - count = 0; -- result = dns_rdataset_towire(msg->opt, dns_rootname, -- msg->cctx, msg->buffer, 0, -- &count); -+ result = renderset(msg->opt, dns_rootname, msg->cctx, -+ msg->buffer, msg->reserved, 0, &count); - msg->counts[DNS_SECTION_ADDITIONAL] += count; - if (result != ISC_R_SUCCESS) - return (result); -@@ -2232,9 +2254,8 @@ dns_message_renderend(dns_message_t *msg) { - if (result != ISC_R_SUCCESS) - return (result); - count = 0; -- result = dns_rdataset_towire(msg->tsig, msg->tsigname, -- msg->cctx, msg->buffer, 0, -- &count); -+ result = renderset(msg->tsig, msg->tsigname, msg->cctx, -+ msg->buffer, msg->reserved, 0, &count); - msg->counts[DNS_SECTION_ADDITIONAL] += count; - if (result != ISC_R_SUCCESS) - return (result); -@@ -2255,9 +2276,8 @@ dns_message_renderend(dns_message_t *msg) { - * the owner name of a SIG(0) is irrelevant, and will not - * be set in a message being rendered. - */ -- result = dns_rdataset_towire(msg->sig0, dns_rootname, -- msg->cctx, msg->buffer, 0, -- &count); -+ result = renderset(msg->sig0, dns_rootname, msg->cctx, -+ msg->buffer, msg->reserved, 0, &count); - msg->counts[DNS_SECTION_ADDITIONAL] += count; - if (result != ISC_R_SUCCESS) - return (result); --- -2.7.4 - |