From 70037e040e587329cec82123e12b9f4f7c945f67 Mon Sep 17 00:00:00 2001
From: Mark Andrews <marka@isc.org>
Date: Thu, 18 Feb 2016 12:11:27 +1100
Subject: [PATCH] 4318.   [security]      Malformed control messages can
 trigger assertions in named and rndc. (CVE-2016-1285)
 [RT #41666]

(cherry picked from commit a2b15b3305acd52179e6f3dc7d073b07fbc40b8e)

CVE: CVE-2016-1285
Upstream-Status: Backport
[Removed doc/arm/notes.xml changes from upstream patch]

Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
---
 CHANGES                 |  3 +++
 bin/named/control.c     |  2 +-
 bin/named/controlconf.c |  2 +-
 bin/rndc/rndc.c         |  8 ++++----
 doc/arm/notes.xml       | 11 +++++++++++
 lib/isccc/cc.c          | 14 +++++++-------
 6 files changed, 27 insertions(+), 13 deletions(-)

diff --git a/CHANGES b/CHANGES
index b9bd9ef..2c727d5 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,6 @@
+4318.	[security]	Malformed control messages can trigger assertions
+			in named and rndc. (CVE-2016-1285) [RT #41666]
+
 	--- 9.10.3-P3 released ---
 
 4288.	[bug]		Fixed a regression in resolver.c:possibly_mark()
diff --git a/bin/named/control.c b/bin/named/control.c
index 8554335..81340ca 100644
--- a/bin/named/control.c
+++ b/bin/named/control.c
@@ -69,7 +69,7 @@ ns_control_docommand(isccc_sexpr_t *message, isc_buffer_t *text) {
 #endif
 
 	data = isccc_alist_lookup(message, "_data");
-	if (data == NULL) {
+	if (!isccc_alist_alistp(data)) {
 		/*
 		 * No data section.
 		 */
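Review bot: The comment directly under the new check, `No data section.`, is now stale: the branch is also taken when `_data` is present but is not an alist, which is exactly the malformed-message case this commit closes. Suggest `/* No data section, or _data is not an alist. */` so a later reader does not narrow the test back to a bare NULL comparison. The replacement also relies on isccc_alist_alistp() returning ISC_FALSE for a NULL argument (alist.c is not part of this patch), which it must for the dropped `data == NULL` test to be subsumed; the same substitution is made in the controlconf.c and rndc.c hunks and throughout lib/isccc/cc.c, so one confirmation covers them all. ns_control_docommand's body continues outside the hunk.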
diff --git a/bin/named/controlconf.c b/bin/named/controlconf.c
index 765afdd..a39ab8b 100644
--- a/bin/named/controlconf.c
+++ b/bin/named/controlconf.c
@@ -402,7 +402,7 @@ control_recvmessage(isc_task_t *task, isc_event_t *event) {
 	 * Limit exposure to replay attacks.
 	 */
 	_ctrl = isccc_alist_lookup(request, "_ctrl");
-	if (_ctrl == NULL) {
+	if (!isccc_alist_alistp(_ctrl)) {
 		log_invalid(&conn->ccmsg, ISC_R_FAILURE);
 		goto cleanup_request;
 	}
diff --git a/bin/rndc/rndc.c b/bin/rndc/rndc.c
index cb17050..b6e05c8 100644
--- a/bin/rndc/rndc.c
+++ b/bin/rndc/rndc.c
@@ -255,8 +255,8 @@ rndc_recvdone(isc_task_t *task, isc_event_t *event) {
 	   isccc_cc_fromwire(&source, &response, algorithm, &secret));
 
 	data = isccc_alist_lookup(response, "_data");
-	if (data == NULL)
-		fatal("no data section in response");
+	if (!isccc_alist_alistp(data))
+		fatal("bad or missing data section in response");
 	result = isccc_cc_lookupstring(data, "err", &errormsg);
 	if (result == ISC_R_SUCCESS) {
 		failed = ISC_TRUE;
@@ -321,8 +321,8 @@ rndc_recvnonce(isc_task_t *task, isc_event_t *event) {
 	   isccc_cc_fromwire(&source, &response, algorithm, &secret));
 
 	_ctrl = isccc_alist_lookup(response, "_ctrl");
-	if (_ctrl == NULL)
-		fatal("_ctrl section missing");
+	if (!isccc_alist_alistp(_ctrl))
+		fatal("bad or missing ctrl section in response");
 	nonce = 0;
 	if (isccc_cc_lookupuint32(_ctrl, "_nonce", &nonce) != ISC_R_SUCCESS)
 		nonce = 0;
diff --git a/lib/isccc/cc.c b/lib/isccc/cc.c
index 47a3b74..2bb961e 100644
--- a/lib/isccc/cc.c
+++ b/lib/isccc/cc.c
@@ -403,13 +403,13 @@ verify(isccc_sexpr_t *alist, unsigned char *data, unsigned int length,
 	 * Extract digest.
 	 */
 	_auth = isccc_alist_lookup(alist, "_auth");
-	if (_auth == NULL)
+	if (!isccc_alist_alistp(_auth))
 		return (ISC_R_FAILURE);
 	if (algorithm == ISCCC_ALG_HMACMD5)
 		hmac = isccc_alist_lookup(_auth, "hmd5");
 	else
 		hmac = isccc_alist_lookup(_auth, "hsha");
-	if (hmac == NULL)
+	if (!isccc_sexpr_binaryp(hmac))
 		return (ISC_R_FAILURE);
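Review bot: The new `isccc_sexpr_binaryp(hmac)` test pins down only the type of the `hmd5`/`hsha` value, not its length; the comparison of that value against the digest computed from the message happens after this hunk (verify() continues outside it) and is not visible here. Confirm that the binary region's length is compared with the expected digest size before any fixed-length memcmp, since a short or over-long digest value in a malformed message is the same input class this commit is hardening against. A one-line comment above the check, such as `/* The digest must be a binary string; its length is checked against the algorithm below. */`, would make that contract explicit if the length check exists. The alistp replacements in the createack, isack, isreply, createresponse and checkdup hunks of this file are mechanical and need no separate comment.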
 	/*
 	 * Compute digest.
@@ -728,7 +728,7 @@ isccc_cc_createack(isccc_sexpr_t *message, isc_boolean_t ok,
 	REQUIRE(ackp != NULL && *ackp == NULL);
 
 	_ctrl = isccc_alist_lookup(message, "_ctrl");
-	if (_ctrl == NULL ||
+	if (!isccc_alist_alistp(_ctrl) ||
 	    isccc_cc_lookupuint32(_ctrl, "_ser", &serial) != ISC_R_SUCCESS ||
 	    isccc_cc_lookupuint32(_ctrl, "_tim", &t) != ISC_R_SUCCESS)
 		return (ISC_R_FAILURE);
@@ -773,7 +773,7 @@ isccc_cc_isack(isccc_sexpr_t *message)
 	isccc_sexpr_t *_ctrl;
 
 	_ctrl = isccc_alist_lookup(message, "_ctrl");
-	if (_ctrl == NULL)
+	if (!isccc_alist_alistp(_ctrl))
 		return (ISC_FALSE);
 	if (isccc_cc_lookupstring(_ctrl, "_ack", NULL) == ISC_R_SUCCESS)
 		return (ISC_TRUE);
@@ -786,7 +786,7 @@ isccc_cc_isreply(isccc_sexpr_t *message)
 	isccc_sexpr_t *_ctrl;
 
 	_ctrl = isccc_alist_lookup(message, "_ctrl");
-	if (_ctrl == NULL)
+	if (!isccc_alist_alistp(_ctrl))
 		return (ISC_FALSE);
 	if (isccc_cc_lookupstring(_ctrl, "_rpl", NULL) == ISC_R_SUCCESS)
 		return (ISC_TRUE);
@@ -806,7 +806,7 @@ isccc_cc_createresponse(isccc_sexpr_t *message, isccc_time_t now,
 
 	_ctrl = isccc_alist_lookup(message, "_ctrl");
 	_data = isccc_alist_lookup(message, "_data");
-	if (_ctrl == NULL || _data == NULL ||
+	if (!isccc_alist_alistp(_ctrl) || !isccc_alist_alistp(_data) ||
 	    isccc_cc_lookupuint32(_ctrl, "_ser", &serial) != ISC_R_SUCCESS ||
 	    isccc_cc_lookupstring(_data, "type", &type) != ISC_R_SUCCESS)
 		return (ISC_R_FAILURE);
@@ -995,7 +995,7 @@ isccc_cc_checkdup(isccc_symtab_t *symtab, isccc_sexpr_t *message,
 	isccc_sexpr_t *_ctrl;
 
 	_ctrl = isccc_alist_lookup(message, "_ctrl");
-	if (_ctrl == NULL ||
+	if (!isccc_alist_alistp(_ctrl) ||
 	    isccc_cc_lookupstring(_ctrl, "_ser", &_ser) != ISC_R_SUCCESS ||
 	    isccc_cc_lookupstring(_ctrl, "_tim", &_tim) != ISC_R_SUCCESS)
 		return (ISC_R_FAILURE);
-- 
1.9.1