1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
|
From 9d8aba8a7778721ae2cee6e4670a8e6be6590b05 Mon Sep 17 00:00:00 2001
From: Mark Andrews <marka@isc.org>
Date: Wed, 12 Oct 2016 19:52:59 +0900
Subject: [PATCH]
4406. [security] getrrsetbyname with a non absolute name could
trigger an infinite recursion bug in lwresd
and named with lwres configured if when combined
with a search list entry the resulting name is
too long. (CVE-2016-2775) [RT #42694]
Backport commit 38cc2d14e218e536e0102fa70deef99461354232 from the
v9.11.0_patch branch.
CVE: CVE-2016-2775
Upstream-Status: Backport
Signed-off-by: zhengruoqin <zhengrq.fnst@cn.fujitsu.com>
---
CHANGES | 6 ++++++
bin/named/lwdgrbn.c | 16 ++++++++++------
bin/tests/system/lwresd/lwtest.c | 9 ++++++++-
3 files changed, 24 insertions(+), 7 deletions(-)
diff --git a/CHANGES b/CHANGES
index d2e3360..d0a9d12 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,9 @@
+4406. [security] getrrsetbyname with a non absolute name could
+ trigger an infinite recursion bug in lwresd
+ and named with lwres configured if when combined
+ with a search list entry the resulting name is
+ too long. (CVE-2016-2775) [RT #42694]
+
4322. [security] Duplicate EDNS COOKIE options in a response could
trigger an assertion failure. (CVE-2016-2088)
[RT #41809]
diff --git a/bin/named/lwdgrbn.c b/bin/named/lwdgrbn.c
index 3e7b15b..e1e9adc 100644
--- a/bin/named/lwdgrbn.c
+++ b/bin/named/lwdgrbn.c
@@ -403,14 +403,18 @@ start_lookup(ns_lwdclient_t *client) {
INSIST(client->lookup == NULL);
dns_fixedname_init(&absname);
- result = ns_lwsearchctx_current(&client->searchctx,
- dns_fixedname_name(&absname));
+
/*
- * This will return failure if relative name + suffix is too long.
- * In this case, just go on to the next entry in the search path.
+ * Perform search across all search domains until success
+ * is returned. Return in case of failure.
*/
- if (result != ISC_R_SUCCESS)
- start_lookup(client);
+ while (ns_lwsearchctx_current(&client->searchctx,
+ dns_fixedname_name(&absname)) != ISC_R_SUCCESS) {
+ if (ns_lwsearchctx_next(&client->searchctx) != ISC_R_SUCCESS) {
+ ns_lwdclient_errorpktsend(client, LWRES_R_FAILURE);
+ return;
+ }
+ }
result = dns_lookup_create(cm->mctx,
dns_fixedname_name(&absname),
diff --git a/bin/tests/system/lwresd/lwtest.c b/bin/tests/system/lwresd/lwtest.c
index ad9b551..3eb4a66 100644
--- a/bin/tests/system/lwresd/lwtest.c
+++ b/bin/tests/system/lwresd/lwtest.c
@@ -768,7 +768,14 @@ main(void) {
test_getrrsetbyname("e.example1.", 1, 2, 1, 1, 1);
test_getrrsetbyname("e.example1.", 1, 46, 2, 0, 1);
test_getrrsetbyname("", 1, 1, 0, 0, 0);
-
+ test_getrrsetbyname("123456789.123456789.123456789.123456789."
+ "123456789.123456789.123456789.123456789."
+ "123456789.123456789.123456789.123456789."
+ "123456789.123456789.123456789.123456789."
+ "123456789.123456789.123456789.123456789."
+ "123456789.123456789.123456789.123456789."
+ "123456789", 1, 1, 0, 0, 0);
+
if (fails == 0)
printf("I:ok\n");
return (fails);
--
2.7.4
|
