diff options
Diffstat (limited to 'meta/recipes-connectivity/bind/bind/CVE-2016-1285.patch')
-rw-r--r-- | meta/recipes-connectivity/bind/bind/CVE-2016-1285.patch | 154 |
1 files changed, 0 insertions, 154 deletions
diff --git a/meta/recipes-connectivity/bind/bind/CVE-2016-1285.patch b/meta/recipes-connectivity/bind/bind/CVE-2016-1285.patch deleted file mode 100644 index 2149bd180d..0000000000 --- a/meta/recipes-connectivity/bind/bind/CVE-2016-1285.patch +++ /dev/null @@ -1,154 +0,0 @@ -From 70037e040e587329cec82123e12b9f4f7c945f67 Mon Sep 17 00:00:00 2001 -From: Mark Andrews <marka@isc.org> -Date: Thu, 18 Feb 2016 12:11:27 +1100 -Subject: [PATCH] 4318. [security] Malformed control messages can - trigger assertions in named and rndc. (CVE-2016-1285) - [RT #41666] - -(cherry picked from commit a2b15b3305acd52179e6f3dc7d073b07fbc40b8e) - -CVE: CVE-2016-1285 -Upstream-Status: Backport -[Removed doc/arm/notes.xml changes from upstream patch] - -Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com> ---- - CHANGES | 3 +++ - bin/named/control.c | 2 +- - bin/named/controlconf.c | 2 +- - bin/rndc/rndc.c | 8 ++++---- - doc/arm/notes.xml | 11 +++++++++++ - lib/isccc/cc.c | 14 +++++++------- - 6 files changed, 27 insertions(+), 13 deletions(-) - -diff --git a/CHANGES b/CHANGES -index b9bd9ef..2c727d5 100644 ---- a/CHANGES -+++ b/CHANGES -@@ -1,3 +1,6 @@ -+4318. [security] Malformed control messages can trigger assertions -+ in named and rndc. (CVE-2016-1285) [RT #41666] -+ - --- 9.10.3-P3 released --- - - 4288. [bug] Fixed a regression in resolver.c:possibly_mark() -diff --git a/bin/named/control.c b/bin/named/control.c -index 8554335..81340ca 100644 ---- a/bin/named/control.c -+++ b/bin/named/control.c -@@ -69,7 +69,7 @@ ns_control_docommand(isccc_sexpr_t *message, isc_buffer_t *text) { - #endif - - data = isccc_alist_lookup(message, "_data"); -- if (data == NULL) { -+ if (!isccc_alist_alistp(data)) { - /* - * No data section. - */ -diff --git a/bin/named/controlconf.c b/bin/named/controlconf.c -index 765afdd..a39ab8b 100644 ---- a/bin/named/controlconf.c -+++ b/bin/named/controlconf.c -@@ -402,7 +402,7 @@ control_recvmessage(isc_task_t *task, isc_event_t *event) { - * Limit exposure to replay attacks. - */ - _ctrl = isccc_alist_lookup(request, "_ctrl"); -- if (_ctrl == NULL) { -+ if (!isccc_alist_alistp(_ctrl)) { - log_invalid(&conn->ccmsg, ISC_R_FAILURE); - goto cleanup_request; - } -diff --git a/bin/rndc/rndc.c b/bin/rndc/rndc.c -index cb17050..b6e05c8 100644 ---- a/bin/rndc/rndc.c -+++ b/bin/rndc/rndc.c -@@ -255,8 +255,8 @@ rndc_recvdone(isc_task_t *task, isc_event_t *event) { - isccc_cc_fromwire(&source, &response, algorithm, &secret)); - - data = isccc_alist_lookup(response, "_data"); -- if (data == NULL) -- fatal("no data section in response"); -+ if (!isccc_alist_alistp(data)) -+ fatal("bad or missing data section in response"); - result = isccc_cc_lookupstring(data, "err", &errormsg); - if (result == ISC_R_SUCCESS) { - failed = ISC_TRUE; -@@ -321,8 +321,8 @@ rndc_recvnonce(isc_task_t *task, isc_event_t *event) { - isccc_cc_fromwire(&source, &response, algorithm, &secret)); - - _ctrl = isccc_alist_lookup(response, "_ctrl"); -- if (_ctrl == NULL) -- fatal("_ctrl section missing"); -+ if (!isccc_alist_alistp(_ctrl)) -+ fatal("bad or missing ctrl section in response"); - nonce = 0; - if (isccc_cc_lookupuint32(_ctrl, "_nonce", &nonce) != ISC_R_SUCCESS) - nonce = 0; -diff --git a/lib/isccc/cc.c b/lib/isccc/cc.c -index 47a3b74..2bb961e 100644 ---- a/lib/isccc/cc.c -+++ b/lib/isccc/cc.c -@@ -403,13 +403,13 @@ verify(isccc_sexpr_t *alist, unsigned char *data, unsigned int length, - * Extract digest. - */ - _auth = isccc_alist_lookup(alist, "_auth"); -- if (_auth == NULL) -+ if (!isccc_alist_alistp(_auth)) - return (ISC_R_FAILURE); - if (algorithm == ISCCC_ALG_HMACMD5) - hmac = isccc_alist_lookup(_auth, "hmd5"); - else - hmac = isccc_alist_lookup(_auth, "hsha"); -- if (hmac == NULL) -+ if (!isccc_sexpr_binaryp(hmac)) - return (ISC_R_FAILURE); - /* - * Compute digest. -@@ -728,7 +728,7 @@ isccc_cc_createack(isccc_sexpr_t *message, isc_boolean_t ok, - REQUIRE(ackp != NULL && *ackp == NULL); - - _ctrl = isccc_alist_lookup(message, "_ctrl"); -- if (_ctrl == NULL || -+ if (!isccc_alist_alistp(_ctrl) || - isccc_cc_lookupuint32(_ctrl, "_ser", &serial) != ISC_R_SUCCESS || - isccc_cc_lookupuint32(_ctrl, "_tim", &t) != ISC_R_SUCCESS) - return (ISC_R_FAILURE); -@@ -773,7 +773,7 @@ isccc_cc_isack(isccc_sexpr_t *message) - isccc_sexpr_t *_ctrl; - - _ctrl = isccc_alist_lookup(message, "_ctrl"); -- if (_ctrl == NULL) -+ if (!isccc_alist_alistp(_ctrl)) - return (ISC_FALSE); - if (isccc_cc_lookupstring(_ctrl, "_ack", NULL) == ISC_R_SUCCESS) - return (ISC_TRUE); -@@ -786,7 +786,7 @@ isccc_cc_isreply(isccc_sexpr_t *message) - isccc_sexpr_t *_ctrl; - - _ctrl = isccc_alist_lookup(message, "_ctrl"); -- if (_ctrl == NULL) -+ if (!isccc_alist_alistp(_ctrl)) - return (ISC_FALSE); - if (isccc_cc_lookupstring(_ctrl, "_rpl", NULL) == ISC_R_SUCCESS) - return (ISC_TRUE); -@@ -806,7 +806,7 @@ isccc_cc_createresponse(isccc_sexpr_t *message, isccc_time_t now, - - _ctrl = isccc_alist_lookup(message, "_ctrl"); - _data = isccc_alist_lookup(message, "_data"); -- if (_ctrl == NULL || _data == NULL || -+ if (!isccc_alist_alistp(_ctrl) || !isccc_alist_alistp(_data) || - isccc_cc_lookupuint32(_ctrl, "_ser", &serial) != ISC_R_SUCCESS || - isccc_cc_lookupstring(_data, "type", &type) != ISC_R_SUCCESS) - return (ISC_R_FAILURE); -@@ -995,7 +995,7 @@ isccc_cc_checkdup(isccc_symtab_t *symtab, isccc_sexpr_t *message, - isccc_sexpr_t *_ctrl; - - _ctrl = isccc_alist_lookup(message, "_ctrl"); -- if (_ctrl == NULL || -+ if (!isccc_alist_alistp(_ctrl) || - isccc_cc_lookupstring(_ctrl, "_ser", &_ser) != ISC_R_SUCCESS || - isccc_cc_lookupstring(_ctrl, "_tim", &_tim) != ISC_R_SUCCESS) - return (ISC_R_FAILURE); --- -1.9.1 - |