1 files changed, 90 insertions, 0 deletions

diff --git a/meta/recipes-connectivity/bind/bind/CVE-2016-2775.patch b/meta/recipes-connectivity/bind/bind/CVE-2016-2775.patch
new file mode 100644
index 0000000000..5393063c56
--- /dev/null
+++ b/meta/recipes-connectivity/bind/bind/CVE-2016-2775.patch
@@ -0,0 +1,90 @@
+From 9d8aba8a7778721ae2cee6e4670a8e6be6590b05 Mon Sep 17 00:00:00 2001
+From: Mark Andrews <marka@isc.org>
+Date: Wed, 12 Oct 2016 19:52:59 +0900
+Subject: [PATCH]
+4406.   [security]      getrrsetbyname with a non absolute name could
+                        trigger an infinite recursion bug in lwresd
+                        and named with lwres configured if when combined
+                        with a search list entry the resulting name is
+                        too long. (CVE-2016-2775) [RT #42694]
+
+Backport commit 38cc2d14e218e536e0102fa70deef99461354232 from the
+v9.11.0_patch branch.
+
+CVE: CVE-2016-2775
+Upstream-Status: Backport
+
+Signed-off-by: zhengruoqin <zhengrq.fnst@cn.fujitsu.com>
+
+---
+ CHANGES                          |  6 ++++++
+ bin/named/lwdgrbn.c              | 16 ++++++++++------
+ bin/tests/system/lwresd/lwtest.c |  9 ++++++++-
+ 3 files changed, 24 insertions(+), 7 deletions(-)
+
+diff --git a/CHANGES b/CHANGES
+index d2e3360..d0a9d12 100644
+--- a/CHANGES
++++ b/CHANGES
+@@ -1,3 +1,9 @@
++4406.   [security]      getrrsetbyname with a non absolute name could
++                        trigger an infinite recursion bug in lwresd
++                        and named with lwres configured if when combined
++                        with a search list entry the resulting name is
++                        too long. (CVE-2016-2775) [RT #42694]
++
+ 4322.  [security]      Duplicate EDNS COOKIE options in a response could
+                        trigger an assertion failure. (CVE-2016-2088)
+                        [RT #41809]
+diff --git a/bin/named/lwdgrbn.c b/bin/named/lwdgrbn.c
+index 3e7b15b..e1e9adc 100644
+--- a/bin/named/lwdgrbn.c
++++ b/bin/named/lwdgrbn.c
+@@ -403,14 +403,18 @@ start_lookup(ns_lwdclient_t *client) {
+ 	INSIST(client->lookup == NULL);
+ 
+ 	dns_fixedname_init(&absname);
+-	result = ns_lwsearchctx_current(&client->searchctx,
+-					dns_fixedname_name(&absname));
++
+ 	/*
+-	 * This will return failure if relative name + suffix is too long.
+-	 * In this case, just go on to the next entry in the search path.
++         * Perform search across all search domains until success
++         * is returned. Return in case of failure.
+ 	 */
+-	if (result != ISC_R_SUCCESS)
+-		start_lookup(client);
++        while (ns_lwsearchctx_current(&client->searchctx,
++                        dns_fixedname_name(&absname)) != ISC_R_SUCCESS) {
++                if (ns_lwsearchctx_next(&client->searchctx) != ISC_R_SUCCESS) {
++                        ns_lwdclient_errorpktsend(client, LWRES_R_FAILURE);
++                        return;
++                }
++        }
+ 
+ 	result = dns_lookup_create(cm->mctx,
+ 				   dns_fixedname_name(&absname),
+diff --git a/bin/tests/system/lwresd/lwtest.c b/bin/tests/system/lwresd/lwtest.c
+index ad9b551..3eb4a66 100644
+--- a/bin/tests/system/lwresd/lwtest.c
++++ b/bin/tests/system/lwresd/lwtest.c
+@@ -768,7 +768,14 @@ main(void) {
+ 	test_getrrsetbyname("e.example1.", 1, 2, 1, 1, 1);
+ 	test_getrrsetbyname("e.example1.", 1, 46, 2, 0, 1);
+ 	test_getrrsetbyname("", 1, 1, 0, 0, 0);
+-
++        test_getrrsetbyname("123456789.123456789.123456789.123456789."
++                            "123456789.123456789.123456789.123456789."
++                            "123456789.123456789.123456789.123456789."
++                            "123456789.123456789.123456789.123456789."
++                            "123456789.123456789.123456789.123456789."
++                            "123456789.123456789.123456789.123456789."
++                            "123456789", 1, 1, 0, 0, 0);
++ 
+ 	if (fails == 0)
+ 		printf("I:ok\n");
+ 	return (fails);
+-- 
+2.7.4
+