diff options
Diffstat (limited to 'meta/recipes-connectivity/bind/bind/CVE-2016-2775.patch')
-rw-r--r-- | meta/recipes-connectivity/bind/bind/CVE-2016-2775.patch | 90 |
1 files changed, 90 insertions, 0 deletions
diff --git a/meta/recipes-connectivity/bind/bind/CVE-2016-2775.patch b/meta/recipes-connectivity/bind/bind/CVE-2016-2775.patch new file mode 100644 index 0000000000..5393063c56 --- /dev/null +++ b/meta/recipes-connectivity/bind/bind/CVE-2016-2775.patch @@ -0,0 +1,90 @@ +From 9d8aba8a7778721ae2cee6e4670a8e6be6590b05 Mon Sep 17 00:00:00 2001 +From: Mark Andrews <marka@isc.org> +Date: Wed, 12 Oct 2016 19:52:59 +0900 +Subject: [PATCH] +4406. [security] getrrsetbyname with a non absolute name could + trigger an infinite recursion bug in lwresd + and named with lwres configured if when combined + with a search list entry the resulting name is + too long. (CVE-2016-2775) [RT #42694] + +Backport commit 38cc2d14e218e536e0102fa70deef99461354232 from the +v9.11.0_patch branch. + +CVE: CVE-2016-2775 +Upstream-Status: Backport + +Signed-off-by: zhengruoqin <zhengrq.fnst@cn.fujitsu.com> + +--- + CHANGES | 6 ++++++ + bin/named/lwdgrbn.c | 16 ++++++++++------ + bin/tests/system/lwresd/lwtest.c | 9 ++++++++- + 3 files changed, 24 insertions(+), 7 deletions(-) + +diff --git a/CHANGES b/CHANGES +index d2e3360..d0a9d12 100644 +--- a/CHANGES ++++ b/CHANGES +@@ -1,3 +1,9 @@ ++4406. [security] getrrsetbyname with a non absolute name could ++ trigger an infinite recursion bug in lwresd ++ and named with lwres configured if when combined ++ with a search list entry the resulting name is ++ too long. (CVE-2016-2775) [RT #42694] ++ + 4322. [security] Duplicate EDNS COOKIE options in a response could + trigger an assertion failure. (CVE-2016-2088) + [RT #41809] +diff --git a/bin/named/lwdgrbn.c b/bin/named/lwdgrbn.c +index 3e7b15b..e1e9adc 100644 +--- a/bin/named/lwdgrbn.c ++++ b/bin/named/lwdgrbn.c +@@ -403,14 +403,18 @@ start_lookup(ns_lwdclient_t *client) { + INSIST(client->lookup == NULL); + + dns_fixedname_init(&absname); +- result = ns_lwsearchctx_current(&client->searchctx, +- dns_fixedname_name(&absname)); ++ + /* +- * This will return failure if relative name + suffix is too long. +- * In this case, just go on to the next entry in the search path. ++ * Perform search across all search domains until success ++ * is returned. Return in case of failure. + */ +- if (result != ISC_R_SUCCESS) +- start_lookup(client); ++ while (ns_lwsearchctx_current(&client->searchctx, ++ dns_fixedname_name(&absname)) != ISC_R_SUCCESS) { ++ if (ns_lwsearchctx_next(&client->searchctx) != ISC_R_SUCCESS) { ++ ns_lwdclient_errorpktsend(client, LWRES_R_FAILURE); ++ return; ++ } ++ } + + result = dns_lookup_create(cm->mctx, + dns_fixedname_name(&absname), +diff --git a/bin/tests/system/lwresd/lwtest.c b/bin/tests/system/lwresd/lwtest.c +index ad9b551..3eb4a66 100644 +--- a/bin/tests/system/lwresd/lwtest.c ++++ b/bin/tests/system/lwresd/lwtest.c +@@ -768,7 +768,14 @@ main(void) { + test_getrrsetbyname("e.example1.", 1, 2, 1, 1, 1); + test_getrrsetbyname("e.example1.", 1, 46, 2, 0, 1); + test_getrrsetbyname("", 1, 1, 0, 0, 0); +- ++ test_getrrsetbyname("123456789.123456789.123456789.123456789." ++ "123456789.123456789.123456789.123456789." ++ "123456789.123456789.123456789.123456789." ++ "123456789.123456789.123456789.123456789." ++ "123456789.123456789.123456789.123456789." ++ "123456789.123456789.123456789.123456789." ++ "123456789", 1, 1, 0, 0, 0); ++ + if (fails == 0) + printf("I:ok\n"); + return (fails); +-- +2.7.4 + |