- Fix for VU#209659 CVE-2011-4528: Unbound denial of service release-1.4.14
authorWouter Wijngaards <wouter@nlnetlabs.nl>
Mon, 19 Dec 2011 10:55:32 +0000 (10:55 +0000)
committerWouter Wijngaards <wouter@nlnetlabs.nl>
Mon, 19 Dec 2011 10:55:32 +0000 (10:55 +0000)
vulnerabilities from nonstandard redirection and denial of existence
http://www.unbound.net/downloads/CVE-2011-4528.txt
- robust checks for next-closer NSEC3s.
- tag 1.4.14 created.

git-svn-id: file:///svn/unbound/trunk@2574 be551aaa-1e26-0410-a405-d3ace91eadb9

doc/Changelog
iterator/iter_scrub.c
validator/val_nsec3.c

index 8ea7996d893b0df15b92c1406480405fbe61082f..b83e90bcab9c22409cf5ef03049fb56370d2dde0 100644 (file)
@@ -1,3 +1,10 @@
+19 December 2011: Wouter
+       - Fix for VU#209659 CVE-2011-4528: Unbound denial of service
+         vulnerabilities from nonstandard redirection and denial of existence
+         http://www.unbound.net/downloads/CVE-2011-4528.txt
+       - robust checks for next-closer NSEC3s.
+       - tag 1.4.14 created.
+
 15 December 2011: Wouter
        - remove uninit warning from cachedump code.
        - Fix parse error on negative SOA RRSIGs if badly ordered in the packet.
index b0d137b527430e7847b7b6a7641ed6d098f13d9d..aa6d6450dcd9d208f46b8cb7d7c03139b0938db6 100644 (file)
@@ -187,11 +187,14 @@ parse_get_cname_target(struct rrset_parse* rrset, uint8_t** sname,
        size_t* snamelen)
 {
        if(rrset->rr_count != 1) {
+               struct rr_parse* sig;
                verbose(VERB_ALGO, "Found CNAME rrset with "
                        "size > 1: %u", (unsigned)rrset->rr_count);
                /* use the first CNAME! */
                rrset->rr_count = 1;
                rrset->size = rrset->rr_first->size;
+               for(sig=rrset->rrsig_first; sig; sig=sig->next)
+                       rrset->size += sig->size;
                rrset->rr_last = rrset->rr_first;
                rrset->rr_first->next = NULL;
        }
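Review bot: The size recomputation on the new lines counts the RRSIGs that stay attached after the rrset is cut down to a single CNAME, but nothing in the hunk records why the signatures must be included; a one-line comment above the loop, `/* rrset->size must still cover the RRSIGs kept with the single CNAME */`, would stop a later maintainer from "simplifying" it back to the first RR's size alone. Separately, the `rr_count != 1` branch dereferences `rrset->rr_first` when it assigns `rrset->size`; if the parser can ever present this function an rrset with `rr_count == 0` that is a NULL dereference, so either the branch should read `if(rrset->rr_count > 1) {` or a comment should state that at least one RR is guaranteed here — that guarantee is not visible from the hunk, and the log text "size > 1" suggests only the > 1 case was in mind. parse_get_cname_target's body continues past the hunk.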
index f5f93076e680ed884eb3abb5769e9f539d1cd598..a18e3ab31d068ea7ce7518c12a652c4adca542e0 100644 (file)
@@ -1196,8 +1196,7 @@ nsec3_do_prove_nodata(struct module_env* env, struct nsec3_filter* flt,
                        return sec_status_bogus;
                }
                /* everything is peachy keen, except for optout spans */
-               log_assert(ce.nc_rrset);
-               if(nsec3_has_optout(ce.nc_rrset, ce.nc_rr)) {
+               if(ce.nc_rrset && nsec3_has_optout(ce.nc_rrset, ce.nc_rr)) {
                        verbose(VERB_ALGO, "nsec3 nodata proof: matching "
                                "wildcard is in optout range, insecure");
                        return sec_status_insecure;
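Review bot: With the `log_assert(ce.nc_rrset)` removed, a NULL next-closer in this matching-wildcard branch no longer stops the function; the rewritten condition simply skips the opt-out test and execution continues past the hunk. Whether every path from here reaches the `if(!ce.nc_rrset)` guard added further down in the same function cannot be seen in this hunk; if the intended verdict for a missing next closer in this branch is bogus, an explicit `if(!ce.nc_rrset) return sec_status_bogus;` before the opt-out test, or a comment naming the later guard as the handler, would make that dependency visible. nsec3_do_prove_nodata starts and ends outside the hunk.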
@@ -1209,6 +1208,10 @@ nsec3_do_prove_nodata(struct module_env* env, struct nsec3_filter* flt,
        /* Due to forwarders, cnames, and other collating effects, we
         * can see the ordinary unsigned data from a zone beneath an
         * insecure delegation under an optout here */
+       if(!ce.nc_rrset) {
+               verbose(VERB_ALGO, "nsec3 nodata proof: no next closer nsec3");
+               return sec_status_bogus;
+       }
 
        /* We need to make sure that the covering NSEC3 is opt-out. */
        log_assert(ce.nc_rrset);
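Review bot: The context line `log_assert(ce.nc_rrset);` just after the new guard can no longer fail, because the guard above it already returns sec_status_bogus when nc_rrset is NULL; dropping the assert, or replacing it with a comment, would make the intent plainer. The four new lines are also inserted between the "Due to forwarders, cnames ..." comment and the opt-out check that comment explains; placing the guard above that comment with its own one-liner, `/* no next closer NSEC3: the closest encloser proof is incomplete, bogus */`, keeps comment and code together. The equivalent guard added to nsec3_prove_nods in the next hunk also records `*reason`; if nsec3_do_prove_nodata has a reason parameter (its signature is cut off in the hunk header) the same string would help operators explain the bogus verdict. nsec3_do_prove_nodata starts and ends outside the hunk.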
@@ -1383,6 +1386,13 @@ nsec3_prove_nods(struct module_env* env, struct val_env* ve,
                return sec_status_bogus;
        }
 
+       /* robust extra check */
+       if(!ce.nc_rrset) {
+               verbose(VERB_ALGO, "nsec3 nods proof: no next closer nsec3");
+               *reason = "no NSEC3 next closer";
+               return sec_status_bogus;
+       }
+
        /* we had the closest encloser proof, then we need to check that the
         * covering NSEC3 was opt-out -- the proveClosestEncloser step already
         * checked to see if the closest encloser was a delegation or DNAME.
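Review bot: The comment `/* robust extra check */` on the new guard says the check is defensive but not what it defends against; a line such as `/* the closest encloser proof must have yielded a next closer NSEC3; without one the opt-out check below has nothing to inspect, so the proof is bogus */` ties it to the covering-NSEC3 test the following comment describes. The guard itself returns before the covering NSEC3 is consulted and sets a reason string, which is consistent with the other bogus returns visible in the hunk. nsec3_prove_nods's body continues outside the hunk.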