From: Wouter Wijngaards
Date: Mon, 19 Dec 2011 10:55:32 +0000 (+0000)
Subject: - Fix for VU#209659 CVE-2011-4528: Unbound denial of service
X-Git-Tag: release-1.4.14^0
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=0916e1d0ea19f82b6c3dfe06ce8fab9bae6c0316;p=thirdparty%2Funbound.git

- Fix for VU#209659 CVE-2011-4528: Unbound denial of service
  vulnerabilities from nonstandard redirection and denial of existence
  http://www.unbound.net/downloads/CVE-2011-4528.txt
- robust checks for next-closer NSEC3s.
- tag 1.4.14 created.

git-svn-id: file:///svn/unbound/trunk@2574 be551aaa-1e26-0410-a405-d3ace91eadb9
---
diff --git a/doc/Changelog b/doc/Changelog
index 8ea7996d8..b83e90bca 100644
--- a/doc/Changelog
+++ b/doc/Changelog
@@ -1,3 +1,10 @@
+19 December 2011: Wouter
+	- Fix for VU#209659 CVE-2011-4528: Unbound denial of service
+	  vulnerabilities from nonstandard redirection and denial of existence
+	  http://www.unbound.net/downloads/CVE-2011-4528.txt
+	- robust checks for next-closer NSEC3s.
+	- tag 1.4.14 created.
+
 15 December 2011: Wouter
 	- remove uninit warning from cachedump code.
 	- Fix parse error on negative SOA RRSIGs if badly ordered in the packet.
diff --git a/iterator/iter_scrub.c b/iterator/iter_scrub.c
index b0d137b52..aa6d6450d 100644
--- a/iterator/iter_scrub.c
+++ b/iterator/iter_scrub.c
@@ -187,11 +187,14 @@ parse_get_cname_target(struct rrset_parse* rrset, uint8_t** sname,
 	size_t* snamelen)
 {
 	if(rrset->rr_count != 1) {
+		struct rr_parse* sig;
 		verbose(VERB_ALGO, "Found CNAME rrset with "
 			"size > 1: %u", (unsigned)rrset->rr_count);
 		/* use the first CNAME! */
 		rrset->rr_count = 1;
 		rrset->size = rrset->rr_first->size;
+		for(sig=rrset->rrsig_first; sig; sig=sig->next)
+			rrset->size += sig->size;
 		rrset->rr_last = rrset->rr_first;
 		rrset->rr_first->next = NULL;
 	}
diff --git a/validator/val_nsec3.c b/validator/val_nsec3.c
index f5f93076e..a18e3ab31 100644
--- a/validator/val_nsec3.c
+++ b/validator/val_nsec3.c
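Review bot: The rebuild of `rrset->size` at `rrset->size = rrset->rr_first->size;` and the new RRSIG loop carry no comment explaining why the total must be recomputed when the CNAME set is cut down to one RR, so a later reader will not see that the RRSIG bytes belong in `size` while the rrsig list itself is left intact. Suggest replacing `/* use the first CNAME! */` with `/* use the first CNAME! size must be recomputed to cover the kept RR plus every RRSIG, since only the RR list is truncated here */`. Presumably `size` later drives an allocation or copy of the packed rrset, in which case under-counting it was the defect this hunk fixes; if that is confirmed, say so in the comment. parse_get_cname_target's signature begins before this hunk and its body continues after it.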
@@ -1196,8 +1196,7 @@ nsec3_do_prove_nodata(struct module_env* env, struct nsec3_filter* flt,
 		return sec_status_bogus;
 	}
 	/* everything is peachy keen, except for optout spans */
-	log_assert(ce.nc_rrset);
-	if(nsec3_has_optout(ce.nc_rrset, ce.nc_rr)) {
+	if(ce.nc_rrset && nsec3_has_optout(ce.nc_rrset, ce.nc_rr)) {
 		verbose(VERB_ALGO, "nsec3 nodata proof: matching "
 			"wildcard is in optout range, insecure");
 		return sec_status_insecure;
@@ -1209,6 +1208,10 @@ nsec3_do_prove_nodata(struct module_env* env, struct nsec3_filter* flt,
 	/* Due to forwarders, cnames, and other collating effects, we
 	 * can see the ordinary unsigned data from a zone beneath an
 	 * insecure delegation under an optout here */
+	if(!ce.nc_rrset) {
+		verbose(VERB_ALGO, "nsec3 nodata proof: no next closer nsec3");
+		return sec_status_bogus;
+	}
 
 	/* We need to make sure that the covering NSEC3 is opt-out. */
 	log_assert(ce.nc_rrset);
@@ -1383,6 +1386,13 @@ nsec3_prove_nods(struct module_env* env, struct val_env* ve,
 		return sec_status_bogus;
 	}
 
+	/* robust extra check */
+	if(!ce.nc_rrset) {
+		verbose(VERB_ALGO, "nsec3 nods proof: no next closer nsec3");
+		*reason = "no NSEC3 next closer";
+		return sec_status_bogus;
+	}
+
 	/* we had the closest encloser proof, then we need to check that the
 	 * covering NSEC3 was opt-out -- the proveClosestEncloser step already
 	 * checked to see if the closest encloser was a delegation or DNAME.
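Review bot: Folding the NULL test into `if(ce.nc_rrset && nsec3_has_optout(ce.nc_rrset, ce.nc_rr))` means a proof with no next-closer NSEC3 now silently skips the opt-out test and falls through past `return sec_status_insecure;`, so the verdict for that case is decided by lines after this hunk that are not shown. If the intended outcome is that a matching wildcard with no next closer is accepted by the code that follows, say so at the condition, e.g. `/* nc_rrset may be NULL (no next closer found); only the optout check needs it */`; if not, an explicit bogus return here would be clearer than relying on the later path. nsec3_do_prove_nodata begins before this hunk and its parameter list is cut off in the hunk header.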
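Review bot: The `log_assert(ce.nc_rrset);` that follows the new guard can no longer fail, because `if(!ce.nc_rrset)` already returns bogus two lines above it, so it is now dead and should be removed or replaced by a comment. The new early return also reports no reason string, whereas the matching check added to nsec3_prove_nods in the third hunk sets `*reason = "no NSEC3 next closer";`; if nsec3_do_prove_nodata has a `reason` out-parameter (it is not visible in the truncated hunk header), set it here as well so a bogus verdict from this path is diagnosable in the validator log.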
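Review bot: `/* robust extra check */` does not say which state is being rejected or why it can arise, which is the information the next reader of this guard needs. Suggest `/* the closest encloser proof can leave nc_rrset NULL; reject it here rather than dereference it in the opt-out check described below */`, with the second half hedged to whatever the code after the hunk actually does with `ce.nc_rrset`. Setting `*reason` alongside the verbose message is the right shape for a bogus return. nsec3_prove_nods begins before this hunk and continues after it.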