From: Evan Hunt <each@isc.org>
Date: Thu, 26 May 2011 23:13:38 +0000 (+0000)
Subject: 3121.   [security]      An authoritative name server sending a negative
X-Git-Tag: v9.4-ESV-R5~53
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=37739b94ddb750ee43a9c0071d52f7c6fbff949d;p=thirdparty%2Fbind9.git

3121.   [security]      An authoritative name server sending a negative
                        response containing a very large RRset could
                        trigger an off-by-one error in the ncache code
                        and crash named. [RT #24650]
---

diff --git a/CHANGES b/CHANGES
index 1cbae39e103..d4d6dcce2fa 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,7 @@
+3121.   [security]      An authoritative name server sending a negative
+                        response containing a very large RRset could
+                        trigger an off-by-one error in the ncache code
+                        and crash named. [RT #24650]
 
 	--- 9.4-ESV-R5rc1 released ---
 
diff --git a/lib/dns/ncache.c b/lib/dns/ncache.c
index 5ee79bfc9ff..7b1000c3746 100644
--- a/lib/dns/ncache.c
+++ b/lib/dns/ncache.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: ncache.c,v 1.36.18.8 2010/06/03 23:46:10 tbox Exp $ */
+/* $Id: ncache.c,v 1.36.18.9 2011/05/26 23:13:38 each Exp $ */
 
 /*! \file */
 
@@ -175,7 +175,7 @@ dns_ncache_add(dns_message_t *message, dns_db_t *cache, dns_dbnode_t *node,
 					 */
 					isc_buffer_availableregion(&buffer,
 								   &r);
-					if (r.length < 2)
+					if (r.length < 3)
 						return (ISC_R_NOSPACE);
 					isc_buffer_putuint16(&buffer,
 							     rdataset->type);