From: Mark Andrews Date: Fri, 24 Mar 2017 15:00:17 +0000 (+1100) Subject: 4582. [security] 'rndc ""' could trigger a assertion failure in named. X-Git-Tag: v9.9.9-P8~3 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=fc448082904ce2eae78603c4c6e4849582c26c29;p=thirdparty%2Fbind9.git 4582. [security] 'rndc ""' could trigger a assertion failure in named. (CVE-2017-3138) [RT #44924] (cherry picked from commit 8e8dfc5941e2375f2f8dadf3706258dd0db5f2e6) --- diff --git a/CHANGES b/CHANGES index 12d0ebe3adc..280d3e54a8d 100644 --- a/CHANGES +++ b/CHANGES @@ -1,5 +1,8 @@ --- 9.9.9-P8 released --- +4582. [security] 'rndc ""' could trigger a assertion failure in named. + (CVE-2017-3138) [RT #44924] + 4580. [bug] 4578 introduced a regression when handling CNAME to referral below the current domain. [RT #44850] diff --git a/bin/tests/system/rndc/tests.sh b/bin/tests/system/rndc/tests.sh index 6029e08d39a..8b318486f48 100644 --- a/bin/tests/system/rndc/tests.sh +++ b/bin/tests/system/rndc/tests.sh @@ -297,5 +297,13 @@ sleep 1 if [ $ret != 0 ]; then echo "I:failed"; fi status=`expr $status + $ret` +n=`expr $n + 1` +echo "I:check 'rndc \"\"' is handled ($n)" +ret=0 +$RNDCCMD "" > rndc.out.test$n 2>&1 && ret=1 +grep "rndc: '' failed: failure" rndc.out.test$n > /dev/null +if [ $ret != 0 ]; then echo "I:failed"; fi +status=`expr $status + $ret` + echo "I:exit status: $status" exit $status diff --git a/lib/isc/include/isc/lex.h b/lib/isc/include/isc/lex.h index 8612150991b..81af3af17af 100644 --- a/lib/isc/include/isc/lex.h +++ b/lib/isc/include/isc/lex.h @@ -152,8 +152,6 @@ isc_lex_create(isc_mem_t *mctx, size_t max_token, isc_lex_t **lexp); * Requires: *\li '*lexp' is a valid lexer. * - *\li max_token > 0. - * * Ensures: *\li On success, *lexp is attached to the newly created lexer. * diff --git a/lib/isc/lex.c b/lib/isc/lex.c index ce1c5599412..fa6e03fed82 100644 --- a/lib/isc/lex.c +++ b/lib/isc/lex.c 
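Review bot: In bin/tests/system/rndc/tests.sh the added check discards both the output and the exit status of `grep "rndc: '' failed: failure" rndc.out.test$n > /dev/null`, so the test passes whenever rndc exits non-zero, whatever it printed. That would not tell a clean rejection by named apart from rndc failing because named had aborted on the assertion (assuming rndc then reports some other error; confirm). Appending `|| ret=1` to the grep line makes the expected message part of the pass condition. A follow-up `$RNDCCMD status > /dev/null 2>&1 || ret=1` would additionally confirm that named is still answering after the empty command.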
@@ -94,9 +94,10 @@ isc_lex_create(isc_mem_t *mctx, size_t max_token, isc_lex_t **lexp) { /* * Create a lexer. */ - REQUIRE(lexp != NULL && *lexp == NULL); - REQUIRE(max_token > 0U); + + if (max_token == 0U) + max_token = 1; lex = isc_mem_get(mctx, sizeof(*lex)); if (lex == NULL)
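Review bot: The new `if (max_token == 0U) max_token = 1;` in isc_lex_create() silently rewrites a caller-supplied size, and nothing on the new side records why. A short comment such as `/* A zero max_token (e.g. derived from an empty input string) is clamped to 1 rather than asserted, so a caller-controlled length cannot abort the process. */` would keep a later cleanup from restoring the REQUIRE. The lex.h contract in this commit only drops the `max_token > 0` requirement and should also state that 0 is treated as 1. The caller that passes a zero length is not visible here; presumably it derives max_token from the rndc command text, and rejecting an empty command at that layer too would give defence in depth. isc_lex_create's body continues outside the hunk.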