4318. [security] Malformed control messages can trigger assertions
authorMark Andrews <marka@isc.org>
Thu, 18 Feb 2016 01:11:27 +0000 (12:11 +1100)
committerMark Andrews <marka@isc.org>
Thu, 18 Feb 2016 01:26:26 +0000 (12:26 +1100)
                        in named and rndc. (CVE-2016-1285) [RT #41666]

(cherry picked from commit a2b15b3305acd52179e6f3dc7d073b07fbc40b8e)

CHANGES
bin/named/control.c
bin/named/controlconf.c
bin/rndc/rndc.c
doc/arm/notes.xml
lib/isccc/cc.c

diff --git a/CHANGES b/CHANGES
index 02c91b2405337d0a1f21c8fb36faf1635a335fe9..2dd4c05d7abc0ca1f3fb5106ccf1addfa6ef0ffd 100644 (file)
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,6 @@
+4318.  [security]      Malformed control messages can trigger assertions
+                       in named and rndc. (CVE-2016-1285) [RT #41666]
+
        --- 9.9.8-P3 released ---
 
 4288.  [bug]           Fixed a regression in resolver.c:possibly_mark()
index aacb0884fde0a85b3860f37c70714bde1e49ac22..7a9c6a001e88885bc8ad79178a304ca247875587 100644 (file)
@@ -69,7 +69,7 @@ ns_control_docommand(isccc_sexpr_t *message, isc_buffer_t *text) {
 #endif
 
        data = isccc_alist_lookup(message, "_data");
-       if (data == NULL) {
+       if (!isccc_alist_alistp(data)) {
                /*
                 * No data section.
                 */
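Review bot: The rewritten guard `if (!isccc_alist_alistp(data)) {` drops the explicit `data == NULL` test, so the fix is only complete if `isccc_alist_alistp()` itself returns false for a NULL argument; that predicate is defined outside this diff, so confirm it tolerates NULL rather than dereferencing it before this lands. The same dependency applies to every `isccc_alist_alistp(...)` substitution in this commit (the controlconf.c hunk, both rndc.c hunks and the cc.c hunks for createack, isack, isreply, createresponse and checkdup). If it does not, the guard should read `if (data == NULL || !isccc_alist_alistp(data)) {`. The comment below it, `No data section.`, now also covers a `_data` entry that is present but not an alist and could say `No usable (alist) data section.`; ns_control_docommand's body continues outside the hunk.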
index a9d498401d496bf6c0f3cb78f79ac1390bdc5ccf..068478b13b9a3f09628f29a5c715d8e07ba2eb08 100644 (file)
@@ -397,7 +397,7 @@ control_recvmessage(isc_task_t *task, isc_event_t *event) {
         * Limit exposure to replay attacks.
         */
        _ctrl = isccc_alist_lookup(request, "_ctrl");
-       if (_ctrl == NULL) {
+       if (!isccc_alist_alistp(_ctrl)) {
                log_invalid(&conn->ccmsg, ISC_R_FAILURE);
                goto cleanup_request;
        }
index c7d8fe1f84314ae07f903cf0d93ad67ef97863b9..ba3ac3af16e502882b1ca4d7876fadc030957c11 100644 (file)
@@ -249,8 +249,8 @@ rndc_recvdone(isc_task_t *task, isc_event_t *event) {
        DO("parse message", isccc_cc_fromwire(&source, &response, &secret));
 
        data = isccc_alist_lookup(response, "_data");
-       if (data == NULL)
-               fatal("no data section in response");
+       if (!isccc_alist_alistp(data))
+               fatal("bad or missing data section in response");
        result = isccc_cc_lookupstring(data, "err", &errormsg);
        if (result == ISC_R_SUCCESS) {
                failed = ISC_TRUE;
@@ -313,8 +313,8 @@ rndc_recvnonce(isc_task_t *task, isc_event_t *event) {
        DO("parse message", isccc_cc_fromwire(&source, &response, &secret));
 
        _ctrl = isccc_alist_lookup(response, "_ctrl");
-       if (_ctrl == NULL)
-               fatal("_ctrl section missing");
+       if (!isccc_alist_alistp(_ctrl))
+               fatal("bad or missing ctrl section in response");
        nonce = 0;
        if (isccc_cc_lookupuint32(_ctrl, "_nonce", &nonce) != ISC_R_SUCCESS)
                nonce = 0;
index 2c4c605013930c867b62a92393dd1af5f45d2620..ed792192b26f83aad067fbb5c05034810f3a5e1e 100644 (file)
@@ -22,6 +22,9 @@
     <para>
       This document summarizes changes since BIND 9.9.8:
     </para>
+    <para>
+      BIND 9.9.8-P4 addresses the security issue described in CVE-2016-1285.
+    </para>
     <para>
       BIND 9.9.8-P3 addresses the security issue described in CVE-2015-8704.
       It also fixes a serious regression in authoritative server selection
          lookup.  This flaw is disclosed in CVE-2015-8461. [RT#40945]
        </para>
       </listitem>
+      <listitem>
+       <para>
+         Malformed control messages can trigger assertions in named
+         and rndc. This flaw is disclosed in CVE-2016-1285. [RT
+         #41666]
+       </para>
+      </listitem>
     </itemizedlist>
   </sect2>
   <sect2 id="relnotes_features">
index 30252336026d2ce2c8851aeadd7acc9ea923f89f..1024354ea635f4bfbb3fe5b616555c722fa60da3 100644 (file)
@@ -287,10 +287,10 @@ verify(isccc_sexpr_t *alist, unsigned char *data, unsigned int length,
         * Extract digest.
         */
        _auth = isccc_alist_lookup(alist, "_auth");
-       if (_auth == NULL)
+       if (!isccc_alist_alistp(_auth))
                return (ISC_R_FAILURE);
        hmd5 = isccc_alist_lookup(_auth, "hmd5");
-       if (hmd5 == NULL)
+       if (!isccc_sexpr_binaryp(hmac))
                return (ISC_R_FAILURE);
        /*
         * Compute digest.
@@ -545,7 +545,7 @@ isccc_cc_createack(isccc_sexpr_t *message, isc_boolean_t ok,
        REQUIRE(ackp != NULL && *ackp == NULL);
 
        _ctrl = isccc_alist_lookup(message, "_ctrl");
-       if (_ctrl == NULL ||
+       if (!isccc_alist_alistp(_ctrl) ||
            isccc_cc_lookupuint32(_ctrl, "_ser", &serial) != ISC_R_SUCCESS ||
            isccc_cc_lookupuint32(_ctrl, "_tim", &t) != ISC_R_SUCCESS)
                return (ISC_R_FAILURE);
@@ -590,7 +590,7 @@ isccc_cc_isack(isccc_sexpr_t *message)
        isccc_sexpr_t *_ctrl;
 
        _ctrl = isccc_alist_lookup(message, "_ctrl");
-       if (_ctrl == NULL)
+       if (!isccc_alist_alistp(_ctrl))
                return (ISC_FALSE);
        if (isccc_cc_lookupstring(_ctrl, "_ack", NULL) == ISC_R_SUCCESS)
                return (ISC_TRUE);
@@ -603,7 +603,7 @@ isccc_cc_isreply(isccc_sexpr_t *message)
        isccc_sexpr_t *_ctrl;
 
        _ctrl = isccc_alist_lookup(message, "_ctrl");
-       if (_ctrl == NULL)
+       if (!isccc_alist_alistp(_ctrl))
                return (ISC_FALSE);
        if (isccc_cc_lookupstring(_ctrl, "_rpl", NULL) == ISC_R_SUCCESS)
                return (ISC_TRUE);
@@ -623,7 +623,7 @@ isccc_cc_createresponse(isccc_sexpr_t *message, isccc_time_t now,
 
        _ctrl = isccc_alist_lookup(message, "_ctrl");
        _data = isccc_alist_lookup(message, "_data");
-       if (_ctrl == NULL || _data == NULL ||
+       if (!isccc_alist_alistp(_ctrl) || !isccc_alist_alistp(_data) ||
            isccc_cc_lookupuint32(_ctrl, "_ser", &serial) != ISC_R_SUCCESS ||
            isccc_cc_lookupstring(_data, "type", &type) != ISC_R_SUCCESS)
                return (ISC_R_FAILURE);
@@ -812,7 +812,7 @@ isccc_cc_checkdup(isccc_symtab_t *symtab, isccc_sexpr_t *message,
        isccc_sexpr_t *_ctrl;
 
        _ctrl = isccc_alist_lookup(message, "_ctrl");
-       if (_ctrl == NULL ||
+       if (!isccc_alist_alistp(_ctrl) ||
            isccc_cc_lookupstring(_ctrl, "_ser", &_ser) != ISC_R_SUCCESS ||
            isccc_cc_lookupstring(_ctrl, "_tim", &_tim) != ISC_R_SUCCESS)
                return (ISC_R_FAILURE);