]> git.ipfire.org Git - thirdparty/bind9.git/commitdiff
4286. [security] render_ecs errors were mishandled when printing out
authorMark Andrews <marka@isc.org>
Thu, 31 Dec 2015 11:17:37 +0000 (22:17 +1100)
committerMark Andrews <marka@isc.org>
Thu, 31 Dec 2015 11:19:46 +0000 (22:19 +1100)
                        a OPT record resulting in a assertion failure.
                        (CVE-2015-8705) [RT #41397]

(cherry picked from commit 3e0c1603a835c678b07f1147909bf196988ee0d3)

CHANGES
doc/arm/notes.xml
lib/dns/message.c

diff --git a/CHANGES b/CHANGES
index 1ea58e2f4f8e97d0cb47350233b61e435a1198cc..f32714b60cdc244e9153b39f2e3929cbabee5c33 100644 (file)
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,7 @@
+4286.  [security]      render_ecs errors were mishandled when printing out
+                       a OPT record resulting in a assertion failure.
+                       (CVE-2015-8705) [RT #41397]
+
 4285.  [security]      Specific APL data could trigger a INSIST.
                        (CVE-2015-8704) [RT #41396]
 
index 60108948b46c1aa08b9fe2569c1522c2e438fe80..7c6afaf4f86ccbe308c36d7e5b27c02c262b72eb 100644 (file)
          by Brian Mitchell and is disclosed in CVE-2015-8704. [RT #41396]
        </para>
       </listitem>
+      <listitem>
+       <para>
+         render_ecs errors when printing out a OPT record were
+         mishandled resulting in a assertion failure. This flaw
+         was discovered by Brian Mitchell and is disclosed in
+         CVE-2015-8705. [RT #41396]
+       </para>
+      </listitem>
     </itemizedlist>
   </section>
   <section xml:id="relnotes_features"><info><title>New Features</title></info>
index a30e5edf894295c375dcbfb0f9fabad1be6037af..0fa0a0a4d8d9e99445ec7bdfbee97022f3419fcd 100644 (file)
@@ -3232,7 +3232,7 @@ dns_message_sectiontotext(dns_message_t *msg, dns_section_t section,
 }
 
 static isc_result_t
-render_ecs(isc_buffer_t *optbuf, isc_buffer_t *target) {
+render_ecs(isc_buffer_t *ecsbuf, isc_buffer_t *target) {
        int i;
        char addr[16], addr_text[64];
        isc_uint16_t family;
@@ -3242,20 +3242,20 @@ render_ecs(isc_buffer_t *optbuf, isc_buffer_t *target) {
         * Note: This routine needs to handle malformed ECS options.
         */
 
-       if (isc_buffer_remaininglength(optbuf) < 4)
+       if (isc_buffer_remaininglength(ecsbuf) < 4)
                return (DNS_R_OPTERR);
-       family = isc_buffer_getuint16(optbuf);
-       addrlen = isc_buffer_getuint8(optbuf);
-       scopelen = isc_buffer_getuint8(optbuf);
+       family = isc_buffer_getuint16(ecsbuf);
+       addrlen = isc_buffer_getuint8(ecsbuf);
+       scopelen = isc_buffer_getuint8(ecsbuf);
 
        addrbytes = (addrlen + 7) / 8;
-       if (isc_buffer_remaininglength(optbuf) < addrbytes)
+       if (isc_buffer_remaininglength(ecsbuf) < addrbytes)
                return (DNS_R_OPTERR);
 
        ADD_STRING(target, ": ");
        memset(addr, 0, sizeof(addr));
        for (i = 0; i < addrbytes; i ++)
-               addr[i] = isc_buffer_getuint8(optbuf);
+               addr[i] = isc_buffer_getuint8(ecsbuf);
 
        if (family == 1)
                inet_ntop(AF_INET, addr, addr_text, sizeof(addr_text));
@@ -3358,9 +3358,18 @@ dns_message_pseudosectiontotext(dns_message_t *msg,
                        } else if (optcode == DNS_OPT_COOKIE) {
                                ADD_STRING(target, "; COOKIE");
                        } else if (optcode == DNS_OPT_CLIENT_SUBNET) {
+                               isc_buffer_t ecsbuf;
+
                                ADD_STRING(target, "; CLIENT-SUBNET");
-                               result = render_ecs(&optbuf, target);
+                               isc_buffer_init(&ecsbuf,
+                                               isc_buffer_current(&optbuf),
+                                               optlen);
+                               isc_buffer_add(&ecsbuf, optlen);
+                               result = render_ecs(&ecsbuf, target);
+                               if (result == ISC_R_NOSPACE)
+                                       return (result);
                                if (result == ISC_R_SUCCESS) {
+                                       isc_buffer_forward(&optbuf, optlen);
                                        ADD_STRING(target, "\n");
                                        continue;
                                }