]> git.ipfire.org Git - thirdparty/bind9.git/commitdiff
projects / thirdparty / bind9.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: 4484a9c)
3488. [bug] Use after free error with DH generated keys. [RT #32649]
authorMark Andrews <marka@isc.org>
Mon, 18 Feb 2013 09:24:24 +0000 (20:24 +1100)
committerMark Andrews <marka@isc.org>
Mon, 18 Feb 2013 09:26:08 +0000 (20:26 +1100)
CHANGES patch | blob | blame | history
bin/tests/system/tkey/tests.sh patch | blob | blame | history
lib/dns/tkey.c patch | blob | blame | history
lib/dns/tsig.c patch | blob | blame | history

diff --git a/CHANGES b/CHANGES
index 9b7b21cd8a6b500e035bb4d3dc1f27fc1d64041c..654cbb3e2d7abea277dad4ff24a9f7ae21659fa9 100644 (file)
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,5 @@
+3488.  [bug]           Use after free error with DH generated keys. [RT #32649]
+
 3487.  [bug]           Change 3444 was not complete.  There was a additional
                        place where the NOQNAME proof needed to be saved.
                         [RT #32629]
diff --git a/bin/tests/system/tkey/tests.sh b/bin/tests/system/tkey/tests.sh
index 3a4e2d97453e757908007a358ffa3cece4d4a6ef..f60fe7a2f4fd2b4848854c298c602fddb496a9f3 100644 (file)
--- a/bin/tests/system/tkey/tests.sh
+++ b/bin/tests/system/tkey/tests.sh
@@ -31,6 +31,7 @@ ret=0
 dhkeyname=`$KEYGEN -T KEY -a DH -b 768 -n host -r $RANDFILE client` || ret=1
 if [ $ret != 0 ]; then
        echo "I:failed"
+       status=`expr $status + $ret`
        echo "I:exit status: $status"
        exit $status
 fi
@@ -43,6 +44,7 @@ do
        keyname=`./keycreate $dhkeyname $owner` || ret=1
        if [ $ret != 0 ]; then
                echo "I:failed"
+               status=`expr $status + $ret`
                echo "I:exit status: $status"
                exit $status
        fi
@@ -84,6 +86,7 @@ ret=0
 keyname=`./keycreate $dhkeyname bar.example.` || ret=1
 if [ $ret != 0 ]; then
         echo "I:failed"
+       status=`expr $status + $ret`
         echo "I:exit status: $status"
         exit $status
 fi
@@ -124,6 +127,7 @@ ret=0
 keyname=`./keycreate $dhkeyname bar.example.` || ret=1
 if [ $ret != 0 ]; then
         echo "I:failed"
+       status=`expr $status + $ret`
         echo "I:exit status: $status"
         exit $status
 fi
diff --git a/lib/dns/tkey.c b/lib/dns/tkey.c
index 0112f7ec760eda3044794d137412d91f2d427051..7719db18084796abedfb73782acaa0b112bb596b 100644 (file)
--- a/lib/dns/tkey.c
+++ b/lib/dns/tkey.c
@@ -991,8 +991,13 @@ dns_tkey_builddhquery(dns_message_t *msg, dst_key_t *key, dns_name_t *name,
 
        ISC_LIST_INIT(namelist);
        RETERR(add_rdata_to_list(msg, &keyname, rdata, 0, &namelist));
-       dns_message_addname(msg, ISC_LIST_HEAD(namelist),
-                           DNS_SECTION_ADDITIONAL);
+       name = ISC_LIST_HEAD(namelist);
+       while (name != NULL) {
+               dns_name_t *next = ISC_LIST_NEXT(name, link);
+               ISC_LIST_UNLINK(namelist, name, link);
+               dns_message_addname(msg, name, DNS_SECTION_ADDITIONAL);
+               name = next;
+       }
 
        return (ISC_R_SUCCESS);
 
diff --git a/lib/dns/tsig.c b/lib/dns/tsig.c
index 72969a694823ca675c311ec8d64b8bcdc2907be7..c7768f4c788a4e60f15de0faf1749661bb51d82d 100644 (file)
--- a/lib/dns/tsig.c
+++ b/lib/dns/tsig.c
@@ -240,7 +240,7 @@ adjust_lru(dns_tsigkey_t *tkey) {
                 * removing the read lock and aquiring the write lock.
                 */
                if (ISC_LINK_LINKED(tkey, link) &&
-                   (tkey->ring->lru).head != tkey)
+                   tkey->ring->lru.tail != tkey)
                {
                        ISC_LIST_UNLINK(tkey->ring->lru, tkey, link);
                        ISC_LIST_APPEND(tkey->ring->lru, tkey, link);
@@ -1768,11 +1768,15 @@ static void
 free_tsignode(void *node, void *_unused) {
        dns_tsigkey_t *key;
 
-       UNUSED(_unused);
-
        REQUIRE(node != NULL);
 
+       UNUSED(_unused);
+
        key = node;
+       if (key->generated) {
+               if (ISC_LINK_LINKED(key, link))
+                       ISC_LIST_UNLINK(key->ring->lru, key, link);
+       }
        dns_tsigkey_detach(&key);
 }
 
Mirror of https://gitlab.isc.org/isc-projects/bind9.git