4285. [security] Specific APL data could trigger a INSIST.

                        (CVE-2015-8704) [RT #41396]

(cherry picked from commit 1b3d21180244529f0099894fe9d29beb3f11efb3)

diff --git a/CHANGES b/CHANGES
index 2048e262ede39cc392e81cb3d5c6767c4c5dcef3..dbc385c7b9c5aefb153f42a16389f1b76fecbfb2 100644 (file)
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,6 @@
+4285.  [security]      Specific APL data could trigger a INSIST.
+                       (CVE-2015-8704) [RT #41396]
+
        --- 9.9.8-P2 released ---
 
 4270.  [security]      Update allowed OpenSSL versions as named is

diff --git a/doc/arm/notes.xml b/doc/arm/notes.xml
index ddd3153caab8a725f05c5b81b40b0ada74653bb8..40ed46997518c7a717dcabd3b12dca6087b89c30 100644 (file)
--- a/doc/arm/notes.xml
+++ b/doc/arm/notes.xml
@@ -24,7 +24,7 @@
     </para>
     <para>
       BIND 9.9.8-P2 addresses security issues described in CVE-2015-3193
-      (OpenSSL), CVE-2015-8000 and CVE-2015-8461.
+      (OpenSSL), CVE-2015-8000, CVE-2015-8461 and CVE-2015-8704.
     </para>
     <para>
       BIND 9.9.8-P1 was incomplete and was withdrawn prior to publication.
@@ -66,6 +66,12 @@
          in CVE-2015-8000. [RT #40987]
        </para>
       </listitem>
+      <listitem>
+       <para>
+         Specfic APL data could trigger a INSIST.  This flaw was discovered
+         by Brian Mitchell and is disclosed in CVE-2015-8704. [RT #41396]
+       </para>
+      </listitem>
     </itemizedlist>
   </sect2>
   <sect2 id="relnotes_features">

diff --git a/lib/dns/rdata/in_1/apl_42.c b/lib/dns/rdata/in_1/apl_42.c
index bedd38ebaab87efec683fa3c8b515447baaeece7..28eb7f280b3804af4760d980c0122a8995dbe2c3 100644 (file)
--- a/lib/dns/rdata/in_1/apl_42.c
+++ b/lib/dns/rdata/in_1/apl_42.c
@@ -116,7 +116,7 @@ totext_in_apl(ARGS_TOTEXT) {
        isc_uint8_t len;
        isc_boolean_t neg;
        unsigned char buf[16];
-       char txt[sizeof(" !64000")];
+       char txt[sizeof(" !64000:")];
        const char *sep = "";
        int n;
 
@@ -140,7 +140,7 @@ totext_in_apl(ARGS_TOTEXT) {
                isc_region_consume(&sr, 1);
                INSIST(len <= sr.length);
                n = snprintf(txt, sizeof(txt), "%s%s%u:", sep,
-                            neg ? "!": "", afi);
+                            neg ? "!" : "", afi);
                INSIST(n < (int)sizeof(txt));
                RETERR(str_totext(txt, target));
                switch (afi) {