3121. [security] An authoritative name server sending a negative

                        response containing a very large RRset could
                        trigger an off-by-one error in the ncache code
                        and crash named. [RT #24650]

diff --git a/CHANGES b/CHANGES
index 86dbb169cfe60f17391a0ea78c78f539d4febbf7..4976698573c9a353a96c55fa1d25609b0074b31e 100644 (file)
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,7 @@
+3121.   [security]      An authoritative name server sending a negative
+                        response containing a very large RRset could
+                        trigger an off-by-one error in the ncache code
+                        and crash named. [RT #24650]
 
        --- 9.6-ESV-R5rc1 released ---
 

diff --git a/lib/dns/ncache.c b/lib/dns/ncache.c
index 12336500edba64322ece2a54ef0c8599c19cbd8e..e489feb01bc22750f65a40c2072f63418f5aa01d 100644 (file)
--- a/lib/dns/ncache.c
+++ b/lib/dns/ncache.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: ncache.c,v 1.43.48.7 2010/05/19 09:53:46 marka Exp $ */
+/* $Id: ncache.c,v 1.43.48.8 2011/05/26 23:12:06 each Exp $ */
 
 /*! \file */
 
@@ -186,7 +186,7 @@ dns_ncache_addoptout(dns_message_t *message, dns_db_t *cache,
                                         */
                                        isc_buffer_availableregion(&buffer,
                                                                   &r);
-                                       if (r.length < 2)
+                                       if (r.length < 3)
                                                return (ISC_R_NOSPACE);
                                        isc_buffer_putuint16(&buffer,
                                                             rdataset->type);