From: Mark Andrews Date: Thu, 18 Feb 2016 01:11:27 +0000 (+1100) Subject: 4318. [security] Malformed control messages can trigger assertions X-Git-Tag: v9.9.8-P4~21 X-Git-Url: http://git.ipfire.org/gitweb/?a=commitdiff_plain;h=2078a505dddc60259ca8443fe04eda9d392f50d4;p=thirdparty%2Fbind9.git 4318. [security] Malformed control messages can trigger assertions in named and rndc. (CVE-2016-1285) [RT #41666] (cherry picked from commit a2b15b3305acd52179e6f3dc7d073b07fbc40b8e) --- diff --git a/CHANGES b/CHANGES index 02c91b24053..2dd4c05d7ab 100644 --- a/CHANGES +++ b/CHANGES @@ -1,3 +1,6 @@ +4318. [security] Malformed control messages can trigger assertions + in named and rndc. (CVE-2016-1285) [RT #41666] + --- 9.9.8-P3 released --- 4288. [bug] Fixed a regression in resolver.c:possibly_mark() diff --git a/bin/named/control.c b/bin/named/control.c index aacb0884fde..7a9c6a001e8 100644 --- a/bin/named/control.c +++ b/bin/named/control.c @@ -69,7 +69,7 @@ ns_control_docommand(isccc_sexpr_t *message, isc_buffer_t *text) { #endif data = isccc_alist_lookup(message, "_data"); - if (data == NULL) { + if (!isccc_alist_alistp(data)) { /* * No data section. */ diff --git a/bin/named/controlconf.c b/bin/named/controlconf.c index a9d498401d4..068478b13b9 100644 --- a/bin/named/controlconf.c +++ b/bin/named/controlconf.c @@ -397,7 +397,7 @@ control_recvmessage(isc_task_t *task, isc_event_t *event) { * Limit exposure to replay attacks. */ _ctrl = isccc_alist_lookup(request, "_ctrl"); - if (_ctrl == NULL) { + if (!isccc_alist_alistp(_ctrl)) { log_invalid(&conn->ccmsg, ISC_R_FAILURE); goto cleanup_request; } diff --git a/bin/rndc/rndc.c b/bin/rndc/rndc.c index c7d8fe1f843..ba3ac3af16e 100644 --- a/bin/rndc/rndc.c +++ b/bin/rndc/rndc.c @@ -249,8 +249,8 @@ rndc_recvdone(isc_task_t *task, isc_event_t *event) { DO("parse message", isccc_cc_fromwire(&source, &response, &secret)); data = isccc_alist_lookup(response, "_data"); - if (data == NULL) - fatal("no data section in response"); + if (!isccc_alist_alistp(data)) + fatal("bad or missing data section in response"); result = isccc_cc_lookupstring(data, "err", &errormsg); if (result == ISC_R_SUCCESS) { failed = ISC_TRUE; @@ -313,8 +313,8 @@ rndc_recvnonce(isc_task_t *task, isc_event_t *event) { DO("parse message", isccc_cc_fromwire(&source, &response, &secret)); _ctrl = isccc_alist_lookup(response, "_ctrl"); - if (_ctrl == NULL) - fatal("_ctrl section missing"); + if (!isccc_alist_alistp(_ctrl)) + fatal("bad or missing ctrl section in response"); nonce = 0; if (isccc_cc_lookupuint32(_ctrl, "_nonce", &nonce) != ISC_R_SUCCESS) nonce = 0; diff --git a/doc/arm/notes.xml b/doc/arm/notes.xml index 2c4c6050139..ed792192b26 100644 --- a/doc/arm/notes.xml +++ b/doc/arm/notes.xml @@ -22,6 +22,9 @@ This document summarizes changes since BIND 9.9.8: + + BIND 9.9.8-P4 addresses the security issue described in CVE-2016-1285. + BIND 9.9.8-P3 addresses the security issue described in CVE-2015-8704. It also fixes a serious regression in authoritative server selection @@ -77,6 +80,13 @@ lookup. This flaw is disclosed in CVE-2015-8461. [RT#40945] + + + Malformed control messages can trigger assertions in named + and rndc. This flaw is disclosed in CVE-2016-1285. [RT + #41666] + + diff --git a/lib/isccc/cc.c b/lib/isccc/cc.c index 30252336026..1024354ea63 100644 --- a/lib/isccc/cc.c +++ b/lib/isccc/cc.c @@ -287,10 +287,10 @@ verify(isccc_sexpr_t *alist, unsigned char *data, unsigned int length, * Extract digest. */ _auth = isccc_alist_lookup(alist, "_auth"); - if (_auth == NULL) + if (!isccc_alist_alistp(_auth)) return (ISC_R_FAILURE); hmd5 = isccc_alist_lookup(_auth, "hmd5"); - if (hmd5 == NULL) + if (!isccc_sexpr_binaryp(hmac)) return (ISC_R_FAILURE); /* * Compute digest. @@ -545,7 +545,7 @@ isccc_cc_createack(isccc_sexpr_t *message, isc_boolean_t ok, REQUIRE(ackp != NULL && *ackp == NULL); _ctrl = isccc_alist_lookup(message, "_ctrl"); - if (_ctrl == NULL || + if (!isccc_alist_alistp(_ctrl) || isccc_cc_lookupuint32(_ctrl, "_ser", &serial) != ISC_R_SUCCESS || isccc_cc_lookupuint32(_ctrl, "_tim", &t) != ISC_R_SUCCESS) return (ISC_R_FAILURE); @@ -590,7 +590,7 @@ isccc_cc_isack(isccc_sexpr_t *message) isccc_sexpr_t *_ctrl; _ctrl = isccc_alist_lookup(message, "_ctrl"); - if (_ctrl == NULL) + if (!isccc_alist_alistp(_ctrl)) return (ISC_FALSE); if (isccc_cc_lookupstring(_ctrl, "_ack", NULL) == ISC_R_SUCCESS) return (ISC_TRUE); @@ -603,7 +603,7 @@ isccc_cc_isreply(isccc_sexpr_t *message) isccc_sexpr_t *_ctrl; _ctrl = isccc_alist_lookup(message, "_ctrl"); - if (_ctrl == NULL) + if (!isccc_alist_alistp(_ctrl)) return (ISC_FALSE); if (isccc_cc_lookupstring(_ctrl, "_rpl", NULL) == ISC_R_SUCCESS) return (ISC_TRUE); @@ -623,7 +623,7 @@ isccc_cc_createresponse(isccc_sexpr_t *message, isccc_time_t now, _ctrl = isccc_alist_lookup(message, "_ctrl"); _data = isccc_alist_lookup(message, "_data"); - if (_ctrl == NULL || _data == NULL || + if (!isccc_alist_alistp(_ctrl) || !isccc_alist_alistp(_data) || isccc_cc_lookupuint32(_ctrl, "_ser", &serial) != ISC_R_SUCCESS || isccc_cc_lookupstring(_data, "type", &type) != ISC_R_SUCCESS) return (ISC_R_FAILURE); @@ -812,7 +812,7 @@ isccc_cc_checkdup(isccc_symtab_t *symtab, isccc_sexpr_t *message, isccc_sexpr_t *_ctrl; _ctrl = isccc_alist_lookup(message, "_ctrl"); - if (_ctrl == NULL || + if (!isccc_alist_alistp(_ctrl) || isccc_cc_lookupstring(_ctrl, "_ser", &_ser) != ISC_R_SUCCESS || isccc_cc_lookupstring(_ctrl, "_tim", &_tim) != ISC_R_SUCCESS) return (ISC_R_FAILURE);