From: Evan Hunt <each@isc.org>
Date: Thu, 26 May 2011 23:12:06 +0000 (+0000)
Subject: 3121.   [security]      An authoritative name server sending a negative
X-Git-Tag: v9.6-ESV-R5~51
X-Git-Url: http://git.ipfire.org/gitweb/?a=commitdiff_plain;h=f32e77571742a70e5d71cf3b23bb9fe6823b6007;p=thirdparty%2Fbind9.git

3121.   [security]      An authoritative name server sending a negative
                        response containing a very large RRset could
                        trigger an off-by-one error in the ncache code
                        and crash named. [RT #24650]
---

diff --git a/CHANGES b/CHANGES
index 86dbb169cfe..4976698573c 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,7 @@
+3121.   [security]      An authoritative name server sending a negative
+                        response containing a very large RRset could
+                        trigger an off-by-one error in the ncache code
+                        and crash named. [RT #24650]
 
 	--- 9.6-ESV-R5rc1 released ---
 
diff --git a/lib/dns/ncache.c b/lib/dns/ncache.c
index 12336500edb..e489feb01bc 100644
--- a/lib/dns/ncache.c
+++ b/lib/dns/ncache.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: ncache.c,v 1.43.48.7 2010/05/19 09:53:46 marka Exp $ */
+/* $Id: ncache.c,v 1.43.48.8 2011/05/26 23:12:06 each Exp $ */
 
 /*! \file */
 
@@ -186,7 +186,7 @@ dns_ncache_addoptout(dns_message_t *message, dns_db_t *cache,
 					 */
 					isc_buffer_availableregion(&buffer,
 								   &r);
-					if (r.length < 2)
+					if (r.length < 3)
 						return (ISC_R_NOSPACE);
 					isc_buffer_putuint16(&buffer,
 							     rdataset->type);