Module Name: src
Committed By: bouyer
Date: Sat Jun 18 10:36:32 UTC 2011
Modified Files:
src/dist/bind [netbsd-4]: CHANGES version
src/dist/bind/lib/dns [netbsd-4]: api ncache.c rdataset.c validator.c
src/dist/bind/lib/dns/include/dns [netbsd-4]: rdataset.h
Log Message:
Apply patch, requested by spz in ticket #1430:
dist/bind/CHANGES: patch
dist/bind/version: patch
dist/bind/lib/dns/api: patch
dist/bind/lib/dns/ncache.c: patch
dist/bind/lib/dns/rdataset.c: patch
dist/bind/lib/dns/validator.c: patch
dist/bind/lib/dns/include/dns/rdataset.h: patch
Fix security issue: An authoritative name server sending a negative
response containing a very large RRset could
trigger an off-by-one error in the ncache code
and crash named.
Fix bug: Named could fail to validate zones listed in a DLV
that validated insecure without using DLV and had
DS records in the parent zone.
To generate a diff of this commit:
cvs rdiff -u -r1.1.1.4.4.6 -r1.1.1.4.4.7 src/dist/bind/CHANGES
cvs rdiff -u -r1.1.1.4.4.7 -r1.1.1.4.4.8 src/dist/bind/version
cvs rdiff -u -r1.1.1.4.4.5 -r1.1.1.4.4.6 src/dist/bind/lib/dns/api
cvs rdiff -u -r1.1.1.3.4.2 -r1.1.1.3.4.3 src/dist/bind/lib/dns/ncache.c \
src/dist/bind/lib/dns/rdataset.c
cvs rdiff -u -r1.4.4.5 -r1.4.4.6 src/dist/bind/lib/dns/validator.c
cvs rdiff -u -r1.1.1.3.4.2 -r1.1.1.3.4.3 \
src/dist/bind/lib/dns/include/dns/rdataset.h
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
Modified files:
Index: src/dist/bind/CHANGES
diff -u src/dist/bind/CHANGES:1.1.1.4.4.6 src/dist/bind/CHANGES:1.1.1.4.4.7
--- src/dist/bind/CHANGES:1.1.1.4.4.6 Sun Jan 23 21:47:02 2011
+++ src/dist/bind/CHANGES Sat Jun 18 10:36:30 2011
@@ -1,3 +1,14 @@
+ --- 9.4-ESV-R4-P1 released ---
+
+3121. [security] An authoritative name server sending a negative
+ response containing a very large RRset could
+ trigger an off-by-one error in the ncache code
+ and crash named. [RT #24650]
+
+3120. [bug] Named could fail to validate zones listed in a DLV
+ that validated insecure without using DLV and had
+ DS records in the parent zone. [RT #24631]
+
--- 9.4-ESV-R4 released ---
2970. [security] Adding a NO DATA negative cache entry failed to clear
Index: src/dist/bind/version
diff -u src/dist/bind/version:1.1.1.4.4.7 src/dist/bind/version:1.1.1.4.4.8
--- src/dist/bind/version:1.1.1.4.4.7 Sun Jan 23 21:47:07 2011
+++ src/dist/bind/version Sat Jun 18 10:36:30 2011
@@ -1,4 +1,4 @@
-# Id: version,v 1.29.134.32 2010/11/18 01:34:50 marka Exp
+# $Id: version,v 1.1.1.4.4.8 2011/06/18 10:36:30 bouyer Exp $
#
# This file must follow /bin/sh rules. It is imported directly via
# configure.
@@ -7,4 +7,4 @@
MINORVER=4
PATCHVER=
RELEASETYPE=-ESV
-RELEASEVER=-R4
+RELEASEVER=-R4-P1
Index: src/dist/bind/lib/dns/api
diff -u src/dist/bind/lib/dns/api:1.1.1.4.4.5 src/dist/bind/lib/dns/api:1.1.1.4.4.6
--- src/dist/bind/lib/dns/api:1.1.1.4.4.5 Sun Jan 23 21:47:37 2011
+++ src/dist/bind/lib/dns/api Sat Jun 18 10:36:31 2011
@@ -1,3 +1,3 @@
LIBINTERFACE = 39
-LIBREVISION = 1
+LIBREVISION = 3
LIBAGE = 1
Index: src/dist/bind/lib/dns/ncache.c
diff -u src/dist/bind/lib/dns/ncache.c:1.1.1.3.4.2 src/dist/bind/lib/dns/ncache.c:1.1.1.3.4.3
--- src/dist/bind/lib/dns/ncache.c:1.1.1.3.4.2 Sun Jan 23 21:47:38 2011
+++ src/dist/bind/lib/dns/ncache.c Sat Jun 18 10:36:31 2011
@@ -1,4 +1,4 @@
-/* $NetBSD: ncache.c,v 1.1.1.3.4.2 2011/01/23 21:47:38 bouyer Exp $ */
+/* $NetBSD: ncache.c,v 1.1.1.3.4.3 2011/06/18 10:36:31 bouyer Exp $ */
/*
* Copyright (C) 2004, 2005, 2010 Internet Systems Consortium, Inc. ("ISC")
@@ -17,7 +17,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* Id: ncache.c,v 1.36.18.8 2010/06/03 23:46:10 tbox Exp */
+/* Id: ncache.c,v 1.36.18.8.10.1 2011-05-26 23:56:27 each Exp */
/*! \file */
@@ -177,7 +177,7 @@
*/
isc_buffer_availableregion(&buffer,
&r);
- if (r.length < 2)
+ if (r.length < 3)
return (ISC_R_NOSPACE);
isc_buffer_putuint16(&buffer,
rdataset->type);
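Review bot: The new bound in `if (r.length < 3)` is a bare magic number, and the hunk only shows the 2-byte `isc_buffer_putuint16` of `rdataset->type` that it guards; the third byte must be consumed by a write that follows outside the hunk (presumably a one-byte field emitted after the type — confirm against the lines below), so nothing at the check records why 3 is the correct minimum. I would annotate the check so the next edit does not reintroduce the mismatch, e.g. `/* type (2 bytes) plus the 1-byte field written below; RT #24650 */`, or derive the bound from the sizes of the writes rather than writing it by hand. The enclosing function begins before this hunk and continues after it.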
Index: src/dist/bind/lib/dns/rdataset.c
diff -u src/dist/bind/lib/dns/rdataset.c:1.1.1.3.4.2 src/dist/bind/lib/dns/rdataset.c:1.1.1.3.4.3
--- src/dist/bind/lib/dns/rdataset.c:1.1.1.3.4.2 Sun Jan 23 21:47:39 2011
+++ src/dist/bind/lib/dns/rdataset.c Sat Jun 18 10:36:31 2011
@@ -1,4 +1,4 @@
-/* $NetBSD: rdataset.c,v 1.1.1.3.4.2 2011/01/23 21:47:39 bouyer Exp $ */
+/* $NetBSD: rdataset.c,v 1.1.1.3.4.3 2011/06/18 10:36:31 bouyer Exp $ */
/*
* Copyright (C) 2004-2006, 2009, 2010 Internet Systems Consortium, Inc. ("ISC")
@@ -17,7 +17,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* Id: rdataset.c,v 1.72.18.9 2010/02/26 23:46:36 tbox Exp */
+/* Id: rdataset.c,v 1.72.18.9.10.1 2011-05-26 23:56:27 each Exp */
/*! \file */
@@ -36,6 +36,26 @@
#include <dns/rdataset.h>
#include <dns/compress.h>
+static const char *trustnames[] = {
+ "none",
+ "pending-additional",
+ "pending-answer",
+ "additional",
+ "glue",
+ "answer",
+ "authauthority",
+ "authanswer",
+ "secure",
+ "local" /* aka ultimate */
+};
+
+const char *
+dns_trust_totext(dns_trust_t trust) {
+ if (trust >= sizeof(trustnames)/sizeof(*trustnames))
+ return ("bad");
+ return (trustnames[trust]);
+}
+
void
dns_rdataset_init(dns_rdataset_t *rdataset) {
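Review bot: `trustnames` is indexed directly by the `dns_trust_t` value, so its order and length must mirror the enumeration behind `dns_trust_t` (declared outside this hunk), yet nothing at the table marks that coupling; I would add `/* Indexed by dns_trust_t; keep in sync with the enumeration in include/dns/rdataset.h. */` above the array and declare it `static const char * const trustnames[]` so the pointer table itself is read-only. The guard `trust >= sizeof(trustnames)/sizeof(*trustnames)` compares an enum against `size_t`, so a negative value would convert to a large unsigned and also land on "bad", which is the safe outcome but worth a one-line comment since that is what lets every `%s` caller in validator.c pass the result unconditionally. A short header comment on `dns_trust_totext` stating that it returns a pointer to a static string, never NULL, and "bad" for any out-of-range value would make that contract explicit.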
Index: src/dist/bind/lib/dns/validator.c
diff -u src/dist/bind/lib/dns/validator.c:1.4.4.5 src/dist/bind/lib/dns/validator.c:1.4.4.6
--- src/dist/bind/lib/dns/validator.c:1.4.4.5 Sun Jan 23 21:47:39 2011
+++ src/dist/bind/lib/dns/validator.c Sat Jun 18 10:36:31 2011
@@ -1,4 +1,4 @@
-/* $NetBSD: validator.c,v 1.4.4.5 2011/01/23 21:47:39 bouyer Exp $ */
+/* $NetBSD: validator.c,v 1.4.4.6 2011/06/18 10:36:31 bouyer Exp $ */
/*
* Copyright (C) 2004-2010 Internet Systems Consortium, Inc. ("ISC")
@@ -17,7 +17,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* Id: validator.c,v 1.119.18.60 2010/11/16 04:17:44 marka Exp */
+/* Id: validator.c,v 1.119.18.60.6.1 2011-05-26 23:56:27 each Exp */
/*! \file */
@@ -333,7 +333,8 @@
validator_done(val, ISC_R_CANCELED);
} else if (eresult == ISC_R_SUCCESS) {
validator_log(val, ISC_LOG_DEBUG(3),
- "keyset with trust %d", rdataset->trust);
+ "keyset with trust %s",
+ dns_trust_totext(rdataset->trust));
/*
* Only extract the dst key if the keyset is secure.
*/
@@ -410,7 +411,8 @@
validator_done(val, ISC_R_CANCELED);
} else if (eresult == ISC_R_SUCCESS) {
validator_log(val, ISC_LOG_DEBUG(3),
- "dsset with trust %d", rdataset->trust);
+ "dsset with trust %s",
+ dns_trust_totext(rdataset->trust));
val->dsset = &val->frdataset;
result = validatezonekey(val);
if (result != DNS_R_WAIT)
@@ -564,7 +566,8 @@
validator_done(val, ISC_R_CANCELED);
} else if (eresult == ISC_R_SUCCESS) {
validator_log(val, ISC_LOG_DEBUG(3),
- "keyset with trust %d", val->frdataset.trust);
+ "keyset with trust %s",
+ dns_trust_totext(val->frdataset.trust));
/*
* Only extract the dst key if the keyset is secure.
*/
@@ -635,10 +638,10 @@
isc_boolean_t have_dsset;
dns_name_t *name;
validator_log(val, ISC_LOG_DEBUG(3),
- "%s with trust %d",
+ "%s with trust %s",
val->frdataset.type == dns_rdatatype_ds ?
"dsset" : "ds non-existance",
- val->frdataset.trust);
+ dns_trust_totext(val->frdataset.trust));
have_dsset = ISC_TF(val->frdataset.type == dns_rdatatype_ds);
name = dns_fixedname_name(&val->fname);
if ((val->attributes & VALATTR_INSECURITY) != 0 &&
@@ -995,8 +998,8 @@
INSIST(type == dns_rdatatype_dlv);
if (val->frdataset.trust != dns_trust_secure) {
validator_log(val, ISC_LOG_DEBUG(3),
- "covering nsec: trust %u",
- val->frdataset.trust);
+ "covering nsec: trust %s",
+ dns_trust_totext(val->frdataset.trust));
goto notfound;
}
result = dns_rdataset_first(&val->frdataset);
@@ -1313,8 +1316,8 @@
* See if we've got the key used in the signature.
*/
validator_log(val, ISC_LOG_DEBUG(3),
- "keyset with trust %d",
- val->frdataset.trust);
+ "keyset with trust %s",
+ dns_trust_totext(val->frdataset.trust));
result = get_dst_key(val, siginfo, val->keyset);
if (result != ISC_R_SUCCESS) {
/*
@@ -2018,8 +2021,11 @@
"must be secure failure");
return (DNS_R_MUSTBESECURE);
}
- markanswer(val, "validatezonekey (2)");
- return (ISC_R_SUCCESS);
+ if (val->view->dlv == NULL || DLVTRIED(val)) {
+ markanswer(val, "validatezonekey (2)");
+ return (ISC_R_SUCCESS);
+ }
+ return (startfinddlvsep(val, val->event->name));
}
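Review bot: The new branch at `if (val->view->dlv == NULL || DLVTRIED(val))` carries no comment, so a reader cannot tell from the code why a key set that validated insecure is now routed to `startfinddlvsep` instead of being marked as before; the rationale lives only in the CHANGES entry (a DLV-listed zone that validated insecure without DLV and had DS records in the parent zone). I would put it above the `if`: `/* Insecure without DLV: if a DLV is configured and has not been tried yet, consult it before accepting the answer as insecure. */`. The return value of `startfinddlvsep` is handed straight back, so whatever result codes it produces now reach this function's caller as well — worth confirming the caller handles them. The enclosing function (`validatezonekey`, per the marker string) begins before this hunk.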
/*
@@ -2627,7 +2633,8 @@
validator_done(val, ISC_R_CANCELED);
} else if (eresult == ISC_R_SUCCESS) {
validator_log(val, ISC_LOG_DEBUG(3),
- "dlvset with trust %d", val->frdataset.trust);
+ "dlvset with trust %s",
+ dns_trust_totext(val->frdataset.trust));
dns_rdataset_clone(&val->frdataset, &val->dlv);
val->havedlvsep = ISC_TRUE;
if (dlv_algorithm_supported(val))
Index: src/dist/bind/lib/dns/include/dns/rdataset.h
diff -u src/dist/bind/lib/dns/include/dns/rdataset.h:1.1.1.3.4.2 src/dist/bind/lib/dns/include/dns/rdataset.h:1.1.1.3.4.3
--- src/dist/bind/lib/dns/include/dns/rdataset.h:1.1.1.3.4.2 Sun Jan 23 21:47:41 2011
+++ src/dist/bind/lib/dns/include/dns/rdataset.h Sat Jun 18 10:36:32 2011
@@ -1,4 +1,4 @@
-/* $NetBSD: rdataset.h,v 1.1.1.3.4.2 2011/01/23 21:47:41 bouyer Exp $ */
+/* $NetBSD: rdataset.h,v 1.1.1.3.4.3 2011/06/18 10:36:32 bouyer Exp $ */
/*
* Copyright (C) 2004-2006, 2009, 2010 Internet Systems Consortium, Inc. ("ISC")
@@ -17,7 +17,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* Id: rdataset.h,v 1.51.18.11 2010/02/26 23:46:37 tbox Exp */
+/* Id: rdataset.h,v 1.51.18.11.10.1 2011-05-26 23:56:27 each Exp */
#ifndef DNS_RDATASET_H
#define DNS_RDATASET_H 1
@@ -610,6 +610,12 @@
* Mark the rdataset to be expired in the backing database.
*/
+const char *
+dns_trust_totext(dns_trust_t trust);
+/*
+ * * Display trust in textual form.
+ * */
+
ISC_LANG_ENDDECLS
#endif /* DNS_RDATASET_H */
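Review bot: The comment block added under the `dns_trust_totext` prototype reads `* * Display trust in textual form.` and closes with `* */`, which looks like a doubled asterisk on each inner line (possibly a paste artifact — confirm in the source); the neighbouring block at `* Mark the rdataset to be expired in the backing database.` uses the file's plain ` * ` form, and this one should match it. While touching it, the comment should state the return contract the implementation provides: a pointer to a static string that the caller must not free, never NULL, and `"bad"` for any value outside the known trust levels. Suggested text: `/*` / ` * Display trust in textual form.  Returns a static string, never NULL;` / ` * values outside the known trust levels yield "bad".` / ` */`.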