Module Name: src
Committed By: riz
Date: Sat Jul 16 00:45:39 UTC 2011
Modified Files:
src/dist/bind/lib/dns [netbsd-4]: masterdump.c message.c ncache.c
rbtdb.c rdataset.c resolver.c validator.c
src/dist/bind/lib/dns/include/dns [netbsd-4]: rdataset.h
Log Message:
dist/bind/lib/dns/masterdump.c patch
dist/bind/lib/dns/message.c patch
dist/bind/lib/dns/ncache.c patch
dist/bind/lib/dns/rbtdb.c patch
dist/bind/lib/dns/rdataset.c patch
dist/bind/lib/dns/resolver.c patch
dist/bind/lib/dns/validator.c patch
dist/bind/lib/dns/include/dns/rdataset.h patch
Patch bind to address CVE-2011-2464.
[spz, ticket #1431]
To generate a diff of this commit:
cvs rdiff -u -r1.1.1.4.4.3 -r1.1.1.4.4.4 src/dist/bind/lib/dns/masterdump.c
cvs rdiff -u -r1.2.4.3 -r1.2.4.4 src/dist/bind/lib/dns/message.c
cvs rdiff -u -r1.1.1.3.4.3 -r1.1.1.3.4.4 src/dist/bind/lib/dns/ncache.c \
src/dist/bind/lib/dns/rdataset.c
cvs rdiff -u -r1.1.1.4.4.4 -r1.1.1.4.4.5 src/dist/bind/lib/dns/rbtdb.c
cvs rdiff -u -r1.2.2.6 -r1.2.2.7 src/dist/bind/lib/dns/resolver.c
cvs rdiff -u -r1.4.4.6 -r1.4.4.7 src/dist/bind/lib/dns/validator.c
cvs rdiff -u -r1.1.1.3.4.3 -r1.1.1.3.4.4 \
src/dist/bind/lib/dns/include/dns/rdataset.h
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
Modified files:
Index: src/dist/bind/lib/dns/masterdump.c
diff -u src/dist/bind/lib/dns/masterdump.c:1.1.1.4.4.3 src/dist/bind/lib/dns/masterdump.c:1.1.1.4.4.4
--- src/dist/bind/lib/dns/masterdump.c:1.1.1.4.4.3 Sun Jan 23 21:47:38 2011
+++ src/dist/bind/lib/dns/masterdump.c Sat Jul 16 00:45:36 2011
@@ -1,7 +1,7 @@
-/* $NetBSD: masterdump.c,v 1.1.1.4.4.3 2011/01/23 21:47:38 bouyer Exp $ */
+/* $NetBSD: masterdump.c,v 1.1.1.4.4.4 2011/07/16 00:45:36 riz Exp $ */
/*
- * Copyright (C) 2004-2006, 2008, 2009 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2006, 2008, 2009, 2011 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 1999-2003 Internet Software Consortium.
*
* Permission to use, copy, modify, and/or distribute this software for any
@@ -17,7 +17,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* Id: masterdump.c,v 1.73.18.19 2009/11/25 04:50:24 marka Exp */
+/* Id: masterdump.h,v 1.31.14.7 2011-05-27 23:49:08 tbox Exp */
/*! \file */
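Review bot: The new Id line names `masterdump.h,v 1.31.14.7`, although this file is masterdump.c and the removed line carried `masterdump.c,v 1.73.18.19`. It looks as if a header's tag was pasted in, which leaves no record of which upstream masterdump.c revision this security patch was taken from. If that revision is known, the tag should read `/* Id: masterdump.c,v <upstream-revision> <date> <author> Exp */`; otherwise the commit log should state where the patch came from.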
@@ -357,6 +357,7 @@
isc_uint32_t current_ttl;
isc_boolean_t current_ttl_valid;
dns_rdatatype_t type;
+ unsigned int type_start;
REQUIRE(DNS_RDATASET_VALID(rdataset));
@@ -438,29 +439,26 @@
* Type.
*/
- if (rdataset->type == 0) {
+ if ((rdataset->attributes & DNS_RDATASETATTR_NEGATIVE) != 0) {
type = rdataset->covers;
} else {
type = rdataset->type;
}
- {
- unsigned int type_start;
- INDENT_TO(type_column);
- type_start = target->used;
- if (rdataset->type == 0)
- RETERR(str_totext("\\-", target));
- result = dns_rdatatype_totext(type, target);
- if (result != ISC_R_SUCCESS)
- return (result);
- column += (target->used - type_start);
- }
+ INDENT_TO(type_column);
+ type_start = target->used;
+ if ((rdataset->attributes & DNS_RDATASETATTR_NEGATIVE) != 0)
+ RETERR(str_totext("\\-", target));
+ result = dns_rdatatype_totext(type, target);
+ if (result != ISC_R_SUCCESS)
+ return (result);
+ column += (target->used - type_start);
/*
* Rdata.
*/
INDENT_TO(rdata_column);
- if (rdataset->type == 0) {
+ if ((rdataset->attributes & DNS_RDATASETATTR_NEGATIVE) != 0) {
if (NXDOMAIN(rdataset))
RETERR(str_totext(";-$NXDOMAIN\n", target));
else
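Review bot: The test `(rdataset->attributes & DNS_RDATASETATTR_NEGATIVE) != 0` is spelled out three times in this hunk and again in the hunks at -831 and -987, while the same code already uses an `NXDOMAIN(rdataset)` helper. A local `#define NEGATIVE(r) (((r)->attributes & DNS_RDATASETATTR_NEGATIVE) != 0)`, as resolver.c and validator.c get in this commit, would keep the five sites identical and easier to audit. I would also put `/* Negative cache entry: the type to print is in 'covers'. */` above the first test, since that is the reason `type` is taken from `covers`. The enclosing function starts and ends outside the hunk.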
@@ -831,7 +829,7 @@
sizeof(trustnames[0])));
fprintf(f, "; %s\n", trustnames[trust]);
}
- if (rds->type == 0 &&
+ if (((rds->attributes & DNS_RDATASETATTR_NEGATIVE) != 0) &&
(ctx->style.flags & DNS_STYLEFLAG_NCACHE) == 0) {
/* Omit negative cache entries */
} else {
@@ -987,7 +985,7 @@
dns_rdataset_init(&rdataset);
dns_rdatasetiter_current(rdsiter, &rdataset);
- if (rdataset.type == 0 &&
+ if (((rdataset.attributes & DNS_RDATASETATTR_NEGATIVE) != 0) &&
(ctx->style.flags & DNS_STYLEFLAG_NCACHE) == 0) {
/* Omit negative cache entries */
} else {
Index: src/dist/bind/lib/dns/message.c
diff -u src/dist/bind/lib/dns/message.c:1.2.4.3 src/dist/bind/lib/dns/message.c:1.2.4.4
--- src/dist/bind/lib/dns/message.c:1.2.4.3 Sun Jan 23 21:47:38 2011
+++ src/dist/bind/lib/dns/message.c Sat Jul 16 00:45:37 2011
@@ -1,4 +1,4 @@
-/* $NetBSD: message.c,v 1.2.4.3 2011/01/23 21:47:38 bouyer Exp $ */
+/* $NetBSD: message.c,v 1.2.4.4 2011/07/16 00:45:37 riz Exp $ */
/*
* Copyright (C) 2004-2009 Internet Systems Consortium, Inc. ("ISC")
@@ -17,7 +17,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* Id: message.c,v 1.222.18.18 2009/01/19 23:46:15 tbox Exp */
+/* Id: message.c,v 1.222.18.20 2011-06-09 07:12:57 tbox Exp */
/*! \file */
@@ -2439,7 +2439,7 @@
isc_result_t
dns_message_reply(dns_message_t *msg, isc_boolean_t want_question_section) {
- unsigned int first_section;
+ unsigned int clear_after;
isc_result_t result;
REQUIRE(DNS_MESSAGE_VALID(msg));
@@ -2453,11 +2453,11 @@
if (want_question_section) {
if (!msg->question_ok)
return (DNS_R_FORMERR);
- first_section = DNS_SECTION_ANSWER;
+ clear_after = DNS_SECTION_ANSWER;
} else
- first_section = DNS_SECTION_QUESTION;
+ clear_after = DNS_SECTION_QUESTION;
msg->from_to_wire = DNS_MESSAGE_INTENTRENDER;
- msgresetnames(msg, first_section);
+ msgresetnames(msg, clear_after);
msgresetopt(msg);
msgresetsigs(msg, ISC_TRUE);
msginitprivate(msg);
Index: src/dist/bind/lib/dns/ncache.c
diff -u src/dist/bind/lib/dns/ncache.c:1.1.1.3.4.3 src/dist/bind/lib/dns/ncache.c:1.1.1.3.4.4
--- src/dist/bind/lib/dns/ncache.c:1.1.1.3.4.3 Sat Jun 18 10:36:31 2011
+++ src/dist/bind/lib/dns/ncache.c Sat Jul 16 00:45:37 2011
@@ -1,7 +1,7 @@
-/* $NetBSD: ncache.c,v 1.1.1.3.4.3 2011/06/18 10:36:31 bouyer Exp $ */
+/* $NetBSD: ncache.c,v 1.1.1.3.4.4 2011/07/16 00:45:37 riz Exp $ */
/*
- * Copyright (C) 2004, 2005, 2010 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005, 2010, 2011 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 1999-2003 Internet Software Consortium.
*
* Permission to use, copy, modify, and/or distribute this software for any
@@ -182,7 +182,7 @@
isc_buffer_putuint16(&buffer,
rdataset->type);
isc_buffer_putuint8(&buffer,
- rdataset->trust);
+ (unsigned char)rdataset->trust);
/*
* Copy the rdataset into the buffer.
*/
@@ -259,7 +259,7 @@
trust = dns_trust_authauthority;
} else
trust = dns_trust_additional;
- isc_buffer_putuint8(&buffer, trust); /* trust */
+ isc_buffer_putuint8(&buffer, (unsigned char)trust); /* trust */
isc_buffer_putuint16(&buffer, 0); /* count */
/*
@@ -285,6 +285,7 @@
RUNTIME_CHECK(dns_rdatalist_tordataset(&ncrdatalist, &ncrdataset)
== ISC_R_SUCCESS);
ncrdataset.trust = trust;
+ ncrdataset.attributes |= DNS_RDATASETATTR_NEGATIVE;
if (message->rcode == dns_rcode_nxdomain)
ncrdataset.attributes |= DNS_RDATASETATTR_NXDOMAIN;
@@ -313,6 +314,7 @@
REQUIRE(rdataset != NULL);
REQUIRE(rdataset->type == 0);
+ REQUIRE((rdataset->attributes & DNS_RDATASETATTR_NEGATIVE) != 0);
savedbuffer = *target;
count = 0;
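Review bot: The added `REQUIRE` makes the NEGATIVE flag a hard precondition beside the existing `type == 0` check, and the same pair appears in the hunks at -539, -615 and -714. An rdataset that arrives with type 0 but without the flag now stops the process on an assertion instead of returning an error, so every producer of negative rdatasets must set it. This commit shows two producers: the `ncrdataset.attributes |= DNS_RDATASETATTR_NEGATIVE` line in the -285 hunk and the `NEGATIVE(header)` copy in rbtdb.c. It is worth confirming that nothing else in this branch builds a type-0 rdataset, and recording that above the checks, e.g. `/* Flag is set where the ncache rdataset is built and when rbtdb binds a negative header. */`. The enclosing function starts and ends outside the hunk.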
@@ -505,7 +507,7 @@
rdataset_settrust(dns_rdataset_t *rdataset, dns_trust_t trust) {
unsigned char *raw = rdataset->private3;
- raw[-1] = trust;
+ raw[-1] = (unsigned char)trust;
}
static dns_rdatasetmethods_t rdataset_methods = {
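Review bot: `raw[-1] = (unsigned char)trust;` writes one byte before the address held in `private3`, and nothing here says why that byte belongs to the buffer. The -182 hunk shows the trust value being written with `isc_buffer_putuint8` just before the rdataset is copied in, which is presumably the byte addressed here. A comment such as `/* The trust byte is stored directly before the data private3 points at. */` would make that layout assumption checkable. The cast narrows silently, so it is also worth confirming that `dns_trust_t` never exceeds 255. The function's return-type line is outside the hunk.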
@@ -539,6 +541,7 @@
REQUIRE(ncacherdataset != NULL);
REQUIRE(ncacherdataset->type == 0);
+ REQUIRE((ncacherdataset->attributes & DNS_RDATASETATTR_NEGATIVE) != 0);
REQUIRE(name != NULL);
REQUIRE(!dns_rdataset_isassociated(rdataset));
REQUIRE(type != dns_rdatatype_rrsig);
@@ -615,6 +618,7 @@
REQUIRE(ncacherdataset != NULL);
REQUIRE(ncacherdataset->type == 0);
+ REQUIRE((ncacherdataset->attributes & DNS_RDATASETATTR_NEGATIVE) != 0);
REQUIRE(name != NULL);
REQUIRE(!dns_rdataset_isassociated(rdataset));
@@ -714,6 +718,7 @@
REQUIRE(ncacherdataset != NULL);
REQUIRE(ncacherdataset->type == 0);
+ REQUIRE((ncacherdataset->attributes & DNS_RDATASETATTR_NEGATIVE) != 0);
REQUIRE(found != NULL);
REQUIRE(!dns_rdataset_isassociated(rdataset));
Index: src/dist/bind/lib/dns/rdataset.c
diff -u src/dist/bind/lib/dns/rdataset.c:1.1.1.3.4.3 src/dist/bind/lib/dns/rdataset.c:1.1.1.3.4.4
--- src/dist/bind/lib/dns/rdataset.c:1.1.1.3.4.3 Sat Jun 18 10:36:31 2011
+++ src/dist/bind/lib/dns/rdataset.c Sat Jul 16 00:45:37 2011
@@ -1,7 +1,7 @@
-/* $NetBSD: rdataset.c,v 1.1.1.3.4.3 2011/06/18 10:36:31 bouyer Exp $ */
+/* $NetBSD: rdataset.c,v 1.1.1.3.4.4 2011/07/16 00:45:37 riz Exp $ */
/*
- * Copyright (C) 2004-2006, 2009, 2010 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2006, 2009, 2010, 2011 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 1999-2003 Internet Software Consortium.
*
* Permission to use, copy, modify, and/or distribute this software for any
@@ -17,7 +17,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* Id: rdataset.c,v 1.72.18.9.10.1 2011-05-26 23:56:27 each Exp */
+/* Id: rdataset.c,v 1.72.18.12 2011-06-09 00:42:48 each Exp */
/*! \file */
@@ -344,7 +344,7 @@
count = 1;
result = dns_rdataset_first(rdataset);
INSIST(result == ISC_R_NOMORE);
- } else if (rdataset->type == 0) {
+ } else if ((rdataset->attributes & DNS_RDATASETATTR_NEGATIVE) != 0) {
/*
* This is a negative caching rdataset.
*/
Index: src/dist/bind/lib/dns/rbtdb.c
diff -u src/dist/bind/lib/dns/rbtdb.c:1.1.1.4.4.4 src/dist/bind/lib/dns/rbtdb.c:1.1.1.4.4.5
--- src/dist/bind/lib/dns/rbtdb.c:1.1.1.4.4.4 Sun Jan 23 21:47:38 2011
+++ src/dist/bind/lib/dns/rbtdb.c Sat Jul 16 00:45:37 2011
@@ -1,4 +1,4 @@
-/* $NetBSD: rbtdb.c,v 1.1.1.4.4.4 2011/01/23 21:47:38 bouyer Exp $ */
+/* $NetBSD: rbtdb.c,v 1.1.1.4.4.5 2011/07/16 00:45:37 riz Exp $ */
/*
* Copyright (C) 2004-2010 Internet Systems Consortium, Inc. ("ISC")
@@ -246,6 +246,7 @@
#define RDATASET_ATTR_IGNORE 0x0004
#define RDATASET_ATTR_RETAIN 0x0008
#define RDATASET_ATTR_NXDOMAIN 0x0010
+#define RDATASET_ATTR_NEGATIVE 0x0100
typedef struct acache_cbarg {
dns_rdatasetadditional_t type;
@@ -280,6 +281,8 @@
(((header)->attributes & RDATASET_ATTR_RETAIN) != 0)
#define NXDOMAIN(header) \
(((header)->attributes & RDATASET_ATTR_NXDOMAIN) != 0)
+#define NEGATIVE(header) \
+ (((header)->attributes & RDATASET_ATTR_NEGATIVE) != 0)
#define DEFAULT_NODE_LOCK_COUNT 7 /*%< Should be prime. */
#define DEFAULT_CACHE_NODE_LOCK_COUNT 1009 /*%< Should be prime. */
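Review bot: `NEGATIVE(header)` tests `RDATASET_ATTR_NEGATIVE` (0x0100, added in the -246 hunk) on a header, while resolver.c and validator.c gain a macro of the same name that tests `DNS_RDATASETATTR_NEGATIVE` (0x00200000) on an rdataset. The two bits differ, so the name alone does not tell a reader which flag is meant. A comment on this definition, e.g. `/* Header flag; mirrors DNS_RDATASETATTR_NEGATIVE on the bound rdataset. */`, would help. The value 0x0100 also needs the header's `attributes` field to be at least 16 bits wide, which is not visible here and should be confirmed.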
@@ -1875,6 +1878,8 @@
rdataset->covers = RBTDB_RDATATYPE_EXT(header->type);
rdataset->ttl = header->ttl - now;
rdataset->trust = header->trust;
+ if (NEGATIVE(header))
+ rdataset->attributes |= DNS_RDATASETATTR_NEGATIVE;
if (NXDOMAIN(header))
rdataset->attributes |= DNS_RDATASETATTR_NXDOMAIN;
rdataset->private1 = rbtdb;
@@ -3636,7 +3641,7 @@
*nodep = node;
}
- if (RBTDB_RDATATYPE_BASE(found->type) == 0) {
+ if (NEGATIVE(found)) {
/*
* We found a negative cache entry.
*/
@@ -4260,7 +4265,7 @@
if (found == NULL)
return (ISC_R_NOTFOUND);
- if (RBTDB_RDATATYPE_BASE(found->type) == 0) {
+ if (NEGATIVE(found)) {
/*
* We found a negative cache entry.
*/
@@ -4458,7 +4463,7 @@
negtype = 0;
if (rbtversion == NULL && !newheader_nx) {
rdtype = RBTDB_RDATATYPE_BASE(newheader->type);
- if (rdtype == 0) {
+ if (NEGATIVE(newheader)) {
/*
* We're adding a negative cache entry.
*/
@@ -4886,6 +4891,8 @@
now = 0;
} else {
newheader->serial = 1;
+ if ((rdataset->attributes & DNS_RDATASETATTR_NEGATIVE) != 0)
+ newheader->attributes |= RDATASET_ATTR_NEGATIVE;
if ((rdataset->attributes & DNS_RDATASETATTR_NXDOMAIN) != 0)
newheader->attributes |= RDATASET_ATTR_NXDOMAIN;
if ((rdataset->attributes & DNS_RDATASETATTR_NOQNAME) != 0) {
@@ -5981,7 +5988,7 @@
type = header->type;
rdtype = RBTDB_RDATATYPE_BASE(header->type);
- if (rdtype == 0) {
+ if (NEGATIVE(header)) {
covers = RBTDB_RDATATYPE_EXT(header->type);
negtype = RBTDB_RDATATYPE_VALUE(covers, 0);
} else
Index: src/dist/bind/lib/dns/resolver.c
diff -u src/dist/bind/lib/dns/resolver.c:1.2.2.6 src/dist/bind/lib/dns/resolver.c:1.2.2.7
--- src/dist/bind/lib/dns/resolver.c:1.2.2.6 Sun Jan 23 21:47:39 2011
+++ src/dist/bind/lib/dns/resolver.c Sat Jul 16 00:45:38 2011
@@ -1,7 +1,7 @@
-/* $NetBSD: resolver.c,v 1.2.2.6 2011/01/23 21:47:39 bouyer Exp $ */
+/* $NetBSD: resolver.c,v 1.2.2.7 2011/07/16 00:45:38 riz Exp $ */
/*
- * Copyright (C) 2004-2010 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2011 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 1999-2003 Internet Software Consortium.
*
* Permission to use, copy, modify, and/or distribute this software for any
@@ -403,6 +403,7 @@
FCTX_ADDRINFO_FORWARDER) != 0)
#define NXDOMAIN(r) (((r)->attributes & DNS_RDATASETATTR_NXDOMAIN) != 0)
+#define NEGATIVE(r) (((r)->attributes & DNS_RDATASETATTR_NEGATIVE) != 0)
#define dns_db_transfernode(a,b,c) do { (*c) = (*b); (*b) = NULL; } while (0)
@@ -988,7 +989,7 @@
* Negative results must be indicated in event->result.
*/
if (dns_rdataset_isassociated(event->rdataset) &&
- event->rdataset->type == dns_rdatatype_none) {
+ NEGATIVE(event->rdataset)) {
INSIST(event->result == DNS_R_NCACHENXDOMAIN ||
event->result == DNS_R_NCACHENXRRSET);
}
@@ -3953,7 +3954,7 @@
if (result != ISC_R_SUCCESS &&
result != DNS_R_UNCHANGED)
goto noanswer_response;
- if (ardataset != NULL && ardataset->type == 0) {
+ if (ardataset != NULL && NEGATIVE(ardataset)) {
if (NXDOMAIN(ardataset))
eresult = DNS_R_NCACHENXDOMAIN;
else
@@ -4274,7 +4275,7 @@
result = ISC_R_SUCCESS;
if (!need_validation &&
ardataset != NULL &&
- ardataset->type == 0) {
+ NEGATIVE(ardataset)) {
/*
* The answer in the cache is
* better than the answer we
@@ -4404,7 +4405,7 @@
if (result == DNS_R_UNCHANGED) {
if (ANSWER(rdataset) &&
ardataset != NULL &&
- ardataset->type == 0) {
+ NEGATIVE(ardataset)) {
/*
* The answer in the cache is better
* than the answer we found, and is
@@ -4434,7 +4435,7 @@
* Negative results must be indicated in event->result.
*/
if (dns_rdataset_isassociated(event->rdataset) &&
- event->rdataset->type == dns_rdatatype_none) {
+ NEGATIVE(event->rdataset)) {
INSIST(eresult == DNS_R_NCACHENXDOMAIN ||
eresult == DNS_R_NCACHENXRRSET);
}
@@ -4514,7 +4515,7 @@
* care about whether it is DNS_R_NCACHENXDOMAIN or
* DNS_R_NCACHENXRRSET then extract it.
*/
- if (ardataset->type == 0) {
+ if (NEGATIVE(ardataset)) {
/*
* The cache data is a negative cache entry.
*/
Index: src/dist/bind/lib/dns/validator.c
diff -u src/dist/bind/lib/dns/validator.c:1.4.4.6 src/dist/bind/lib/dns/validator.c:1.4.4.7
--- src/dist/bind/lib/dns/validator.c:1.4.4.6 Sat Jun 18 10:36:31 2011
+++ src/dist/bind/lib/dns/validator.c Sat Jul 16 00:45:38 2011
@@ -1,7 +1,7 @@
-/* $NetBSD: validator.c,v 1.4.4.6 2011/06/18 10:36:31 bouyer Exp $ */
+/* $NetBSD: validator.c,v 1.4.4.7 2011/07/16 00:45:38 riz Exp $ */
/*
- * Copyright (C) 2004-2010 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2011 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 2000-2003 Internet Software Consortium.
*
* Permission to use, copy, modify, and/or distribute this software for any
@@ -123,6 +123,8 @@
#define SHUTDOWN(v) (((v)->attributes & VALATTR_SHUTDOWN) != 0)
#define CANCELED(v) (((v)->attributes & VALATTR_CANCELED) != 0)
+#define NEGATIVE(r) (((r)->attributes & DNS_RDATASETATTR_NEGATIVE) != 0)
+
static void
destroy(dns_validator_t *val);
@@ -646,7 +648,7 @@
name = dns_fixedname_name(&val->fname);
if ((val->attributes & VALATTR_INSECURITY) != 0 &&
val->frdataset.covers == dns_rdatatype_ds &&
- val->frdataset.type == 0 &&
+ NEGATIVE(&val->frdataset) &&
isdelegation(name, &val->frdataset, DNS_R_NCACHENXRRSET)) {
if (val->mustbesecure) {
validator_log(val, ISC_LOG_WARNING,
@@ -3315,7 +3317,7 @@
val->attributes |= VALATTR_NEEDNODATA;
result = nsecvalidate(val, ISC_FALSE);
} else if (val->event->rdataset != NULL &&
- val->event->rdataset->type == 0)
+ NEGATIVE(val->event->rdataset))
{
/*
* This is a nonexistence validation.
Index: src/dist/bind/lib/dns/include/dns/rdataset.h
diff -u src/dist/bind/lib/dns/include/dns/rdataset.h:1.1.1.3.4.3 src/dist/bind/lib/dns/include/dns/rdataset.h:1.1.1.3.4.4
--- src/dist/bind/lib/dns/include/dns/rdataset.h:1.1.1.3.4.3 Sat Jun 18 10:36:32 2011
+++ src/dist/bind/lib/dns/include/dns/rdataset.h Sat Jul 16 00:45:38 2011
@@ -1,7 +1,7 @@
-/* $NetBSD: rdataset.h,v 1.1.1.3.4.3 2011/06/18 10:36:32 bouyer Exp $ */
+/* $NetBSD: rdataset.h,v 1.1.1.3.4.4 2011/07/16 00:45:38 riz Exp $ */
/*
- * Copyright (C) 2004-2006, 2009, 2010 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2006, 2009-2011 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 1999-2003 Internet Software Consortium.
*
* Permission to use, copy, modify, and/or distribute this software for any
@@ -189,6 +189,7 @@
#define DNS_RDATASETATTR_CHECKNAMES 0x00008000 /*%< Used by resolver. */
#define DNS_RDATASETATTR_REQUIREDGLUE 0x00010000
#define DNS_RDATASETATTR_LOADORDER 0x00020000
+#define DNS_RDATASETATTR_NEGATIVE 0x00200000
/*%
* _OMITDNSSEC:
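Review bot: `DNS_RDATASETATTR_NEGATIVE` is added without a comment, unlike `DNS_RDATASETATTR_CHECKNAMES` above it, and its value 0x00200000 skips the bits between 0x00020000 and itself. Since the rest of the commit replaces `type == 0` tests with this flag, the header is the place to state the contract: `/*%< Negative cache entry; the covered type is in 'covers'. */`. If the skipped bits are reserved to match other branches, a one-line remark saying so would keep a later change from reusing them inconsistently.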
@@ -613,8 +614,8 @@
const char *
dns_trust_totext(dns_trust_t trust);
/*
- * * Display trust in textual form.
- * */
+ * Display trust in textual form.
+ */
ISC_LANG_ENDDECLS