Author: dougb
Date: Tue Jul 24 19:04:35 2012
New Revision: 238749
URL: http://svn.freebsd.org/changeset/base/238749
Log:
Heavy DNSSEC Validation Load Can Cause a "Bad Cache" Assertion Failure
in BIND9
High numbers of queries with DNSSEC validation enabled can cause an
assertion failure in named, caused by using a "bad cache" data structure
before it has been initialized.
CVE: CVE-2012-3817
Posting date: 24 July, 2012
Modified:
stable/8/contrib/bind9/CHANGES
stable/8/contrib/bind9/lib/dns/resolver.c
stable/8/contrib/bind9/lib/dns/zone.c
stable/8/contrib/bind9/lib/isc/random.c
stable/8/contrib/bind9/version
Directory Properties:
stable/8/contrib/bind9/ (props changed)
Modified: stable/8/contrib/bind9/CHANGES
==============================================================================
--- stable/8/contrib/bind9/CHANGES Tue Jul 24 19:00:56 2012
(r238748)
+++ stable/8/contrib/bind9/CHANGES Tue Jul 24 19:04:35 2012
(r238749)
@@ -1,3 +1,14 @@
+ --- 9.6-ESV-R7-P2 released ---
+
+3346. [security] Bad-cache data could be used before it was
+ initialized, causing an assert. [RT #30025]
+
+3343. [bug] Relax isc_random_jitter() REQUIRE tests. [RT #29821]
+
+3342. [bug] Change #3314 broke saving of stub zones to disk
+ resulting in excessive cpu usage in some cases.
+ [RT #29952]
+
--- 9.6-ESV-R7-P1 released ---
3331. [security] dns_rdataslab_fromrdataset could produce bad
Modified: stable/8/contrib/bind9/lib/dns/resolver.c
==============================================================================
--- stable/8/contrib/bind9/lib/dns/resolver.c Tue Jul 24 19:00:56 2012
(r238748)
+++ stable/8/contrib/bind9/lib/dns/resolver.c Tue Jul 24 19:04:35 2012
(r238749)
@@ -8124,6 +8124,7 @@ dns_resolver_addbadcache(dns_resolver_t
goto cleanup;
bad->type = type;
bad->hashval = hashval;
+ bad->expire = *expire;
isc_buffer_init(&buffer, bad + 1, name->length);
dns_name_init(&bad->name, NULL);
dns_name_copy(name, &bad->name, &buffer);
@@ -8135,8 +8136,8 @@ dns_resolver_addbadcache(dns_resolver_t
if (resolver->badcount < resolver->badhash * 2 &&
resolver->badhash > DNS_BADCACHE_SIZE)
resizehash(resolver, &now, ISC_FALSE);
- }
- bad->expire = *expire;
+ } else
+ bad->expire = *expire;
cleanup:
UNLOCK(&resolver->lock);
}
Modified: stable/8/contrib/bind9/lib/dns/zone.c
==============================================================================
--- stable/8/contrib/bind9/lib/dns/zone.c Tue Jul 24 19:00:56 2012
(r238748)
+++ stable/8/contrib/bind9/lib/dns/zone.c Tue Jul 24 19:04:35 2012
(r238749)
@@ -6054,6 +6054,7 @@ zone_maintenance(dns_zone_t *zone) {
switch (zone->type) {
case dns_zone_master:
case dns_zone_slave:
+ case dns_zone_stub:
LOCK_ZONE(zone);
if (zone->masterfile != NULL &&
isc_time_compare(&now, &zone->dumptime) >= 0 &&
@@ -6395,7 +6396,7 @@ zone_dump(dns_zone_t *zone, isc_boolean_
goto fail;
}
- if (compact) {
+ if (compact && zone->type != dns_zone_stub) {
dns_zone_t *dummy = NULL;
LOCK_ZONE(zone);
zone_iattach(zone, &dummy);
@@ -7251,7 +7252,7 @@ stub_callback(isc_task_t *task, isc_even
dns_zone_t *zone = NULL;
char master[ISC_SOCKADDR_FORMATSIZE];
char source[ISC_SOCKADDR_FORMATSIZE];
- isc_uint32_t nscnt, cnamecnt;
+ isc_uint32_t nscnt, cnamecnt, refresh, retry, expire;
isc_result_t result;
isc_time_t now;
isc_boolean_t exiting = ISC_FALSE;
@@ -7399,19 +7400,32 @@ stub_callback(isc_task_t *task, isc_even
ZONEDB_LOCK(&zone->dblock, isc_rwlocktype_write);
if (zone->db == NULL)
zone_attachdb(zone, stub->db);
+ result = zone_get_from_db(zone, zone->db, NULL, NULL, NULL, &refresh,
+ &retry, &expire, NULL, NULL);
+ if (result == ISC_R_SUCCESS) {
+ zone->refresh = RANGE(refresh, zone->minrefresh,
+ zone->maxrefresh);
+ zone->retry = RANGE(retry, zone->minretry, zone->maxretry);
+ zone->expire = RANGE(expire, zone->refresh + zone->retry,
+ DNS_MAX_EXPIRE);
+ DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_HAVETIMERS);
+ }
ZONEDB_UNLOCK(&zone->dblock, isc_rwlocktype_write);
dns_db_detach(&stub->db);
- if (zone->masterfile != NULL)
- zone_needdump(zone, 0);
-
dns_message_destroy(&msg);
isc_event_free(&event);
dns_request_destroy(&zone->request);
+
DNS_ZONE_CLRFLAG(zone, DNS_ZONEFLG_REFRESH);
+ DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_LOADED);
DNS_ZONE_JITTER_ADD(&now, zone->refresh, &zone->refreshtime);
isc_interval_set(&i, zone->expire, 0);
DNS_ZONE_TIME_ADD(&now, zone->expire, &zone->expiretime);
+
+ if (zone->masterfile != NULL)
+ zone_needdump(zone, 0);
+
zone_settimer(zone, &now);
goto free_stub;
Modified: stable/8/contrib/bind9/lib/isc/random.c
==============================================================================
--- stable/8/contrib/bind9/lib/isc/random.c Tue Jul 24 19:00:56 2012
(r238748)
+++ stable/8/contrib/bind9/lib/isc/random.c Tue Jul 24 19:04:35 2012
(r238749)
@@ -103,7 +103,7 @@ isc_uint32_t
isc_random_jitter(isc_uint32_t max, isc_uint32_t jitter) {
isc_uint32_t rnd;
- REQUIRE(jitter < max);
+ REQUIRE(jitter < max || (jitter == 0 && max == 0));
if (jitter == 0)
return (max);
Modified: stable/8/contrib/bind9/version
==============================================================================
--- stable/8/contrib/bind9/version Tue Jul 24 19:00:56 2012
(r238748)
+++ stable/8/contrib/bind9/version Tue Jul 24 19:04:35 2012
(r238749)
@@ -7,4 +7,4 @@ MAJORVER=9
MINORVER=6
PATCHVER=
RELEASETYPE=-ESV
-RELEASEVER=-R7-P1
+RELEASEVER=-R7-P2
_______________________________________________
svn-src-all@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/svn-src-all
To unsubscribe, send any mail to "svn-src-all-unsubscr...@freebsd.org"
