Source-Changes-HG archive
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]
[src/netbsd-1-6]: src/dist/bind/bin/named Pull up revision 1.4 (requested by ...
details: https://anonhg.NetBSD.org/src/rev/b5bfa7b8e013
branches: netbsd-1-6
changeset: 529350:b5bfa7b8e013
user: lukem <lukem%NetBSD.org@localhost>
date: Fri Nov 15 00:47:56 2002 +0000
description:
Pull up revision 1.4 (requested by itojun in ticket #989):
apply http://www.isc.org/products/BIND/patches/bind833.diff to fix recent
vulnerabilities:
* BIND: Remote Execution of Code (BIND 4 & 8)
* BIND: Multiple Denial of Service (BIND 8 only)
diffstat:
dist/bind/bin/named/db_sec.c | 16 +++++++++++-----
dist/bind/bin/named/ns_ncache.c | 15 +++++++--------
2 files changed, 18 insertions(+), 13 deletions(-)
diffs (116 lines):
diff -r 69e9cbb225c8 -r b5bfa7b8e013 dist/bind/bin/named/db_sec.c
--- a/dist/bind/bin/named/db_sec.c Fri Nov 15 00:47:45 2002 +0000
+++ b/dist/bind/bin/named/db_sec.c Fri Nov 15 00:47:56 2002 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: db_sec.c,v 1.2.2.1 2002/06/28 11:30:52 lukem Exp $ */
+/* $NetBSD: db_sec.c,v 1.2.2.2 2002/11/15 00:47:56 lukem Exp $ */
#if !defined(lint) && !defined(SABER)
@@ -481,7 +481,9 @@
struct sig_record *sigdata;
struct dnode *sigdn;
struct databuf *sigdp;
- time_t now;
+ u_int32_t now;
+ u_int32_t exptime;
+ u_int32_t signtime;
char *signer;
u_char name_n[MAXDNAME];
u_char *sig, *eom;
@@ -494,6 +496,7 @@
int dnssec_failed = 0, dnssec_succeeded = 0;
int return_value;
int i;
+ int expired = 0;
if (rrset == NULL || rrset->rr_name == NULL) {
ns_warning (ns_log_default, "verify_set: missing rrset/name");
@@ -529,11 +532,14 @@
* Don't verify a set if the SIG inception time is in
* the future. This should be fixed before 2038 (BEW)
*/
- if ((time_t)ntohl(sigdata->sig_time_n) > now)
+ signtime = ntohl(sigdata->sig_time_n);
+ if (SEQ_GT(signtime, now))
continue;
/* An expired set is dropped, but the data is not. */
- if ((time_t)ntohl(sigdata->sig_exp_n) < now) {
+ exptime = ntohl(sigdata->sig_exp_n);
+ if (SEQ_GT(now, exptime)) {
+ expired++;
db_detach(&sigdn->dp);
sigdp = NULL;
continue;
@@ -725,7 +731,7 @@
}
end:
- if (dnssec_failed > 0)
+ if (dnssec_failed > 0 || expired > 0)
rrset_trim_sigs(rrset);
if (trustedkey == 0 && key != NULL)
dst_free_key(key);
diff -r 69e9cbb225c8 -r b5bfa7b8e013 dist/bind/bin/named/ns_ncache.c
--- a/dist/bind/bin/named/ns_ncache.c Fri Nov 15 00:47:45 2002 +0000
+++ b/dist/bind/bin/named/ns_ncache.c Fri Nov 15 00:47:56 2002 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: ns_ncache.c,v 1.2.2.1 2002/06/28 11:33:47 lukem Exp $ */
+/* $NetBSD: ns_ncache.c,v 1.2.2.2 2002/11/15 00:47:56 lukem Exp $ */
#if !defined(lint) && !defined(SABER)
static const char rcsid[] = "Id: ns_ncache.c,v 8.29 2001/06/18 14:43:16 marka Exp";
@@ -68,7 +68,7 @@
u_int16_t atype;
u_char *sp, *cp1;
u_char data[MAXDATA];
- size_t len = sizeof data;
+ u_char *eod = data + sizeof(data);
#endif
nameserIncr(from.sin_addr, nssRcvdNXD);
@@ -188,7 +188,7 @@
rdatap = cp;
/* origin */
- n = dn_expand(msg, msg + msglen, cp, (char*)data, len);
+ n = dn_expand(msg, msg + msglen, cp, (char*)data, eod - data);
if (n < 0) {
ns_debug(ns_log_ncache, 3,
"ncache: origin form error");
@@ -197,9 +197,8 @@
cp += n;
n = strlen((char*)data) + 1;
cp1 = data + n;
- len -= n;
/* mail */
- n = dn_expand(msg, msg + msglen, cp, (char*)cp1, len);
+ n = dn_expand(msg, msg + msglen, cp, (char*)cp1, eod - cp1);
if (n < 0) {
ns_debug(ns_log_ncache, 3, "ncache: mail form error");
return;
@@ -207,20 +206,20 @@
cp += n;
n = strlen((char*)cp1) + 1;
cp1 += n;
- len -= n;
n = 5 * INT32SZ;
+ if (n > (eod - cp1)) /* Can't happen. See MAXDATA. */
+ return;
BOUNDS_CHECK(cp, n);
memcpy(cp1, cp, n);
/* serial, refresh, retry, expire, min */
cp1 += n;
- len -= n;
cp += n;
if (cp != rdatap + dlen) {
ns_debug(ns_log_ncache, 3, "ncache: form error");
return;
}
/* store the zone of the soa record */
- n = dn_expand(msg, msg + msglen, sp, (char*)cp1, len);
+ n = dn_expand(msg, msg + msglen, sp, (char*)cp1, eod - cp1);
if (n < 0) {
ns_debug(ns_log_ncache, 3, "ncache: form error 2");
return;
Home |
Main Index |
Thread Index |
Old Index