Merge branch '2109-sig0-computation-could-be-wrong' into 'main'

Resolve "kind of use-after-free condition in SIG(0) signing"

Closes #2109

See merge request isc-projects/bind9!4168
Mark Andrews 2020-09-23 01:12:57 +00:00
commit 3ed13455cc
6 changed files with 34 additions and 0 deletions


@ -1,3 +1,6 @@
5507. [bug] Named could compute incorrect SIG(0) responses.
[GL #2109]
5506. [bug] Properly handle failed sysconf() calls, so we don't
report invalid memory size. [GL #2166]


@ -1486,6 +1486,16 @@ dns_message_setpadding(dns_message_t *msg, uint16_t padding);
* \li msg be a valid message.
*/
void
dns_message_clonebuffer(dns_message_t *msg);
/*%<
* Clone the query or saved buffers if they where not cloned
* when parsing.
*
* Requires:
* \li msg be a valid message.
*/
ISC_LANG_ENDDECLS
#endif /* DNS_MESSAGE_H */
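Review bot: The doc comment for `dns_message_clonebuffer` does not say who owns the copies or when a caller is expected to make the call. Judging by the implementation in this commit, the copies come from `msg->mctx` and `free_saved`/`free_query` are set, so the message presumably releases them itself; the comment should state that, and that a repeated call is a no-op. It should also say that the call is needed before the message is handed to deferred processing while the buffer it was parsed from may be reused, which is my reading of the merge request title rather than something this hunk shows. Separately, "if they where not cloned" should read "if they were not cloned".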


@ -4749,3 +4749,21 @@ dns_message_setpadding(dns_message_t *msg, uint16_t padding) {
}
msg->padding = padding;
}
void
dns_message_clonebuffer(dns_message_t *msg) {
REQUIRE(DNS_MESSAGE_VALID(msg));
if (msg->free_saved == 0 && msg->saved.base != NULL) {
msg->saved.base =
memmove(isc_mem_get(msg->mctx, msg->saved.length),
msg->saved.base, msg->saved.length);
msg->free_saved = 1;
}
if (msg->free_query == 0 && msg->query.base != NULL) {
msg->query.base =
memmove(isc_mem_get(msg->mctx, msg->query.length),
msg->query.base, msg->query.length);
msg->free_query = 1;
}
}
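Review bot: Both branches of `dns_message_clonebuffer` nest the allocation inside `memmove(isc_mem_get(...), ...)`, which hides the one step that changes who owns the buffer. Splitting it, e.g. `void *copy = isc_mem_get(msg->mctx, msg->saved.length);` then `memcpy(copy, msg->saved.base, msg->saved.length);`, reads more clearly, and `memcpy` is enough because a fresh allocation cannot overlap the source. A short comment such as `/* saved/query may still alias the caller's buffer; take a private copy before it can be reused */` would record why the function exists. The code that frees these regions when `free_saved`/`free_query` are set is outside this hunk, so it is worth confirming that it releases them with the same `length`.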


@ -524,6 +524,7 @@ dns_master_styleflags
dns_message_addname
dns_message_buildopt
dns_message_checksig
dns_message_clonebuffer
dns_message_create
dns_message_currentname
dns_message_destroy


@ -5897,6 +5897,7 @@ ns_query_recurse(ns_client_t *client, dns_rdatatype_t qtype, dns_name_t *qname,
return (result);
}
dns_message_clonebuffer(client->message);
ns_client_recursing(client);
} else if ((client->attributes & NS_CLIENTATTR_RECURSING) == 0) {
client->attributes |= NS_CLIENTATTR_RECURSING;
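Review bot: The clone is added only on the arm that ends in `ns_client_recursing(client)`; the `else if` arm directly below sets `NS_CLIENTATTR_RECURSING` without calling it, and the hunk does not show whether the buffers are already private on that path. Because `dns_message_clonebuffer` skips a region whose `free_saved`/`free_query` flag is already set, adding `dns_message_clonebuffer(client->message);` to that arm as well would be cheap and would remove the dependence on which arm is taken. The same question applies to the update hunk, where `case dns_zone_slave:` begins right after the patched case and its body is not shown: if that path also defers work that later signs a response, it needs the same call. The body of ns_query_recurse starts and ends outside this hunk.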


@ -1666,6 +1666,7 @@ ns_update_start(ns_client_t *client, isc_nmhandle_t *handle,
if (sigresult != ISC_R_SUCCESS) {
FAIL(sigresult);
}
dns_message_clonebuffer(client->message);
CHECK(send_update_event(client, zone));
break;
case dns_zone_slave: