diff --git a/CHANGES b/CHANGES index 0fef5cd366..0839f62122 100644 --- a/CHANGES +++ b/CHANGES @@ -184,7 +184,8 @@ 5111. [bug] Occluded DNSKEY records could make it into the delegating NSEC/NSEC3 bitmap. [GL #742] -5110. [placeholder] +5110. [security] Named leaked memory if there were multiple Key Tag + EDNS options present. (CVE-2018-5744) [GL #772] 5109. [cleanup] Remove support for RSAMD5 algorithm. [GL #628] diff --git a/bin/tests/system/dnssec/ns3/sign.sh b/bin/tests/system/dnssec/ns3/sign.sh index 390dadb7d8..055cd9444d 100644 --- a/bin/tests/system/dnssec/ns3/sign.sh +++ b/bin/tests/system/dnssec/ns3/sign.sh @@ -247,7 +247,7 @@ zsk=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone") cat "$infile" "$ksk.key" "$zsk.key" unsupported-algorithm.key > "$zonefile" # "$SIGNER" -P -3 - -o "$zone" -f ${zonefile}.signed "$zonefile" > /dev/null 2>&1 -"$SIGNER" -P -3 - -o "$zone" -f ${zonefile}.signed "$zonefile" +"$SIGNER" -P -3 - -o "$zone" -f ${zonefile}.signed "$zonefile" > /dev/null 2>&1 # # A zone with a unknown DNSKEY algorithm + unknown NSEC3 hash algorithm (-U). diff --git a/bin/tests/system/dnssec/tests.sh b/bin/tests/system/dnssec/tests.sh index 3192f3fe19..1f39bd535b 100644 --- a/bin/tests/system/dnssec/tests.sh +++ b/bin/tests/system/dnssec/tests.sh @@ -3593,12 +3593,23 @@ status=$((status+ret)) echo_i "check that KEY-TAG trust-anchor-telemetry queries are logged ($n)" ret=0 -dig_with_opts . dnskey +ednsopt=KEY-TAG:ffff @10.53.0.1 > dig.out.ns4.test$n || ret=1 +dig_with_opts . dnskey +ednsopt=KEY-TAG:ffff @10.53.0.1 > dig.out.ns1.test$n || ret=1 grep "trust-anchor-telemetry './IN' from .* 65535" ns1/named.run > /dev/null || ret=1 n=$((n+1)) test "$ret" -eq 0 || echo_i "failed" status=$((status+ret)) +echo_i "check that multiple KEY-TAG trust-anchor-telemetry options don't leak memory ($n)" +ret=0 +dig_with_opts . dnskey +ednsopt=KEY-TAG:fffe +ednsopt=KEY-TAG:fffd @10.53.0.1 > dig.out.ns1.test$n || ret=1 +grep "trust-anchor-telemetry './IN' from .* 65534" ns1/named.run > /dev/null || ret=1 +grep "trust-anchor-telemetry './IN' from .* 65533" ns1/named.run > /dev/null && ret=1 +$PERL $SYSTEMTESTTOP/stop.pl dnssec ns1 || ret=1 +$PERL $SYSTEMTESTTOP/start.pl --noclean --restart --port ${PORT} dnssec ns1 || ret=1 +n=$(($n+1)) +test "$ret" -eq 0 || echo_i "failed" +status=$((status+ret)) + echo_i "check that the view is logged in messages from the validator when using views ($n)" ret=0 grep "view rec: *validat" ns4/named.run > /dev/null || ret=1 diff --git a/doc/arm/notes.xml b/doc/arm/notes.xml index e7ebbd0fb2..79256ea5c1 100644 --- a/doc/arm/notes.xml +++ b/doc/arm/notes.xml @@ -148,6 +148,15 @@ by BIND 9. This flaw is disclosed in CVE-2018-5745. [GL #780] + + + named leaked memory when processing a + request with multiple Key Tag EDNS options present. ISC + would like to thank Toshifumi Sakaguchi for bringing this + to our attention. This flaw is disclosed in CVE-2018-5744. + [GL #772] + + diff --git a/lib/ns/client.c b/lib/ns/client.c index b71aa73eaa..321818bd27 100644 --- a/lib/ns/client.c +++ b/lib/ns/client.c @@ -2079,6 +2079,12 @@ process_keytag(ns_client_t *client, isc_buffer_t *buf, size_t optlen) { return (DNS_R_OPTERR); } + /* Silently drop additional keytag options. */ + if (client->keytag != NULL) { + isc_buffer_forward(buf, (unsigned int)optlen); + return (ISC_R_SUCCESS); + } + client->keytag = isc_mem_get(client->mctx, optlen); if (client->keytag != NULL) { client->keytag_len = (uint16_t)optlen;