From 35025b6e88b726ae89caacbb312d1b40e5c20b4d Mon Sep 17 00:00:00 2001
From: Mark Andrews
Date: Mon, 10 Dec 2018 08:41:26 +1100
Subject: [PATCH 1/4] silently ignore additional keytag options
---
 lib/ns/client.c | 6 ++++++
 1 file changed, 6 insertions(+)
diff --git a/lib/ns/client.c b/lib/ns/client.c
index b71aa73eaa..321818bd27 100644
--- a/lib/ns/client.c
+++ b/lib/ns/client.c
@@ -2079,6 +2079,12 @@ process_keytag(ns_client_t *client, isc_buffer_t *buf, size_t optlen) {
 return (DNS_R_OPTERR);
 }
+ /* Silently drop additional keytag options. */
+ if (client->keytag != NULL) {
+ isc_buffer_forward(buf, (unsigned int)optlen);
+ return (ISC_R_SUCCESS);
+ }
+
 client->keytag = isc_mem_get(client->mctx, optlen);
 if (client->keytag != NULL) {
 client->keytag_len = (uint16_t)optlen;
From fe4810f1f8f75a4d5a96542fc6085109c94a3ee5 Mon Sep 17 00:00:00 2001
From: Mark Andrews
Date: Mon, 10 Dec 2018 13:33:54 +1100
Subject: [PATCH 2/4] check that multiple KEY-TAG trust-anchor-telemetry options don't leak memory
---
 bin/tests/system/dnssec/tests.sh | 13 ++++++++++++-
 1 file changed, 12 insertions(+), 1 deletion(-)
diff --git a/bin/tests/system/dnssec/tests.sh b/bin/tests/system/dnssec/tests.sh
index 3192f3fe19..82adbee0f8 100644
--- a/bin/tests/system/dnssec/tests.sh
+++ b/bin/tests/system/dnssec/tests.sh
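Review bot: The new early-return keeps only the first KEY-TAG option, but the comment says only that later ones are dropped, not why, so a reader may take the duplicate for a malformed option rather than see that a second `isc_mem_get()` would overwrite and orphan the buffer already held in `client->keytag`. Suggest `/* Only the first KEY-TAG option is kept: allocating again here would overwrite and leak client->keytag (CVE-2018-5744). */`. Placing the check before the allocation is what stops the per-request leak, and because it sits after the `return (DNS_R_OPTERR)` path above it, whatever validation that path enforces still applies to a duplicate before it is skipped. The check relies on `client->keytag` being reset to NULL when the client object is reused for a later request, which is not visible here and is worth confirming. process_keytag's body continues beyond both ends of the hunk.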
@@ -3593,12 +3593,23 @@ status=$((status+ret))
 echo_i "check that KEY-TAG trust-anchor-telemetry queries are logged ($n)"
 ret=0
-dig_with_opts . dnskey +ednsopt=KEY-TAG:ffff @10.53.0.1 > dig.out.ns4.test$n || ret=1
+dig_with_opts . dnskey +ednsopt=KEY-TAG:ffff @10.53.0.1 > dig.out.ns1.test$n || ret=1
 grep "trust-anchor-telemetry './IN' from .* 65535" ns1/named.run > /dev/null || ret=1
 n=$((n+1))
 test "$ret" -eq 0 || echo_i "failed"
 status=$((status+ret))
+echo_i "check that multiple KEY-TAG trust-anchor-telemetry options don't leak memory ($n)"
+ret=0
+dig_with_opts . dnskey +ednsopt=KEY-TAG:fffe +ednsopt=KEY-TAG:fffd @10.53.0.1 > dig.out.ns1.test$n || ret=1
+grep "trust-anchor-telemetry './IN' from .* 65534" ns1/named.run > /dev/null || ret=1
+grep "trust-anchor-telemetry './IN' from .* 65533" ns1/named.run > /dev/null && ret=1
+$PERL $SYSTEMTESTTOP/stop.pl . ns1 || ret=1
+$PERL $SYSTEMTESTTOP/start.pl --noclean --restart --port ${PORT} . ns1 || ret=1
+n=$(($n+1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
 echo_i "check that the view is logged in messages from the validator when using views ($n)"
 ret=0
 grep "view rec: *validat" ns4/named.run > /dev/null || ret=1
From 9ae991751cd29d83b1c17ed5c8dbedb9df21270d Mon Sep 17 00:00:00 2001
From: Mark Andrews
Date: Mon, 10 Dec 2018 09:13:05 +1100
Subject: [PATCH 3/4] add CHANGES and release note entries
---
 CHANGES | 3 ++-
 doc/arm/notes.xml | 9 +++++++++
 2 files changed, 11 insertions(+), 1 deletion(-)
diff --git a/CHANGES b/CHANGES
index 0fef5cd366..0839f62122 100644
--- a/CHANGES
+++ b/CHANGES
@@ -184,7 +184,8 @@
 5111. [bug] Occluded DNSKEY records could make it into the delegating NSEC/NSEC3 bitmap. [GL #742]
-5110. [placeholder]
+5110. [security] Named leaked memory if there were multiple Key Tag
+ EDNS options present. (CVE-2018-5744) [GL #772]
 5109. [cleanup] Remove support for RSAMD5 algorithm. [GL #628]
diff --git a/doc/arm/notes.xml b/doc/arm/notes.xml
index e7ebbd0fb2..79256ea5c1 100644
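Review bot: The added counter line `n=$(($n+1))` departs from the `n=$((n+1))` form used by the neighbouring checks in this same hunk; `n=$((n+1))` keeps the block consistent. The check itself only confirms in ns1/named.run that the first KEY-TAG value (65534) is logged and the second (65533) is not; whether a leak would actually be caught appears to depend on the stop/restart of ns1 surfacing outstanding allocations at shutdown, which the script leaves unstated. A one-line comment above the `stop.pl` call, along the lines of `# restart ns1 so that any allocation still outstanding at shutdown is reported` (wording to be confirmed against what stop.pl checks), would make the purpose of the restart clear to the next reader.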
--- a/doc/arm/notes.xml
+++ b/doc/arm/notes.xml
@@ -148,6 +148,15 @@ by BIND 9. This flaw is disclosed in CVE-2018-5745. [GL #780]
+
+
+ named leaked memory when processing a
+ request with multiple Key Tag EDNS options present. ISC
+ would like to thank Toshifumi Sakaguchi for bringing this
+ to our attention. This flaw is disclosed in CVE-2018-5744.
+ [GL #772]
+
+
From 747035dcc50369eafc7723013942717b6d9124a7 Mon Sep 17 00:00:00 2001
From: Evan Hunt
Date: Wed, 2 Jan 2019 16:47:06 -0800
Subject: [PATCH 4/4] fix test error
---
 bin/tests/system/dnssec/ns3/sign.sh | 2 +-
 bin/tests/system/dnssec/tests.sh | 4 ++--
 2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/bin/tests/system/dnssec/ns3/sign.sh b/bin/tests/system/dnssec/ns3/sign.sh
index 390dadb7d8..055cd9444d 100644
--- a/bin/tests/system/dnssec/ns3/sign.sh
+++ b/bin/tests/system/dnssec/ns3/sign.sh
@@ -247,7 +247,7 @@ zsk=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
 cat "$infile" "$ksk.key" "$zsk.key" unsupported-algorithm.key > "$zonefile"
 # "$SIGNER" -P -3 - -o "$zone" -f ${zonefile}.signed "$zonefile" > /dev/null 2>&1
-"$SIGNER" -P -3 - -o "$zone" -f ${zonefile}.signed "$zonefile"
+"$SIGNER" -P -3 - -o "$zone" -f ${zonefile}.signed "$zonefile" > /dev/null 2>&1
 #
 # A zone with a unknown DNSKEY algorithm + unknown NSEC3 hash algorithm (-U).
diff --git a/bin/tests/system/dnssec/tests.sh b/bin/tests/system/dnssec/tests.sh
index 82adbee0f8..1f39bd535b 100644
--- a/bin/tests/system/dnssec/tests.sh
+++ b/bin/tests/system/dnssec/tests.sh
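Review bot: With the redirection restored on the live `"$SIGNER"` line in sign.sh, the commented-out line directly above it is now character-for-character the same command and is dead text; drop `# "$SIGNER" -P -3 - -o "$zone" -f ${zonefile}.signed "$zonefile" > /dev/null 2>&1` rather than keep two copies that will drift apart. Sending both stdout and stderr to /dev/null also hides any signer diagnostic, and the command's exit status is not checked on this line, so a failed signing of this zone would only show up indirectly in later tests. If the setup scripts have a failure convention elsewhere (not visible in this hunk), applying it here would localise such a failure to the step that caused it.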
@@ -3604,8 +3604,8 @@ ret=0
 dig_with_opts . dnskey +ednsopt=KEY-TAG:fffe +ednsopt=KEY-TAG:fffd @10.53.0.1 > dig.out.ns1.test$n || ret=1
 grep "trust-anchor-telemetry './IN' from .* 65534" ns1/named.run > /dev/null || ret=1
 grep "trust-anchor-telemetry './IN' from .* 65533" ns1/named.run > /dev/null && ret=1
-$PERL $SYSTEMTESTTOP/stop.pl . ns1 || ret=1
-$PERL $SYSTEMTESTTOP/start.pl --noclean --restart --port ${PORT} . ns1 || ret=1
+$PERL $SYSTEMTESTTOP/stop.pl dnssec ns1 || ret=1
+$PERL $SYSTEMTESTTOP/start.pl --noclean --restart --port ${PORT} dnssec ns1 || ret=1
 n=$(($n+1))
 test "$ret" -eq 0 || echo_i "failed"
 status=$((status+ret))