From 873c704de924d996183190aa6ffe28fe28cfd1c8 Mon Sep 17 00:00:00 2001
From: Mark Andrews
Date: Mon, 10 Dec 2018 08:41:26 +1100
Subject: [PATCH 1/4] silently ignore additional keytag options

---
 lib/ns/client.c | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/lib/ns/client.c b/lib/ns/client.c
index b71aa73eaa..321818bd27 100644
--- a/lib/ns/client.c
+++ b/lib/ns/client.c
@@ -2079,6 +2079,12 @@ process_keytag(ns_client_t *client, isc_buffer_t *buf, size_t optlen) {
 return (DNS_R_OPTERR);
 }
+ /* Silently drop additional keytag options. */
+ if (client->keytag != NULL) {
+ isc_buffer_forward(buf, (unsigned int)optlen);
+ return (ISC_R_SUCCESS);
+ }
 client->keytag = isc_mem_get(client->mctx, optlen);
 if (client->keytag != NULL) {
 client->keytag_len = (uint16_t)optlen;
From d68adfea9ce6d4e96bcd23681682c60d05624b89 Mon Sep 17 00:00:00 2001
From: Mark Andrews
Date: Mon, 10 Dec 2018 13:33:54 +1100
Subject: [PATCH 2/4] check that multiple KEY-TAG trust-anchor-telemetry options don't leak memory

---
 bin/tests/system/dnssec/tests.sh | 13 ++++++++++++-
 1 file changed, 12 insertions(+), 1 deletion(-)

diff --git a/bin/tests/system/dnssec/tests.sh b/bin/tests/system/dnssec/tests.sh
index 3192f3fe19..82adbee0f8 100644
--- a/bin/tests/system/dnssec/tests.sh
+++ b/bin/tests/system/dnssec/tests.sh
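Review bot: The comment on the new guard says what it does but not why, and the why is the substance of the fix: a second KEY-TAG option previously overwrote client->keytag and leaked the first allocation, so I would expand it to `/* Only the first KEY-TAG option is kept; a later one would overwrite client->keytag and leak the earlier isc_mem_get() allocation, so skip it. */`. The guard also makes correctness depend on client->keytag being reset to NULL whenever the client structure is reused, which is not visible in this hunk and worth confirming in the client reset path. Returning ISC_R_SUCCESS after isc_buffer_forward() means a duplicate option is accepted rather than rejected; if duplicates were meant to be treated as a malformed request, DNS_R_OPTERR would be the alternative, and the chosen behaviour should be stated in the comment. process_keytag() begins before this hunk, so the validation of optlen that precedes the (unsigned int) cast is not visible here.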
@@ -3593,12 +3593,23 @@ status=$((status+ret))
 echo_i "check that KEY-TAG trust-anchor-telemetry queries are logged ($n)"
 ret=0
-dig_with_opts . dnskey +ednsopt=KEY-TAG:ffff @10.53.0.1 > dig.out.ns4.test$n || ret=1
+dig_with_opts . dnskey +ednsopt=KEY-TAG:ffff @10.53.0.1 > dig.out.ns1.test$n || ret=1
 grep "trust-anchor-telemetry './IN' from .* 65535" ns1/named.run > /dev/null || ret=1
 n=$((n+1))
 test "$ret" -eq 0 || echo_i "failed"
 status=$((status+ret))
+echo_i "check that multiple KEY-TAG trust-anchor-telemetry options don't leak memory ($n)"
+ret=0
+dig_with_opts . dnskey +ednsopt=KEY-TAG:fffe +ednsopt=KEY-TAG:fffd @10.53.0.1 > dig.out.ns1.test$n || ret=1
+grep "trust-anchor-telemetry './IN' from .* 65534" ns1/named.run > /dev/null || ret=1
+grep "trust-anchor-telemetry './IN' from .* 65533" ns1/named.run > /dev/null && ret=1
+$PERL $SYSTEMTESTTOP/stop.pl . ns1 || ret=1
+$PERL $SYSTEMTESTTOP/start.pl --noclean --restart --port ${PORT} . ns1 || ret=1
+n=$(($n+1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
 echo_i "check that the view is logged in messages from the validator when using views ($n)"
 ret=0
 grep "view rec: *validat" ns4/named.run > /dev/null || ret=1
From 7d5b7192ec0d60605682cdc6bf6d112f768c3109 Mon Sep 17 00:00:00 2001
From: Mark Andrews
Date: Mon, 10 Dec 2018 09:13:05 +1100
Subject: [PATCH 3/4] add CHANGES and release note entries

---
 CHANGES | 3 ++-
 doc/arm/notes.xml | 9 +++++++++
 2 files changed, 11 insertions(+), 1 deletion(-)

diff --git a/CHANGES b/CHANGES
index 790d28111d..2f43c993cc 100644
--- a/CHANGES
+++ b/CHANGES
@@ -182,7 +182,8 @@
 5111. [bug] Occluded DNSKEY records could make it into the delegating NSEC/NSEC3 bitmap. [GL #742]
-5110. [placeholder]
+5110. [security] Named leaked memory if there were multiple Key Tag
+ EDNS options present. (CVE-2018-5744) [GL #772]
 5109. [cleanup] Remove support for RSAMD5 algorithm. [GL #628]
diff --git a/doc/arm/notes.xml b/doc/arm/notes.xml
index e7ebbd0fb2..79256ea5c1 100644
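Review bot: The new check is labelled as a memory-leak test but contains no explicit leak assertion; the stop.pl/start.pl pair presumably exists so that ns1's shutdown-time memory accounting runs after the duplicate option has been processed, and that should be stated in a comment such as `# restart ns1 so that a leaked keytag allocation is reported at shutdown`, otherwise the restart looks removable. The added `n=$(($n+1))` differs from the surrounding `n=$((n+1))`; use the unprefixed form for consistency with the rest of the file. The second grep with `&& ret=1` only shows that the 65533 tag is not logged, which verifies that the extra option is ignored rather than that nothing leaked, so the test name slightly overstates what the greps prove.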
--- a/doc/arm/notes.xml
+++ b/doc/arm/notes.xml
@@ -148,6 +148,15 @@
 by BIND 9. This flaw is disclosed in CVE-2018-5745. [GL #780]
+
+
+
+ named leaked memory when processing a
+ request with multiple Key Tag EDNS options present. ISC
+ would like to thank Toshifumi Sakaguchi for bringing this
+ to our attention. This flaw is disclosed in CVE-2018-5744.
+ [GL #772]
+
+
From a47d2850c05a4b4bf22601fc684e9900b1c30ef0 Mon Sep 17 00:00:00 2001
From: Evan Hunt
Date: Wed, 2 Jan 2019 16:47:06 -0800
Subject: [PATCH 4/4] fix test error

---
 bin/tests/system/dnssec/ns3/sign.sh | 2 +-
 bin/tests/system/dnssec/tests.sh | 4 ++--
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/bin/tests/system/dnssec/ns3/sign.sh b/bin/tests/system/dnssec/ns3/sign.sh
index 390dadb7d8..055cd9444d 100644
--- a/bin/tests/system/dnssec/ns3/sign.sh
+++ b/bin/tests/system/dnssec/ns3/sign.sh
@@ -247,7 +247,7 @@ zsk=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
 cat "$infile" "$ksk.key" "$zsk.key" unsupported-algorithm.key > "$zonefile"
 # "$SIGNER" -P -3 - -o "$zone" -f ${zonefile}.signed "$zonefile" > /dev/null 2>&1
-"$SIGNER" -P -3 - -o "$zone" -f ${zonefile}.signed "$zonefile"
+"$SIGNER" -P -3 - -o "$zone" -f ${zonefile}.signed "$zonefile" > /dev/null 2>&1
 #
 # A zone with a unknown DNSKEY algorithm + unknown NSEC3 hash algorithm (-U).
diff --git a/bin/tests/system/dnssec/tests.sh b/bin/tests/system/dnssec/tests.sh
index 82adbee0f8..1f39bd535b 100644
--- a/bin/tests/system/dnssec/tests.sh
+++ b/bin/tests/system/dnssec/tests.sh
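Review bot: Sending the signer's stdout and stderr to /dev/null on the new sign.sh line discards the diagnostic if signing fails, and the exit status is not checked either, so a broken signature would only show up indirectly in later tests.sh checks. Keeping the output in a file and checking the status, for example `"$SIGNER" -P -3 - -o "$zone" -f ${zonefile}.signed "$zonefile" > signer.out.$zone 2>&1 || echo "signing $zone failed"` (the output file name is a suggestion), keeps the run quiet while preserving the failure reason. The commented-out copy of the same command on the line above is now identical to the live one and could be dropped.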
@@ -3604,8 +3604,8 @@ ret=0
 dig_with_opts . dnskey +ednsopt=KEY-TAG:fffe +ednsopt=KEY-TAG:fffd @10.53.0.1 > dig.out.ns1.test$n || ret=1
 grep "trust-anchor-telemetry './IN' from .* 65534" ns1/named.run > /dev/null || ret=1
 grep "trust-anchor-telemetry './IN' from .* 65533" ns1/named.run > /dev/null && ret=1
-$PERL $SYSTEMTESTTOP/stop.pl . ns1 || ret=1
-$PERL $SYSTEMTESTTOP/start.pl --noclean --restart --port ${PORT} . ns1 || ret=1
+$PERL $SYSTEMTESTTOP/stop.pl dnssec ns1 || ret=1
+$PERL $SYSTEMTESTTOP/start.pl --noclean --restart --port ${PORT} dnssec ns1 || ret=1
 n=$(($n+1))
 test "$ret" -eq 0 || echo_i "failed"
 status=$((status+ret))