- Fix for VU#209659 CVE-2011-4528: Unbound denial of service

vulnerabilities from nonstandard redirection and denial of existence
http://www.unbound.net/downloads/CVE-2011-4528.txt
- robust checks for next-closer NSEC3s.
- tag 1.4.14 created.


git-svn-id: file:///svn/unbound/trunk@2574 be551aaa-1e26-0410-a405-d3ace91eadb9
Wouter Wijngaards 2011-12-19 10:55:32 +00:00
parent 65ad15da56
commit 0916e1d0ea
3 changed files with 22 additions and 2 deletions


@ -1,3 +1,10 @@
19 December 2011: Wouter
- Fix for VU#209659 CVE-2011-4528: Unbound denial of service
vulnerabilities from nonstandard redirection and denial of existence
http://www.unbound.net/downloads/CVE-2011-4528.txt
- robust checks for next-closer NSEC3s.
- tag 1.4.14 created.
15 December 2011: Wouter 15 December 2011: Wouter
- remove uninit warning from cachedump code. - remove uninit warning from cachedump code.
- Fix parse error on negative SOA RRSIGs if badly ordered in the packet. - Fix parse error on negative SOA RRSIGs if badly ordered in the packet.


@ -187,11 +187,14 @@ parse_get_cname_target(struct rrset_parse* rrset, uint8_t** sname,
size_t* snamelen) size_t* snamelen)
{ {
if(rrset->rr_count != 1) { if(rrset->rr_count != 1) {
struct rr_parse* sig;
verbose(VERB_ALGO, "Found CNAME rrset with " verbose(VERB_ALGO, "Found CNAME rrset with "
"size > 1: %u", (unsigned)rrset->rr_count); "size > 1: %u", (unsigned)rrset->rr_count);
/* use the first CNAME! */ /* use the first CNAME! */
rrset->rr_count = 1; rrset->rr_count = 1;
rrset->size = rrset->rr_first->size; rrset->size = rrset->rr_first->size;
for(sig=rrset->rrsig_first; sig; sig=sig->next)
rrset->size += sig->size;
rrset->rr_last = rrset->rr_first; rrset->rr_last = rrset->rr_first;
rrset->rr_first->next = NULL; rrset->rr_first->next = NULL;
} }
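Review bot: The for loop over rrsig_first that adds the RRSIG sizes back into rrset->size after the rrset is cut down to its first CNAME has no comment explaining why it is there, and a later reader is likely to "simplify" it away again; a comment such as `/* size covers the kept RR plus all of its RRSIGs; only the extra CNAMEs are dropped */` would pin the invariant. Presumably rrset->size is what the later copy of the rrset out of the packet is sized from, so under-counting it here is the malformed-packet problem this commit fixes — confirm against the consumer of rrset->size. The signatures are left attached (rrsig_first and rrsig_count untouched) while rr_count becomes 1, which is consistent as long as they are meant to apply to the retained RR; a short remark that this is by design would help. parse_get_cname_target begins before the hunk and continues after it.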


@ -1196,8 +1196,7 @@ nsec3_do_prove_nodata(struct module_env* env, struct nsec3_filter* flt,
return sec_status_bogus; return sec_status_bogus;
} }
/* everything is peachy keen, except for optout spans */ /* everything is peachy keen, except for optout spans */
log_assert(ce.nc_rrset); if(ce.nc_rrset && nsec3_has_optout(ce.nc_rrset, ce.nc_rr)) {
if(nsec3_has_optout(ce.nc_rrset, ce.nc_rr)) {
verbose(VERB_ALGO, "nsec3 nodata proof: matching " verbose(VERB_ALGO, "nsec3 nodata proof: matching "
"wildcard is in optout range, insecure"); "wildcard is in optout range, insecure");
return sec_status_insecure; return sec_status_insecure;
@ -1209,6 +1208,10 @@ nsec3_do_prove_nodata(struct module_env* env, struct nsec3_filter* flt,
/* Due to forwarders, cnames, and other collating effects, we /* Due to forwarders, cnames, and other collating effects, we
* can see the ordinary unsigned data from a zone beneath an * can see the ordinary unsigned data from a zone beneath an
* insecure delegation under an optout here */ * insecure delegation under an optout here */
if(!ce.nc_rrset) {
verbose(VERB_ALGO, "nsec3 nodata proof: no next closer nsec3");
return sec_status_bogus;
}
/* We need to make sure that the covering NSEC3 is opt-out. */ /* We need to make sure that the covering NSEC3 is opt-out. */
log_assert(ce.nc_rrset); log_assert(ce.nc_rrset);
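Review bot: In the first hunk the removed `log_assert(ce.nc_rrset)` becomes a silent fall-through: when ce.nc_rrset is NULL the opt-out test is skipped and execution continues past the hunk, so whether a matching wildcard without a next-closer NSEC3 ends up secure or bogus depends on code not shown here; if it reaches a `return sec_status_secure;`, that is weaker than the explicit bogus result the second hunk and nsec3_prove_nods give for the same condition, and a guard such as `if(!ce.nc_rrset) return sec_status_bogus;` before the opt-out test would make the three paths agree. In the second hunk the `log_assert(ce.nc_rrset);` directly after the new NULL check can no longer fire and can be dropped, or kept with a comment saying it is now redundant. The same NULL guard is now written out twice, here and in nsec3_prove_nods (the last hunk); moving it into the closest-encloser proof step that fills in ce would cover every caller at once. nsec3_do_prove_nodata starts before these hunks and continues after them.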
@ -1383,6 +1386,13 @@ nsec3_prove_nods(struct module_env* env, struct val_env* ve,
return sec_status_bogus; return sec_status_bogus;
} }
/* robust extra check */
if(!ce.nc_rrset) {
verbose(VERB_ALGO, "nsec3 nods proof: no next closer nsec3");
*reason = "no NSEC3 next closer";
return sec_status_bogus;
}
/* we had the closest encloser proof, then we need to check that the /* we had the closest encloser proof, then we need to check that the
* covering NSEC3 was opt-out -- the proveClosestEncloser step already * covering NSEC3 was opt-out -- the proveClosestEncloser step already
* checked to see if the closest encloser was a delegation or DNAME. * checked to see if the closest encloser was a delegation or DNAME.
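Review bot: The comment `/* robust extra check */` does not say what is being checked or why; the comment that follows explains that the covering NSEC3 must be examined for opt-out, so something like `/* the closest encloser proof must have yielded a next-closer NSEC3; the opt-out check below reads it */` would tell a reader why a NULL here is a bogus proof rather than a programming error. The new branch sets `*reason`, while the matching check added to nsec3_do_prove_nodata in the previous hunk does not; if that function also takes a reason out-parameter (its full parameter list is not visible here), giving it the same text keeps the validator's failure reporting consistent. nsec3_prove_nods starts before the hunk, and the comment on its last line continues past it.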