| From 9d8aba8a7778721ae2cee6e4670a8e6be6590b05 Mon Sep 17 00:00:00 2001 |
| From: Mark Andrews <marka@isc.org> |
| Date: Wed, 12 Oct 2016 19:52:59 +0900 |
| Subject: [PATCH] |
| 4406. [security] getrrsetbyname with a non absolute name could |
| trigger an infinite recursion bug in lwresd |
| and named with lwres configured if when combined |
| with a search list entry the resulting name is |
| too long. (CVE-2016-2775) [RT #42694] |
| |
| Backport commit 38cc2d14e218e536e0102fa70deef99461354232 from the |
| v9.11.0_patch branch. |
| |
| CVE: CVE-2016-2775 |
| Upstream-Status: Backport |
| |
| Signed-off-by: zhengruoqin <zhengrq.fnst@cn.fujitsu.com> |
| |
| --- |
| CHANGES | 6 ++++++ |
| bin/named/lwdgrbn.c | 16 ++++++++++------ |
| bin/tests/system/lwresd/lwtest.c | 9 ++++++++- |
| 3 files changed, 24 insertions(+), 7 deletions(-) |
| |
| diff --git a/CHANGES b/CHANGES |
| index d2e3360..d0a9d12 100644 |
| --- a/CHANGES |
| +++ b/CHANGES |
| @@ -1,3 +1,9 @@ |
| +4406. [security] getrrsetbyname with a non absolute name could |
| + trigger an infinite recursion bug in lwresd |
| + and named with lwres configured if when combined |
| + with a search list entry the resulting name is |
| + too long. (CVE-2016-2775) [RT #42694] |
| + |
| 4322. [security] Duplicate EDNS COOKIE options in a response could |
| trigger an assertion failure. (CVE-2016-2088) |
| [RT #41809] |
| diff --git a/bin/named/lwdgrbn.c b/bin/named/lwdgrbn.c |
| index 3e7b15b..e1e9adc 100644 |
| --- a/bin/named/lwdgrbn.c |
| +++ b/bin/named/lwdgrbn.c |
| @@ -403,14 +403,18 @@ start_lookup(ns_lwdclient_t *client) { |
| INSIST(client->lookup == NULL); |
| |
| dns_fixedname_init(&absname); |
| - result = ns_lwsearchctx_current(&client->searchctx, |
| - dns_fixedname_name(&absname)); |
| + |
| /* |
| - * This will return failure if relative name + suffix is too long. |
| - * In this case, just go on to the next entry in the search path. |
| + * Perform search across all search domains until success |
| + * is returned. Return in case of failure. |
| */ |
| - if (result != ISC_R_SUCCESS) |
| - start_lookup(client); |
| + while (ns_lwsearchctx_current(&client->searchctx, |
| + dns_fixedname_name(&absname)) != ISC_R_SUCCESS) { |
| + if (ns_lwsearchctx_next(&client->searchctx) != ISC_R_SUCCESS) { |
| + ns_lwdclient_errorpktsend(client, LWRES_R_FAILURE); |
| + return; |
| + } |
| + } |
| |
| result = dns_lookup_create(cm->mctx, |
| dns_fixedname_name(&absname), |
| diff --git a/bin/tests/system/lwresd/lwtest.c b/bin/tests/system/lwresd/lwtest.c |
| index ad9b551..3eb4a66 100644 |
| --- a/bin/tests/system/lwresd/lwtest.c |
| +++ b/bin/tests/system/lwresd/lwtest.c |
| @@ -768,7 +768,14 @@ main(void) { |
| test_getrrsetbyname("e.example1.", 1, 2, 1, 1, 1); |
| test_getrrsetbyname("e.example1.", 1, 46, 2, 0, 1); |
| test_getrrsetbyname("", 1, 1, 0, 0, 0); |
| - |
| + test_getrrsetbyname("123456789.123456789.123456789.123456789." |
| + "123456789.123456789.123456789.123456789." |
| + "123456789.123456789.123456789.123456789." |
| + "123456789.123456789.123456789.123456789." |
| + "123456789.123456789.123456789.123456789." |
| + "123456789.123456789.123456789.123456789." |
| + "123456789", 1, 1, 0, 0, 0); |
| + |
| if (fails == 0) |
| printf("I:ok\n"); |
| return (fails); |
| -- |
| 2.7.4 |
| |