import-layers/yocto-poky/meta/recipes-connectivity/bind/bind/CVE-2016-2776.patch - openbmc/openbmc - Gitiles

 From 1171111657081970585f9f0e03b476358c33a6c0 Mon Sep 17 00:00:00 2001
 From: Mark Andrews <marka@isc.org>
 Date: Wed, 12 Oct 2016 20:36:52 +0900
 Subject: [PATCH]
 4467.   [security]      It was possible to trigger an assertion when
                         rendering a message. (CVE-2016-2776) [RT #43139]

 Backport commit 2bd0922cf995b9ac205fc83baf7e220b95c6bf12 from the
 v9.11.0_patch branch.

 CVE: CVE-2016-2776
 Upstream-Status: Backport

 Signed-off-by: zhengruoqin <zhengrq.fnst@cn.fujitsu.com>

 ---
  CHANGES           |  3 +++
  lib/dns/message.c | 42 +++++++++++++++++++++++++++++++-----------
  2 files changed, 34 insertions(+), 11 deletions(-)

 diff --git a/CHANGES b/CHANGES
 index d0a9d12..5c8c61a 100644
 --- a/CHANGES
 +++ b/CHANGES
 @@ -1,3 +1,6 @@
 +4467.   [security]      It was possible to trigger an assertion when
 +                        rendering a message. (CVE-2016-2776) [RT #43139]
 +
  4406.   [security]      getrrsetbyname with a non absolute name could
                          trigger an infinite recursion bug in lwresd
                          and named with lwres configured if when combined
 diff --git a/lib/dns/message.c b/lib/dns/message.c
 index 6b5b4bb..b74dc81 100644
 --- a/lib/dns/message.c
 +++ b/lib/dns/message.c
 @@ -1754,7 +1754,7 @@ dns_message_renderbegin(dns_message_t *msg, dns_compress_t *cctx,
  	if (r.length < DNS_MESSAGE_HEADERLEN)
  		return (ISC_R_NOSPACE);

 -	if (r.length < msg->reserved)
 +        if (r.length - DNS_MESSAGE_HEADERLEN < msg->reserved)
  		return (ISC_R_NOSPACE);

  	/*
 @@ -1895,8 +1895,29 @@ norender_rdataset(const dns_rdataset_t *rdataset, unsigned int options,

  	return (ISC_TRUE);
  }
 -
  #endif
 +
 +static isc_result_t
 +renderset(dns_rdataset_t *rdataset, dns_name_t *owner_name,
 +         dns_compress_t *cctx, isc_buffer_t *target,
 +         unsigned int reserved, unsigned int options, unsigned int *countp)
 +{
 +       isc_result_t result;
 +
 +       /*
 +        * Shrink the space in the buffer by the reserved amount.
 +        */
 +       if (target->length - target->used < reserved)
 +               return (ISC_R_NOSPACE);
 +
 +       target->length -= reserved;
 +       result = dns_rdataset_towire(rdataset, owner_name,
 +                                    cctx, target, options, countp);
 +       target->length += reserved;
 +
 +       return (result);
 +}
 +
  isc_result_t
  dns_message_rendersection(dns_message_t *msg, dns_section_t sectionid,
  			  unsigned int options)
 @@ -1939,6 +1960,8 @@ dns_message_rendersection(dns_message_t *msg, dns_section_t sectionid,
  	/*
  	 * Shrink the space in the buffer by the reserved amount.
  	 */
 +        if (msg->buffer->length - msg->buffer->used < msg->reserved)
 +                return (ISC_R_NOSPACE);
  	msg->buffer->length -= msg->reserved;

  	total = 0;
 @@ -2214,9 +2237,8 @@ dns_message_renderend(dns_message_t *msg) {
  		 * Render.
  		 */
  		count = 0;
 -		result = dns_rdataset_towire(msg->opt, dns_rootname,
 -					     msg->cctx, msg->buffer, 0,
 -					     &count);
 +                result = renderset(msg->opt, dns_rootname, msg->cctx,
 +                                   msg->buffer, msg->reserved, 0, &count);
  		msg->counts[DNS_SECTION_ADDITIONAL] += count;
  		if (result != ISC_R_SUCCESS)
  			return (result);
 @@ -2232,9 +2254,8 @@ dns_message_renderend(dns_message_t *msg) {
  		if (result != ISC_R_SUCCESS)
  			return (result);
  		count = 0;
 -		result = dns_rdataset_towire(msg->tsig, msg->tsigname,
 -					     msg->cctx, msg->buffer, 0,
 -					     &count);
 +                result = renderset(msg->tsig, msg->tsigname, msg->cctx,
 +                                   msg->buffer, msg->reserved, 0, &count);
  		msg->counts[DNS_SECTION_ADDITIONAL] += count;
  		if (result != ISC_R_SUCCESS)
  			return (result);
 @@ -2255,9 +2276,8 @@ dns_message_renderend(dns_message_t *msg) {
  		 * the owner name of a SIG(0) is irrelevant, and will not
  		 * be set in a message being rendered.
  		 */
 -		result = dns_rdataset_towire(msg->sig0, dns_rootname,
 -					     msg->cctx, msg->buffer, 0,
 -					     &count);
 +                result = renderset(msg->sig0, dns_rootname, msg->cctx,
 +                                   msg->buffer, msg->reserved, 0, &count);
  		msg->counts[DNS_SECTION_ADDITIONAL] += count;
  		if (result != ISC_R_SUCCESS)
  			return (result);
 --
 2.7.4
	From 1171111657081970585f9f0e03b476358c33a6c0 Mon Sep 17 00:00:00 2001
	From: Mark Andrews <marka@isc.org>
	Date: Wed, 12 Oct 2016 20:36:52 +0900
	Subject: [PATCH]
	4467. [security] It was possible to trigger an assertion when
	rendering a message. (CVE-2016-2776) [RT #43139]

	Backport commit 2bd0922cf995b9ac205fc83baf7e220b95c6bf12 from the
	v9.11.0_patch branch.

	CVE: CVE-2016-2776
	Upstream-Status: Backport

	Signed-off-by: zhengruoqin <zhengrq.fnst@cn.fujitsu.com>

	---
	CHANGES \| 3 +++
	lib/dns/message.c \| 42 +++++++++++++++++++++++++++++++-----------
	2 files changed, 34 insertions(+), 11 deletions(-)

	diff --git a/CHANGES b/CHANGES
	index d0a9d12..5c8c61a 100644
	--- a/CHANGES
	+++ b/CHANGES
	@@ -1,3 +1,6 @@
	+4467. [security] It was possible to trigger an assertion when
	+ rendering a message. (CVE-2016-2776) [RT #43139]
	+
	4406. [security] getrrsetbyname with a non absolute name could
	trigger an infinite recursion bug in lwresd
	and named with lwres configured if when combined
	diff --git a/lib/dns/message.c b/lib/dns/message.c
	index 6b5b4bb..b74dc81 100644
	--- a/lib/dns/message.c
	+++ b/lib/dns/message.c
	@@ -1754,7 +1754,7 @@ dns_message_renderbegin(dns_message_t msg, dns_compress_t cctx,
	if (r.length < DNS_MESSAGE_HEADERLEN)
	return (ISC_R_NOSPACE);

	- if (r.length < msg->reserved)
	+ if (r.length - DNS_MESSAGE_HEADERLEN < msg->reserved)
	return (ISC_R_NOSPACE);

	/*
	@@ -1895,8 +1895,29 @@ norender_rdataset(const dns_rdataset_t *rdataset, unsigned int options,

	return (ISC_TRUE);
	}
	-
	#endif
	+
	+static isc_result_t
	+renderset(dns_rdataset_t rdataset, dns_name_t owner_name,
	+ dns_compress_t cctx, isc_buffer_t target,
	+ unsigned int reserved, unsigned int options, unsigned int *countp)
	+{
	+ isc_result_t result;
	+
	+ /*
	+ * Shrink the space in the buffer by the reserved amount.
	+ */
	+ if (target->length - target->used < reserved)
	+ return (ISC_R_NOSPACE);
	+
	+ target->length -= reserved;
	+ result = dns_rdataset_towire(rdataset, owner_name,
	+ cctx, target, options, countp);
	+ target->length += reserved;
	+
	+ return (result);
	+}
	+
	isc_result_t
	dns_message_rendersection(dns_message_t *msg, dns_section_t sectionid,
	unsigned int options)
	@@ -1939,6 +1960,8 @@ dns_message_rendersection(dns_message_t *msg, dns_section_t sectionid,
	/*
	* Shrink the space in the buffer by the reserved amount.
	*/
	+ if (msg->buffer->length - msg->buffer->used < msg->reserved)
	+ return (ISC_R_NOSPACE);
	msg->buffer->length -= msg->reserved;

	total = 0;
	@@ -2214,9 +2237,8 @@ dns_message_renderend(dns_message_t *msg) {
	* Render.
	*/
	count = 0;
	- result = dns_rdataset_towire(msg->opt, dns_rootname,
	- msg->cctx, msg->buffer, 0,
	- &count);
	+ result = renderset(msg->opt, dns_rootname, msg->cctx,
	+ msg->buffer, msg->reserved, 0, &count);
	msg->counts[DNS_SECTION_ADDITIONAL] += count;
	if (result != ISC_R_SUCCESS)
	return (result);
	@@ -2232,9 +2254,8 @@ dns_message_renderend(dns_message_t *msg) {
	if (result != ISC_R_SUCCESS)
	return (result);
	count = 0;
	- result = dns_rdataset_towire(msg->tsig, msg->tsigname,
	- msg->cctx, msg->buffer, 0,
	- &count);
	+ result = renderset(msg->tsig, msg->tsigname, msg->cctx,
	+ msg->buffer, msg->reserved, 0, &count);
	msg->counts[DNS_SECTION_ADDITIONAL] += count;
	if (result != ISC_R_SUCCESS)
	return (result);
	@@ -2255,9 +2276,8 @@ dns_message_renderend(dns_message_t *msg) {
	* the owner name of a SIG(0) is irrelevant, and will not
	* be set in a message being rendered.
	*/
	- result = dns_rdataset_towire(msg->sig0, dns_rootname,
	- msg->cctx, msg->buffer, 0,
	- &count);
	+ result = renderset(msg->sig0, dns_rootname, msg->cctx,
	+ msg->buffer, msg->reserved, 0, &count);
	msg->counts[DNS_SECTION_ADDITIONAL] += count;
	if (result != ISC_R_SUCCESS)
	return (result);
	--
	2.7.4