Brad Bishop | 64c979e | 2019-11-04 13:55:29 -0500 | [diff] [blame^] | 1 | Backport patch to fix CVE-2019-6471. |
| 2 | |
| 3 | Ref: |
| 4 | https://security-tracker.debian.org/tracker/CVE-2019-6471 |
| 5 | |
| 6 | CVE: CVE-2019-6471 |
| 7 | Upstream-Status: Backport [https://gitlab.isc.org/isc-projects/bind9/commit/3a9c7bb] |
| 8 | |
| 9 | Signed-off-by: Kai Kang <kai.kang@windriver.com> |
| 10 | |
| 11 | From 3a9c7bb80d4a609b86427406d9dd783199920b5b Mon Sep 17 00:00:00 2001 |
| 12 | From: Mark Andrews <marka@isc.org> |
| 13 | Date: Tue, 19 Mar 2019 14:14:21 +1100 |
| 14 | Subject: [PATCH] move item_out test inside lock in dns_dispatch_getnext() |
| 15 | |
| 16 | (cherry picked from commit 60c42f849d520564ed42e5ed0ba46b4b69c07712) |
| 17 | --- |
| 18 | lib/dns/dispatch.c | 12 ++++++++---- |
| 19 | 1 file changed, 8 insertions(+), 4 deletions(-) |
| 20 | |
| 21 | diff --git a/lib/dns/dispatch.c b/lib/dns/dispatch.c |
| 22 | index 408beda367..3278db4a07 100644 |
| 23 | --- a/lib/dns/dispatch.c |
| 24 | +++ b/lib/dns/dispatch.c |
| 25 | @@ -134,7 +134,7 @@ struct dns_dispentry { |
| 26 | isc_task_t *task; |
| 27 | isc_taskaction_t action; |
| 28 | void *arg; |
| 29 | - bool item_out; |
| 30 | + bool item_out; |
| 31 | dispsocket_t *dispsocket; |
| 32 | ISC_LIST(dns_dispatchevent_t) items; |
| 33 | ISC_LINK(dns_dispentry_t) link; |
| 34 | @@ -3422,13 +3422,14 @@ dns_dispatch_getnext(dns_dispentry_t *resp, dns_dispatchevent_t **sockevent) { |
| 35 | disp = resp->disp; |
| 36 | REQUIRE(VALID_DISPATCH(disp)); |
| 37 | |
| 38 | - REQUIRE(resp->item_out == true); |
| 39 | - resp->item_out = false; |
| 40 | - |
| 41 | ev = *sockevent; |
| 42 | *sockevent = NULL; |
| 43 | |
| 44 | LOCK(&disp->lock); |
| 45 | + |
| 46 | + REQUIRE(resp->item_out == true); |
| 47 | + resp->item_out = false; |
| 48 | + |
| 49 | if (ev->buffer.base != NULL) |
| 50 | free_buffer(disp, ev->buffer.base, ev->buffer.length); |
| 51 | free_devent(disp, ev); |
| 52 | @@ -3573,6 +3574,9 @@ dns_dispatch_removeresponse(dns_dispentry_t **resp, |
| 53 | isc_task_send(disp->task[0], &disp->ctlevent); |
| 54 | } |
| 55 | |
| 56 | +/* |
| 57 | + * disp must be locked. |
| 58 | + */ |
| 59 | static void |
| 60 | do_cancel(dns_dispatch_t *disp) { |
| 61 | dns_dispatchevent_t *ev; |
| 62 | -- |
| 63 | 2.20.1 |
| 64 | |