svn commit: r227603 - in stable/7/contrib/bind9: . bin/named lib/dns

[ Available lists | Index of svn-src-stable | Month of Nov 2011 | Week of 17 Nov 2011 | Raw email | View thread | Wrap long lines | Reply | Tag ]
From
Doug Barton <dougb@FreeBSD.org>
Date
17 Nov 2011 01:10:16
Subject
svn commit: r227603 - in stable/7/contrib/bind9: . bin/named lib/dns
Message-ID
201111170110.pAH1AGCP075058@svn.freebsd.org


[ Hide this part ] 
Author: dougb
Date: Thu Nov 17 01:10:16 2011
New Revision: 227603
URL: http://svn.freebsd.org/changeset/base/227603
 
Log:
  Upgrade to BIND 9.4-ESV-R5-P1 to address the following DDOS bug:
 
  Recursive name servers are failing with an assertion:
  INSIST(! dns_rdataset_isassociated(sigrdataset))
 
  At this time it is not thought that authoritative-only servers
  are affected, but information about this bug is evolving rapidly.
 
  Because it may be possible to trigger this bug even on networks
  that do not allow untrusted users to access the recursive name
  servers (perhaps via specially crafted e-mail messages, and/or
  malicious web sites) it is recommended that ALL operators of
  recursive name servers upgrade immediately.
 
  For more information see:
  https://www.isc.org/software/bind/advisories/cve-2011-tbd
  which will be updated as more information becomes available.
 
  https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4313
 
Modified:
  stable/7/contrib/bind9/CHANGES
  stable/7/contrib/bind9/bin/named/query.c
  stable/7/contrib/bind9/lib/dns/rbtdb.c
  stable/7/contrib/bind9/version
Directory Properties:
  stable/7/contrib/bind9/   (props changed)
 
Modified: stable/7/contrib/bind9/CHANGES
==============================================================================
--- stable/7/contrib/bind9/CHANGES	Thu Nov 17 01:05:57 2011	(r227602)
+++ stable/7/contrib/bind9/CHANGES	Thu Nov 17 01:10:16 2011	(r227603)
@@ -1,3 +1,9 @@
+	--- 9.4-ESV-R5-P1 released ---
+
+3218.	[security]	Cache lookup could return RRSIG data associated with
+			nonexistent records, leading to an assertion
+			failure. [RT #26590]
+
 	--- 9.4-ESV-R5 released ---
 
 3135.	[port]		FreeBSD: workaround broken IPV6_USE_MIN_MTU processing.
 
Modified: stable/7/contrib/bind9/bin/named/query.c
==============================================================================
--- stable/7/contrib/bind9/bin/named/query.c	Thu Nov 17 01:05:57 2011	(r227602)
+++ stable/7/contrib/bind9/bin/named/query.c	Thu Nov 17 01:10:16 2011	(r227603)
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: query.c,v 1.257.18.56 2010-11-17 10:21:01 marka Exp $ */
+/* $Id: query.c,v 1.257.18.56.12.1 2011-11-16 09:33:40 each Exp $ */
 
 /*! \file */
 
@@ -1251,11 +1251,9 @@ query_addadditional(void *arg, dns_name_
 			goto addname;
 		if (result == DNS_R_NCACHENXRRSET) {
 			dns_rdataset_disassociate(rdataset);
-			/*
-			 * Negative cache entries don't have sigrdatasets.
-			 */
-			INSIST(sigrdataset == NULL ||
-			       ! dns_rdataset_isassociated(sigrdataset));
+			if (sigrdataset != NULL &&
+			    dns_rdataset_isassociated(sigrdataset))
+				dns_rdataset_disassociate(sigrdataset);
 		}
 		if (result == ISC_R_SUCCESS) {
 			mname = NULL;
@@ -1296,8 +1294,9 @@ query_addadditional(void *arg, dns_name_
 			goto addname;
 		if (result == DNS_R_NCACHENXRRSET) {
 			dns_rdataset_disassociate(rdataset);
-			INSIST(sigrdataset == NULL ||
-			       ! dns_rdataset_isassociated(sigrdataset));
+			if (sigrdataset != NULL &&
+			    dns_rdataset_isassociated(sigrdataset))
+				dns_rdataset_disassociate(sigrdataset);
 		}
 		if (result == ISC_R_SUCCESS) {
 			mname = NULL;
@@ -1746,10 +1745,8 @@ query_addadditional2(void *arg, dns_name
 		goto setcache;
 	if (result == DNS_R_NCACHENXRRSET) {
 		dns_rdataset_disassociate(rdataset);
-		/*
-		 * Negative cache entries don't have sigrdatasets.
-		 */
-		INSIST(! dns_rdataset_isassociated(sigrdataset));
+		if (dns_rdataset_isassociated(sigrdataset))
+			dns_rdataset_disassociate(sigrdataset);
 	}
 	if (result == ISC_R_SUCCESS) {
 		/* Remember the result as a cache */
 
Modified: stable/7/contrib/bind9/lib/dns/rbtdb.c
==============================================================================
--- stable/7/contrib/bind9/lib/dns/rbtdb.c	Thu Nov 17 01:05:57 2011	(r227602)
+++ stable/7/contrib/bind9/lib/dns/rbtdb.c	Thu Nov 17 01:10:16 2011	(r227603)
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: rbtdb.c,v 1.196.18.67 2011-06-09 00:42:47 each Exp $ */
+/* $Id: rbtdb.c,v 1.196.18.67.2.1 2011-11-16 09:33:41 each Exp $ */
 
 /*! \file */
 
@@ -3672,7 +3672,7 @@ cache_find(dns_db_t *db, dns_name_t *nam
 	    result == DNS_R_NCACHENXRRSET) {
 		bind_rdataset(search.rbtdb, node, found, search.now,
 			      rdataset);
-		if (foundsig != NULL)
+		if (!NEGATIVE(found) && foundsig != NULL)
 			bind_rdataset(search.rbtdb, node, foundsig, search.now,
 				      sigrdataset);
 	}
@@ -4258,7 +4258,7 @@ cache_findrdataset(dns_db_t *db, dns_dbn
 	}
 	if (found != NULL) {
 		bind_rdataset(rbtdb, rbtnode, found, now, rdataset);
-		if (foundsig != NULL)
+		if (!NEGATIVE(found) && foundsig != NULL)
 			bind_rdataset(rbtdb, rbtnode, foundsig, now,
 				      sigrdataset);
 	}
 
Modified: stable/7/contrib/bind9/version
==============================================================================
--- stable/7/contrib/bind9/version	Thu Nov 17 01:05:57 2011	(r227602)
+++ stable/7/contrib/bind9/version	Thu Nov 17 01:10:16 2011	(r227603)
@@ -1,4 +1,4 @@
-# $Id: version,v 1.29.134.35 2011-07-21 02:11:00 marka Exp $
+# $Id: version,v 1.29.134.35.2.1 2011-11-16 09:33:40 each Exp $
 #
 # This file must follow /bin/sh rules.  It is imported directly via
 # configure.
@@ -7,4 +7,4 @@ MAJORVER=9
 MINORVER=4
 PATCHVER=
 RELEASETYPE=-ESV
-RELEASEVER=-R5
+RELEASEVER=-R5-P1
Elapsed time: 0.100 seconds