diff --git a/CHANGES b/CHANGES index 669b4a7e49..8c037bc7bc 100644 --- a/CHANGES +++ b/CHANGES @@ -1,3 +1,6 @@ +6224. [bug] Check the If-Modified-Since value length to prevent + out-of-bounds write. [GL #4124] + 6220. [func] Deprecate the 'dialup' and 'heartbeat-interval' options. [GL #3700] diff --git a/bin/tests/system/statschannel/tests.sh b/bin/tests/system/statschannel/tests.sh index d8e4a84a42..3318f45b0c 100644 --- a/bin/tests/system/statschannel/tests.sh +++ b/bin/tests/system/statschannel/tests.sh @@ -74,8 +74,23 @@ loadkeys_on() { status=0 n=1 + +echo_i "Prepare for if-modified-since test ($n)" ret=0 +i=0 +if $FEATURETEST --have-libxml2 && [ -x "${CURL}" ] ; then + URL="http://10.53.0.3:${EXTRAPORT1}/bind9.xsl" + ${CURL} --silent --show-error --fail --output bind9.xsl.1 $URL + ret=$? +else + echo_i "skipping test: requires libxml2 and curl" +fi +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status + ret)) +n=$((n + 1)) + echo_i "checking consistency between named.stats and xml/json ($n)" +ret=0 rm -f ns2/named.stats $DIGCMD +tcp example ns > dig.out.$n || ret=1 $RNDCCMD 10.53.0.2 stats 2>&1 | sed 's/^/I:ns1 /' @@ -560,5 +575,27 @@ if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) n=$((n + 1)) +echo_i "Check if-modified-since works ($n)" +ret=0 +if $FEATURETEST --have-libxml2 && [ -x "${CURL}" ] ; then + URL="http://10.53.0.3:${EXTRAPORT1}/bind9.xsl" + # ensure over-long time stamps are ignored + ${CURL} --silent --show-error --fail --output bind9.xsl.2 $URL \ + --header 'If-Modified-Since: 0123456789 0123456789 0123456789 0123456789 0123456789 0123456789' + if ! [ bind9.xsl.2 -nt bind9.xsl.1 ] || + ! ${CURL} --silent --show-error --fail \ + --output bind9.xsl.3 $URL \ + --time-cond bind9.xsl.1 || + [ -f bind9.xsl.3 ] + then + ret=1 + fi +else + echo_i "skipping test: requires libxml2 and curl" +fi +if [ $ret != 0 ]; then echo_i "failed"; fi +status=$((status + ret)) +n=$((n + 1)) + echo_i "exit status: $status" [ $status -eq 0 ] || exit 1 diff --git a/doc/notes/notes-current.rst b/doc/notes/notes-current.rst index 2cd8105186..e8e2cabdfb 100644 --- a/doc/notes/notes-current.rst +++ b/doc/notes/notes-current.rst @@ -37,6 +37,14 @@ Bug Fixes - None. +- The value of If-Modified-Since header in statistics channel was not checked + for length leading to possible buffer overflow by an authorized user. We + would like to emphasize that statistics channel must be properly setup to + allow access only from authorized users of the system. :gl:`#4124` + + This was reported independently by Eric Sesterhenn of X41 D-SEC and Cameron + Whitehead. + Known Issues ~~~~~~~~~~~~ diff --git a/lib/isc/httpd.c b/lib/isc/httpd.c index 4e3ab59523..d370112aa4 100644 --- a/lib/isc/httpd.c +++ b/lib/isc/httpd.c @@ -458,7 +458,9 @@ process_request(isc_httpd_t *httpd, size_t last_len) { if (value_match(header, "deflate")) { httpd->flags |= ACCEPT_DEFLATE; } - } else if (name_match(header, "If-Modified-Since")) { + } else if (name_match(header, "If-Modified-Since") && + header->value_len < ISC_FORMATHTTPTIMESTAMP_SIZE) + { char timestamp[ISC_FORMATHTTPTIMESTAMP_SIZE + 1]; memmove(timestamp, header->value, header->value_len); timestamp[header->value_len] = 0;