4318. [security] Malformed control messages can trigger assertions
in named and rndc. (CVE-2016-1285) [RT #41666]
This commit is contained in:
Mark Andrews
3
CHANGES
3
CHANGES
@@ -1,3 +1,6 @@
|
||||
4318. [security] Malformed control messages can trigger assertions
|
||||
in named and rndc. (CVE-2016-1285) [RT #41666]
|
||||
|
||||
4317. [bug] Age all unused servers on fetch timeout. [RT #41597]
|
||||
|
||||
4316. [func] Add option to tools to print RRs in unknown
|
||||
|
||||
@@ -91,7 +91,7 @@ ns_control_docommand(isccc_sexpr_t *message, isc_boolean_t readonly,
|
||||
#endif
|
||||
|
||||
data = isccc_alist_lookup(message, "_data");
|
||||
if (data == NULL) {
|
||||
if (!isccc_alist_alistp(data)) {
|
||||
/*
|
||||
* No data section.
|
||||
*/
|
||||
|
||||
@@ -405,7 +405,7 @@ control_recvmessage(isc_task_t *task, isc_event_t *event) {
|
||||
* Limit exposure to replay attacks.
|
||||
*/
|
||||
_ctrl = isccc_alist_lookup(request, "_ctrl");
|
||||
if (_ctrl == NULL) {
|
||||
if (!isccc_alist_alistp(_ctrl)) {
|
||||
log_invalid(&conn->ccmsg, ISC_R_FAILURE);
|
||||
goto cleanup_request;
|
||||
}
|
||||
|
||||
@@ -279,8 +279,8 @@ rndc_recvdone(isc_task_t *task, isc_event_t *event) {
|
||||
isccc_cc_fromwire(&source, &response, algorithm, &secret));
|
||||
|
||||
data = isccc_alist_lookup(response, "_data");
|
||||
if (data == NULL)
|
||||
fatal("no data section in response");
|
||||
if (!isccc_alist_alistp(data))
|
||||
fatal("bad or missing data section in response");
|
||||
result = isccc_cc_lookupstring(data, "err", &errormsg);
|
||||
if (result == ISC_R_SUCCESS) {
|
||||
failed = ISC_TRUE;
|
||||
@@ -353,8 +353,8 @@ rndc_recvnonce(isc_task_t *task, isc_event_t *event) {
|
||||
isccc_cc_fromwire(&source, &response, algorithm, &secret));
|
||||
|
||||
_ctrl = isccc_alist_lookup(response, "_ctrl");
|
||||
if (_ctrl == NULL)
|
||||
fatal("_ctrl section missing");
|
||||
if (!isccc_alist_alistp(_ctrl))
|
||||
fatal("bad or missing ctrl section in response");
|
||||
nonce = 0;
|
||||
if (isccc_cc_lookupuint32(_ctrl, "_nonce", &nonce) != ISC_R_SUCCESS)
|
||||
nonce = 0;
|
||||
|
||||
@@ -167,7 +167,15 @@
|
||||
This flaw is disclosed in CVE-2015-8705. [RT #41397]
|
||||
</para>
|
||||
</listitem>
|
||||
<listitem>
|
||||
<para>
|
||||
Malformed control messages can trigger assertions in named
|
||||
and rndc. This flaw is disclosed in CVE-2016-1285. [RT
|
||||
#41666]
|
||||
</para>
|
||||
</listitem>
|
||||
</itemizedlist>
|
||||
|
||||
</section>
|
||||
<section xml:id="relnotes_features"><info><title>New Features</title></info>
|
||||
|
||||
|
||||
@@ -422,13 +422,13 @@ verify(isccc_sexpr_t *alist, unsigned char *data, unsigned int length,
|
||||
* Extract digest.
|
||||
*/
|
||||
_auth = isccc_alist_lookup(alist, "_auth");
|
||||
if (_auth == NULL)
|
||||
if (!isccc_alist_alistp(_auth))
|
||||
return (ISC_R_FAILURE);
|
||||
if (algorithm == ISCCC_ALG_HMACMD5)
|
||||
hmac = isccc_alist_lookup(_auth, "hmd5");
|
||||
else
|
||||
hmac = isccc_alist_lookup(_auth, "hsha");
|
||||
if (hmac == NULL)
|
||||
if (!isccc_sexpr_binaryp(hmac))
|
||||
return (ISC_R_FAILURE);
|
||||
/*
|
||||
* Compute digest.
|
||||
@@ -745,7 +745,7 @@ isccc_cc_createack(isccc_sexpr_t *message, isc_boolean_t ok,
|
||||
REQUIRE(ackp != NULL && *ackp == NULL);
|
||||
|
||||
_ctrl = isccc_alist_lookup(message, "_ctrl");
|
||||
if (_ctrl == NULL ||
|
||||
if (!isccc_alist_alistp(_ctrl) ||
|
||||
isccc_cc_lookupuint32(_ctrl, "_ser", &serial) != ISC_R_SUCCESS ||
|
||||
isccc_cc_lookupuint32(_ctrl, "_tim", &t) != ISC_R_SUCCESS)
|
||||
return (ISC_R_FAILURE);
|
||||
@@ -789,7 +789,7 @@ isccc_cc_isack(isccc_sexpr_t *message) {
|
||||
isccc_sexpr_t *_ctrl;
|
||||
|
||||
_ctrl = isccc_alist_lookup(message, "_ctrl");
|
||||
if (_ctrl == NULL)
|
||||
if (!isccc_alist_alistp(_ctrl))
|
||||
return (ISC_FALSE);
|
||||
if (isccc_cc_lookupstring(_ctrl, "_ack", NULL) == ISC_R_SUCCESS)
|
||||
return (ISC_TRUE);
|
||||
@@ -801,7 +801,7 @@ isccc_cc_isreply(isccc_sexpr_t *message) {
|
||||
isccc_sexpr_t *_ctrl;
|
||||
|
||||
_ctrl = isccc_alist_lookup(message, "_ctrl");
|
||||
if (_ctrl == NULL)
|
||||
if (!isccc_alist_alistp(_ctrl))
|
||||
return (ISC_FALSE);
|
||||
if (isccc_cc_lookupstring(_ctrl, "_rpl", NULL) == ISC_R_SUCCESS)
|
||||
return (ISC_TRUE);
|
||||
@@ -821,7 +821,7 @@ isccc_cc_createresponse(isccc_sexpr_t *message, isccc_time_t now,
|
||||
|
||||
_ctrl = isccc_alist_lookup(message, "_ctrl");
|
||||
_data = isccc_alist_lookup(message, "_data");
|
||||
if (_ctrl == NULL || _data == NULL ||
|
||||
if (!isccc_alist_alistp(_ctrl) || !isccc_alist_alistp(_data) ||
|
||||
isccc_cc_lookupuint32(_ctrl, "_ser", &serial) != ISC_R_SUCCESS ||
|
||||
isccc_cc_lookupstring(_data, "type", &type) != ISC_R_SUCCESS)
|
||||
return (ISC_R_FAILURE);
|
||||
@@ -1002,7 +1002,7 @@ isccc_cc_checkdup(isccc_symtab_t *symtab, isccc_sexpr_t *message,
|
||||
isccc_sexpr_t *_ctrl;
|
||||
|
||||
_ctrl = isccc_alist_lookup(message, "_ctrl");
|
||||
if (_ctrl == NULL ||
|
||||
if (!isccc_alist_alistp(_ctrl) ||
|
||||
isccc_cc_lookupstring(_ctrl, "_ser", &_ser) != ISC_R_SUCCESS ||
|
||||
isccc_cc_lookupstring(_ctrl, "_tim", &_tim) != ISC_R_SUCCESS)
|
||||
return (ISC_R_FAILURE);
|
||||
|
||||
Reference in New Issue
Block a user