3121. [security] An authoritative name server sending a negative

response containing a very large RRset could trigger an off-by-one error in the ncache code and crash named. [RT #24650]
2011-05-26 23:11:15 +00:00
parent df4193696f
commit fbe2cff19f
2 changed files with 7 additions and 2 deletions
--- a/5
+++ b/5
@@ -1,3 +1,8 @@
+3121.   [security]      An authoritative name server sending a negative
+                        response containing a very large RRset could
+                        trigger an off-by-one error in the ncache code
+                        and crash named. [RT #24650]
+
 3120.	[bug]		Named could fail to validate zones listed in a DLV
 			that validated insecure without using DLV and had
 			DS records in the parent zone. [RT #24631]
--- a/lib/dns/ncache.c
+++ b/lib/dns/ncache.c
@@ -15,7 +15,7 @@
 * PERFORMANCE OF THIS SOFTWARE.
 */

-/* $Id: ncache.c,v 1.52 2011/02/03 12:18:11 tbox Exp $ */
+/* $Id: ncache.c,v 1.53 2011/05/26 23:11:15 each Exp $ */

 /*! \file */

@@ -186,7 +186,7 @@ dns_ncache_addoptout(dns_message_t *message, dns_db_t *cache,
 					 */
 					isc_buffer_availableregion(&buffer,
 								   &r);
-					if (r.length < 2)
+					if (r.length < 3)
 						return (ISC_R_NOSPACE);
 					isc_buffer_putuint16(&buffer,
 							     rdataset->type);