9.6-ESV-R7-P3

3364. [security] Named could die on specially crafted record.
[RT #30416]
2012-08-24 14:34:54 +10:00 · 2012-08-16 13:36:44 +10:00 · 2012-08-05 13:07:51 +10:00 · 2012-08-05 01:45:23 +10:00
12 changed files with 3360 additions and 59 deletions
--- a/8
+++ b/8
@@ -1,3 +1,11 @@
+	--- 9.6-ESV-R7-P3 released ---
+
+3364.	[security]	Named could die on specially crafted record.
+			[RT #30416]
+
+3358	[bug]		Fix declaration of fatal in bin/named/server.c
+			and bin/nsupdate/main.c. [RT #30522]
+
 	--- 9.6-ESV-R7-P2 released ---

 3346.	[security]	Bad-cache data could be used before it was
--- a/bin/named/server.c
+++ b/bin/named/server.c
@@ -228,7 +228,7 @@ static const struct {
 	{ NULL, ISC_FALSE }
 };

-ISC_PLATFORM_NORETURN_POST static void
+ISC_PLATFORM_NORETURN_PRE static void
 fatal(const char *msg, isc_result_t result) ISC_PLATFORM_NORETURN_POST;

 static void
--- a/bin/nsupdate/nsupdate.c
+++ b/bin/nsupdate/nsupdate.c
@@ -174,7 +174,7 @@ typedef struct nsu_requestinfo {
 static void
 sendrequest(isc_sockaddr_t *srcaddr, isc_sockaddr_t *destaddr,
 	    dns_message_t *msg, dns_request_t **request);
-ISC_PLATFORM_NORETURN_POST static void
+ISC_PLATFORM_NORETURN_PRE static void
 fatal(const char *format, ...)
 ISC_FORMAT_PRINTF(1, 2) ISC_PLATFORM_NORETURN_POST;

--- a/lib/dns/include/dns/rdata.h
+++ b/lib/dns/include/dns/rdata.h
@@ -127,6 +127,17 @@ struct dns_rdata {
 #define DNS_RDATA_UPDATE	0x0001		/*%< update pseudo record. */
 #define DNS_RDATA_OFFLINE	0x0002		/*%< RRSIG has a offline key. */

+/*
+ * The maximum length of a RDATA that can be sent on the wire.
+ * Max packet size (65535) less header (12), less name (1), type (2),
+ * class (2), ttl(4), length (2).
+ *
+ * None of the defined types that support name compression can exceed
+ * this and all new types are to be sent uncompressed.
+ */
+
+#define DNS_RDATA_MAXLENGTH	65512U
+
 /*
 * Flags affecting rdata formatting style.  Flags 0xFFFF0000
 * are used by masterfile-level formatting and defined elsewhere.
--- a/lib/dns/master.c
+++ b/lib/dns/master.c
@@ -75,7 +75,7 @@
 /*%
 * max message size - header - root - type - class - ttl - rdlen
 */
-#define MINTSIZ (65535 - 12 - 1 - 2 - 2 - 4 - 2)
+#define MINTSIZ DNS_RDATA_MAXLENGTH
 /*%
 * Size for tokens in the presentation format,
 * The largest tokens are the base64 blocks in KEY and CERT records,
--- a/lib/dns/rdata.c
+++ b/lib/dns/rdata.c
@@ -414,6 +414,7 @@ dns_rdata_fromwire(dns_rdata_t *rdata, dns_rdataclass_t rdclass,
 	isc_buffer_t st;
 	isc_boolean_t use_default = ISC_FALSE;
 	isc_uint32_t activelength;
+	size_t length;

 	REQUIRE(dctx != NULL);
 	if (rdata != NULL) {
@@ -443,6 +444,14 @@ dns_rdata_fromwire(dns_rdata_t *rdata, dns_rdataclass_t rdclass,
 		}
 	}

+	/*
+	 * Reject any rdata that expands out to more than DNS_RDATA_MAXLENGTH
+	 * as we cannot transmit it.
+	 */
+	length = isc_buffer_usedlength(target) - isc_buffer_usedlength(&st);
+	if (result == ISC_R_SUCCESS && length > DNS_RDATA_MAXLENGTH)
+		result = DNS_R_FORMERR;
+
 	/*
 	 * We should have consumed all of our buffer.
 	 */
@@ -451,8 +460,7 @@ dns_rdata_fromwire(dns_rdata_t *rdata, dns_rdataclass_t rdclass,

 	if (rdata != NULL && result == ISC_R_SUCCESS) {
 		region.base = isc_buffer_used(&st);
-		region.length = isc_buffer_usedlength(target) -
-				isc_buffer_usedlength(&st);
+		region.length = length;
 		dns_rdata_fromregion(rdata, rdclass, type, &region);
 	}

@@ -587,6 +595,7 @@ dns_rdata_fromtext(dns_rdata_t *rdata, dns_rdataclass_t rdclass,
 	unsigned long line;
 	void (*callback)(dns_rdatacallbacks_t *, const char *, ...);
 	isc_result_t tresult;
+	size_t length;

 	REQUIRE(origin == NULL || dns_name_isabsolute(origin) == ISC_TRUE);
 	if (rdata != NULL) {
@@ -658,10 +667,13 @@ dns_rdata_fromtext(dns_rdata_t *rdata, dns_rdataclass_t rdclass,
 		}
 	} while (1);

+	length = isc_buffer_usedlength(target) - isc_buffer_usedlength(&st);
+	if (result == ISC_R_SUCCESS && length > DNS_RDATA_MAXLENGTH)
+		result = ISC_R_NOSPACE;
+
 	if (rdata != NULL && result == ISC_R_SUCCESS) {
 		region.base = isc_buffer_used(&st);
-		region.length = isc_buffer_usedlength(target) -
-				isc_buffer_usedlength(&st);
+		region.length = length;
 		dns_rdata_fromregion(rdata, rdclass, type, &region);
 	}
 	if (result != ISC_R_SUCCESS) {
@@ -789,6 +801,7 @@ dns_rdata_fromstruct(dns_rdata_t *rdata, dns_rdataclass_t rdclass,
 	isc_buffer_t st;
 	isc_region_t region;
 	isc_boolean_t use_default = ISC_FALSE;
+	size_t length;

 	REQUIRE(source != NULL);
 	if (rdata != NULL) {
@@ -803,10 +816,13 @@ dns_rdata_fromstruct(dns_rdata_t *rdata, dns_rdataclass_t rdclass,
 	if (use_default)
 		(void)NULL;

+	length = isc_buffer_usedlength(target) - isc_buffer_usedlength(&st);
+	if (result == ISC_R_SUCCESS && length > DNS_RDATA_MAXLENGTH)
+		result = ISC_R_NOSPACE;
+
 	if (rdata != NULL && result == ISC_R_SUCCESS) {
 		region.base = isc_buffer_used(&st);
-		region.length = isc_buffer_usedlength(target) -
-				isc_buffer_usedlength(&st);
+		region.length = length;
 		dns_rdata_fromregion(rdata, rdclass, type, &region);
 	}
 	if (result != ISC_R_SUCCESS)
--- a/lib/dns/rdataslab.c
+++ b/lib/dns/rdataslab.c
@@ -298,6 +298,7 @@ dns_rdataslab_fromrdataset(dns_rdataset_t *rdataset, isc_mem_t *mctx,
 		length = x[i].rdata.length;
 		if (rdataset->type == dns_rdatatype_rrsig)
 			length++;
+		INSIST(length <= 0xffff);
 		*rawbuf++ = (length & 0xff00) >> 8;
 		*rawbuf++ = (length & 0x00ff);
 #if DNS_RDATASET_FIXED
--- a/lib/dns/tests/Makefile.in
+++ b/lib/dns/tests/Makefile.in
@@ -76,6 +76,10 @@ nsec3_test@EXEEXT@: nsec3_test.@O@ dnstest.@O@ ${ISCDEPLIBS} ${DNSDEPLIBS}
 			nsec3_test.@O@ dnstest.@O@ ${DNSLIBS} \
 				${ISCLIBS} ${LIBS}

+rdata_test@EXEEXT@: rdata_test.@O@ ${ISCDEPLIBS} ${DNSDEPLIBS}
+	${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ \
+			rdata_test.@O@ ${DNSLIBS} ${ISCLIBS} ${LIBS}
+
 unit::
 	sh ${top_srcdir}/unit/unittest.sh

--- a/lib/dns/tests/master_test.c
+++ b/lib/dns/tests/master_test.c
@@ -40,7 +40,7 @@
 */

 #define	BUFLEN		255
-#define	BIGBUFLEN	(64 * 1024)
+#define	BIGBUFLEN	(70 * 1024)
 #define TEST_ORIGIN	"test"

 static isc_result_t
@@ -106,12 +106,12 @@ test_master(const char *testfile) {
 */

 /* Successful load test */
-ATF_TC(master_load);
-ATF_TC_HEAD(master_load, tc) {
+ATF_TC(load);
+ATF_TC_HEAD(load, tc) {
 	atf_tc_set_md_var(tc, "descr", "dns_master_loadfile() loads a "
 				       "valid master file and returns success");
 }
-ATF_TC_BODY(master_load, tc) {
+ATF_TC_BODY(load, tc) {
 	isc_result_t result;

 	UNUSED(tc);
@@ -127,13 +127,13 @@ ATF_TC_BODY(master_load, tc) {


 /* Unepxected end of file test */
-ATF_TC(master_unexpected);
-ATF_TC_HEAD(master_unexpected, tc) {
+ATF_TC(unexpected);
+ATF_TC_HEAD(unexpected, tc) {
 	atf_tc_set_md_var(tc, "descr", "dns_master_loadfile() returns "
 				       "DNS_R_UNEXPECTED when file ends "
 				       "too soon");
 }
-ATF_TC_BODY(master_unexpected, tc) {
+ATF_TC_BODY(unexpected, tc) {
 	isc_result_t result;

 	UNUSED(tc);
@@ -149,13 +149,13 @@ ATF_TC_BODY(master_unexpected, tc) {


 /* No owner test */
-ATF_TC(master_noowner);
-ATF_TC_HEAD(master_noowner, tc) {
+ATF_TC(noowner);
+ATF_TC_HEAD(noowner, tc) {
 	atf_tc_set_md_var(tc, "descr", "dns_master_loadfile() accepts broken "
 				       "zones with no TTL for first record "
 				       "if it is an SOA");
 }
-ATF_TC_BODY(master_noowner, tc) {
+ATF_TC_BODY(noowner, tc) {
 	isc_result_t result;

 	UNUSED(tc);
@@ -171,14 +171,14 @@ ATF_TC_BODY(master_noowner, tc) {


 /* No TTL test */
-ATF_TC(master_nottl);
-ATF_TC_HEAD(master_nottl, tc) {
+ATF_TC(nottl);
+ATF_TC_HEAD(nottl, tc) {
 	atf_tc_set_md_var(tc, "descr", "dns_master_loadfile() returns "
 				       "DNS_R_NOOWNER when no owner name "
 				       "is specified");
 }

-ATF_TC_BODY(master_nottl, tc) {
+ATF_TC_BODY(nottl, tc) {
 	isc_result_t result;

 	UNUSED(tc);
@@ -194,13 +194,13 @@ ATF_TC_BODY(master_nottl, tc) {


 /* Bad class test */
-ATF_TC(master_badclass);
-ATF_TC_HEAD(master_badclass, tc) {
+ATF_TC(badclass);
+ATF_TC_HEAD(badclass, tc) {
 	atf_tc_set_md_var(tc, "descr", "dns_master_loadfile() returns "
 				       "DNS_R_BADCLASS when record class "
 				       "doesn't match zone class");
 }
-ATF_TC_BODY(master_badclass, tc) {
+ATF_TC_BODY(badclass, tc) {
 	isc_result_t result;

 	UNUSED(tc);
@@ -214,13 +214,54 @@ ATF_TC_BODY(master_badclass, tc) {
 	dns_test_end();
 }

+/* Too big rdata test */
+ATF_TC(toobig);
+ATF_TC_HEAD(toobig, tc) {
+	atf_tc_set_md_var(tc, "descr", "dns_master_loadfile() returns "
+				       "ISC_R_NOSPACE when record is too big");
+}
+ATF_TC_BODY(toobig, tc) {
+	isc_result_t result;
+
+	UNUSED(tc);
+
+	result = dns_test_begin(NULL, ISC_FALSE);
+	ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+
+	result = test_master("testdata/master/master15.data");
+	ATF_REQUIRE_EQ(result, ISC_R_NOSPACE);
+
+	dns_test_end();
+}
+
+/* Maximum rdata test */
+ATF_TC(maxrdata);
+ATF_TC_HEAD(maxrdata, tc) {
+	atf_tc_set_md_var(tc, "descr", "dns_master_loadfile() returns "
+				       "ISC_R_SUCCESS when record is maximum "
+				       "size");
+}
+ATF_TC_BODY(maxrdata, tc) {
+	isc_result_t result;
+
+	UNUSED(tc);
+
+	result = dns_test_begin(NULL, ISC_FALSE);
+	ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+
+	result = test_master("testdata/master/master16.data");
+	ATF_REQUIRE_EQ(result, ISC_R_SUCCESS);
+
+	dns_test_end();
+}
+
 /* DNSKEY test */
-ATF_TC(master_dnskey);
-ATF_TC_HEAD(master_dnskey, tc) {
+ATF_TC(dnskey);
+ATF_TC_HEAD(dnskey, tc) {
 	atf_tc_set_md_var(tc, "descr", "dns_master_loadfile() understands "
 				       "DNSKEY with key material");
 }
-ATF_TC_BODY(master_dnskey, tc) {
+ATF_TC_BODY(dnskey, tc) {
 	isc_result_t result;

 	UNUSED(tc);
@@ -236,12 +277,12 @@ ATF_TC_BODY(master_dnskey, tc) {


 /* DNSKEY with no key material test */
-ATF_TC(master_dnsnokey);
-ATF_TC_HEAD(master_dnsnokey, tc) {
+ATF_TC(dnsnokey);
+ATF_TC_HEAD(dnsnokey, tc) {
 	atf_tc_set_md_var(tc, "descr", "dns_master_loadfile() understands "
 				       "DNSKEY with no key material");
 }
-ATF_TC_BODY(master_dnsnokey, tc) {
+ATF_TC_BODY(dnsnokey, tc) {
 	isc_result_t result;

 	UNUSED(tc);
@@ -256,12 +297,12 @@ ATF_TC_BODY(master_dnsnokey, tc) {
 }

 /* Include test */
-ATF_TC(master_include);
-ATF_TC_HEAD(master_include, tc) {
+ATF_TC(include);
+ATF_TC_HEAD(include, tc) {
 	atf_tc_set_md_var(tc, "descr", "dns_master_loadfile() understands "
 				       "$INCLUDE");
 }
-ATF_TC_BODY(master_include, tc) {
+ATF_TC_BODY(include, tc) {
 	isc_result_t result;

 	UNUSED(tc);
@@ -276,12 +317,12 @@ ATF_TC_BODY(master_include, tc) {
 }

 /* Include failure test */
-ATF_TC(master_includefail);
-ATF_TC_HEAD(master_includefail, tc) {
+ATF_TC(includefail);
+ATF_TC_HEAD(includefail, tc) {
 	atf_tc_set_md_var(tc, "descr", "dns_master_loadfile() understands "
 				       "$INCLUDE failures");
 }
-ATF_TC_BODY(master_includefail, tc) {
+ATF_TC_BODY(includefail, tc) {
 	isc_result_t result;

 	UNUSED(tc);
@@ -297,12 +338,12 @@ ATF_TC_BODY(master_includefail, tc) {


 /* Non-empty blank lines test */
-ATF_TC(master_blanklines);
-ATF_TC_HEAD(master_blanklines, tc) {
+ATF_TC(blanklines);
+ATF_TC_HEAD(blanklines, tc) {
 	atf_tc_set_md_var(tc, "descr", "dns_master_loadfile() handles "
 				       "non-empty blank lines");
 }
-ATF_TC_BODY(master_blanklines, tc) {
+ATF_TC_BODY(blanklines, tc) {
 	isc_result_t result;

 	UNUSED(tc);
@@ -317,12 +358,12 @@ ATF_TC_BODY(master_blanklines, tc) {
 }

 /* SOA leading zeroes test */
-ATF_TC(master_leadingzero);
-ATF_TC_HEAD(master_leadingzero, tc) {
+ATF_TC(leadingzero);
+ATF_TC_HEAD(leadingzero, tc) {
 	atf_tc_set_md_var(tc, "descr", "dns_master_loadfile() allows "
 				       "leading zeroes in SOA");
 }
-ATF_TC_BODY(master_leadingzero, tc) {
+ATF_TC_BODY(leadingzero, tc) {
 	isc_result_t result;

 	UNUSED(tc);
@@ -336,11 +377,11 @@ ATF_TC_BODY(master_leadingzero, tc) {
 	dns_test_end();
 }

-ATF_TC(master_totext);
-ATF_TC_HEAD(master_totext, tc) {
+ATF_TC(totext);
+ATF_TC_HEAD(totext, tc) {
 	atf_tc_set_md_var(tc, "descr", "masterfile totext tests");
 }
-ATF_TC_BODY(master_totext, tc) {
+ATF_TC_BODY(totext, tc) {
 	isc_result_t result;
 	dns_rdataset_t rdataset;
 	dns_rdatalist_t rdatalist;
@@ -384,18 +425,20 @@ ATF_TC_BODY(master_totext, tc) {
 * Main
 */
 ATF_TP_ADD_TCS(tp) {
-	ATF_TP_ADD_TC(tp, master_load);
-	ATF_TP_ADD_TC(tp, master_unexpected);
-	ATF_TP_ADD_TC(tp, master_noowner);
-	ATF_TP_ADD_TC(tp, master_nottl);
-	ATF_TP_ADD_TC(tp, master_badclass);
-	ATF_TP_ADD_TC(tp, master_dnskey);
-	ATF_TP_ADD_TC(tp, master_dnsnokey);
-	ATF_TP_ADD_TC(tp, master_include);
-	ATF_TP_ADD_TC(tp, master_includefail);
-	ATF_TP_ADD_TC(tp, master_blanklines);
-	ATF_TP_ADD_TC(tp, master_leadingzero);
-	ATF_TP_ADD_TC(tp, master_totext);
+	ATF_TP_ADD_TC(tp, load);
+	ATF_TP_ADD_TC(tp, unexpected);
+	ATF_TP_ADD_TC(tp, noowner);
+	ATF_TP_ADD_TC(tp, nottl);
+	ATF_TP_ADD_TC(tp, badclass);
+	ATF_TP_ADD_TC(tp, dnskey);
+	ATF_TP_ADD_TC(tp, dnsnokey);
+	ATF_TP_ADD_TC(tp, include);
+	ATF_TP_ADD_TC(tp, includefail);
+	ATF_TP_ADD_TC(tp, blanklines);
+	ATF_TP_ADD_TC(tp, leadingzero);
+	ATF_TP_ADD_TC(tp, totext);
+	ATF_TP_ADD_TC(tp, toobig);
+	ATF_TP_ADD_TC(tp, maxrdata);

 	return (atf_no_error());
 }
--- a/lib/dns/tests/testdata/master/master15.data
+++ b/lib/dns/tests/testdata/master/master15.data
--- a/lib/dns/tests/testdata/master/master16.data
+++ b/lib/dns/tests/testdata/master/master16.data
--- a/2
+++ b/2
@@ -7,4 +7,4 @@ MAJORVER=9
 MINORVER=6
 PATCHVER=
 RELEASETYPE=-ESV
-RELEASEVER=-R7-P2
+RELEASEVER=-R7-P3
Author	SHA1	Message	Date
Mark Andrews	c1cce13f0e	9.6-ESV-R7-P3	2012-08-24 14:34:54 +10:00
Mark Andrews	7221b0a758	3364. [security] Named could die on specially crafted record. [RT #30416]	2012-08-16 13:36:44 +10:00
Mark Andrews	05ea0705d1	3358 [bug] Fix declaration of fatal in bin/named/server.c and bin/nsupdate/main.c. [RT #30522]	2012-08-05 13:07:51 +10:00
Mark Andrews	1021e81004	Fix declaration of fatal in bin/named/server.c.	2012-08-05 01:45:23 +10:00