From owner-svn-src-all@FreeBSD.ORG Tue Jan 14 19:38:38 2014 Return-Path: Delivered-To: svn-src-all@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [8.8.178.115]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id 23A823B6; Tue, 14 Jan 2014 19:38:38 +0000 (UTC) Received: from svn.freebsd.org (svn.freebsd.org [IPv6:2001:1900:2254:2068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mx1.freebsd.org (Postfix) with ESMTPS id E851317AE; Tue, 14 Jan 2014 19:38:37 +0000 (UTC) Received: from svn.freebsd.org ([127.0.1.70]) by svn.freebsd.org (8.14.7/8.14.7) with ESMTP id s0EJcbIa016533; Tue, 14 Jan 2014 19:38:37 GMT (envelope-from delphij@svn.freebsd.org) Received: (from delphij@localhost) by svn.freebsd.org (8.14.7/8.14.7/Submit) id s0EJcboo016532; Tue, 14 Jan 2014 19:38:37 GMT (envelope-from delphij@svn.freebsd.org) Message-Id: <201401141938.s0EJcboo016532@svn.freebsd.org> From: Xin LI Date: Tue, 14 Jan 2014 19:38:37 +0000 (UTC) To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-stable@freebsd.org, svn-src-stable-8@freebsd.org Subject: svn commit: r260646 - in stable: 8/contrib/bind9/bin/named 9/contrib/bind9/bin/named X-SVN-Group: stable-8 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-BeenThere: svn-src-all@freebsd.org X-Mailman-Version: 2.1.17 Precedence: list List-Id: "SVN commit messages for the entire src tree \(except for " user" and " projects" \)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 14 Jan 2014 19:38:38 -0000 Author: delphij Date: Tue Jan 14 19:38:37 2014 New Revision: 260646 URL: http://svnweb.freebsd.org/changeset/base/260646 Log: Fix BIND remote denial of service vulnerability. Security: FreeBSD-SA-14:04.bind Security: CVE-2014-0591 Modified: stable/8/contrib/bind9/bin/named/query.c Changes in other areas also in this revision: Modified: stable/9/contrib/bind9/bin/named/query.c Modified: stable/8/contrib/bind9/bin/named/query.c ============================================================================== --- stable/8/contrib/bind9/bin/named/query.c Tue Jan 14 19:33:28 2014 (r260645) +++ stable/8/contrib/bind9/bin/named/query.c Tue Jan 14 19:38:37 2014 (r260646) @@ -5088,8 +5088,7 @@ query_findclosestnsec3(dns_name_t *qname dns_fixedname_t fixed; dns_hash_t hash; dns_name_t name; - int order; - unsigned int count; + unsigned int skip = 0, labels; dns_rdata_nsec3_t nsec3; dns_rdata_t rdata = DNS_RDATA_INIT; isc_boolean_t optout; @@ -5102,6 +5101,7 @@ query_findclosestnsec3(dns_name_t *qname dns_name_init(&name, NULL); dns_name_clone(qname, &name); + labels = dns_name_countlabels(&name); /* * Map unknown algorithm to known value. @@ -5133,13 +5133,14 @@ query_findclosestnsec3(dns_name_t *qname dns_rdata_reset(&rdata); optout = ISC_TF((nsec3.flags & DNS_NSEC3FLAG_OPTOUT) != 0); if (found != NULL && optout && - dns_name_fullcompare(&name, dns_db_origin(db), &order, - &count) == dns_namereln_subdomain) { + dns_name_issubdomain(&name, dns_db_origin(db))) + { dns_rdataset_disassociate(rdataset); if (dns_rdataset_isassociated(sigrdataset)) dns_rdataset_disassociate(sigrdataset); - count = dns_name_countlabels(&name) - 1; - dns_name_getlabelsequence(&name, 1, count, &name); + skip++; + dns_name_getlabelsequence(qname, skip, labels - skip, + &name); ns_client_log(client, DNS_LOGCATEGORY_DNSSEC, NS_LOGMODULE_QUERY, ISC_LOG_DEBUG(3), "looking for closest provable encloser"); @@ -5157,7 +5158,11 @@ query_findclosestnsec3(dns_name_t *qname ns_client_log(client, DNS_LOGCATEGORY_DNSSEC, NS_LOGMODULE_QUERY, ISC_LOG_WARNING, "expected covering NSEC3, got an exact match"); - if (found != NULL) + if (found == qname) { + if (skip != 0U) + dns_name_getlabelsequence(qname, skip, labels - skip, + found); + } else if (found != NULL) dns_name_copy(&name, found, NULL); return; }