From 2117da20537fbd66b2f7d9128fe3f66a7cd3722f Mon Sep 17 00:00:00 2001 From: simon Date: Mon, 6 Aug 2012 21:33:11 +0000 Subject: [PATCH] Fix named(8) DNSSEC validation Denial of Service. Security: FreeBSD-SA-12:05.bind Security: CVE-2012-3817 Obtained from: ISC Approved by: so (simon) git-svn-id: svn://svn.freebsd.org/base/releng/8.2@239108 ccf9f872-aa2e-dd11-9fc8-001c23d0bc1f --- UPDATING | 3 +++ contrib/bind9/lib/dns/resolver.c | 5 +++-- sys/conf/newvers.sh | 2 +- 3 files changed, 7 insertions(+), 3 deletions(-) diff --git a/UPDATING b/UPDATING index b2e26c69..5d13e9f9 100644 --- a/UPDATING +++ b/UPDATING @@ -15,6 +15,9 @@ NOTE TO PEOPLE WHO THINK THAT FreeBSD 8.x IS SLOW ON IA64 OR SUN4V: debugging tools present in HEAD were left in place because sun4v support still needs work to become production ready. +20120806: p10 FreeBSD-SA-12:05.bind + Fix named(8) DNSSEC validation Denial of Service. + 20120612: p9 FreeBSD-SA-12:03.bind FreeBSD-SA-12:04.sysret FreeBSD-EN-12:02.ipv6refcount diff --git a/contrib/bind9/lib/dns/resolver.c b/contrib/bind9/lib/dns/resolver.c index 8803a052..f20e27f3 100644 --- a/contrib/bind9/lib/dns/resolver.c +++ b/contrib/bind9/lib/dns/resolver.c @@ -7936,6 +7936,7 @@ dns_resolver_addbadcache(dns_resolver_t *resolver, dns_name_t *name, } bad->type = type; bad->hashval = hashval; + bad->expire = *expire; isc_buffer_init(&buffer, bad + 1, name->length); dns_name_init(&bad->name, NULL); dns_name_copy(name, &bad->name, &buffer); @@ -7947,8 +7948,8 @@ dns_resolver_addbadcache(dns_resolver_t *resolver, dns_name_t *name, if (resolver->badcount < resolver->badhash * 2 && resolver->badhash > DNS_BADCACHE_SIZE) resizehash(resolver, &now, ISC_FALSE); - } - bad->expire = *expire; + } else + bad->expire = *expire; cleanup: UNLOCK(&resolver->lock); } diff --git a/sys/conf/newvers.sh b/sys/conf/newvers.sh index fd6a33e1..298f9f98 100644 --- a/sys/conf/newvers.sh +++ b/sys/conf/newvers.sh 
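Review bot: The `bad->expire = *expire;` added in the first resolver.c hunk (old line 7936) has no comment explaining why it must sit ahead of the rest of the entry set-up, so a later tidy-up could move it back below the block. The second hunk shows `resizehash(resolver, &now, ISC_FALSE)` being called inside that block; presumably it examines entries by their expiry, which is why an unset `expire` on a fresh entry matters, though its body is not visible here. I would add above the assignment: `/* Set expire before the entry can be seen by resizehash() below. */`. dns_resolver_addbadcache starts before this hunk, and the allocation of `bad` is outside it.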
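Review bot: The `else` added at the end of the second resolver.c hunk (old line 7947) is unbraced while the `if` arm it closes is braced, so a statement added next to it later would silently run on both paths. That is the same shape of mistake this commit corrects. I would brace it as `} else {`, `bad->expire = *expire;`, `}`. A one-line comment such as `/* entry already present: only refresh its expiry */` would also help, if that is indeed what the condition outside the hunk tests. The function begins before this hunk, so the matching `if` is not visible here.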
@@ -32,7 +32,7 @@ TYPE="FreeBSD" REVISION="8.2" -BRANCH="RELEASE-p9" +BRANCH="RELEASE-p10" if [ "X${BRANCH_OVERRIDE}" != "X" ]; then BRANCH=${BRANCH_OVERRIDE} fi -- 2.42.0