From 1042a29aafb32a40f68a189c3481f24110172b37 Mon Sep 17 00:00:00 2001 From: dougb Date: Thu, 1 Dec 2011 21:17:59 +0000 Subject: [PATCH] Upgrade to BIND 9.8.1-P1 to address the following DDOS bug: Recursive name servers are failing with an assertion: INSIST(! dns_rdataset_isassociated(sigrdataset)) At this time it is not thought that authoritative-only servers are affected, but information about this bug is evolving rapidly. Because it may be possible to trigger this bug even on networks that do not allow untrusted users to access the recursive name servers (perhaps via specially crafted e-mail messages, and/or malicious web sites) it is recommended that ALL operators of recursive name servers upgrade immediately. For more information see: https://www.isc.org/software/bind/advisories/cve-2011-4313 which will be updated as more information becomes available. https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4313 Approved by: re (kib) git-svn-id: svn://svn.freebsd.org/base/releng/9.0@228190 ccf9f872-aa2e-dd11-9fc8-001c23d0bc1f --- contrib/bind9/CHANGES | 6 ++++++ contrib/bind9/bin/named/query.c | 21 +++++++++------------ contrib/bind9/lib/dns/rbtdb.c | 6 +++--- contrib/bind9/version | 6 +++--- 4 files changed, 21 insertions(+), 18 deletions(-) diff --git a/contrib/bind9/CHANGES b/contrib/bind9/CHANGES index 3e48dd63..dc0b2c69 100644 --- a/contrib/bind9/CHANGES +++ b/contrib/bind9/CHANGES @@ -1,3 +1,9 @@ + --- 9.8.1-P1 released --- + +3218. [security] Cache lookup could return RRSIG data associated with + nonexistent records, leading to an assertion + failure. [RT #26590] + --- 9.8.1 released --- --- 9.8.1rc1 released --- diff --git a/contrib/bind9/bin/named/query.c b/contrib/bind9/bin/named/query.c index 9be178be..4945f474 100644 --- a/contrib/bind9/bin/named/query.c +++ b/contrib/bind9/bin/named/query.c @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: query.c,v 1.353.8.11 2011-06-09 03:14:03 marka Exp $ */ +/* $Id: query.c,v 1.353.8.11.4.1 2011-11-16 09:32:08 marka Exp $ */ /*! \file */ @@ -1393,11 +1393,9 @@ query_addadditional(void *arg, dns_name_t *name, dns_rdatatype_t qtype) { goto addname; if (result == DNS_R_NCACHENXRRSET) { dns_rdataset_disassociate(rdataset); - /* - * Negative cache entries don't have sigrdatasets. - */ - INSIST(sigrdataset == NULL || - ! dns_rdataset_isassociated(sigrdataset)); + if (sigrdataset != NULL && + dns_rdataset_isassociated(sigrdataset)) + dns_rdataset_disassociate(sigrdataset); } if (result == ISC_R_SUCCESS) { mname = NULL; @@ -1438,8 +1436,9 @@ query_addadditional(void *arg, dns_name_t *name, dns_rdatatype_t qtype) { goto addname; if (result == DNS_R_NCACHENXRRSET) { dns_rdataset_disassociate(rdataset); - INSIST(sigrdataset == NULL || - ! dns_rdataset_isassociated(sigrdataset)); + if (sigrdataset != NULL && + dns_rdataset_isassociated(sigrdataset)) + dns_rdataset_disassociate(sigrdataset); } if (result == ISC_R_SUCCESS) { mname = NULL; @@ -1889,10 +1888,8 @@ query_addadditional2(void *arg, dns_name_t *name, dns_rdatatype_t qtype) { goto setcache; if (result == DNS_R_NCACHENXRRSET) { dns_rdataset_disassociate(rdataset); - /* - * Negative cache entries don't have sigrdatasets. - */ - INSIST(! dns_rdataset_isassociated(sigrdataset)); + if (dns_rdataset_isassociated(sigrdataset)) + dns_rdataset_disassociate(sigrdataset); } if (result == ISC_R_SUCCESS) { /* Remember the result as a cache */ diff --git a/contrib/bind9/lib/dns/rbtdb.c b/contrib/bind9/lib/dns/rbtdb.c index 9d66006b..10525d92 100644 --- a/contrib/bind9/lib/dns/rbtdb.c +++ b/contrib/bind9/lib/dns/rbtdb.c @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: rbtdb.c,v 1.310.8.5 2011-06-08 23:02:42 each Exp $ */ +/* $Id: rbtdb.c,v 1.310.8.5.4.1 2011-11-16 09:32:08 marka Exp $ */ /*! \file */ @@ -5053,7 +5053,7 @@ cache_find(dns_db_t *db, dns_name_t *name, dns_dbversion_t *version, rdataset); if (need_headerupdate(found, search.now)) update = found; - if (foundsig != NULL) { + if (!NEGATIVE(found) && foundsig != NULL) { bind_rdataset(search.rbtdb, node, foundsig, search.now, sigrdataset); if (need_headerupdate(foundsig, search.now)) @@ -5685,7 +5685,7 @@ cache_findrdataset(dns_db_t *db, dns_dbnode_t *node, dns_dbversion_t *version, } if (found != NULL) { bind_rdataset(rbtdb, rbtnode, found, now, rdataset); - if (foundsig != NULL) + if (!NEGATIVE(found) && foundsig != NULL) bind_rdataset(rbtdb, rbtnode, foundsig, now, sigrdataset); } diff --git a/contrib/bind9/version b/contrib/bind9/version index ede0ba05..249750e3 100644 --- a/contrib/bind9/version +++ b/contrib/bind9/version @@ -1,4 +1,4 @@ -# $Id: version,v 1.53.8.9 2011-08-24 02:08:26 marka Exp $ +# $Id: version,v 1.53.8.9.6.1 2011-11-16 09:32:07 marka Exp $ # # This file must follow /bin/sh rules. It is imported directly via # configure. @@ -6,5 +6,5 @@ MAJORVER=9 MINORVER=8 PATCHVER=1 -RELEASETYPE= -RELEASEVER= +RELEASETYPE=-P +RELEASEVER=1 -- 2.42.0