From ab700afbd8c946906e573929e6c64be58532f56e Mon Sep 17 00:00:00 2001 From: simon Date: Thu, 22 Nov 2012 22:52:15 +0000 Subject: [PATCH] Fix multiple Denial of Service vulnerabilities with named(8). Fix insufficient message length validation for EAP-TLS messages. Fix Linux compatibility layer input validation error. Security: FreeBSD-SA-12:06.bind Security: FreeBSD-SA-12:07.hostapd Security: FreeBSD-SA-12:08.linux Security: CVE-2012-4244, CVE-2012-5166, CVE-2012-4445, CVE-2012-4576 Approved by: re Approved by: security-officer git-svn-id: svn://svn.freebsd.org/base/releng/9.0@243417 ccf9f872-aa2e-dd11-9fc8-001c23d0bc1f --- UPDATING | 8 ++++++ contrib/bind9/bin/named/query.c | 14 +++++----- contrib/bind9/lib/dns/include/dns/rdata.h | 11 ++++++++ contrib/bind9/lib/dns/master.c | 2 +- contrib/bind9/lib/dns/rdata.c | 28 +++++++++++++++---- .../src/eap_server/eap_server_tls_common.c | 8 ++++++ sys/compat/linux/linux_ioctl.c | 5 ++-- sys/conf/newvers.sh | 2 +- 8 files changed, 61 insertions(+), 17 deletions(-) diff --git a/UPDATING b/UPDATING index 45dd66f0..a86a757e 100644 --- a/UPDATING +++ b/UPDATING @@ -9,6 +9,14 @@ handbook. Items affecting the ports and packages system can be found in /usr/ports/UPDATING. Please read that file before running portupgrade. +20121122: p5 FreeBSD-SA-12:06.bind FreeBSD-SA-12:07.hostapd + FreeBSD-SA-12:08.linux + Fix multiple Denial of Service vulnerabilities with named(8). + + Fix insufficient message length validation for EAP-TLS messages. + + Fix Linux compatibility layer input validation error. + 20120806: p4 FreeBSD-SA-12:05.bind Fix named(8) DNSSEC validation Denial of Service. diff --git a/contrib/bind9/bin/named/query.c b/contrib/bind9/bin/named/query.c index 4945f474..7c3889a9 100644 --- a/contrib/bind9/bin/named/query.c +++ b/contrib/bind9/bin/named/query.c @@ -1137,13 +1137,6 @@ query_isduplicate(ns_client_t *client, dns_name_t *name, mname = NULL; } - /* - * If the dns_name_t we're looking up is already in the message, - * we don't want to trigger the caller's name replacement logic. - */ - if (name == mname) - mname = NULL; - *mnamep = mname; CTRACE("query_isduplicate: false: done"); @@ -1341,6 +1334,7 @@ query_addadditional(void *arg, dns_name_t *name, dns_rdatatype_t qtype) { if (dns_rdataset_isassociated(rdataset) && !query_isduplicate(client, fname, type, &mname)) { if (mname != NULL) { + INSIST(mname != fname); query_releasename(client, &fname); fname = mname; } else @@ -1401,11 +1395,13 @@ query_addadditional(void *arg, dns_name_t *name, dns_rdatatype_t qtype) { mname = NULL; if (!query_isduplicate(client, fname, dns_rdatatype_a, &mname)) { + if (mname != fname) { if (mname != NULL) { query_releasename(client, &fname); fname = mname; } else need_addname = ISC_TRUE; + } ISC_LIST_APPEND(fname->list, rdataset, link); added_something = ISC_TRUE; if (sigrdataset != NULL && @@ -1444,11 +1440,13 @@ query_addadditional(void *arg, dns_name_t *name, dns_rdatatype_t qtype) { mname = NULL; if (!query_isduplicate(client, fname, dns_rdatatype_aaaa, &mname)) { + if (mname != fname) { if (mname != NULL) { query_releasename(client, &fname); fname = mname; } else need_addname = ISC_TRUE; + } ISC_LIST_APPEND(fname->list, rdataset, link); added_something = ISC_TRUE; if (sigrdataset != NULL && @@ -1960,6 +1958,7 @@ query_addadditional2(void *arg, dns_name_t *name, dns_rdatatype_t qtype) { crdataset->type == dns_rdatatype_aaaa) { if (!query_isduplicate(client, fname, crdataset->type, &mname)) { + if (mname != fname) { if (mname != NULL) { /* * A different type of this name is @@ -1976,6 +1975,7 @@ query_addadditional2(void *arg, dns_name_t *name, dns_rdatatype_t qtype) { mname0 = mname; } else need_addname = ISC_TRUE; + } ISC_LIST_UNLINK(cfname.list, crdataset, link); ISC_LIST_APPEND(fname->list, crdataset, link); added_something = ISC_TRUE; diff --git a/contrib/bind9/lib/dns/include/dns/rdata.h b/contrib/bind9/lib/dns/include/dns/rdata.h index b70a353d..4c969942 100644 --- a/contrib/bind9/lib/dns/include/dns/rdata.h +++ b/contrib/bind9/lib/dns/include/dns/rdata.h @@ -146,6 +146,17 @@ struct dns_rdata { #define DNS_RDATA_VALIDFLAGS(rdata) \ (((rdata)->flags & ~(DNS_RDATA_UPDATE|DNS_RDATA_OFFLINE)) == 0) +/* + * The maximum length of a RDATA that can be sent on the wire. + * Max packet size (65535) less header (12), less name (1), type (2), + * class (2), ttl(4), length (2). + * + * None of the defined types that support name compression can exceed + * this and all new types are to be sent uncompressed. + */ + +#define DNS_RDATA_MAXLENGTH 65512U + /* * Flags affecting rdata formatting style. Flags 0xFFFF0000 * are used by masterfile-level formatting and defined elsewhere. diff --git a/contrib/bind9/lib/dns/master.c b/contrib/bind9/lib/dns/master.c index 1e9fead6..9ed7cd00 100644 --- a/contrib/bind9/lib/dns/master.c +++ b/contrib/bind9/lib/dns/master.c @@ -75,7 +75,7 @@ /*% * max message size - header - root - type - class - ttl - rdlen */ -#define MINTSIZ (65535 - 12 - 1 - 2 - 2 - 4 - 2) +#define MINTSIZ DNS_RDATA_MAXLENGTH /*% * Size for tokens in the presentation format, * The largest tokens are the base64 blocks in KEY and CERT records, diff --git a/contrib/bind9/lib/dns/rdata.c b/contrib/bind9/lib/dns/rdata.c index 9337a801..bf3e7395 100644 --- a/contrib/bind9/lib/dns/rdata.c +++ b/contrib/bind9/lib/dns/rdata.c @@ -425,6 +425,7 @@ dns_rdata_fromwire(dns_rdata_t *rdata, dns_rdataclass_t rdclass, isc_buffer_t st; isc_boolean_t use_default = ISC_FALSE; isc_uint32_t activelength; + size_t length; REQUIRE(dctx != NULL); if (rdata != NULL) { @@ -454,6 +455,14 @@ dns_rdata_fromwire(dns_rdata_t *rdata, dns_rdataclass_t rdclass, } } + /* + * Reject any rdata that expands out to more than DNS_RDATA_MAXLENGTH + * as we cannot transmit it. + */ + length = isc_buffer_usedlength(target) - isc_buffer_usedlength(&st); + if (result == ISC_R_SUCCESS && length > DNS_RDATA_MAXLENGTH) + result = DNS_R_FORMERR; + /* * We should have consumed all of our buffer. */ @@ -462,8 +471,7 @@ dns_rdata_fromwire(dns_rdata_t *rdata, dns_rdataclass_t rdclass, if (rdata != NULL && result == ISC_R_SUCCESS) { region.base = isc_buffer_used(&st); - region.length = isc_buffer_usedlength(target) - - isc_buffer_usedlength(&st); + region.length = length; dns_rdata_fromregion(rdata, rdclass, type, ®ion); } @@ -598,6 +606,7 @@ dns_rdata_fromtext(dns_rdata_t *rdata, dns_rdataclass_t rdclass, unsigned long line; void (*callback)(dns_rdatacallbacks_t *, const char *, ...); isc_result_t tresult; + size_t length; REQUIRE(origin == NULL || dns_name_isabsolute(origin) == ISC_TRUE); if (rdata != NULL) { @@ -670,10 +679,13 @@ dns_rdata_fromtext(dns_rdata_t *rdata, dns_rdataclass_t rdclass, } } while (1); + length = isc_buffer_usedlength(target) - isc_buffer_usedlength(&st); + if (result == ISC_R_SUCCESS && length > DNS_RDATA_MAXLENGTH) + result = ISC_R_NOSPACE; + if (rdata != NULL && result == ISC_R_SUCCESS) { region.base = isc_buffer_used(&st); - region.length = isc_buffer_usedlength(target) - - isc_buffer_usedlength(&st); + region.length = length; dns_rdata_fromregion(rdata, rdclass, type, ®ion); } if (result != ISC_R_SUCCESS) { @@ -781,6 +793,7 @@ dns_rdata_fromstruct(dns_rdata_t *rdata, dns_rdataclass_t rdclass, isc_buffer_t st; isc_region_t region; isc_boolean_t use_default = ISC_FALSE; + size_t length; REQUIRE(source != NULL); if (rdata != NULL) { @@ -795,10 +808,13 @@ dns_rdata_fromstruct(dns_rdata_t *rdata, dns_rdataclass_t rdclass, if (use_default) (void)NULL; + length = isc_buffer_usedlength(target) - isc_buffer_usedlength(&st); + if (result == ISC_R_SUCCESS && length > DNS_RDATA_MAXLENGTH) + result = ISC_R_NOSPACE; + if (rdata != NULL && result == ISC_R_SUCCESS) { region.base = isc_buffer_used(&st); - region.length = isc_buffer_usedlength(target) - - isc_buffer_usedlength(&st); + region.length = length; dns_rdata_fromregion(rdata, rdclass, type, ®ion); } if (result != ISC_R_SUCCESS) diff --git a/contrib/wpa/src/eap_server/eap_server_tls_common.c b/contrib/wpa/src/eap_server/eap_server_tls_common.c index 25ae683f..625ff52a 100644 --- a/contrib/wpa/src/eap_server/eap_server_tls_common.c +++ b/contrib/wpa/src/eap_server/eap_server_tls_common.c @@ -225,6 +225,14 @@ static int eap_server_tls_process_fragment(struct eap_ssl_data *data, return -1; } + if (len > message_length) { + wpa_printf(MSG_INFO, "SSL: Too much data (%d bytes) in " + "first fragment of frame (TLS Message " + "Length %d bytes)", + (int) len, (int) message_length); + return -1; + } + data->tls_in = wpabuf_alloc(message_length); if (data->tls_in == NULL) { wpa_printf(MSG_DEBUG, "SSL: No memory for message"); diff --git a/sys/compat/linux/linux_ioctl.c b/sys/compat/linux/linux_ioctl.c index 15e31363..5a3f6288 100644 --- a/sys/compat/linux/linux_ioctl.c +++ b/sys/compat/linux/linux_ioctl.c @@ -2260,8 +2260,9 @@ again: ifc.ifc_len = valid_len; sbuf_finish(sb); - memcpy(PTRIN(ifc.ifc_buf), sbuf_data(sb), ifc.ifc_len); - error = copyout(&ifc, uifc, sizeof(ifc)); + error = copyout(sbuf_data(sb), PTRIN(ifc.ifc_buf), ifc.ifc_len); + if (error == 0) + error = copyout(&ifc, uifc, sizeof(ifc)); sbuf_delete(sb); CURVNET_RESTORE(); diff --git a/sys/conf/newvers.sh b/sys/conf/newvers.sh index 1a7c73d2..83449504 100644 --- a/sys/conf/newvers.sh +++ b/sys/conf/newvers.sh @@ -32,7 +32,7 @@ TYPE="FreeBSD" REVISION="9.0" -BRANCH="RELEASE-p4" +BRANCH="RELEASE-p5" if [ "X${BRANCH_OVERRIDE}" != "X" ]; then BRANCH=${BRANCH_OVERRIDE} fi -- 2.42.0