From 25585d78e68dbe3141cf5299989f7d1d18d43973 Mon Sep 17 00:00:00 2001
From: simon <simon@ccf9f872-aa2e-dd11-9fc8-001c23d0bc1f>
Date: Thu, 22 Nov 2012 22:52:15 +0000
Subject: [PATCH] Fix multiple Denial of Service vulnerabilities with named(8).

Fix insufficient message length validation for EAP-TLS messages.

Fix Linux compatibility layer input validation error.

Security:	FreeBSD-SA-12:06.bind
Security:	FreeBSD-SA-12:07.hostapd
Security:	FreeBSD-SA-12:08.linux
Security:	CVE-2012-4244, CVE-2012-5166, CVE-2012-4445, CVE-2012-4576
Approved by:	re
Approved by:	security-officer


git-svn-id: svn://svn.freebsd.org/base/releng/9.1@243417 ccf9f872-aa2e-dd11-9fc8-001c23d0bc1f
---
 contrib/wpa/src/eap_server/eap_server_tls_common.c | 8 ++++++++
 sys/compat/linux/linux_ioctl.c                     | 5 +++--
 2 files changed, 11 insertions(+), 2 deletions(-)

diff --git a/contrib/wpa/src/eap_server/eap_server_tls_common.c b/contrib/wpa/src/eap_server/eap_server_tls_common.c
index 25ae683f..625ff52a 100644
--- a/contrib/wpa/src/eap_server/eap_server_tls_common.c
+++ b/contrib/wpa/src/eap_server/eap_server_tls_common.c
@@ -225,6 +225,14 @@ static int eap_server_tls_process_fragment(struct eap_ssl_data *data,
 			return -1;
 		}
 
+		if (len > message_length) {
+			wpa_printf(MSG_INFO, "SSL: Too much data (%d bytes) in "
+				   "first fragment of frame (TLS Message "
+				   "Length %d bytes)",
+				   (int) len, (int) message_length);
+			return -1;
+		}
+
 		data->tls_in = wpabuf_alloc(message_length);
 		if (data->tls_in == NULL) {
 			wpa_printf(MSG_DEBUG, "SSL: No memory for message");
diff --git a/sys/compat/linux/linux_ioctl.c b/sys/compat/linux/linux_ioctl.c
index a2b1dc02..168e6801 100644
--- a/sys/compat/linux/linux_ioctl.c
+++ b/sys/compat/linux/linux_ioctl.c
@@ -2260,8 +2260,9 @@ again:
 
 	ifc.ifc_len = valid_len; 
 	sbuf_finish(sb);
-	memcpy(PTRIN(ifc.ifc_buf), sbuf_data(sb), ifc.ifc_len);
-	error = copyout(&ifc, uifc, sizeof(ifc));
+	error = copyout(sbuf_data(sb), PTRIN(ifc.ifc_buf), ifc.ifc_len);
+	if (error == 0)
+		error = copyout(&ifc, uifc, sizeof(ifc));
 	sbuf_delete(sb);
 	CURVNET_RESTORE();
 
-- 
2.42.0