diff -up bind-9.3.6-P1/lib/dns/rdata.c.CVE-2012-1667 bind-9.3.6-P1/lib/dns/rdata.c --- bind-9.3.6-P1/lib/dns/rdata.c.CVE-2012-1667 2012-06-04 18:24:53.741535104 +0200 +++ bind-9.3.6-P1/lib/dns/rdata.c 2012-06-04 18:25:16.015495186 +0200 @@ -328,8 +328,8 @@ dns_rdata_compare(const dns_rdata_t *rda REQUIRE(rdata1 != NULL); REQUIRE(rdata2 != NULL); - REQUIRE(rdata1->data != NULL); - REQUIRE(rdata2->data != NULL); + REQUIRE(rdata1->length == 0 || rdata1->data != NULL); + REQUIRE(rdata2->length == 0 || rdata2->data != NULL); REQUIRE(DNS_RDATA_VALIDFLAGS(rdata1)); REQUIRE(DNS_RDATA_VALIDFLAGS(rdata2)); diff -up bind-9.3.6-P1/lib/dns/rdataslab.c.CVE-2012-1667 bind-9.3.6-P1/lib/dns/rdataslab.c --- bind-9.3.6-P1/lib/dns/rdataslab.c.CVE-2012-1667 2012-06-04 18:28:03.478195195 +0200 +++ bind-9.3.6-P1/lib/dns/rdataslab.c 2012-06-04 18:33:18.855634417 +0200 @@ -43,6 +43,11 @@ isc_result_t dns_rdataslab_fromrdataset(dns_rdataset_t *rdataset, isc_mem_t *mctx, isc_region_t *region, unsigned int reservelen) { + /* + * Use &removed as a sentinal pointer for duplicate + * rdata as rdata.data == NULL is valid. + */ + static unsigned char removed; dns_rdata_t *rdatas; unsigned char *rawbuf; unsigned int buflen; @@ -72,6 +77,7 @@ dns_rdataslab_fromrdataset(dns_rdataset_ INSIST(result == ISC_R_SUCCESS); dns_rdata_init(&rdatas[i]); dns_rdataset_current(rdataset, &rdatas[i]); + INSIST(rdatas[i].data != &removed); result = dns_rdataset_next(rdataset); } if (result != ISC_R_NOMORE) @@ -97,8 +103,7 @@ dns_rdataslab_fromrdataset(dns_rdataset_ */ for (i = 1; i < nalloc; i++) { if (compare_rdata(&rdatas[i-1], &rdatas[i]) == 0) { - rdatas[i-1].data = NULL; - rdatas[i-1].length = 0; + rdatas[i-1].data = &removed; nitems--; } else buflen += (2 + rdatas[i-1].length); @@ -138,7 +143,7 @@ dns_rdataslab_fromrdataset(dns_rdataset_ *rawbuf++ = (nitems & 0xff00) >> 8; *rawbuf++ = (nitems & 0x00ff); for (i = 0; i < nalloc; i++) { - if (rdatas[i].data == NULL) + if (rdatas[i].data == &removed) continue; *rawbuf++ = (rdatas[i].length & 0xff00) >> 8; *rawbuf++ = (rdatas[i].length & 0x00ff);