diff -up bind-9.3.6-P1/lib/dns/include/dns/rdata.h.CVE-2012-4244 bind-9.3.6-P1/lib/dns/include/dns/rdata.h --- bind-9.3.6-P1/lib/dns/include/dns/rdata.h.CVE-2012-4244 2004-03-08 03:08:01.000000000 +0100 +++ bind-9.3.6-P1/lib/dns/include/dns/rdata.h 2012-09-13 11:29:41.830312697 +0200 @@ -131,6 +131,17 @@ struct dns_rdata { #define DNS_RDATA_UPDATE 0x0001 /* update pseudo record */ /* + * The maximum length of a RDATA that can be sent on the wire. + * Max packet size (65535) less header (12), less name (1), type (2), + * class (2), ttl(4), length (2). + * + * None of the defined types that support name compression can exceed + * this and all new types are to be sent uncompressed. + */ + +#define DNS_RDATA_MAXLENGTH 65512U + +/* * Flags affecting rdata formatting style. Flags 0xFFFF0000 * are used by masterfile-level formatting and defined elsewhere. * See additional comments at dns_rdata_tofmttext(). diff -up bind-9.3.6-P1/lib/dns/master.c.CVE-2012-4244 bind-9.3.6-P1/lib/dns/master.c --- bind-9.3.6-P1/lib/dns/master.c.CVE-2012-4244 2008-01-24 14:06:47.000000000 +0100 +++ bind-9.3.6-P1/lib/dns/master.c 2012-09-13 11:30:22.458480257 +0200 @@ -71,7 +71,7 @@ /* * max message size - header - root - type - class - ttl - rdlen */ -#define MINTSIZ (65535 - 12 - 1 - 2 - 2 - 4 - 2) +#define MINTSIZ DNS_RDATA_MAXLENGTH /* * Size for tokens in the presentation format, * The largest tokens are the base64 blocks in KEY and CERT records, diff -up bind-9.3.6-P1/lib/dns/rdata.c.CVE-2012-4244 bind-9.3.6-P1/lib/dns/rdata.c --- bind-9.3.6-P1/lib/dns/rdata.c.CVE-2012-4244 2012-09-13 11:27:48.101841555 +0200 +++ bind-9.3.6-P1/lib/dns/rdata.c 2012-09-13 11:27:48.110841593 +0200 @@ -397,6 +397,7 @@ dns_rdata_fromwire(dns_rdata_t *rdata, d isc_buffer_t st; isc_boolean_t use_default = ISC_FALSE; isc_uint32_t activelength; + size_t length; REQUIRE(dctx != NULL); if (rdata != NULL) { @@ -427,6 +428,14 @@ dns_rdata_fromwire(dns_rdata_t *rdata, d } /* + * Reject any rdata that expands out to more than DNS_RDATA_MAXLENGTH + * as we cannot transmit it. + */ + length = isc_buffer_usedlength(target) - isc_buffer_usedlength(&st); + if (result == ISC_R_SUCCESS && length > DNS_RDATA_MAXLENGTH) + result = DNS_R_FORMERR; + + /* * We should have consumed all of our buffer. */ if (result == ISC_R_SUCCESS && !buffer_empty(source)) @@ -434,8 +443,7 @@ dns_rdata_fromwire(dns_rdata_t *rdata, d if (rdata != NULL && result == ISC_R_SUCCESS) { region.base = isc_buffer_used(&st); - region.length = isc_buffer_usedlength(target) - - isc_buffer_usedlength(&st); + region.length = length; dns_rdata_fromregion(rdata, rdclass, type, ®ion); } @@ -570,6 +578,7 @@ dns_rdata_fromtext(dns_rdata_t *rdata, d unsigned long line; void (*callback)(dns_rdatacallbacks_t *, const char *, ...); isc_result_t tresult; + size_t length; REQUIRE(origin == NULL || dns_name_isabsolute(origin) == ISC_TRUE); if (rdata != NULL) { @@ -642,10 +651,13 @@ dns_rdata_fromtext(dns_rdata_t *rdata, d } } while (1); + length = isc_buffer_usedlength(target) - isc_buffer_usedlength(&st); + if (result == ISC_R_SUCCESS && length > DNS_RDATA_MAXLENGTH) + result = ISC_R_NOSPACE; + if (rdata != NULL && result == ISC_R_SUCCESS) { region.base = isc_buffer_used(&st); - region.length = isc_buffer_usedlength(target) - - isc_buffer_usedlength(&st); + region.length = length; dns_rdata_fromregion(rdata, rdclass, type, ®ion); } if (result != ISC_R_SUCCESS) { @@ -752,6 +764,7 @@ dns_rdata_fromstruct(dns_rdata_t *rdata, isc_buffer_t st; isc_region_t region; isc_boolean_t use_default = ISC_FALSE; + size_t length; REQUIRE(source != NULL); if (rdata != NULL) { @@ -766,10 +779,13 @@ dns_rdata_fromstruct(dns_rdata_t *rdata, if (use_default) (void)NULL; + length = isc_buffer_usedlength(target) - isc_buffer_usedlength(&st); + if (result == ISC_R_SUCCESS && length > DNS_RDATA_MAXLENGTH) + result = ISC_R_NOSPACE; + if (rdata != NULL && result == ISC_R_SUCCESS) { region.base = isc_buffer_used(&st); - region.length = isc_buffer_usedlength(target) - - isc_buffer_usedlength(&st); + region.length = length; dns_rdata_fromregion(rdata, rdclass, type, ®ion); } if (result != ISC_R_SUCCESS) diff -up bind-9.3.6-P1/lib/dns/rdataslab.c.CVE-2012-4244 bind-9.3.6-P1/lib/dns/rdataslab.c --- bind-9.3.6-P1/lib/dns/rdataslab.c.CVE-2012-4244 2012-09-13 11:27:48.000000000 +0200 +++ bind-9.3.6-P1/lib/dns/rdataslab.c 2012-09-13 11:32:43.155058003 +0200 @@ -145,6 +145,7 @@ dns_rdataslab_fromrdataset(dns_rdataset_ for (i = 0; i < nalloc; i++) { if (rdatas[i].data == &removed) continue; + INSIST(rdatas[i].length <= 0xffff); *rawbuf++ = (rdatas[i].length & 0xff00) >> 8; *rawbuf++ = (rdatas[i].length & 0x00ff); memcpy(rawbuf, rdatas[i].data, rdatas[i].length);