Sophie

Sophie

distrib > Scientific%20Linux > 5x > x86_64 > by-pkgid > 482997498f9f95c2819169698d08f0c7 > files > 32

bind-9.3.6-25.P1.el5_11.8.src.rpm

diff -up bind-9.3.6-P1/lib/dns/include/dns/rdata.h.CVE-2012-4244 bind-9.3.6-P1/lib/dns/include/dns/rdata.h
--- bind-9.3.6-P1/lib/dns/include/dns/rdata.h.CVE-2012-4244	2004-03-08 03:08:01.000000000 +0100
+++ bind-9.3.6-P1/lib/dns/include/dns/rdata.h	2012-09-13 11:29:41.830312697 +0200
@@ -131,6 +131,17 @@ struct dns_rdata {
 #define DNS_RDATA_UPDATE	0x0001		/* update pseudo record */
 
 /*
+ * The maximum length of a RDATA that can be sent on the wire.
+ * Max packet size (65535) less header (12), less name (1), type (2),
+ * class (2), ttl(4), length (2).
+ *
+ * None of the defined types that support name compression can exceed
+ * this and all new types are to be sent uncompressed.
+ */
+
+#define DNS_RDATA_MAXLENGTH    65512U
+
+/*
  * Flags affecting rdata formatting style.  Flags 0xFFFF0000
  * are used by masterfile-level formatting and defined elsewhere.
  * See additional comments at dns_rdata_tofmttext().
diff -up bind-9.3.6-P1/lib/dns/master.c.CVE-2012-4244 bind-9.3.6-P1/lib/dns/master.c
--- bind-9.3.6-P1/lib/dns/master.c.CVE-2012-4244	2008-01-24 14:06:47.000000000 +0100
+++ bind-9.3.6-P1/lib/dns/master.c	2012-09-13 11:30:22.458480257 +0200
@@ -71,7 +71,7 @@
 /*
  * max message size - header - root - type - class - ttl - rdlen
  */
-#define MINTSIZ (65535 - 12 - 1 - 2 - 2 - 4 - 2)
+#define MINTSIZ DNS_RDATA_MAXLENGTH
 /*
  * Size for tokens in the presentation format,
  * The largest tokens are the base64 blocks in KEY and CERT records,
diff -up bind-9.3.6-P1/lib/dns/rdata.c.CVE-2012-4244 bind-9.3.6-P1/lib/dns/rdata.c
--- bind-9.3.6-P1/lib/dns/rdata.c.CVE-2012-4244	2012-09-13 11:27:48.101841555 +0200
+++ bind-9.3.6-P1/lib/dns/rdata.c	2012-09-13 11:27:48.110841593 +0200
@@ -397,6 +397,7 @@ dns_rdata_fromwire(dns_rdata_t *rdata, d
 	isc_buffer_t st;
 	isc_boolean_t use_default = ISC_FALSE;
 	isc_uint32_t activelength;
+	size_t length;
 
 	REQUIRE(dctx != NULL);
 	if (rdata != NULL) {
@@ -427,6 +428,14 @@ dns_rdata_fromwire(dns_rdata_t *rdata, d
 	}
 
 	/*
+	 * Reject any rdata that expands out to more than DNS_RDATA_MAXLENGTH
+	 * as we cannot transmit it.
+	 */
+	length = isc_buffer_usedlength(target) - isc_buffer_usedlength(&st);
+	if (result == ISC_R_SUCCESS && length > DNS_RDATA_MAXLENGTH)
+		result = DNS_R_FORMERR;
+
+	/*
 	 * We should have consumed all of our buffer.
 	 */
 	if (result == ISC_R_SUCCESS && !buffer_empty(source))
@@ -434,8 +443,7 @@ dns_rdata_fromwire(dns_rdata_t *rdata, d
 
 	if (rdata != NULL && result == ISC_R_SUCCESS) {
 		region.base = isc_buffer_used(&st);
-		region.length = isc_buffer_usedlength(target) -
-				isc_buffer_usedlength(&st);
+		region.length = length;
 		dns_rdata_fromregion(rdata, rdclass, type, &region);
 	}
 
@@ -570,6 +578,7 @@ dns_rdata_fromtext(dns_rdata_t *rdata, d
 	unsigned long line;
 	void (*callback)(dns_rdatacallbacks_t *, const char *, ...);
 	isc_result_t tresult;
+	size_t length;
 
 	REQUIRE(origin == NULL || dns_name_isabsolute(origin) == ISC_TRUE);
 	if (rdata != NULL) {
@@ -642,10 +651,13 @@ dns_rdata_fromtext(dns_rdata_t *rdata, d
 		}
 	} while (1);
 
+	length = isc_buffer_usedlength(target) - isc_buffer_usedlength(&st);
+	if (result == ISC_R_SUCCESS && length > DNS_RDATA_MAXLENGTH)
+		result = ISC_R_NOSPACE;
+
 	if (rdata != NULL && result == ISC_R_SUCCESS) {
 		region.base = isc_buffer_used(&st);
-		region.length = isc_buffer_usedlength(target) -
-				isc_buffer_usedlength(&st);
+		region.length = length;
 		dns_rdata_fromregion(rdata, rdclass, type, &region);
 	}
 	if (result != ISC_R_SUCCESS) {
@@ -752,6 +764,7 @@ dns_rdata_fromstruct(dns_rdata_t *rdata,
 	isc_buffer_t st;
 	isc_region_t region;
 	isc_boolean_t use_default = ISC_FALSE;
+	size_t length;
 
 	REQUIRE(source != NULL);
 	if (rdata != NULL) {
@@ -766,10 +779,13 @@ dns_rdata_fromstruct(dns_rdata_t *rdata,
 	if (use_default)
 		(void)NULL;
 
+	length = isc_buffer_usedlength(target) - isc_buffer_usedlength(&st);
+	if (result == ISC_R_SUCCESS && length > DNS_RDATA_MAXLENGTH)
+		result = ISC_R_NOSPACE;
+
 	if (rdata != NULL && result == ISC_R_SUCCESS) {
 		region.base = isc_buffer_used(&st);
-		region.length = isc_buffer_usedlength(target) -
-				isc_buffer_usedlength(&st);
+		region.length = length;
 		dns_rdata_fromregion(rdata, rdclass, type, &region);
 	}
 	if (result != ISC_R_SUCCESS)
diff -up bind-9.3.6-P1/lib/dns/rdataslab.c.CVE-2012-4244 bind-9.3.6-P1/lib/dns/rdataslab.c
--- bind-9.3.6-P1/lib/dns/rdataslab.c.CVE-2012-4244	2012-09-13 11:27:48.000000000 +0200
+++ bind-9.3.6-P1/lib/dns/rdataslab.c	2012-09-13 11:32:43.155058003 +0200
@@ -145,6 +145,7 @@ dns_rdataslab_fromrdataset(dns_rdataset_
 	for (i = 0; i < nalloc; i++) {
 		if (rdatas[i].data == &removed)
 			continue;
+		INSIST(rdatas[i].length <= 0xffff);
 		*rawbuf++ = (rdatas[i].length & 0xff00) >> 8;
 		*rawbuf++ = (rdatas[i].length & 0x00ff);
 		memcpy(rawbuf, rdatas[i].data, rdatas[i].length);

Perl :: Catalyst :: PostgreSQL :: RPM Valid HTML 4.01 Transitional