current/SOURCES/bind-9.10-CVE-2016-2776.patch

From 9dd582167a8e64917fee9e8343769e09dce6cd1e Mon Sep 17 00:00:00 2001
From: Mark Andrews <marka@isc.org>
Date: Fri, 9 Sep 2016 11:29:48 +1000
Subject: [PATCH] 4467.   [security]      It was possible to trigger a
 assertion when rendering                         a message. [RT #43139]

(cherry picked from commit 2bd0922cf995b9ac205fc83baf7e220b95c6bf12)
---
 lib/dns/message.c | 42 +++++++++++++++++++++++++++++++-----------
 1 files changed, 31 insertions(+), 11 deletions(-)

diff --git a/lib/dns/message.c b/lib/dns/message.c
index c49bfa2..3745561 100644
--- a/lib/dns/message.c
+++ b/lib/dns/message.c
@@ -1728,7 +1728,7 @@ dns_message_renderbegin(dns_message_t *msg, dns_compress_t *cctx,
        if (r.length < DNS_MESSAGE_HEADERLEN)
                return (ISC_R_NOSPACE);
 
-       if (r.length < msg->reserved)
+       if (r.length - DNS_MESSAGE_HEADERLEN < msg->reserved)
                return (ISC_R_NOSPACE);
 
        /*
@@ -1869,8 +1869,29 @@ norender_rdataset(const dns_rdataset_t *rdataset, unsigned int options,
 
        return (ISC_TRUE);
 }
-
 #endif
+
+static isc_result_t
+renderset(dns_rdataset_t *rdataset, dns_name_t *owner_name,
+         dns_compress_t *cctx, isc_buffer_t *target,
+         unsigned int reserved, unsigned int options, unsigned int *countp)
+{
+       isc_result_t result;
+
+       /*
+        * Shrink the space in the buffer by the reserved amount.
+        */
+       if (target->length - target->used < reserved)
+               return (ISC_R_NOSPACE);
+
+       target->length -= reserved;
+       result = dns_rdataset_towire(rdataset, owner_name,
+                                    cctx, target, options, countp);
+       target->length += reserved;
+
+       return (result);
+}
+
 isc_result_t
 dns_message_rendersection(dns_message_t *msg, dns_section_t sectionid,
                          unsigned int options)
@@ -1913,6 +1934,8 @@ dns_message_rendersection(dns_message_t *msg, dns_section_t sectionid,
        /*
         * Shrink the space in the buffer by the reserved amount.
         */
+       if (msg->buffer->length - msg->buffer->used < msg->reserved)
+               return (ISC_R_NOSPACE);
        msg->buffer->length -= msg->reserved;
 
        total = 0;
@@ -2188,9 +2211,8 @@ dns_message_renderend(dns_message_t *msg) {
                 * Render.
                 */
                count = 0;
-               result = dns_rdataset_towire(msg->opt, dns_rootname,
-                                            msg->cctx, msg->buffer, 0,
-                                            &count);
+               result = renderset(msg->opt, dns_rootname, msg->cctx,
+                                  msg->buffer, msg->reserved, 0, &count);
                msg->counts[DNS_SECTION_ADDITIONAL] += count;
                if (result != ISC_R_SUCCESS)
                        return (result);
@@ -2206,9 +2228,8 @@ dns_message_renderend(dns_message_t *msg) {
                if (result != ISC_R_SUCCESS)
                        return (result);
                count = 0;
-               result = dns_rdataset_towire(msg->tsig, msg->tsigname,
-                                            msg->cctx, msg->buffer, 0,
-                                            &count);
+               result = renderset(msg->tsig, msg->tsigname, msg->cctx,
+                                  msg->buffer, msg->reserved, 0, &count);
                msg->counts[DNS_SECTION_ADDITIONAL] += count;
                if (result != ISC_R_SUCCESS)
                        return (result);
@@ -2229,9 +2250,8 @@ dns_message_renderend(dns_message_t *msg) {
                 * the owner name of a SIG(0) is irrelevant, and will not
                 * be set in a message being rendered.
                 */
-               result = dns_rdataset_towire(msg->sig0, dns_rootname,
-                                            msg->cctx, msg->buffer, 0,
-                                            &count);
+               result = renderset(msg->sig0, dns_rootname, msg->cctx,
+                                  msg->buffer, msg->reserved, 0, &count);
                msg->counts[DNS_SECTION_ADDITIONAL] += count;
                if (result != ISC_R_SUCCESS)
                        return (result);
-- 
2.9.0

1	From 9dd582167a8e64917fee9e8343769e09dce6cd1e Mon Sep 17 00:00:00 2001
2	From: Mark Andrews <marka@isc.org>
3	Date: Fri, 9 Sep 2016 11:29:48 +1000
4	Subject: [PATCH] 4467. [security] It was possible to trigger a
5	assertion when rendering a message. [RT #43139]
6
7	(cherry picked from commit 2bd0922cf995b9ac205fc83baf7e220b95c6bf12)
8	---
9	lib/dns/message.c \| 42 +++++++++++++++++++++++++++++++-----------
10	1 files changed, 31 insertions(+), 11 deletions(-)
11
12	diff --git a/lib/dns/message.c b/lib/dns/message.c
13	index c49bfa2..3745561 100644
14	--- a/lib/dns/message.c
15	+++ b/lib/dns/message.c
16	@@ -1728,7 +1728,7 @@ dns_message_renderbegin(dns_message_t msg, dns_compress_t cctx,
17	if (r.length < DNS_MESSAGE_HEADERLEN)
18	return (ISC_R_NOSPACE);
19
20	- if (r.length < msg->reserved)
21	+ if (r.length - DNS_MESSAGE_HEADERLEN < msg->reserved)
22	return (ISC_R_NOSPACE);
23
24	/*
25	@@ -1869,8 +1869,29 @@ norender_rdataset(const dns_rdataset_t *rdataset, unsigned int options,
26
27	return (ISC_TRUE);
28	}
29	-
30	#endif
31	+
32	+static isc_result_t
33	+renderset(dns_rdataset_t rdataset, dns_name_t owner_name,
34	+ dns_compress_t cctx, isc_buffer_t target,
35	+ unsigned int reserved, unsigned int options, unsigned int *countp)
36	+{
37	+ isc_result_t result;
38	+
39	+ /*
40	+ * Shrink the space in the buffer by the reserved amount.
41	+ */
42	+ if (target->length - target->used < reserved)
43	+ return (ISC_R_NOSPACE);
44	+
45	+ target->length -= reserved;
46	+ result = dns_rdataset_towire(rdataset, owner_name,
47	+ cctx, target, options, countp);
48	+ target->length += reserved;
49	+
50	+ return (result);
51	+}
52	+
53	isc_result_t
54	dns_message_rendersection(dns_message_t *msg, dns_section_t sectionid,
55	unsigned int options)
56	@@ -1913,6 +1934,8 @@ dns_message_rendersection(dns_message_t *msg, dns_section_t sectionid,
57	/*
58	* Shrink the space in the buffer by the reserved amount.
59	*/
60	+ if (msg->buffer->length - msg->buffer->used < msg->reserved)
61	+ return (ISC_R_NOSPACE);
62	msg->buffer->length -= msg->reserved;
63
64	total = 0;
65	@@ -2188,9 +2211,8 @@ dns_message_renderend(dns_message_t *msg) {
66	* Render.
67	*/
68	count = 0;
69	- result = dns_rdataset_towire(msg->opt, dns_rootname,
70	- msg->cctx, msg->buffer, 0,
71	- &count);
72	+ result = renderset(msg->opt, dns_rootname, msg->cctx,
73	+ msg->buffer, msg->reserved, 0, &count);
74	msg->counts[DNS_SECTION_ADDITIONAL] += count;
75	if (result != ISC_R_SUCCESS)
76	return (result);
77	@@ -2206,9 +2228,8 @@ dns_message_renderend(dns_message_t *msg) {
78	if (result != ISC_R_SUCCESS)
79	return (result);
80	count = 0;
81	- result = dns_rdataset_towire(msg->tsig, msg->tsigname,
82	- msg->cctx, msg->buffer, 0,
83	- &count);
84	+ result = renderset(msg->tsig, msg->tsigname, msg->cctx,
85	+ msg->buffer, msg->reserved, 0, &count);
86	msg->counts[DNS_SECTION_ADDITIONAL] += count;
87	if (result != ISC_R_SUCCESS)
88	return (result);
89	@@ -2229,9 +2250,8 @@ dns_message_renderend(dns_message_t *msg) {
90	* the owner name of a SIG(0) is irrelevant, and will not
91	* be set in a message being rendered.
92	*/
93	- result = dns_rdataset_towire(msg->sig0, dns_rootname,
94	- msg->cctx, msg->buffer, 0,
95	- &count);
96	+ result = renderset(msg->sig0, dns_rootname, msg->cctx,
97	+ msg->buffer, msg->reserved, 0, &count);
98	msg->counts[DNS_SECTION_ADDITIONAL] += count;
99	if (result != ISC_R_SUCCESS)
100	return (result);
101	--
102	2.9.0
103