1 |
From 9dd582167a8e64917fee9e8343769e09dce6cd1e Mon Sep 17 00:00:00 2001 |
2 |
From: Mark Andrews <marka@isc.org> |
3 |
Date: Fri, 9 Sep 2016 11:29:48 +1000 |
4 |
Subject: [PATCH] 4467. [security] It was possible to trigger a |
5 |
assertion when rendering a message. [RT #43139] |
6 |
|
7 |
(cherry picked from commit 2bd0922cf995b9ac205fc83baf7e220b95c6bf12) |
8 |
--- |
9 |
lib/dns/message.c | 42 +++++++++++++++++++++++++++++++----------- |
10 |
1 files changed, 31 insertions(+), 11 deletions(-) |
11 |
|
12 |
diff --git a/lib/dns/message.c b/lib/dns/message.c |
13 |
index c49bfa2..3745561 100644 |
14 |
--- a/lib/dns/message.c |
15 |
+++ b/lib/dns/message.c |
16 |
@@ -1728,7 +1728,7 @@ dns_message_renderbegin(dns_message_t *msg, dns_compress_t *cctx, |
17 |
if (r.length < DNS_MESSAGE_HEADERLEN) |
18 |
return (ISC_R_NOSPACE); |
19 |
|
20 |
- if (r.length < msg->reserved) |
21 |
+ if (r.length - DNS_MESSAGE_HEADERLEN < msg->reserved) |
22 |
return (ISC_R_NOSPACE); |
23 |
|
24 |
/* |
25 |
@@ -1869,8 +1869,29 @@ norender_rdataset(const dns_rdataset_t *rdataset, unsigned int options, |
26 |
|
27 |
return (ISC_TRUE); |
28 |
} |
29 |
- |
30 |
#endif |
31 |
+ |
32 |
+static isc_result_t |
33 |
+renderset(dns_rdataset_t *rdataset, dns_name_t *owner_name, |
34 |
+ dns_compress_t *cctx, isc_buffer_t *target, |
35 |
+ unsigned int reserved, unsigned int options, unsigned int *countp) |
36 |
+{ |
37 |
+ isc_result_t result; |
38 |
+ |
39 |
+ /* |
40 |
+ * Shrink the space in the buffer by the reserved amount. |
41 |
+ */ |
42 |
+ if (target->length - target->used < reserved) |
43 |
+ return (ISC_R_NOSPACE); |
44 |
+ |
45 |
+ target->length -= reserved; |
46 |
+ result = dns_rdataset_towire(rdataset, owner_name, |
47 |
+ cctx, target, options, countp); |
48 |
+ target->length += reserved; |
49 |
+ |
50 |
+ return (result); |
51 |
+} |
52 |
+ |
53 |
isc_result_t |
54 |
dns_message_rendersection(dns_message_t *msg, dns_section_t sectionid, |
55 |
unsigned int options) |
56 |
@@ -1913,6 +1934,8 @@ dns_message_rendersection(dns_message_t *msg, dns_section_t sectionid, |
57 |
/* |
58 |
* Shrink the space in the buffer by the reserved amount. |
59 |
*/ |
60 |
+ if (msg->buffer->length - msg->buffer->used < msg->reserved) |
61 |
+ return (ISC_R_NOSPACE); |
62 |
msg->buffer->length -= msg->reserved; |
63 |
|
64 |
total = 0; |
65 |
@@ -2188,9 +2211,8 @@ dns_message_renderend(dns_message_t *msg) { |
66 |
* Render. |
67 |
*/ |
68 |
count = 0; |
69 |
- result = dns_rdataset_towire(msg->opt, dns_rootname, |
70 |
- msg->cctx, msg->buffer, 0, |
71 |
- &count); |
72 |
+ result = renderset(msg->opt, dns_rootname, msg->cctx, |
73 |
+ msg->buffer, msg->reserved, 0, &count); |
74 |
msg->counts[DNS_SECTION_ADDITIONAL] += count; |
75 |
if (result != ISC_R_SUCCESS) |
76 |
return (result); |
77 |
@@ -2206,9 +2228,8 @@ dns_message_renderend(dns_message_t *msg) { |
78 |
if (result != ISC_R_SUCCESS) |
79 |
return (result); |
80 |
count = 0; |
81 |
- result = dns_rdataset_towire(msg->tsig, msg->tsigname, |
82 |
- msg->cctx, msg->buffer, 0, |
83 |
- &count); |
84 |
+ result = renderset(msg->tsig, msg->tsigname, msg->cctx, |
85 |
+ msg->buffer, msg->reserved, 0, &count); |
86 |
msg->counts[DNS_SECTION_ADDITIONAL] += count; |
87 |
if (result != ISC_R_SUCCESS) |
88 |
return (result); |
89 |
@@ -2229,9 +2250,8 @@ dns_message_renderend(dns_message_t *msg) { |
90 |
* the owner name of a SIG(0) is irrelevant, and will not |
91 |
* be set in a message being rendered. |
92 |
*/ |
93 |
- result = dns_rdataset_towire(msg->sig0, dns_rootname, |
94 |
- msg->cctx, msg->buffer, 0, |
95 |
- &count); |
96 |
+ result = renderset(msg->sig0, dns_rootname, msg->cctx, |
97 |
+ msg->buffer, msg->reserved, 0, &count); |
98 |
msg->counts[DNS_SECTION_ADDITIONAL] += count; |
99 |
if (result != ISC_R_SUCCESS) |
100 |
return (result); |
101 |
-- |
102 |
2.9.0 |
103 |
|