This is the patch provided by ISC, re-generated to work in our system.

svn path=/head/; revision=70078
2024-12-26 05:02:18 +00:00 · 2002-11-14 07:28:36 +00:00 · 2002-11-14 07:28:36 +00:00 · e5ea67970d · 2021-03-31 03:12:20 +00:00
commit e5ea67970d
parent 20315038e1
2 changed files with 468 additions and 0 deletions
--- a/dns/bind8/files/patch-bind833.diff
+++ b/dns/bind8/files/patch-bind833.diff
@ -0,0 +1,234 @@
+diff -ur src-patched/CHANGES src/CHANGES
+--- src-patched/CHANGES	Wed Jun 26 21:25:08 2002
+++ src/CHANGES	Wed Nov 13 22:11:17 2002
+@@ -1,3 +1,23 @@
+1469.	[bug]		buffer length calculation for PX was wrong.
+
+1468.	[bug]		ns_name_ntol() could overwite a zero length buffer.
+
+1467.	[bug]		off by one bug in ns_makecannon().
+
+1466.	[bug]		large ENDS UDP buffer size could trigger a assertion.
+
+1465.	[bug]		possible NULL pointer dereference in db_sec.c
+
+1464.	[bug]      	the buffer used to construct the -ve record was not
+			big enough for all possible SOA records.  use pointer
+			arithmetic to calculate the remaining size in this
+			buffer.
+
+1463.	[bug]		use serial space arithmetic to determine if a SIG is
+			too old, in the future or has internally constistant
+			times.
+
+1462.	[bug]		write buffer overflow in make_rr().
+ 
+ 	--- 8.3.3-REL released --- (Wed Jun 26 21:15:43 PDT 2002)
+ 
+diff -ur src-patched/bin/named/db_defs.h src/bin/named/db_defs.h
+--- src-patched/bin/named/db_defs.h	Fri May 17 18:02:53 2002
+++ src/bin/named/db_defs.h	Wed Nov 13 22:11:17 2002
+@@ -78,7 +78,7 @@
+  */
+ 
+ 	/* max length of data in RR data field */
+-#define MAXDATA		(2*MAXDNAME + 5*INT32SZ)
+#define MAXDATA		(3*MAXDNAME + 5*INT32SZ)
+ 
+ 	/* max length of data in a TXT RR segment */
+ #define MAXCHARSTRING 255
+diff -ur src-patched/bin/named/db_sec.c src/bin/named/db_sec.c
+--- src-patched/bin/named/db_sec.c	Mon Jun 18 07:42:57 2001
+++ src/bin/named/db_sec.c	Wed Nov 13 22:11:17 2002
+@@ -479,7 +479,9 @@
+ 	struct sig_record *sigdata;
+ 	struct dnode *sigdn;
+ 	struct databuf *sigdp;
+-	time_t now;
+	u_int32_t now;
+	u_int32_t exptime;
+	u_int32_t signtime;
+ 	char *signer;
+ 	u_char name_n[MAXDNAME];
+ 	u_char *sig, *eom;
+@@ -492,6 +494,7 @@
+ 	int dnssec_failed = 0, dnssec_succeeded = 0;
+ 	int return_value;
+ 	int i;
+	int expired = 0;
+ 
+ 	if (rrset == NULL || rrset->rr_name == NULL) {
+ 		ns_warning (ns_log_default, "verify_set: missing rrset/name");
+@@ -527,11 +530,14 @@
+ 		 * Don't verify a set if the SIG inception time is in
+ 		 * the future.  This should be fixed before 2038 (BEW)
+ 		 */
+-		if ((time_t)ntohl(sigdata->sig_time_n) > now)
+		signtime = ntohl(sigdata->sig_time_n);
+		if (SEQ_GT(signtime, now))
+ 			continue;
+ 
+ 		/* An expired set is dropped, but the data is not. */
+-		if ((time_t)ntohl(sigdata->sig_exp_n) < now) {
+		exptime = ntohl(sigdata->sig_exp_n);
+		if (SEQ_GT(now, exptime)) {
+			expired++;
+ 			db_detach(&sigdn->dp);
+ 			sigdp = NULL;
+ 			continue;
+@@ -723,7 +729,7 @@
+ 	}
+ 
+ end:
+-	if (dnssec_failed > 0)
+	if (dnssec_failed > 0 || expired > 0)
+ 		rrset_trim_sigs(rrset);
+ 	if (trustedkey == 0 && key != NULL)
+ 		dst_free_key(key);
+diff -ur src-patched/bin/named/ns_defs.h src/bin/named/ns_defs.h
+--- src-patched/bin/named/ns_defs.h	Tue Jun 25 20:27:19 2002
+++ src/bin/named/ns_defs.h	Wed Nov 13 22:11:17 2002
+@@ -469,7 +469,7 @@
+ 			q_cmsglen,	/* len of cname message */
+ 			q_cmsgsize;	/* allocated size of cname message */
+ 	int16_t		q_dfd;		/* UDP file descriptor */
+-	int16_t		q_udpsize;	/* UDP message size */
+	u_int16_t	q_udpsize;	/* UDP message size */
+ 	int		q_distance;	/* distance this query is from the
+ 					 * original query that the server
+ 					 * received. */
+diff -ur src-patched/bin/named/ns_ncache.c src/bin/named/ns_ncache.c
+--- src-patched/bin/named/ns_ncache.c	Mon Jun 18 07:43:16 2001
+++ src/bin/named/ns_ncache.c	Wed Nov 13 22:11:17 2002
+@@ -66,7 +66,7 @@
+ 	u_int16_t atype;
+ 	u_char *sp, *cp1;
+ 	u_char data[MAXDATA];
+-	size_t len = sizeof data;
+	u_char *eod = data + sizeof(data);
+ #endif
+ 
+ 	nameserIncr(from.sin_addr, nssRcvdNXD);
+@@ -186,7 +186,7 @@
+ 		rdatap = cp;
+ 
+ 		/* origin */
+-		n = dn_expand(msg, msg + msglen, cp, (char*)data, len);
+		n = dn_expand(msg, msg + msglen, cp, (char*)data, eod - data);
+ 		if (n < 0) {
+ 			ns_debug(ns_log_ncache, 3,
+ 				 "ncache: origin form error");
+@@ -195,9 +195,8 @@
+ 		cp += n;
+ 		n = strlen((char*)data) + 1;
+ 		cp1 = data + n;
+-		len -= n;
+ 		/* mail */
+-		n = dn_expand(msg, msg + msglen, cp, (char*)cp1, len);
+		n = dn_expand(msg, msg + msglen, cp, (char*)cp1, eod - cp1);
+ 		if (n < 0) {
+ 			ns_debug(ns_log_ncache, 3, "ncache: mail form error");
+ 			return;
+@@ -205,20 +204,20 @@
+ 		cp += n;
+ 		n = strlen((char*)cp1) + 1;
+ 		cp1 += n;
+-		len -= n;
+ 		n = 5 * INT32SZ;
+		if (n > (eod - cp1))	/* Can't happen. See MAXDATA. */
+			return;
+ 		BOUNDS_CHECK(cp, n);
+ 		memcpy(cp1, cp, n);
+ 		/* serial, refresh, retry, expire, min */
+ 		cp1 += n;
+-		len -= n;
+ 		cp += n;
+ 		if (cp != rdatap + dlen) {
+ 			ns_debug(ns_log_ncache, 3, "ncache: form error");
+ 			return;
+ 		}
+ 		/* store the zone of the soa record */
+-		n = dn_expand(msg, msg + msglen, sp, (char*)cp1, len);
+		n = dn_expand(msg, msg + msglen, sp, (char*)cp1, eod - cp1);
+ 		if (n < 0) {
+ 			ns_debug(ns_log_ncache, 3, "ncache: form error 2");
+ 			return;
+diff -ur src-patched/bin/named/ns_req.c src/bin/named/ns_req.c
+--- src-patched/bin/named/ns_req.c	Sun May 12 16:41:52 2002
+++ src/bin/named/ns_req.c	Wed Nov 13 22:11:17 2002
+@@ -2195,7 +2195,7 @@
+ 
+ 		/* first just copy over the type_covered, algorithm, */
+ 		/* labels, orig ttl, two timestamps, and the footprint */
+-		if ((dp->d_size - 18) > buflen)
+		if (buflen < 18)
+ 			goto cleanup;  /* out of room! */
+ 		memcpy(cp, cp1, 18);
+ 		cp  += 18;
+diff -ur src-patched/bin/named/ns_resp.c src/bin/named/ns_resp.c
+--- src-patched/bin/named/ns_resp.c	Wed Jun 26 20:09:19 2002
+++ src/bin/named/ns_resp.c	Wed Nov 13 22:11:17 2002
+@@ -2001,7 +2001,7 @@
+ 		 * to BOUNDS_CHECK() here.
+ 		 */
+ 		cp1 += (n = strlen((char *)cp1) + 1);
+-		n1 = sizeof(data) - n;
+		n1 = sizeof(data) - n - INT16SZ;
+ 		n = dn_expand(msg, eom, cp, (char *)cp1, n1);
+ 		if (n < 0) {
+ 			hp->rcode = FORMERR;
+@@ -2043,8 +2043,18 @@
+ 			ttl = origTTL;
+ 		}
+ 
+		/*
+		 * Check that expire and signature times are internally
+		 * consistant.
+		 */
+		if (!SEQ_GT(exptime, signtime) && exptime != signtime) {
+			ns_debug(ns_log_default, 3,
+			"ignoring SIG: signature expires before it was signed");
+			return ((cp - rrp) + dlen);
+		}
+
+ 		/* Don't let bogus signers "sign" in the future.  */
+-		if (signtime > now) {
+		if (SEQ_GT(signtime, now)) {
+ 			ns_debug(ns_log_default, 3,
+ 			  "ignoring SIG: signature date %s is in the future",
+ 				 p_secstodate (signtime));
+@@ -2052,7 +2062,7 @@
+ 		}
+ 		
+ 		/* Ignore received SIG RR's that are already expired.  */
+-		if (exptime <= now) {
+		if (SEQ_GT(now, exptime)) {
+ 			ns_debug(ns_log_default, 3,
+ 				"ignoring SIG: expiration %s is in the past",
+ 				 p_secstodate (exptime));
+diff -ur src-patched/lib/nameser/ns_name.c src/lib/nameser/ns_name.c
+--- src-patched/lib/nameser/ns_name.c	Thu May 23 22:10:40 2002
+++ src/lib/nameser/ns_name.c	Wed Nov 13 22:11:17 2002
+@@ -341,6 +341,10 @@
+ 	dn = dst;
+ 	eom = dst + dstsiz;
+ 
+	if (dn >= eom) {
+		errno = EMSGSIZE;
+		return (-1);
+	}
+ 	while ((n = *cp++) != 0) {
+ 		if ((n & NS_CMPRSFLGS) == NS_CMPRSFLGS) {
+ 			/* Some kind of compression pointer. */
+diff -ur src-patched/lib/nameser/ns_samedomain.c src/lib/nameser/ns_samedomain.c
+--- src-patched/lib/nameser/ns_samedomain.c	Fri Oct 15 14:06:51 1999
+++ src/lib/nameser/ns_samedomain.c	Wed Nov 13 22:11:17 2002
+@@ -166,7 +166,7 @@
+ ns_makecanon(const char *src, char *dst, size_t dstsize) {
+ 	size_t n = strlen(src);
+ 
+-	if (n + sizeof "." > dstsize) {
+	if (n + sizeof "." + 1 > dstsize) {
+ 		errno = EMSGSIZE;
+ 		return (-1);
+ 	}
--- a/net/bind8/files/patch-bind833.diff
+++ b/net/bind8/files/patch-bind833.diff
@ -0,0 +1,234 @@
+diff -ur src-patched/CHANGES src/CHANGES
+--- src-patched/CHANGES	Wed Jun 26 21:25:08 2002
+++ src/CHANGES	Wed Nov 13 22:11:17 2002
+@@ -1,3 +1,23 @@
+1469.	[bug]		buffer length calculation for PX was wrong.
+
+1468.	[bug]		ns_name_ntol() could overwite a zero length buffer.
+
+1467.	[bug]		off by one bug in ns_makecannon().
+
+1466.	[bug]		large ENDS UDP buffer size could trigger a assertion.
+
+1465.	[bug]		possible NULL pointer dereference in db_sec.c
+
+1464.	[bug]      	the buffer used to construct the -ve record was not
+			big enough for all possible SOA records.  use pointer
+			arithmetic to calculate the remaining size in this
+			buffer.
+
+1463.	[bug]		use serial space arithmetic to determine if a SIG is
+			too old, in the future or has internally constistant
+			times.
+
+1462.	[bug]		write buffer overflow in make_rr().
+ 
+ 	--- 8.3.3-REL released --- (Wed Jun 26 21:15:43 PDT 2002)
+ 
+diff -ur src-patched/bin/named/db_defs.h src/bin/named/db_defs.h
+--- src-patched/bin/named/db_defs.h	Fri May 17 18:02:53 2002
+++ src/bin/named/db_defs.h	Wed Nov 13 22:11:17 2002
+@@ -78,7 +78,7 @@
+  */
+ 
+ 	/* max length of data in RR data field */
+-#define MAXDATA		(2*MAXDNAME + 5*INT32SZ)
+#define MAXDATA		(3*MAXDNAME + 5*INT32SZ)
+ 
+ 	/* max length of data in a TXT RR segment */
+ #define MAXCHARSTRING 255
+diff -ur src-patched/bin/named/db_sec.c src/bin/named/db_sec.c
+--- src-patched/bin/named/db_sec.c	Mon Jun 18 07:42:57 2001
+++ src/bin/named/db_sec.c	Wed Nov 13 22:11:17 2002
+@@ -479,7 +479,9 @@
+ 	struct sig_record *sigdata;
+ 	struct dnode *sigdn;
+ 	struct databuf *sigdp;
+-	time_t now;
+	u_int32_t now;
+	u_int32_t exptime;
+	u_int32_t signtime;
+ 	char *signer;
+ 	u_char name_n[MAXDNAME];
+ 	u_char *sig, *eom;
+@@ -492,6 +494,7 @@
+ 	int dnssec_failed = 0, dnssec_succeeded = 0;
+ 	int return_value;
+ 	int i;
+	int expired = 0;
+ 
+ 	if (rrset == NULL || rrset->rr_name == NULL) {
+ 		ns_warning (ns_log_default, "verify_set: missing rrset/name");
+@@ -527,11 +530,14 @@
+ 		 * Don't verify a set if the SIG inception time is in
+ 		 * the future.  This should be fixed before 2038 (BEW)
+ 		 */
+-		if ((time_t)ntohl(sigdata->sig_time_n) > now)
+		signtime = ntohl(sigdata->sig_time_n);
+		if (SEQ_GT(signtime, now))
+ 			continue;
+ 
+ 		/* An expired set is dropped, but the data is not. */
+-		if ((time_t)ntohl(sigdata->sig_exp_n) < now) {
+		exptime = ntohl(sigdata->sig_exp_n);
+		if (SEQ_GT(now, exptime)) {
+			expired++;
+ 			db_detach(&sigdn->dp);
+ 			sigdp = NULL;
+ 			continue;
+@@ -723,7 +729,7 @@
+ 	}
+ 
+ end:
+-	if (dnssec_failed > 0)
+	if (dnssec_failed > 0 || expired > 0)
+ 		rrset_trim_sigs(rrset);
+ 	if (trustedkey == 0 && key != NULL)
+ 		dst_free_key(key);
+diff -ur src-patched/bin/named/ns_defs.h src/bin/named/ns_defs.h
+--- src-patched/bin/named/ns_defs.h	Tue Jun 25 20:27:19 2002
+++ src/bin/named/ns_defs.h	Wed Nov 13 22:11:17 2002
+@@ -469,7 +469,7 @@
+ 			q_cmsglen,	/* len of cname message */
+ 			q_cmsgsize;	/* allocated size of cname message */
+ 	int16_t		q_dfd;		/* UDP file descriptor */
+-	int16_t		q_udpsize;	/* UDP message size */
+	u_int16_t	q_udpsize;	/* UDP message size */
+ 	int		q_distance;	/* distance this query is from the
+ 					 * original query that the server
+ 					 * received. */
+diff -ur src-patched/bin/named/ns_ncache.c src/bin/named/ns_ncache.c
+--- src-patched/bin/named/ns_ncache.c	Mon Jun 18 07:43:16 2001
+++ src/bin/named/ns_ncache.c	Wed Nov 13 22:11:17 2002
+@@ -66,7 +66,7 @@
+ 	u_int16_t atype;
+ 	u_char *sp, *cp1;
+ 	u_char data[MAXDATA];
+-	size_t len = sizeof data;
+	u_char *eod = data + sizeof(data);
+ #endif
+ 
+ 	nameserIncr(from.sin_addr, nssRcvdNXD);
+@@ -186,7 +186,7 @@
+ 		rdatap = cp;
+ 
+ 		/* origin */
+-		n = dn_expand(msg, msg + msglen, cp, (char*)data, len);
+		n = dn_expand(msg, msg + msglen, cp, (char*)data, eod - data);
+ 		if (n < 0) {
+ 			ns_debug(ns_log_ncache, 3,
+ 				 "ncache: origin form error");
+@@ -195,9 +195,8 @@
+ 		cp += n;
+ 		n = strlen((char*)data) + 1;
+ 		cp1 = data + n;
+-		len -= n;
+ 		/* mail */
+-		n = dn_expand(msg, msg + msglen, cp, (char*)cp1, len);
+		n = dn_expand(msg, msg + msglen, cp, (char*)cp1, eod - cp1);
+ 		if (n < 0) {
+ 			ns_debug(ns_log_ncache, 3, "ncache: mail form error");
+ 			return;
+@@ -205,20 +204,20 @@
+ 		cp += n;
+ 		n = strlen((char*)cp1) + 1;
+ 		cp1 += n;
+-		len -= n;
+ 		n = 5 * INT32SZ;
+		if (n > (eod - cp1))	/* Can't happen. See MAXDATA. */
+			return;
+ 		BOUNDS_CHECK(cp, n);
+ 		memcpy(cp1, cp, n);
+ 		/* serial, refresh, retry, expire, min */
+ 		cp1 += n;
+-		len -= n;
+ 		cp += n;
+ 		if (cp != rdatap + dlen) {
+ 			ns_debug(ns_log_ncache, 3, "ncache: form error");
+ 			return;
+ 		}
+ 		/* store the zone of the soa record */
+-		n = dn_expand(msg, msg + msglen, sp, (char*)cp1, len);
+		n = dn_expand(msg, msg + msglen, sp, (char*)cp1, eod - cp1);
+ 		if (n < 0) {
+ 			ns_debug(ns_log_ncache, 3, "ncache: form error 2");
+ 			return;
+diff -ur src-patched/bin/named/ns_req.c src/bin/named/ns_req.c
+--- src-patched/bin/named/ns_req.c	Sun May 12 16:41:52 2002
+++ src/bin/named/ns_req.c	Wed Nov 13 22:11:17 2002
+@@ -2195,7 +2195,7 @@
+ 
+ 		/* first just copy over the type_covered, algorithm, */
+ 		/* labels, orig ttl, two timestamps, and the footprint */
+-		if ((dp->d_size - 18) > buflen)
+		if (buflen < 18)
+ 			goto cleanup;  /* out of room! */
+ 		memcpy(cp, cp1, 18);
+ 		cp  += 18;
+diff -ur src-patched/bin/named/ns_resp.c src/bin/named/ns_resp.c
+--- src-patched/bin/named/ns_resp.c	Wed Jun 26 20:09:19 2002
+++ src/bin/named/ns_resp.c	Wed Nov 13 22:11:17 2002
+@@ -2001,7 +2001,7 @@
+ 		 * to BOUNDS_CHECK() here.
+ 		 */
+ 		cp1 += (n = strlen((char *)cp1) + 1);
+-		n1 = sizeof(data) - n;
+		n1 = sizeof(data) - n - INT16SZ;
+ 		n = dn_expand(msg, eom, cp, (char *)cp1, n1);
+ 		if (n < 0) {
+ 			hp->rcode = FORMERR;
+@@ -2043,8 +2043,18 @@
+ 			ttl = origTTL;
+ 		}
+ 
+		/*
+		 * Check that expire and signature times are internally
+		 * consistant.
+		 */
+		if (!SEQ_GT(exptime, signtime) && exptime != signtime) {
+			ns_debug(ns_log_default, 3,
+			"ignoring SIG: signature expires before it was signed");
+			return ((cp - rrp) + dlen);
+		}
+
+ 		/* Don't let bogus signers "sign" in the future.  */
+-		if (signtime > now) {
+		if (SEQ_GT(signtime, now)) {
+ 			ns_debug(ns_log_default, 3,
+ 			  "ignoring SIG: signature date %s is in the future",
+ 				 p_secstodate (signtime));
+@@ -2052,7 +2062,7 @@
+ 		}
+ 		
+ 		/* Ignore received SIG RR's that are already expired.  */
+-		if (exptime <= now) {
+		if (SEQ_GT(now, exptime)) {
+ 			ns_debug(ns_log_default, 3,
+ 				"ignoring SIG: expiration %s is in the past",
+ 				 p_secstodate (exptime));
+diff -ur src-patched/lib/nameser/ns_name.c src/lib/nameser/ns_name.c
+--- src-patched/lib/nameser/ns_name.c	Thu May 23 22:10:40 2002
+++ src/lib/nameser/ns_name.c	Wed Nov 13 22:11:17 2002
+@@ -341,6 +341,10 @@
+ 	dn = dst;
+ 	eom = dst + dstsiz;
+ 
+	if (dn >= eom) {
+		errno = EMSGSIZE;
+		return (-1);
+	}
+ 	while ((n = *cp++) != 0) {
+ 		if ((n & NS_CMPRSFLGS) == NS_CMPRSFLGS) {
+ 			/* Some kind of compression pointer. */
+diff -ur src-patched/lib/nameser/ns_samedomain.c src/lib/nameser/ns_samedomain.c
+--- src-patched/lib/nameser/ns_samedomain.c	Fri Oct 15 14:06:51 1999
+++ src/lib/nameser/ns_samedomain.c	Wed Nov 13 22:11:17 2002
+@@ -166,7 +166,7 @@
+ ns_makecanon(const char *src, char *dst, size_t dstsize) {
+ 	size_t n = strlen(src);
+ 
+-	if (n + sizeof "." > dstsize) {
+	if (n + sizeof "." + 1 > dstsize) {
+ 		errno = EMSGSIZE;
+ 		return (-1);
+ 	}