Update to 8.2.2-P7, which fixes the recent ZXFR DoS.

2000-11-11 13:22:23 +00:00 · 2000-11-11 13:22:23 +00:00 · a1a737aba6
commit a1a737aba6
parent d4eb473bfa
2 changed files with 362 additions and 2 deletions
--- a/net/bind8/Makefile
+++ b/net/bind8/Makefile
@ -1,7 +1,7 @@
-# $OpenBSD: Makefile,v 1.19 2000/10/22 14:03:33 espie Exp $
+# $OpenBSD: Makefile,v 1.20 2000/11/11 13:22:23 ho Exp $

 DISTNAME=	bind-openbsd-8.2.2-P6-19991217
-PKGNAME=	bind-8.2.2-P6
+PKGNAME=	bind-8.2.2-P7
 CATEGORIES=	net
 NEED_VERSION=	1.317
 MASTER_SITES=	ftp://ftp.gsnig.org/pub/openbsd-bind/ \
--- a/net/bind8/patches/patch-822-P7
+++ b/net/bind8/patches/patch-822-P7
@ -0,0 +1,360 @@
+--- Version	1999/12/06 21:52:47	1.7
+++ Version	2000/11/11 12:38:26
+@@ -1 +1 @@
+-8.2.2-P6
+8.2.2-P7
+--- include/arpa/nameser.h	1999/10/17 17:52:23	1.9
+++ include/arpa/nameser.h	2000/11/11 12:38:27
+@@ -51,7 +51,7 @@
+  */
+ 
+ /*
+- *	$ISC: nameser.h,v 8.36 1999/10/15 19:49:08 vixie Exp $
+ *	$ISC: nameser.h,v 8.36.2.1 2000/11/09 23:15:31 vixie Exp $
+  */
+ 
+ #ifndef _ARPA_NAMESER_H_
+@@ -493,6 +493,7 @@
+ #define	ns_name_compress	__ns_name_compress
+ #define	ns_name_uncompress	__ns_name_uncompress
+ #define	ns_name_skip		__ns_name_skip
+#define	ns_name_rollback	__ns_name_rollback
+ #define	ns_sign			__ns_sign
+ #define	ns_sign_tcp		__ns_sign_tcp
+ #define	ns_sign_tcp_init	__ns_sign_tcp_init
+@@ -534,6 +535,8 @@
+ int		ns_name_compress __P((const char *, u_char *, size_t,
+ 				      const u_char **, const u_char **));
+ int		ns_name_skip __P((const u_char **, const u_char *));
+void		ns_name_rollback __P((const u_char *, const u_char **, 
+				      const u_char **));
+ int		ns_sign __P((u_char *, int *, int, int, void *,
+ 			     const u_char *, int, u_char *, int *, time_t));
+ int		ns_sign_tcp __P((u_char *, int *, int, int,
+--- libbind/nameser/ns_name.c	1999/10/13 23:14:00	1.7
+++ libbind/nameser/ns_name.c	2000/11/11 12:38:27
+@@ -18,7 +18,7 @@
+  */
+ 
+ #ifndef lint
+-static const char rcsid[] = "$ISC: ns_name.c,v 8.12 1999/10/13 17:11:23 vixie Exp $";
+static const char rcsid[] = "$ISC: ns_name.c,v 8.12.2.1 2000/11/09 23:15:32 vixie Exp $";
+ #endif
+ 
+ #include "port_before.h"
+@@ -502,6 +502,23 @@
+ 	if (ns_name_pton(src, tmp, sizeof tmp) == -1)
+ 		return (-1);
+ 	return (ns_name_pack(tmp, dst, dstsiz, dnptrs, lastdnptr));
+}
+
+/*
+ * Reset dnptrs so that there are no active references to pointers at or
+ * after src.
+ */
+void
+ns_name_rollback(const u_char *src, const u_char **dnptrs, 
+		 const u_char **lastdnptr)
+{
+	while (dnptrs < lastdnptr && *dnptrs != NULL) {
+		if (*dnptrs >= src) {
+			*dnptrs = NULL;
+			break;
+		}
+		dnptrs++;
+	}
+ }
+ 
+ /*
+--- named/ns_ctl.c	1999/10/13 23:14:05	1.14
+++ named/ns_ctl.c	2000/11/11 12:38:28
+@@ -1,6 +1,6 @@
+ /* $OpenBSD: patch-822-P7,v 1.1 2000/11/11 13:22:24 ho Exp $ */
+ #if !defined(lint) && !defined(SABER)
+-static const char rcsid[] = "$ISC: ns_ctl.c,v 8.28 1999/10/13 16:39:04 vixie Exp $";
+static const char rcsid[] = "$ISC: ns_ctl.c,v 8.28.2.1 2000/11/09 23:15:28 vixie Exp $";
+ #endif /* not lint */
+ 
+ /*
+@@ -246,6 +246,7 @@
+ 	/* Add any new controls which were found. */
+ 	for (ctl = HEAD(*new); ctl != NULL; ctl = next) {
+ 		next = NEXT(ctl, link);
+		UNLINK(*new, ctl, link);
+ 		APPEND(server_controls, ctl, link);
+ 		install(ctl);
+ 		if (ctl->sctx == NULL)
+--- named/ns_defs.h	1999/10/10 22:51:52	1.12
+++ named/ns_defs.h	2000/11/11 12:38:28
+@@ -1,7 +1,7 @@
+ /* $OpenBSD: patch-822-P7,v 1.1 2000/11/11 13:22:24 ho Exp $ */
+ /*
+  *	from ns.h	4.33 (Berkeley) 8/23/90
+- *	$ISC: ns_defs.h,v 8.89 1999/10/07 08:24:08 vixie Exp $
+ *	$ISC: ns_defs.h,v 8.89.2.1 2000/11/09 04:01:21 marka Exp $
+  */
+ 
+ /*
+@@ -603,7 +603,7 @@
+ #define STREAM_CONNECT_EV	0x08
+ #define STREAM_DONE_CLOSE	0x10
+ #define STREAM_AXFR		0x20
+-#define STREAM_AXFRIXFR		0x22
+#define STREAM_AXFRIXFR		0x40
+ 
+ #define ALLOW_NETS	0x0001
+ #define	ALLOW_HOSTS	0x0002
+--- named/ns_req.c	1999/10/17 17:52:28	1.17
+++ named/ns_req.c	2000/11/11 12:38:29
+@@ -1,7 +1,7 @@
+ /* $OpenBSD: patch-822-P7,v 1.1 2000/11/11 13:22:24 ho Exp $ */
+ #if !defined(lint) && !defined(SABER)
+ static const char sccsid[] = "@(#)ns_req.c	4.47 (Berkeley) 7/1/91";
+-static const char rcsid[] = "$ISC: ns_req.c,v 8.104 1999/10/15 19:49:04 vixie Exp $";
+static const char rcsid[] = "$ISC: ns_req.c,v 8.104.2.2 2000/11/09 23:15:29 vixie Exp $";
+ #endif /* not lint */
+ 
+ /*
+@@ -1115,7 +1115,7 @@
+ 		if (qsp == NULL)
+ 			return (Finish);
+ 		else {
+-			if (!ixfr_found) {
+			if (!ixfr_found && type == ns_t_ixfr) {
+ 				qsp->flags |= STREAM_AXFRIXFR;
+ 				hp->qdcount = htons(1);
+ 			}
+@@ -1593,11 +1593,11 @@
+ 	}
+ #endif
+ 	if ((n = dn_comp(name, buf, buflen, comp_ptrs, edp)) < 0)
+-		return (-1);
+		goto cleanup;
+ 	cp = buf + n;
+ 	buflen -= n;
+ 	if (buflen < 0)
+-		return (-1);
+		goto cleanup;
+ 	PUTSHORT((u_int16_t)type, cp);
+ 	PUTSHORT((u_int16_t)dp->d_class, cp);
+ 	PUTLONG(ttl, cp);
+@@ -1610,7 +1610,7 @@
+ 	case T_PTR:
+ 		n = dn_comp((char *)dp->d_data, cp, buflen, comp_ptrs, edp);
+ 		if (n < 0)
+-			return (-1);
+			goto cleanup;
+ 		PUTSHORT((u_int16_t)n, sp);
+ 		cp += n;
+ 		break;
+@@ -1620,7 +1620,7 @@
+ 		/* Store domain name in answer */
+ 		n = dn_comp((char *)dp->d_data, cp, buflen, comp_ptrs, edp);
+ 		if (n < 0)
+-			return (-1);
+			goto cleanup;
+ 		PUTSHORT((u_int16_t)n, sp);
+ 		cp += n;
+ 		if (doadd) {
+@@ -1636,15 +1636,15 @@
+ 		cp1 = dp->d_data;
+ 		n = dn_comp((char *)cp1, cp, buflen, comp_ptrs, edp);
+ 		if (n < 0)
+-			return (-1);
+			goto cleanup;
+ 		cp += n;
+ 		buflen -= type == T_SOA ? n + 5 * INT32SZ : n;
+ 		if (buflen < 0)
+-			return (-1);
+			goto cleanup;
+ 		cp1 += strlen((char *)cp1) + 1;
+ 		n = dn_comp((char *)cp1, cp, buflen, comp_ptrs, edp);
+ 		if (n < 0)
+-			return (-1);
+			goto cleanup;
+ 		cp += n;
+ 		if (type == T_SOA) {
+ 			cp1 += strlen((char *)cp1) + 1;
+@@ -1672,7 +1672,7 @@
+  		/* copy order */
+ 		buflen -= INT16SZ;
+ 		if (buflen < 0)
+-			return (-1);
+			goto cleanup;
+  		memcpy(cp, cp1, INT16SZ);
+  		cp += INT16SZ;
+  		cp1 += INT16SZ;
+@@ -1682,7 +1682,7 @@
+ 		/* copy preference */
+ 		buflen -= INT16SZ;
+ 		if (buflen < 0)
+-			return (-1);
+			goto cleanup;
+ 		memcpy(cp, cp1, INT16SZ);
+ 		cp += INT16SZ;
+ 		cp1 += INT16SZ;
+@@ -1694,7 +1694,7 @@
+ 		ns_debug(ns_log_default, 1, "size of n at flags = %d", n);
+ 		buflen -= n + 1;
+ 		if (buflen < 0)
+-			return (-1);
+			goto cleanup;
+ 		*cp++ = n;
+ 		memcpy(cp, cp1, n);
+ 		cp += n;
+@@ -1706,7 +1706,7 @@
+ 		n = *cp1++;
+ 		buflen -= n + 1;
+ 		if (buflen < 0)
+-			return (-1);
+			goto cleanup;
+ 		*cp++ = n;
+ 		memcpy(cp, cp1, n);
+ 		cp += n;
+@@ -1718,7 +1718,7 @@
+ 		n = *cp1++;
+ 		buflen -= n + 1;
+ 		if (buflen < 0)
+-			return (-1);
+			goto cleanup;
+ 		*cp++ = n;
+ 		memcpy(cp, cp1, n);
+ 		cp += n;
+@@ -1731,7 +1731,7 @@
+ 		n = dn_comp((char *)cp1, cp, buflen, dnptrs, edp);
+ 		ns_debug(ns_log_default, 1, "dn_comp's n = %u", n);
+ 		if (n < 0)
+-			return (-1);
+			goto cleanup;
+ 		cp += n;
+ 
+ 		/* save data length */
+@@ -1749,7 +1749,7 @@
+ 		cp1 = dp->d_data;
+ 
+  		if ((buflen -= INT16SZ) < 0)
+-			return (-1);
+			goto cleanup;
+ 
+  		/* copy preference */
+  		memcpy(cp, cp1, INT16SZ);
+@@ -1759,7 +1759,7 @@
+ 		if (type == T_SRV) {
+ 			buflen -= INT16SZ*2;
+ 			if (buflen < 0)
+-				return (-1);
+				goto cleanup;
+ 			memcpy(cp, cp1, INT16SZ*2);
+ 			cp += INT16SZ*2;
+ 			cp1 += INT16SZ*2;
+@@ -1769,7 +1769,7 @@
+ 			    (type == ns_t_mx) ? comp_ptrs : NULL,
+ 			    (type == ns_t_mx) ? edp : NULL);
+ 		if (n < 0)
+-			return (-1);
+			goto cleanup;
+ 		cp += n;
+ 
+ 		/* save data length */
+@@ -1783,7 +1783,7 @@
+ 		cp1 = dp->d_data;
+ 
+ 		if ((buflen -= INT16SZ) < 0)
+-			return (-1);
+			goto cleanup;
+ 
+ 		/* copy preference */
+ 		memcpy(cp, cp1, INT16SZ);
+@@ -1792,13 +1792,13 @@
+ 
+ 		n = dn_comp((char *)cp1, cp, buflen, comp_ptrs, edp);
+ 		if (n < 0)
+-			return (-1);
+			goto cleanup;
+ 		cp += n;
+ 		buflen -= n;
+ 		cp1 += strlen((char *)cp1) + 1;
+ 		n = dn_comp((char *)cp1, cp, buflen, comp_ptrs, edp);
+ 		if (n < 0)
+-			return (-1);
+			goto cleanup;
+ 		cp += n;
+ 
+ 		/* save data length */
+@@ -1813,7 +1813,7 @@
+ 		/* first just copy over the type_covered, algorithm, */
+ 		/* labels, orig ttl, two timestamps, and the footprint */
+ 		if ((dp->d_size - 18) > buflen)
+-			return (-1);  /* out of room! */
+			goto cleanup;  /* out of room! */
+ 		memcpy(cp, cp1, 18);
+ 		cp  += 18;
+ 		cp1 += 18;
+@@ -1822,7 +1822,7 @@
+ 		/* then the signer's name */
+ 		n = dn_comp((char *)cp1, cp, buflen, NULL, NULL);
+ 		if (n < 0)
+-			return (-1);
+			goto cleanup;
+ 		cp += n;
+ 		buflen -= n;
+ 		cp1 += strlen((char*)cp1)+1;
+@@ -1830,7 +1830,7 @@
+ 		/* finally, we copy over the variable-length signature */
+ 		n = dp->d_size - (u_int16_t)((cp1 - dp->d_data));
+ 		if (n > buflen)
+-			return (-1);  /* out of room! */
+			goto cleanup;  /* out of room! */
+ 		memcpy(cp, cp1, n);
+ 		cp += n;
+ 		
+@@ -1843,7 +1843,7 @@
+ 		cp1 = dp->d_data;
+ 		n = dn_comp((char *)cp1, cp, buflen, NULL, NULL);
+ 		if (n < 0)
+-			return (-1);
+			goto cleanup;
+ 
+ 		cp += n;
+ 		buflen -=n;
+@@ -1852,7 +1852,7 @@
+ 		/* copy nxt bit map */
+ 		n = dp->d_size - (u_int16_t)((cp1 - dp->d_data));
+ 		if (n > buflen)
+-			return (-1);  /* out of room! */
+			goto cleanup;  /* out of room! */
+ 		memcpy(cp, cp1, n);
+ 		cp += n;
+ 		buflen -= n;
+@@ -1866,12 +1866,18 @@
+ 		if ((type == T_A || type == T_AAAA) && doadd)
+ 			addname(name, name, type, T_KEY, dp->d_class);
+ 		if (dp->d_size > buflen)
+-			return (-1);
+			goto cleanup;
+ 		memcpy(cp, dp->d_data, dp->d_size);
+ 		PUTSHORT((u_int16_t)dp->d_size, sp);
+ 		cp += dp->d_size;
+ 	}
+ 	return (cp - buf);
+
+cleanup:
+	/* Rollback RR. */
+	ns_name_rollback(buf, (const u_char **)comp_ptrs, 
+			 (const u_char **)edp);
+	return (-1);
+ }
+ 
+ static void
+@@ -1995,6 +2001,10 @@
+ 				ns_debug(ns_log_default, 5,
+ 			  "addinfo: not enough room, remaining msglen = %d",
+ 					 save_msglen);
+				/* Rollback RRset. */
+				ns_name_rollback(save_cp, 
+						 (const u_char **)dnptrs, 
+						 (const u_char **)dnptrs_end);
+ 				cp = save_cp;
+ 				msglen = save_msglen;
+ 				count = save_count;
+