4285. [security] Specific APL data could trigger a INSIST.

(CVE-2015-8704) [RT #41396]

4285. [security] Specific APL data could trigger a INSIST.
(CVE-2015-8704) [RT #41396]
1b3d2118 · Mark Andrews · 7321d8df · 1b3d2118 · 1b3d2118 · 1b3d2118
Commit 1b3d2118 authored Dec 31, 2015 by Mark Andrews
Hide whitespace changes
Inline Side-by-side

Showing with 11 additions and 2 deletions

CHANGES CHANGES +3 -0

doc/arm/notes.xml doc/arm/notes.xml +6 -0

lib/dns/rdata/in_1/apl_42.c lib/dns/rdata/in_1/apl_42.c +2 -2

No files found.
--- a/CHANGES
+++ b/CHANGES
+4285.	[security]	Specific APL data could trigger a INSIST.
+			(CVE-2015-8704) [RT #41396]
+
 4284.	[bug]		Some GeoIP options were incorrectly documented
 			using abbreviated forms which were not accepted by
 			named.  The code has been updated to allow both

--- a/doc/arm/notes.xml
+++ b/doc/arm/notes.xml
@@ -153,6 +153,12 @@
 	  <command>named</command> to allow access to unintended clients.
 	</para>
      </listitem>
+      <listitem>
+	<para>
+	  Specfic APL data could trigger a INSIST.  This flaw was discovered
+	  by Brian Mitchell and is disclosed in CVE-2015-8704. [RT #41396].
+	</para>
+      </listitem>
    </itemizedlist>
  </section>
  <section xml:id="relnotes_features"><info><title>New Features</title></info>

--- a/lib/dns/rdata/in_1/apl_42.c
+++ b/lib/dns/rdata/in_1/apl_42.c
@@ -116,7 +116,7 @@ totext_in_apl(ARGS_TOTEXT) {
 	isc_uint8_t len;
 	isc_boolean_t neg;
 	unsigned char buf[16];
-	char txt[sizeof(" !64000")];
+	char txt[sizeof(" !64000:")];
 	const char *sep = "";
 	int n;

@@ -140,7 +140,7 @@ totext_in_apl(ARGS_TOTEXT) {
 		isc_region_consume(&sr, 1);
 		INSIST(len <= sr.length);
 		n = snprintf(txt, sizeof(txt), "%s%s%u:", sep,
-			     neg ? "!": "", afi);
+			     neg ? "!" : "", afi);
 		INSIST(n < (int)sizeof(txt));
 		RETERR(str_totext(txt, target));
 		switch (afi) {