Commit 5e7f1a8d authored by Evan Hunt's avatar Evan Hunt

Merge 'keytag-memleak' into security-master

parents 41a85186 747035dc
......@@ -184,7 +184,8 @@
5111. [bug] Occluded DNSKEY records could make it into the
delegating NSEC/NSEC3 bitmap. [GL #742]
 
5110. [placeholder]
5110. [security] Named leaked memory if there were multiple Key Tag
EDNS options present. (CVE-2018-5744) [GL #772]
 
5109. [cleanup] Remove support for RSAMD5 algorithm. [GL #628]
 
......
......@@ -247,7 +247,7 @@ zsk=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
cat "$infile" "$ksk.key" "$zsk.key" unsupported-algorithm.key > "$zonefile"
# "$SIGNER" -P -3 - -o "$zone" -f ${zonefile}.signed "$zonefile" > /dev/null 2>&1
"$SIGNER" -P -3 - -o "$zone" -f ${zonefile}.signed "$zonefile"
"$SIGNER" -P -3 - -o "$zone" -f ${zonefile}.signed "$zonefile" > /dev/null 2>&1
#
# A zone with a unknown DNSKEY algorithm + unknown NSEC3 hash algorithm (-U).
......
......@@ -3593,12 +3593,23 @@ status=$((status+ret))
echo_i "check that KEY-TAG trust-anchor-telemetry queries are logged ($n)"
ret=0
dig_with_opts . dnskey +ednsopt=KEY-TAG:ffff @10.53.0.1 > dig.out.ns4.test$n || ret=1
dig_with_opts . dnskey +ednsopt=KEY-TAG:ffff @10.53.0.1 > dig.out.ns1.test$n || ret=1
grep "trust-anchor-telemetry './IN' from .* 65535" ns1/named.run > /dev/null || ret=1
n=$((n+1))
test "$ret" -eq 0 || echo_i "failed"
status=$((status+ret))
echo_i "check that multiple KEY-TAG trust-anchor-telemetry options don't leak memory ($n)"
ret=0
dig_with_opts . dnskey +ednsopt=KEY-TAG:fffe +ednsopt=KEY-TAG:fffd @10.53.0.1 > dig.out.ns1.test$n || ret=1
grep "trust-anchor-telemetry './IN' from .* 65534" ns1/named.run > /dev/null || ret=1
grep "trust-anchor-telemetry './IN' from .* 65533" ns1/named.run > /dev/null && ret=1
$PERL $SYSTEMTESTTOP/stop.pl dnssec ns1 || ret=1
$PERL $SYSTEMTESTTOP/start.pl --noclean --restart --port ${PORT} dnssec ns1 || ret=1
n=$(($n+1))
test "$ret" -eq 0 || echo_i "failed"
status=$((status+ret))
echo_i "check that the view is logged in messages from the validator when using views ($n)"
ret=0
grep "view rec: *validat" ns4/named.run > /dev/null || ret=1
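Review bot: The new multiple-KEY-TAG check never states how a leak would be detected: nothing in it inspects memory, so it appears to rest on `stop.pl` returning non-zero when named exits uncleanly with memory still outstanding. A comment above the stop/start pair would make that dependency explicit, for example `# a leaked keytag buffer makes named fail its shutdown memory check, so stop.pl fails`. The counter line `n=$(($n+1))` also differs from the `n=$((n+1))` form used by the preceding test in the same hunk and should match it. The test moves on immediately after `start.pl`; whether later checks against ns1 need a readiness wait cannot be judged from this hunk.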
......
......@@ -148,6 +148,15 @@
by BIND 9. This flaw is disclosed in CVE-2018-5745. [GL #780]
</para>
</listitem>
<listitem>
<para>
<command>named</command> leaked memory when processing a
request with multiple Key Tag EDNS options present. ISC
would like to thank Toshifumi Sakaguchi for bringing this
to our attention. This flaw is disclosed in CVE-2018-5744.
[GL #772]
</para>
</listitem>
</itemizedlist>
</section>
......
......@@ -2079,6 +2079,12 @@ process_keytag(ns_client_t *client, isc_buffer_t *buf, size_t optlen) {
return (DNS_R_OPTERR);
}
/* Silently drop additional keytag options. */
if (client->keytag != NULL) {
isc_buffer_forward(buf, (unsigned int)optlen);
return (ISC_R_SUCCESS);
}
client->keytag = isc_mem_get(client->mctx, optlen);
if (client->keytag != NULL) {
client->keytag_len = (uint16_t)optlen;
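Review bot: The added comment in process_keytag says that additional options are dropped but not why, and the reason is the security fix itself: without the guard a second Key Tag option would presumably overwrite `client->keytag` and leave the first allocation unreferenced. I would expand it to something like `/* Keep only the first Key Tag option; storing another would overwrite client->keytag and leak it (CVE-2018-5744). */`. The guard also assumes `client->keytag` is set back to NULL wherever the buffer is released between requests; that code is outside the hunk and worth confirming, because a stale non-NULL pointer would cause every later Key Tag option on that client to be skipped. process_keytag begins and ends outside the hunk.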
......