Commit 5e7f1a8d authored by Evan Hunt's avatar Evan Hunt

Merge 'keytag-memleak' into security-master

parents 41a85186 747035dc
...@@ -184,7 +184,8 @@ ...@@ -184,7 +184,8 @@
5111. [bug] Occluded DNSKEY records could make it into the 5111. [bug] Occluded DNSKEY records could make it into the
delegating NSEC/NSEC3 bitmap. [GL #742] delegating NSEC/NSEC3 bitmap. [GL #742]
   
5110. [placeholder] 5110. [security] Named leaked memory if there were multiple Key Tag
EDNS options present. (CVE-2018-5744) [GL #772]
   
5109. [cleanup] Remove support for RSAMD5 algorithm. [GL #628] 5109. [cleanup] Remove support for RSAMD5 algorithm. [GL #628]
   
......
...@@ -247,7 +247,7 @@ zsk=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone") ...@@ -247,7 +247,7 @@ zsk=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
cat "$infile" "$ksk.key" "$zsk.key" unsupported-algorithm.key > "$zonefile" cat "$infile" "$ksk.key" "$zsk.key" unsupported-algorithm.key > "$zonefile"
# "$SIGNER" -P -3 - -o "$zone" -f ${zonefile}.signed "$zonefile" > /dev/null 2>&1 # "$SIGNER" -P -3 - -o "$zone" -f ${zonefile}.signed "$zonefile" > /dev/null 2>&1
"$SIGNER" -P -3 - -o "$zone" -f ${zonefile}.signed "$zonefile" "$SIGNER" -P -3 - -o "$zone" -f ${zonefile}.signed "$zonefile" > /dev/null 2>&1
# #
# A zone with a unknown DNSKEY algorithm + unknown NSEC3 hash algorithm (-U). # A zone with a unknown DNSKEY algorithm + unknown NSEC3 hash algorithm (-U).
......
...@@ -3593,12 +3593,23 @@ status=$((status+ret)) ...@@ -3593,12 +3593,23 @@ status=$((status+ret))
echo_i "check that KEY-TAG trust-anchor-telemetry queries are logged ($n)" echo_i "check that KEY-TAG trust-anchor-telemetry queries are logged ($n)"
ret=0 ret=0
dig_with_opts . dnskey +ednsopt=KEY-TAG:ffff @10.53.0.1 > dig.out.ns4.test$n || ret=1 dig_with_opts . dnskey +ednsopt=KEY-TAG:ffff @10.53.0.1 > dig.out.ns1.test$n || ret=1
grep "trust-anchor-telemetry './IN' from .* 65535" ns1/named.run > /dev/null || ret=1 grep "trust-anchor-telemetry './IN' from .* 65535" ns1/named.run > /dev/null || ret=1
n=$((n+1)) n=$((n+1))
test "$ret" -eq 0 || echo_i "failed" test "$ret" -eq 0 || echo_i "failed"
status=$((status+ret)) status=$((status+ret))
echo_i "check that multiple KEY-TAG trust-anchor-telemetry options don't leak memory ($n)"
ret=0
dig_with_opts . dnskey +ednsopt=KEY-TAG:fffe +ednsopt=KEY-TAG:fffd @10.53.0.1 > dig.out.ns1.test$n || ret=1
grep "trust-anchor-telemetry './IN' from .* 65534" ns1/named.run > /dev/null || ret=1
grep "trust-anchor-telemetry './IN' from .* 65533" ns1/named.run > /dev/null && ret=1
$PERL $SYSTEMTESTTOP/stop.pl dnssec ns1 || ret=1
$PERL $SYSTEMTESTTOP/start.pl --noclean --restart --port ${PORT} dnssec ns1 || ret=1
n=$(($n+1))
test "$ret" -eq 0 || echo_i "failed"
status=$((status+ret))
echo_i "check that the view is logged in messages from the validator when using views ($n)" echo_i "check that the view is logged in messages from the validator when using views ($n)"
ret=0 ret=0
grep "view rec: *validat" ns4/named.run > /dev/null || ret=1 grep "view rec: *validat" ns4/named.run > /dev/null || ret=1
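Review bot: The `stop.pl`/`start.pl` pair in the new multiple-KEY-TAG test has no comment saying why ns1 is restarted, so its link to the leak check is easy to miss. Presumably the leak only surfaces when named exits and `stop.pl` reports the failed shutdown; if so, say it, for example `# restart ns1: a leaked keytag buffer is only reported at shutdown`. The negative `grep` for 65533 matches anywhere in `ns1/named.run`, so it would also trip if an earlier test ever logged that tag. The counter is written `n=$(($n+1))` where the surrounding tests use `n=$((n+1))`.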
......
...@@ -148,6 +148,15 @@ ...@@ -148,6 +148,15 @@
by BIND 9. This flaw is disclosed in CVE-2018-5745. [GL #780] by BIND 9. This flaw is disclosed in CVE-2018-5745. [GL #780]
</para> </para>
</listitem> </listitem>
<listitem>
<para>
<command>named</command> leaked memory when processing a
request with multiple Key Tag EDNS options present. ISC
would like to thank Toshifumi Sakaguchi for bringing this
to our attention. This flaw is disclosed in CVE-2018-5744.
[GL #772]
</para>
</listitem>
</itemizedlist> </itemizedlist>
</section> </section>
......
...@@ -2079,6 +2079,12 @@ process_keytag(ns_client_t *client, isc_buffer_t *buf, size_t optlen) { ...@@ -2079,6 +2079,12 @@ process_keytag(ns_client_t *client, isc_buffer_t *buf, size_t optlen) {
return (DNS_R_OPTERR); return (DNS_R_OPTERR);
} }
/* Silently drop additional keytag options. */
if (client->keytag != NULL) {
isc_buffer_forward(buf, (unsigned int)optlen);
return (ISC_R_SUCCESS);
}
client->keytag = isc_mem_get(client->mctx, optlen); client->keytag = isc_mem_get(client->mctx, optlen);
if (client->keytag != NULL) { if (client->keytag != NULL) {
client->keytag_len = (uint16_t)optlen; client->keytag_len = (uint16_t)optlen;
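Review bot: The new early return in `process_keytag` is only correct if `client->keytag` is freed and reset to NULL once per request, and that reset is not visible in this hunk. If a reused client object ever kept a stale pointer, every later Key Tag option would be skipped without any log entry, so the reset path is worth confirming. The comment should also record why the option is dropped, for example `/* Silently drop additional keytag options: allocating again would overwrite client->keytag and leak the first buffer (CVE-2018-5744). */`. Since only the first option is logged, consider a debug-level message when a duplicate is discarded so operators can spot clients sending repeated options. The function body starts and ends outside the hunk.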
......