3321. [security] dns_rdataslab_fromrdataset could produce bad

                        rdataslabs. [RT #29644]

bin/tests/system/unknown/clean.sh

@@ -19,3 +19,6 @@
 
 rm -f dig.out
 rm -f */named.memstats
+rm -f */*.bk
+rm -f */*.bk.*
+rm -f ns3/Kexample.*

bin/tests/system/unknown/ns1/example-in.db

@@ -41,6 +41,10 @@ a12		IN	A	\# 4 0A000001
 
 null		IN	NULL	\# 1 00
 empty		IN	NULL	\# 0
+empty		IN	TYPE124	\# 0
+
+emptyplus	IN	TYPE125 \# 0
+emptyplus	IN	TYPE125 \# 1 11
 
 txt1		IN	TXT	"hello"
 txt2		CLASS1	TXT	"hello"
@@ -53,3 +57,4 @@ txt7		IN	TXT	\# 6 0568656C6C6F
 unk1			TYPE123	\# 1 00
 unk2		CLASS1	TYPE123	\# 1 00
 unk3		IN	TYPE123	\# 1 00
+$INCLUDE large.db

bin/tests/system/unknown/ns2/named.conf

+/*
+ * Copyright (C) 2004, 2007  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2000, 2001  Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: named.conf,v 1.11 2007/06/19 23:47:06 tbox Exp $ */
+
+controls { /* empty */ };
+
+options {
+	query-source address 10.53.0.2;
+	notify-source 10.53.0.2;
+	transfer-source 10.53.0.2;
+	port 5300;
+	pid-file "named.pid";
+	listen-on { 10.53.0.2; };
+	listen-on-v6 { none; };
+	recursion no;
+	notify no;
+};
+
+view "in" {
+	zone "example." {
+		type slave;
+		masters { 10.53.0.1; };
+		file "example-in.bk";
+	};
+};

bin/tests/system/unknown/ns3/named.conf

+/*
+ * Copyright (C) 2004, 2007  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2000, 2001  Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: named.conf,v 1.11 2007/06/19 23:47:06 tbox Exp $ */
+
+controls { /* empty */ };
+
+options {
+	query-source address 10.53.0.3;
+	notify-source 10.53.0.3;
+	transfer-source 10.53.0.3;
+	port 5300;
+	pid-file "named.pid";
+	listen-on { 10.53.0.3; };
+	listen-on-v6 { none; };
+	recursion no;
+	notify no;
+};
+
+view "in" {
+	zone "example." {
+		type slave;
+		masters { 10.53.0.1; };
+		inline-signing yes;
+		auto-dnssec maintain;
+		file "example-in.bk";
+	};
+};

bin/tests/system/unknown/ns3/sign.sh

+#!/bin/sh -e
+#
+# Copyright (C) 2011, 2012  Internet Systems Consortium, Inc. ("ISC")
+#
+# Permission to use, copy, modify, and/or distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+# AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+# PERFORMANCE OF THIS SOFTWARE.
+
+# $Id: sign.sh,v 1.8 2012/02/23 06:53:15 marka Exp $
+
+SYSTEMTESTTOP=../..
+. $SYSTEMTESTTOP/conf.sh
+
+RANDFILE=../random.data
+
+zone=example
+rm -f K${zone}.+*+*.key
+rm -f K${zone}.+*+*.private
+keyname=`$KEYGEN -q -r $RANDFILE -a RSASHA1 -b 768 -n zone $zone`
+keyname=`$KEYGEN -q -r $RANDFILE -a RSASHA1 -b 1024 -n zone -f KSK $zone`

bin/tests/system/unknown/setup.sh

+# Copyright (C) 2011, 2012  Internet Systems Consortium, Inc. ("ISC")
+#
+# Permission to use, copy, modify, and/or distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+# AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+# PERFORMANCE OF THIS SOFTWARE.
+
+# $Id: setup.sh,v 1.11 2012/02/23 06:53:15 marka Exp $
+
+sh clean.sh
+
+../../../tools/genrandom 400 random.data
+
+(cd ns3; sh -e sign.sh)

bin/tests/system/unknown/tests.sh

@@ -22,13 +22,13 @@ SYSTEMTESTTOP=..
 
 status=0
 
-DIGOPTS="@10.53.0.1 -p 5300"
+DIGOPTS="-p 5300"
 
 echo "I:querying for various representations of an IN A record"
 for i in 1 2 3 4 5 6 7 8 9 10 11 12
 do
 	ret=0
-	$DIG +short $DIGOPTS a$i.example a in > dig.out || ret=1
+	$DIG +short $DIGOPTS @10.53.0.1 a$i.example a in > dig.out || ret=1
 	echo 10.0.0.1 | diff - dig.out || ret=1
 	if [ $ret != 0 ]
 	then
@@ -41,7 +41,7 @@ echo "I:querying for various representations of an IN TXT record"
 for i in 1 2 3 4 5 6 7
 do
 	ret=0
-	$DIG +short $DIGOPTS txt$i.example txt in > dig.out || ret=1
+	$DIG +short $DIGOPTS @10.53.0.1 txt$i.example txt in > dig.out || ret=1
 	echo '"hello"' | diff - dig.out || ret=1
 	if [ $ret != 0 ]
 	then
@@ -54,7 +54,7 @@ echo "I:querying for various representations of an IN TYPE123 record"
 for i in 1 2 3
 do
 	ret=0
-	$DIG +short $DIGOPTS unk$i.example type123 in > dig.out || ret=1
+	$DIG +short $DIGOPTS @10.53.0.1 unk$i.example type123 in > dig.out || ret=1
 	echo '\# 1 00' | diff - dig.out || ret=1
 	if [ $ret != 0 ]
 	then
@@ -65,14 +65,14 @@ done
 
 echo "I:querying for NULL record"
 ret=0
-$DIG +short $DIGOPTS null.example null in > dig.out || ret=1
+$DIG +short $DIGOPTS @10.53.0.1 null.example null in > dig.out || ret=1
 echo '\# 1 00' | diff - dig.out || ret=1
 [ $ret = 0 ] || echo "I: failed"
 status=`expr $status + $ret`
 
 echo "I:querying for empty NULL record"
 ret=0
-$DIG +short $DIGOPTS empty.example null in > dig.out || ret=1
+$DIG +short $DIGOPTS @10.53.0.1 empty.example null in > dig.out || ret=1
 echo '\# 0' | diff - dig.out || ret=1
 [ $ret = 0 ] || echo "I: failed"
 status=`expr $status + $ret`
@@ -81,7 +81,7 @@ echo "I:querying for various representations of a CLASS10 TYPE1 record"
 for i in 1 2
 do
 	ret=0
-	$DIG +short $DIGOPTS a$i.example a class10 > dig.out || ret=1
+	$DIG +short $DIGOPTS @10.53.0.1 a$i.example a class10 > dig.out || ret=1
 	echo '\# 4 0A000001' | diff - dig.out || ret=1
 	if [ $ret != 0 ]
 	then
@@ -94,7 +94,7 @@ echo "I:querying for various representations of a CLASS10 TXT record"
 for i in 1 2 3 4
 do
 	ret=0
-	$DIG +short $DIGOPTS txt$i.example txt class10 > dig.out || ret=1
+	$DIG +short $DIGOPTS @10.53.0.1 txt$i.example txt class10 > dig.out || ret=1
 	echo '"hello"' | diff - dig.out || ret=1
 	if [ $ret != 0 ]
 	then
@@ -107,7 +107,7 @@ echo "I:querying for various representations of a CLASS10 TYPE123 record"
 for i in 1 2
 do
 	ret=0
-	$DIG +short $DIGOPTS unk$i.example type123 class10 > dig.out || ret=1
+	$DIG +short $DIGOPTS @10.53.0.1 unk$i.example type123 class10 > dig.out || ret=1
 	echo '\# 1 00' | diff - dig.out || ret=1
 	if [ $ret != 0 ]
 	then
@@ -120,7 +120,7 @@ echo "I:querying for SOAs of zone that should have failed to load"
 for i in 1 2 3 4
 do
 	ret=0
-	$DIG $DIGOPTS broken$i. soa in > dig.out || ret=1
+	$DIG $DIGOPTS @10.53.0.1 broken$i. soa in > dig.out || ret=1
 	grep "SERVFAIL" dig.out > /dev/null || ret=1
 	if [ $ret != 0 ]
 	then
@@ -129,5 +129,38 @@ do
 	status=`expr $status + $ret`
 done
 
+echo "I:checking large unknown record loading on master"
+ret=0
+$DIG $DIGOPTS @10.53.0.1 +tcp +short large.example TYPE45234 > dig.out || { ret=1 ; echo I: dig failed ; }
+diff -s large.out dig.out > /dev/null || { ret=1 ; echo "I: diff failed"; }
+[ $ret = 0 ] || echo "I: failed"
+status=`expr $status + $ret`
+
+
+echo "I:checking large unknown record loading on slave"
+ret=0
+$DIG $DIGOPTS @10.53.0.2 +tcp +short large.example TYPE45234 > dig.out || { ret=1 ; echo I: dig failed ; }
+diff -s large.out dig.out > /dev/null || { ret=1 ; echo "I: diff failed"; }
+[ $ret = 0 ] || echo "I: failed"
+status=`expr $status + $ret`
+
+echo "I:checking large unknown record loading on inline slave"
+ret=0
+$DIG $DIGOPTS @10.53.0.3 +tcp +short large.example TYPE45234 > dig.out || { ret=1 ; echo I: dig failed ; }
+diff large.out dig.out > /dev/null || { ret=1 ; echo "I: diff failed"; }
+[ $ret = 0 ] || echo "I: failed"
+status=`expr $status + $ret`
+
+echo "I:stop and restart inline slave"
+$PERL $SYSTEMTESTTOP/stop.pl . ns3
+$PERL $SYSTEMTESTTOP/start.pl --noclean --restart . ns3
+
+echo "I:checking large unknown record loading on inline slave"
+ret=0
+$DIG $DIGOPTS @10.53.0.3 +tcp +short large.example TYPE45234 > dig.out || { ret=1 ; echo I: dig failed ; }
+diff large.out dig.out > /dev/null || { ret=1 ; echo "I: diff failed"; }
+[ $ret = 0 ] || echo "I: failed"
+status=`expr $status + $ret`
+
 echo "I:exit status: $status"
 exit $status

lib/dns/rdata.c

@@ -338,8 +338,8 @@ dns_rdata_compare(const dns_rdata_t *rdata1, const dns_rdata_t *rdata2) {
 
 	REQUIRE(rdata1 != NULL);
 	REQUIRE(rdata2 != NULL);
-	REQUIRE(rdata1->data != NULL);
-	REQUIRE(rdata2->data != NULL);
+	REQUIRE(rdata1->length == 0 || rdata1->data != NULL);
+	REQUIRE(rdata2->length == 0 || rdata2->data != NULL);
 	REQUIRE(DNS_RDATA_VALIDFLAGS(rdata1));
 	REQUIRE(DNS_RDATA_VALIDFLAGS(rdata2));
 
@@ -369,8 +369,8 @@ dns_rdata_casecompare(const dns_rdata_t *rdata1, const dns_rdata_t *rdata2) {
 
 	REQUIRE(rdata1 != NULL);
 	REQUIRE(rdata2 != NULL);
-	REQUIRE(rdata1->data != NULL);
-	REQUIRE(rdata2->data != NULL);
+	REQUIRE(rdata1->length == 0 || rdata1->data != NULL);
+	REQUIRE(rdata2->length == 0 || rdata2->data != NULL);
 	REQUIRE(DNS_RDATA_VALIDFLAGS(rdata1));
 	REQUIRE(DNS_RDATA_VALIDFLAGS(rdata2));
 

lib/dns/rdataslab.c

@@ -126,6 +126,11 @@ isc_result_t
 dns_rdataslab_fromrdataset(dns_rdataset_t *rdataset, isc_mem_t *mctx,
 			   isc_region_t *region, unsigned int reservelen)
 {
+	/*
+	 * Use &removed as a sentinal pointer for duplicate
+	 * rdata as rdata.data == NULL is valid.
+	 */
+	static unsigned char removed;
 	struct xrdata  *x;
 	unsigned char  *rawbuf;
 #if DNS_RDATASET_FIXED
@@ -169,6 +174,7 @@ dns_rdataslab_fromrdataset(dns_rdataset_t *rdataset, isc_mem_t *mctx,
 		INSIST(result == ISC_R_SUCCESS);
 		dns_rdata_init(&x[i].rdata);
 		dns_rdataset_current(rdataset, &x[i].rdata);
+		INSIST(x[i].rdata.data != &removed);
 #if DNS_RDATASET_FIXED
 		x[i].order = i;
 #endif
@@ -201,8 +207,7 @@ dns_rdataslab_fromrdataset(dns_rdataset_t *rdataset, isc_mem_t *mctx,
 	 */
 	for (i = 1; i < nalloc; i++) {
 		if (compare_rdata(&x[i-1].rdata, &x[i].rdata) == 0) {
-			x[i-1].rdata.data = NULL;
-			x[i-1].rdata.length = 0;
+			x[i-1].rdata.data = &removed;
 #if DNS_RDATASET_FIXED
 			/*
 			 * Preserve the least order so A, B, A -> A, B
@@ -292,7 +297,7 @@ dns_rdataslab_fromrdataset(dns_rdataset_t *rdataset, isc_mem_t *mctx,
 #endif
 
 	for (i = 0; i < nalloc; i++) {
-		if (x[i].rdata.data == NULL)
+		if (x[i].rdata.data == &removed)
 			continue;
 #if DNS_RDATASET_FIXED
 		offsettable[x[i].order] = rawbuf - offsetbase;