Commit a2b15b33 authored by Mark Andrews's avatar Mark Andrews
Browse files

4318. [security] Malformed control messages can trigger assertions

                        in named and rndc. (CVE-2016-1285) [RT #41666]
parent 0c9af52e
4318. [security] Malformed control messages can trigger assertions
in named and rndc. (CVE-2016-1285) [RT #41666]
4317. [bug] Age all unused servers on fetch timeout. [RT #41597]
4316. [func] Add option to tools to print RRs in unknown
......
......@@ -91,7 +91,7 @@ ns_control_docommand(isccc_sexpr_t *message, isc_boolean_t readonly,
#endif
data = isccc_alist_lookup(message, "_data");
if (data == NULL) {
if (!isccc_alist_alistp(data)) {
/*
* No data section.
*/
......
......@@ -405,7 +405,7 @@ control_recvmessage(isc_task_t *task, isc_event_t *event) {
* Limit exposure to replay attacks.
*/
_ctrl = isccc_alist_lookup(request, "_ctrl");
if (_ctrl == NULL) {
if (!isccc_alist_alistp(_ctrl)) {
log_invalid(&conn->ccmsg, ISC_R_FAILURE);
goto cleanup_request;
}
......
......@@ -279,8 +279,8 @@ rndc_recvdone(isc_task_t *task, isc_event_t *event) {
isccc_cc_fromwire(&source, &response, algorithm, &secret));
data = isccc_alist_lookup(response, "_data");
if (data == NULL)
fatal("no data section in response");
if (!isccc_alist_alistp(data))
fatal("bad or missing data section in response");
result = isccc_cc_lookupstring(data, "err", &errormsg);
if (result == ISC_R_SUCCESS) {
failed = ISC_TRUE;
......@@ -353,8 +353,8 @@ rndc_recvnonce(isc_task_t *task, isc_event_t *event) {
isccc_cc_fromwire(&source, &response, algorithm, &secret));
_ctrl = isccc_alist_lookup(response, "_ctrl");
if (_ctrl == NULL)
fatal("_ctrl section missing");
if (!isccc_alist_alistp(_ctrl))
fatal("bad or missing ctrl section in response");
nonce = 0;
if (isccc_cc_lookupuint32(_ctrl, "_nonce", &nonce) != ISC_R_SUCCESS)
nonce = 0;
......
......@@ -167,7 +167,15 @@
This flaw is disclosed in CVE-2015-8705. [RT #41397]
</para>
</listitem>
<listitem>
<para>
Malformed control messages can trigger assertions in named
and rndc. This flaw is disclosed in CVE-2016-1285. [RT
#41666]
</para>
</listitem>
</itemizedlist>
</section>
<section xml:id="relnotes_features"><info><title>New Features</title></info>
......
......@@ -422,13 +422,13 @@ verify(isccc_sexpr_t *alist, unsigned char *data, unsigned int length,
* Extract digest.
*/
_auth = isccc_alist_lookup(alist, "_auth");
if (_auth == NULL)
if (!isccc_alist_alistp(_auth))
return (ISC_R_FAILURE);
if (algorithm == ISCCC_ALG_HMACMD5)
hmac = isccc_alist_lookup(_auth, "hmd5");
else
hmac = isccc_alist_lookup(_auth, "hsha");
if (hmac == NULL)
if (!isccc_sexpr_binaryp(hmac))
return (ISC_R_FAILURE);
/*
* Compute digest.
......@@ -745,7 +745,7 @@ isccc_cc_createack(isccc_sexpr_t *message, isc_boolean_t ok,
REQUIRE(ackp != NULL && *ackp == NULL);
_ctrl = isccc_alist_lookup(message, "_ctrl");
if (_ctrl == NULL ||
if (!isccc_alist_alistp(_ctrl) ||
isccc_cc_lookupuint32(_ctrl, "_ser", &serial) != ISC_R_SUCCESS ||
isccc_cc_lookupuint32(_ctrl, "_tim", &t) != ISC_R_SUCCESS)
return (ISC_R_FAILURE);
......@@ -789,7 +789,7 @@ isccc_cc_isack(isccc_sexpr_t *message) {
isccc_sexpr_t *_ctrl;
_ctrl = isccc_alist_lookup(message, "_ctrl");
if (_ctrl == NULL)
if (!isccc_alist_alistp(_ctrl))
return (ISC_FALSE);
if (isccc_cc_lookupstring(_ctrl, "_ack", NULL) == ISC_R_SUCCESS)
return (ISC_TRUE);
......@@ -801,7 +801,7 @@ isccc_cc_isreply(isccc_sexpr_t *message) {
isccc_sexpr_t *_ctrl;
_ctrl = isccc_alist_lookup(message, "_ctrl");
if (_ctrl == NULL)
if (!isccc_alist_alistp(_ctrl))
return (ISC_FALSE);
if (isccc_cc_lookupstring(_ctrl, "_rpl", NULL) == ISC_R_SUCCESS)
return (ISC_TRUE);
......@@ -821,7 +821,7 @@ isccc_cc_createresponse(isccc_sexpr_t *message, isccc_time_t now,
_ctrl = isccc_alist_lookup(message, "_ctrl");
_data = isccc_alist_lookup(message, "_data");
if (_ctrl == NULL || _data == NULL ||
if (!isccc_alist_alistp(_ctrl) || !isccc_alist_alistp(_data) ||
isccc_cc_lookupuint32(_ctrl, "_ser", &serial) != ISC_R_SUCCESS ||
isccc_cc_lookupstring(_data, "type", &type) != ISC_R_SUCCESS)
return (ISC_R_FAILURE);
......@@ -1002,7 +1002,7 @@ isccc_cc_checkdup(isccc_symtab_t *symtab, isccc_sexpr_t *message,
isccc_sexpr_t *_ctrl;
_ctrl = isccc_alist_lookup(message, "_ctrl");
if (_ctrl == NULL ||
if (!isccc_alist_alistp(_ctrl) ||
isccc_cc_lookupstring(_ctrl, "_ser", &_ser) != ISC_R_SUCCESS ||
isccc_cc_lookupstring(_ctrl, "_tim", &_tim) != ISC_R_SUCCESS)
return (ISC_R_FAILURE);
......
Markdown is supported
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment