Commit ae9af802 authored by Michał Kępień

Merge branch '2028-unexpectedend-and-tsig-v9_11' into 'security-v9_11'

[CVE-2020-8622] Properly handle malformed truncated responses to TSIG queries (v9.11)

See merge request isc-private/bind9!196
parents 348ba25d 0db7d0a4
5476. [security] It was possible to trigger an assertion failure when
verifying the response to a TSIG-signed request.
(CVE-2020-8622) [GL #2028]
5474. [bug] dns_rdata_hip_next() failed to return ISC_R_NOMORE
when it should have. [GL !3880]
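Review bot: entry 5476 says only that an assertion failure could be triggered "when verifying the response to a TSIG-signed request" and leaves out the condition named in the commit title, a malformed truncated response. Adding that condition to the entry would let operators reading CHANGES judge exposure without opening the issue. Entry 5476 also sits directly above 5474 with no 5475 in the visible lines; please confirm the gap in numbering is intentional.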
 
......
......@@ -15,7 +15,13 @@
<itemizedlist>
<listitem>
<para>
None.
It was possible to trigger an assertion failure when verifying the
response to a TSIG-signed request. This was disclosed in
CVE-2020-8622.
</para>
<para>
ISC would like to thank Dave Feldman, Jeff Warren, and Joel Cunningham
of Oracle for bringing this vulnerability to our attention. [GL #2028]
</para>
</listitem>
</itemizedlist>
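Review bot: the new `<para>` names the CVE but not the affected role or the trigger; "when verifying the response to a TSIG-signed request" does not say that the response has to be truncated or malformed, which is what the commit title describes. One more sentence stating that condition would make the release note usable for triage on its own.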
......
......@@ -1712,6 +1712,19 @@ dns_message_parse(dns_message_t *msg, isc_buffer_t *source,
msg->header_ok = 0;
msg->question_ok = 0;
if ((options & DNS_MESSAGEPARSE_CLONEBUFFER) == 0) {
isc_buffer_usedregion(&origsource, &msg->saved);
} else {
msg->saved.length = isc_buffer_usedlength(&origsource);
msg->saved.base = isc_mem_get(msg->mctx, msg->saved.length);
if (msg->saved.base == NULL) {
return (ISC_R_NOMEMORY);
}
memmove(msg->saved.base, isc_buffer_base(&origsource),
msg->saved.length);
msg->free_saved = 1;
}
isc_buffer_remainingregion(source, &r);
if (r.length < DNS_MESSAGE_HEADERLEN)
return (ISC_R_UNEXPECTEDEND);
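Review bot: the save block now runs before the `r.length < DNS_MESSAGE_HEADERLEN` check, so every early return, including that `ISC_R_UNEXPECTEDEND`, leaves `msg->saved` populated, and nothing in the hunk documents why the block has to sit here. A short comment above `if ((options & DNS_MESSAGEPARSE_CLONEBUFFER) == 0) {` naming the later consumer that needs `msg->saved` even when parsing fails (per the commit title, verification of a TSIG response) would keep the block from being moved back down. Two consequences are worth checking: `msg->saved.length` can now be smaller than `DNS_MESSAGE_HEADERLEN`, so readers of the saved region must not assume a full header, and in the `DNS_MESSAGEPARSE_CLONEBUFFER` branch an early return leaves `msg->free_saved = 1` with a live allocation that the message reset or destroy path has to release.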
......@@ -1787,17 +1800,6 @@ dns_message_parse(dns_message_t *msg, isc_buffer_t *source,
}
truncated:
if ((options & DNS_MESSAGEPARSE_CLONEBUFFER) == 0)
isc_buffer_usedregion(&origsource, &msg->saved);
else {
msg->saved.length = isc_buffer_usedlength(&origsource);
msg->saved.base = isc_mem_get(msg->mctx, msg->saved.length);
if (msg->saved.base == NULL)
return (ISC_R_NOMEMORY);
memmove(msg->saved.base, isc_buffer_base(&origsource),
msg->saved.length);
msg->free_saved = 1;
}
if (ret == ISC_R_UNEXPECTEDEND && ignore_tc)
return (DNS_R_RECOVERABLE);
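Review bot: with the save removed from under `truncated:`, nothing on this path sets `msg->saved` any more, so correctness depends entirely on the copy made at the top of dns_message_parse(), and no test is visible in these hunks that exercises it. A regression test that passes a buffer shorter than `DNS_MESSAGE_HEADERLEN`, and one that ends partway through a record so that `ret == ISC_R_UNEXPECTEDEND`, then checks that `msg->saved.length` equals the input length in both the clone and non-clone modes, would pin the behaviour this fix relies on.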
......