BIND issues
https://gitlab.isc.org/isc-projects/bind9/-/issues
Updated: 2019-09-04T21:07:15Z

https://gitlab.isc.org/isc-projects/bind9/-/issues/1210
Address potential NULL pointer dereference in rpz.c
2019-09-04T21:07:15Z, Mark Andrews
Milestone: BIND 9.15.4
Assignee: Mark Andrews

Logic error: Dereference of null pointer, /lib/dns/rpz.c:32. Access to field 'updater' results in a dereference of a null pointer (loaded from field 'rpzs').

https://gitlab.isc.org/isc-projects/bind9/-/issues/1209
DNS_R_MUSTBESECURE failures
2019-09-04T20:39:06Z, Mark Andrews
Milestone: BIND 9.15.4
Assignee: Mark Andrews

1. a DNS_R_MUSTBESECURE is overwritten (clang error report)
2. validator_done() called twice with DNS_R_MUSTBESECURE then ISC_R_SUCCESS (by inspection of mustbesecure handling from 1.)

https://gitlab.isc.org/isc-projects/bind9/-/issues/1207
BIND | Potential for NULL pointer de-references plus memory leaks (CWE-476) in file 'dlz_mysqldyn_mod.c'
2019-09-04T04:31:41Z, Ghost User
Milestone: BIND 9.15.4
Assignee: Mark Andrews

<!--
If the bug you are reporting is potentially security-related - for example,
if it involves an assertion failure or other crash in `named` that can be
triggered repeatedly - then please do *NOT* report it here, but send an
email to [security-officer@isc.org](security-officer@isc.org).
-->
### Summary
Hello, while reviewing code in BIND 9.14.5, in directory 'contrib/dlz/modules/mysqldyn',
file 'dlz_mysqldyn_mod.c', I found missing sanity checks for memory allocations starting
at approximately line 1298 in function 'dlz_newversion', which are not checked for a
return value of NULL, indicating failure. Additionally, more memory allocations are
done in the same way, and in the event of failure, previous allocations are not released
prior to returning with a value of 'ISC_R_NOMEMORY'.
### BIND version used
BIND version is 9.14.5
### Steps to reproduce
N/A - bug is in software
### What is the current *bug* behavior?
If bug is triggered, software could abort with 'segmentation fault (core dumped)'
### What is the expected *correct* behavior?
Software should check all requests for memory allocation to ensure they were properly
allocated (the attached patch file, in 'diff -u' format, does this).
### Relevant configuration files
N/A
### Relevant logs and/or screenshots
N/A
### Possible fixes
Attaching file 'dlz_mysqldyn_mod.c.patch' to this report ('diff -u' format):
[dlz_mysqldyn_mod.c.patch](/uploads/a58c450eeba022b25a31ee2fd2887cf2/dlz_mysqldyn_mod.c.patch)
Here is the patch file in 'diff -u' format:
```
root@stargate:/usr/local/src/bind-9.14.5/contrib/dlz/modules/mysqldyn# diff -u dlz_mysqldyn_mod.c.orig dlz_mysqldyn_mod.c
--- dlz_mysqldyn_mod.c.orig 2019-09-03 17:43:41.826419700 -0700
+++ dlz_mysqldyn_mod.c 2019-09-03 17:50:52.887392600 -0700
@@ -1298,8 +1298,19 @@
*/
newtx = (mysql_transaction_t *)
malloc(sizeof(mysql_transaction_t));
+ if (newtx == NULL) /* check to see if memory was actually allocated */
+ return (ISC_R_NOMEMORY);
newtx->zone = strdup(zone);
+ if (newtx->zone == NULL) { /* check to see if memory was actually allocated */
+ free(newtx); /* free previously allocated memory */
+ return (ISC_R_NOMEMORY);
+ }
newtx->zone_id = strdup(zone_id);
+ if (newtx->zone_id == NULL) { /* check to see if memory was actually allocated */
+ free(newtx_zone); /* free previous allocation made */
+ free(newtx); /* free initial allocation */
+ return (ISC_R_NOMEMORY);
+ }
newtx->dbi = get_dbi(state);
newtx->next = NULL;
```
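Review bot: the `zone_id` failure branch (`+ free(newtx_zone);`) references an identifier that does not exist; the earlier strdup() result was stored in `newtx->zone`, so this line will not compile and should read `free(newtx->zone);`. Since the report also says further allocations later in dlz_newversion are unchecked in the same way, consider a single cleanup label that frees `zone_id`, `zone` and `newtx` in reverse order, so each new check is one `goto` rather than a growing copy of the free sequence that can drift out of sync like this one.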
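As an added example, not part of the issue above or of BIND's own code: the allocation sequence the report describes, written so that every failure path releases exactly what was allocated before it, together with a fault-injecting allocator that makes the n-th allocation fail so each path can be exercised and checked for leaks. The struct layout, the `isc_result_t` values, the `tx_*` allocator wrappers and the `get_dbi()` stand-in are simplified assumptions for this example, not BIND's definitions.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Stand-ins for ISC result codes; the values are assumptions, not BIND's. */
typedef unsigned int isc_result_t;
#define ISC_R_SUCCESS  0
#define ISC_R_NOMEMORY 1

/* Simplified transaction record, modelled on the fields visible in the patch. */
typedef struct mysql_transaction {
	char *zone;
	char *zone_id;
	void *dbi;
	struct mysql_transaction *next;
} mysql_transaction_t;

/*
 * Fault-injecting allocator (test scaffolding, not BIND code): each call
 * counts as one allocation and the call numbered fail_at (1-based)
 * returns NULL. live_allocs counts outstanding blocks so a test can
 * prove that a failure path left nothing allocated.
 */
static int fail_at = 0;      /* 0 = never fail */
static int alloc_calls = 0;
static int live_allocs = 0;

static void *
tx_malloc(size_t n) {
	if (++alloc_calls == fail_at)
		return (NULL);
	void *p = malloc(n);
	if (p != NULL)
		live_allocs++;
	return (p);
}

static char *
tx_strdup(const char *s) {
	size_t len = strlen(s) + 1;
	char *p = tx_malloc(len);
	if (p != NULL)
		memcpy(p, s, len);
	return (p);
}

static void
tx_free(void *p) {
	if (p != NULL) {
		live_allocs--;
		free(p);
	}
}

/* Stand-in for get_dbi(state); always succeeds in this example. */
static void *
get_dbi(void *state) {
	return (state);
}

/*
 * Hardened allocation sequence: every step is checked, and one cleanup
 * path frees, in reverse order, whatever was allocated before the step
 * that failed. On failure *txp is left untouched.
 */
isc_result_t
tx_new(void *state, const char *zone, const char *zone_id,
       mysql_transaction_t **txp) {
	mysql_transaction_t *newtx = tx_malloc(sizeof(*newtx));
	if (newtx == NULL)
		return (ISC_R_NOMEMORY);
	newtx->zone = tx_strdup(zone);
	if (newtx->zone == NULL)
		goto fail_zone;
	newtx->zone_id = tx_strdup(zone_id);
	if (newtx->zone_id == NULL)
		goto fail_zone_id;
	newtx->dbi = get_dbi(state);
	newtx->next = NULL;
	*txp = newtx;
	return (ISC_R_SUCCESS);

fail_zone_id:
	tx_free(newtx->zone);
fail_zone:
	tx_free(newtx);
	return (ISC_R_NOMEMORY);
}

void
tx_destroy(mysql_transaction_t *tx) {
	tx_free(tx->zone_id);
	tx_free(tx->zone);
	tx_free(tx);
}

/*
 * Run tx_new() with allocation number n forced to fail (n == 0: no
 * failure). Returns 1 if the outcome was correct: success with three
 * live blocks when nothing failed, otherwise ISC_R_NOMEMORY with the
 * caller's pointer untouched and no block left allocated.
 */
int
check_failure_path(int n) {
	int dummy_state;
	mysql_transaction_t *tx = NULL;

	fail_at = n;
	alloc_calls = 0;
	live_allocs = 0;
	isc_result_t r = tx_new(&dummy_state, "example.test", "42", &tx);
	if (r == ISC_R_SUCCESS) {
		int ok = (n == 0 && tx != NULL && live_allocs == 3);
		tx_destroy(tx);
		return (ok && live_allocs == 0);
	}
	return (n != 0 && r == ISC_R_NOMEMORY && tx == NULL &&
		live_allocs == 0);
}

int
main(void) {
	for (int n = 0; n <= 3; n++)
		printf("fail allocation %d: %s\n", n,
		       check_failure_path(n) ? "ok" : "LEAK OR WRONG RESULT");
	return (0);
}
```

The point of the fault injector is that a cleanup label is only trustworthy if each failure path has actually been run; iterating n over every allocation in the function is a cheap way to do that in a unit test, and it would have caught the undeclared-identifier slip in the posted patch at compile time and a forgotten free at run time.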

https://gitlab.isc.org/isc-projects/bind9/-/issues/1199
Return value from open() not checked.
2019-08-29T00:17:03Z, Mark Andrews
Milestone: BIND 9.15.4
Assignee: Mark Andrews

```
6. negative_return_fn: Function open("zone.bin", 2) returns a negative number.
7. assign: Assigning: fd = open("zone.bin", 2).
334 fd = open("zone.bin", O_RDWR);
CID 1452692 (#1 of 1): Improper use of negative value (NEGATIVE_RETURNS)
8. negative_returns: fd is passed to a parameter that cannot be negative. [show details]
```
```
52. negative_return_fn: Function open("zone.bin", 2) returns a negative number.
53. assign: Assigning: fd = open("zone.bin", 2).
394 fd = open("zone.bin", O_RDWR);
CID 1452709 (#1 of 1): Improper use of negative value (NEGATIVE_RETURNS)
54. negative_returns: fd is passed to a parameter that cannot be negative. [show details]
```