From 9d8aba8a7778721ae2cee6e4670a8e6be6590b05 Mon Sep 17 00:00:00 2001 From: Mark Andrews Date: Wed, 12 Oct 2016 19:52:59 +0900 Subject: [PATCH] 4406. [security] getrrsetbyname with a non absolute name could trigger an infinite recursion bug in lwresd and named with lwres configured if when combined with a search list entry the resulting name is too long. (CVE-2016-2775) [RT #42694] Backport commit 38cc2d14e218e536e0102fa70deef99461354232 from the v9.11.0_patch branch. CVE: CVE-2016-2775 Upstream-Status: Backport Signed-off-by: zhengruoqin --- CHANGES | 6 ++++++ bin/named/lwdgrbn.c | 16 ++++++++++------ bin/tests/system/lwresd/lwtest.c | 9 ++++++++- 3 files changed, 24 insertions(+), 7 deletions(-) diff --git a/CHANGES b/CHANGES index d2e3360..d0a9d12 100644 --- a/CHANGES +++ b/CHANGES @@ -1,3 +1,9 @@ +4406. [security] getrrsetbyname with a non absolute name could + trigger an infinite recursion bug in lwresd + and named with lwres configured if when combined + with a search list entry the resulting name is + too long. (CVE-2016-2775) [RT #42694] + 4322. [security] Duplicate EDNS COOKIE options in a response could trigger an assertion failure. (CVE-2016-2088) [RT #41809] diff --git a/bin/named/lwdgrbn.c b/bin/named/lwdgrbn.c index 3e7b15b..e1e9adc 100644 --- a/bin/named/lwdgrbn.c +++ b/bin/named/lwdgrbn.c @@ -403,14 +403,18 @@ start_lookup(ns_lwdclient_t *client) { INSIST(client->lookup == NULL); dns_fixedname_init(&absname); - result = ns_lwsearchctx_current(&client->searchctx, - dns_fixedname_name(&absname)); + /* - * This will return failure if relative name + suffix is too long. - * In this case, just go on to the next entry in the search path. + * Perform search across all search domains until success + * is returned. Return in case of failure. */ - if (result != ISC_R_SUCCESS) - start_lookup(client); + while (ns_lwsearchctx_current(&client->searchctx, + dns_fixedname_name(&absname)) != ISC_R_SUCCESS) { + if (ns_lwsearchctx_next(&client->searchctx) != ISC_R_SUCCESS) { + ns_lwdclient_errorpktsend(client, LWRES_R_FAILURE); + return; + } + } result = dns_lookup_create(cm->mctx, dns_fixedname_name(&absname), diff --git a/bin/tests/system/lwresd/lwtest.c b/bin/tests/system/lwresd/lwtest.c index ad9b551..3eb4a66 100644 --- a/bin/tests/system/lwresd/lwtest.c +++ b/bin/tests/system/lwresd/lwtest.c @@ -768,7 +768,14 @@ main(void) { test_getrrsetbyname("e.example1.", 1, 2, 1, 1, 1); test_getrrsetbyname("e.example1.", 1, 46, 2, 0, 1); test_getrrsetbyname("", 1, 1, 0, 0, 0); - + test_getrrsetbyname("123456789.123456789.123456789.123456789." + "123456789.123456789.123456789.123456789." + "123456789.123456789.123456789.123456789." + "123456789.123456789.123456789.123456789." + "123456789.123456789.123456789.123456789." + "123456789.123456789.123456789.123456789." + "123456789", 1, 1, 0, 0, 0); + if (fails == 0) printf("I:ok\n"); return (fails); -- 2.7.4