|
 |
58fe1c |
From c5a9fd85a19a63f88a5f17c7e6d074ee22364093 Mon Sep 17 00:00:00 2001
|
|
|
58fe1c |
From: Petr Mensik <pemensik@redhat.com>
|
|
|
58fe1c |
Date: Tue, 18 Aug 2020 10:53:33 +0200
|
|
|
58fe1c |
Subject: [PATCH] Fix CVE-2020-8622
|
|
|
58fe1c |
|
|
|
58fe1c |
5476. [security] It was possible to trigger an assertion failure when
|
|
|
58fe1c |
verifying the response to a TSIG-signed request.
|
|
|
58fe1c |
(CVE-2020-8622) [GL #2028]
|
|
|
58fe1c |
---
|
|
|
58fe1c |
lib/dns/message.c | 24 +++++++++++++-----------
|
|
|
58fe1c |
1 file changed, 13 insertions(+), 11 deletions(-)
|
|
|
58fe1c |
|
|
|
58fe1c |
diff --git a/lib/dns/message.c b/lib/dns/message.c
|
|
|
58fe1c |
index d9e341a..7c813a5 100644
|
|
|
58fe1c |
--- a/lib/dns/message.c
|
|
|
58fe1c |
+++ b/lib/dns/message.c
|
|
|
58fe1c |
@@ -1712,6 +1712,19 @@ dns_message_parse(dns_message_t *msg, isc_buffer_t *source,
|
|
|
58fe1c |
msg->header_ok = 0;
|
|
|
58fe1c |
msg->question_ok = 0;
|
|
|
58fe1c |
|
|
|
58fe1c |
+ if ((options & DNS_MESSAGEPARSE_CLONEBUFFER) == 0) {
|
|
|
58fe1c |
+ isc_buffer_usedregion(&origsource, &msg->saved);
|
|
|
58fe1c |
+ } else {
|
|
|
58fe1c |
+ msg->saved.length = isc_buffer_usedlength(&origsource);
|
|
|
58fe1c |
+ msg->saved.base = isc_mem_get(msg->mctx, msg->saved.length);
|
|
|
58fe1c |
+ if (msg->saved.base == NULL) {
|
|
|
58fe1c |
+ return (ISC_R_NOMEMORY);
|
|
|
58fe1c |
+ }
|
|
|
58fe1c |
+ memmove(msg->saved.base, isc_buffer_base(&origsource),
|
|
|
58fe1c |
+ msg->saved.length);
|
|
|
58fe1c |
+ msg->free_saved = 1;
|
|
|
58fe1c |
+ }
|
|
|
58fe1c |
+
|
|
|
58fe1c |
isc_buffer_remainingregion(source, &r);
|
|
|
58fe1c |
if (r.length < DNS_MESSAGE_HEADERLEN)
|
|
|
58fe1c |
return (ISC_R_UNEXPECTEDEND);
|
|
|
58fe1c |
@@ -1787,17 +1800,6 @@ dns_message_parse(dns_message_t *msg, isc_buffer_t *source,
|
|
|
58fe1c |
}
|
|
|
58fe1c |
|
|
|
58fe1c |
truncated:
|
|
|
58fe1c |
- if ((options & DNS_MESSAGEPARSE_CLONEBUFFER) == 0)
|
|
|
58fe1c |
- isc_buffer_usedregion(&origsource, &msg->saved);
|
|
|
58fe1c |
- else {
|
|
|
58fe1c |
- msg->saved.length = isc_buffer_usedlength(&origsource);
|
|
|
58fe1c |
- msg->saved.base = isc_mem_get(msg->mctx, msg->saved.length);
|
|
|
58fe1c |
- if (msg->saved.base == NULL)
|
|
|
58fe1c |
- return (ISC_R_NOMEMORY);
|
|
|
58fe1c |
- memmove(msg->saved.base, isc_buffer_base(&origsource),
|
|
|
58fe1c |
- msg->saved.length);
|
|
|
58fe1c |
- msg->free_saved = 1;
|
|
|
58fe1c |
- }
|
|
|
58fe1c |
|
|
|
58fe1c |
if (ret == ISC_R_UNEXPECTEDEND && ignore_tc)
|
|
|
58fe1c |
return (DNS_R_RECOVERABLE);
|
|
|
58fe1c |
--
|
|
|
58fe1c |
2.26.2
|
|
|
58fe1c |
|