authorJakob Schlyter <jakob@cvs.openbsd.org>2007-01-25 07:31:26 +0000
committerJakob Schlyter <jakob@cvs.openbsd.org>2007-01-25 07:31:26 +0000
commit5ba26d4f49e12570f62d5ae78018a32ed16e6b44 (patch)
treec88348c7d706f15c8c945e3b64944fa3ae354bd2
parent06371ecc6d7691c8a8943cdec25b4b1027961e67 (diff)
resolve conflicts with 9.3.4; SECURITY UPDATE
-rw-r--r--usr.sbin/bind/CHANGES7
-rw-r--r--usr.sbin/bind/FAQ43
-rw-r--r--usr.sbin/bind/README8
-rw-r--r--usr.sbin/bind/lib/dns/api6
-rw-r--r--usr.sbin/bind/lib/dns/resolver.c51
-rw-r--r--usr.sbin/bind/lib/dns/validator.c26
-rw-r--r--usr.sbin/bind/version4
7 files changed, 131 insertions, 14 deletions
diff --git a/usr.sbin/bind/CHANGES b/usr.sbin/bind/CHANGES
index f4b36d9204e..acf2817b5b7 100644
--- a/usr.sbin/bind/CHANGES
+++ b/usr.sbin/bind/CHANGES
@@ -1,4 +1,11 @@
+ --- 9.3.4 released ---
+
+2126. [security] Serialise validation of type ANY responses. [RT #16555]
+
+2124. [security] It was possible to dereference a freed fetch
+ context. [RT #16584]
+
--- 9.3.3 released ---
2107. [bug] dighost.c: more cleanup of buffers. [RT #16499]
diff --git a/usr.sbin/bind/FAQ b/usr.sbin/bind/FAQ
index 5c6a2a7368c..ba87de21652 100644
--- a/usr.sbin/bind/FAQ
+++ b/usr.sbin/bind/FAQ
@@ -1,5 +1,9 @@
Frequently Asked Questions about BIND 9
+Copyright © 2004-2007 Internet Systems Consortium, Inc. ("ISC")
+
+Copyright © 2000-2003 Internet Software Consortium.
+
-------------------------------------------------------------------------------
Q: Why doesn't -u work on Linux 2.2.x when I build with --enable-threads?
@@ -630,3 +634,42 @@ A: Red Hat Security Enhanced Linux (SELinux) policy security protections :
See these man-pages for more information : selinux(8), named_selinux(8), chcon
(1), setsebool(8)
+Q: I want to forward all DNS queries from my caching nameserver to another server.
+ But there are some domains which have to be served locally, via rbldnsd.
+
+ How do I achieve this ?
+
+A: options {
+ forward only;
+ forwarders { <ip.of.primary.nameserver>; };
+ };
+
+ zone "sbl-xbl.spamhaus.org" {
+ type forward; forward only;
+ forwarders { <ip.of.rbldns.server> port 530; };
+ };
+
+ zone "list.dsbl.org" {
+ type forward; forward only;
+ forwarders { <ip.of.rbldns.server> port 530; };
+ };
+
+
+Q: Will named be affected by the 2007 changes to daylight savings rules in the US.
+
+A: No, so long as the machines internal clock (as reported by "date -u") remains
+ at UTC. The only visible change if you fail to upgrade your OS, if you are in a
+ affected area, will be that log messages will be a hour out during the period
+ where the old rules do not match the new rules.
+
+ For most OS's this change just means that you need to update the conversion
+ rules from UTC to local time. Normally this involves updating a file in /etc
+ (which sets the default timezone for the machine) and possibly a directory
+ which has all the conversion rules for the world (e.g. /usr/share/zoneinfo).
+ When updating the OS do not forget to update any chroot areas as well. See your
+ OS's documetation for more details.
+
+ The local timezone conversion rules can also be done on a individual basis by
+ setting the TZ envirionment variable appropriately. See your OS's documentation
+ for more details.
+
diff --git a/usr.sbin/bind/README b/usr.sbin/bind/README
index 709df1267ae..4763e53b894 100644
--- a/usr.sbin/bind/README
+++ b/usr.sbin/bind/README
@@ -42,6 +42,14 @@ BIND 9
Stichting NLnet - NLnet Foundation
Nominum, Inc.
+BIND 9.3.4
+
+ BIND 9.3.4 is a security release.
+
+BIND 9.3.3
+
+ BIND 9.3.3 is a maintenance release, containing fixes for
+ a number of bugs in 9.3.2.
BIND 9.3.2
diff --git a/usr.sbin/bind/lib/dns/api b/usr.sbin/bind/lib/dns/api
index 1bc2b11a91b..95b29be1b78 100644
--- a/usr.sbin/bind/lib/dns/api
+++ b/usr.sbin/bind/lib/dns/api
@@ -1,3 +1,3 @@
-LIBINTERFACE = 22
-LIBREVISION = 7
-LIBAGE = 0
+LIBINTERFACE = 23
+LIBREVISION = 0
+LIBAGE = 1
diff --git a/usr.sbin/bind/lib/dns/resolver.c b/usr.sbin/bind/lib/dns/resolver.c
index c1021bac3a7..371bdbdae05 100644
--- a/usr.sbin/bind/lib/dns/resolver.c
+++ b/usr.sbin/bind/lib/dns/resolver.c
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $ISC: resolver.c,v 1.218.2.18.4.64 2006/08/31 03:57:11 marka Exp $ */
+/* $ISC: resolver.c,v 1.218.2.18.4.64.4.2 2007/01/11 05:05:10 marka Exp $ */
#include <config.h>
@@ -218,6 +218,11 @@ struct fetchctx {
dns_name_t nsname;
dns_fetch_t * nsfetch;
dns_rdataset_t nsrrset;
+
+ /*%
+ * Number of queries that reference this context.
+ */
+ unsigned int nqueries;
};
#define FCTX_MAGIC ISC_MAGIC('F', '!', '!', '!')
@@ -351,6 +356,7 @@ static isc_result_t ncache_adderesult(dns_message_t *message,
dns_rdataset_t *ardataset,
isc_result_t *eresultp);
static void validated(isc_task_t *task, isc_event_t *event);
+static void maybe_destroy(fetchctx_t *fctx);
static isc_result_t
valcreate(fetchctx_t *fctx, dns_adbaddrinfo_t *addrinfo, dns_name_t *name,
@@ -369,6 +375,9 @@ valcreate(fetchctx_t *fctx, dns_adbaddrinfo_t *addrinfo, dns_name_t *name,
valarg->fctx = fctx;
valarg->addrinfo = addrinfo;
+ if (!ISC_LIST_EMPTY(fctx->validators))
+ INSIST((valoptions & DNS_VALIDATOR_DEFER) != 0);
+
result = dns_validator_create(fctx->res->view, name, type, rdataset,
sigrdataset, fctx->rmessage,
valoptions, task, validated, valarg,
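Review bot: The new INSIST encodes an invariant that nothing in valcreate states: once a validator is already queued on fctx->validators, the caller must have passed DNS_VALIDATOR_DEFER so that the new one is not started alongside it. A one-line comment above the check would save the next reader a trip to cache_name, e.g. `/* Only the first validator may start at once; any later one must be created deferred (cache_name sets DNS_VALIDATOR_DEFER). */`. valcreate's body continues past the hunk.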
@@ -515,6 +524,9 @@ resquery_destroy(resquery_t **queryp) {
INSIST(query->tcpsocket == NULL);
+ query->fctx->nqueries--;
+ if (SHUTTINGDOWN(query->fctx))
+ maybe_destroy(query->fctx); /* Locks bucket. */
query->magic = 0;
isc_mem_put(query->mctx, query, sizeof(*query));
*queryp = NULL;
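Review bot: `maybe_destroy(query->fctx)` on the new line can free the fetch context, so `query->fctx` must not be touched afterwards; the two remaining lines only read `query`, which is fine today, but nothing marks the constraint for the next edit. Suggest `maybe_destroy(query->fctx); /* Locks bucket; may free fctx -- do not use query->fctx below. */`. The `nqueries--` a line earlier runs without any visible lock, as does the matching `++` in fctx_query; if the counter relies on every resquery being created and destroyed on the fctx's task, saying so in the comment on the new struct field would make the invariant checkable. resquery_destroy starts above the hunk.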
@@ -973,6 +985,8 @@ fctx_query(fetchctx_t *fctx, dns_adbaddrinfo_t *addrinfo,
if (result != ISC_R_SUCCESS)
return (result);
+ INSIST(ISC_LIST_EMPTY(fctx->validators));
+
dns_message_reset(fctx->rmessage, DNS_MESSAGE_INTENTPARSE);
query = isc_mem_get(res->mctx, sizeof(*query));
@@ -1088,6 +1102,7 @@ fctx_query(fetchctx_t *fctx, dns_adbaddrinfo_t *addrinfo,
}
ISC_LIST_APPEND(fctx->queries, query, link);
+ query->fctx->nqueries++;
return (ISC_R_SUCCESS);
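Review bot: `query->fctx->nqueries++;` goes through the query although `fctx` is fctx_query's own parameter and the line before uses `fctx->queries` directly; `fctx->nqueries++;` reads consistently with its neighbour and drops a dereference. Style only. fctx_query's body begins above the hunk.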
@@ -1540,7 +1555,7 @@ fctx_finddone(isc_task_t *task, isc_event_t *event) {
want_done = ISC_TRUE;
}
} else if (SHUTTINGDOWN(fctx) && fctx->pending == 0 &&
- ISC_LIST_EMPTY(fctx->validators)) {
+ fctx->nqueries == 0 && ISC_LIST_EMPTY(fctx->validators)) {
bucketnum = fctx->bucketnum;
LOCK(&res->buckets[bucketnum].lock);
/*
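Review bot: The shutdown-idle test `fctx->pending == 0 && fctx->nqueries == 0 && ISC_LIST_EMPTY(fctx->validators)` now appears with the same shape here, in fctx_doshutdown (the `-2569` hunk) and in dns_resolver_destroyfetch (the `-6371` hunk), and fctx_start asserts the same three conditions one by one. A small helper such as `#define FCTX_IDLE(f) ((f)->pending == 0 && (f)->nqueries == 0 && ISC_LIST_EMPTY((f)->validators))` would keep the next counter that gets added from being forgotten at one of the sites, which is the kind of omission this patch is correcting. maybe_destroy deliberately tests only pending and nqueries, so it would stay separate. The enclosing functions start and end outside these hunks.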
@@ -2394,8 +2409,8 @@ fctx_destroy(fetchctx_t *fctx) {
REQUIRE(ISC_LIST_EMPTY(fctx->finds));
REQUIRE(ISC_LIST_EMPTY(fctx->altfinds));
REQUIRE(fctx->pending == 0);
- REQUIRE(ISC_LIST_EMPTY(fctx->validators));
REQUIRE(fctx->references == 0);
+ REQUIRE(ISC_LIST_EMPTY(fctx->validators));
FCTXTRACE("destroy");
@@ -2569,7 +2584,7 @@ fctx_doshutdown(isc_task_t *task, isc_event_t *event) {
}
if (fctx->references == 0 && fctx->pending == 0 &&
- ISC_LIST_EMPTY(fctx->validators))
+ fctx->nqueries == 0 && ISC_LIST_EMPTY(fctx->validators))
bucket_empty = fctx_destroy(fctx);
UNLOCK(&res->buckets[bucketnum].lock);
@@ -2610,6 +2625,7 @@ fctx_start(isc_task_t *task, isc_event_t *event) {
* pending ADB finds and no pending validations.
*/
INSIST(fctx->pending == 0);
+ INSIST(fctx->nqueries == 0);
INSIST(ISC_LIST_EMPTY(fctx->validators));
if (fctx->references == 0) {
/*
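Review bot: The comment directly above the INSISTs (its first line is outside the hunk) still reads "pending ADB finds and no pending validations", but the new `INSIST(fctx->nqueries == 0)` adds a third condition. Extend it to something like `* pending ADB finds, no outstanding queries and no pending validations.` so the prose matches the assertions. fctx_start continues outside the hunk.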
@@ -2771,6 +2787,7 @@ fctx_create(dns_resolver_t *res, dns_name_t *name, dns_rdatatype_t type,
fctx->restarts = 0;
fctx->timeouts = 0;
fctx->attributes = 0;
+ fctx->nqueries = 0;
dns_name_init(&fctx->nsname, NULL);
fctx->nsfetch = NULL;
@@ -3093,12 +3110,21 @@ maybe_destroy(fetchctx_t *fctx) {
unsigned int bucketnum;
isc_boolean_t bucket_empty = ISC_FALSE;
dns_resolver_t *res = fctx->res;
+ dns_validator_t *validator;
REQUIRE(SHUTTINGDOWN(fctx));
- if (fctx->pending != 0 || !ISC_LIST_EMPTY(fctx->validators))
+ if (fctx->pending != 0 || fctx->nqueries != 0)
return;
+ for (validator = ISC_LIST_HEAD(fctx->validators);
+ validator != NULL;
+ validator = ISC_LIST_HEAD(fctx->validators)) {
+ ISC_LIST_UNLINK(fctx->validators, validator, link);
+ dns_validator_cancel(validator);
+ dns_validator_destroy(&validator);
+ }
+
bucketnum = fctx->bucketnum;
LOCK(&res->buckets[bucketnum].lock);
if (fctx->references == 0)
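Review bot: The new `fctx->nqueries != 0` test and the loop that unlinks every entry of fctx->validators both run before `LOCK(&res->buckets[bucketnum].lock)` is taken, while the other sites in this commit that read the same fields for the shutdown decision (fctx_finddone, fctx_doshutdown, dns_resolver_destroyfetch) do so under the bucket lock and validated() unlinks from the list before its UNLOCK. If any of those callers can run on a task other than the fctx's own — dns_resolver_destroyfetch is the external API, so it looks like a candidate — the check-then-unlink here is a window; taking the lock first and turning the early `return` into a jump to the existing UNLOCK closes it, assuming the bucket-then-validator lock order is acceptable elsewhere in the file, which I cannot confirm from the hunk. Separately, `dns_validator_destroy(&validator)` is called straight after `dns_validator_cancel()` for every entry, including a non-deferred validator whose completion event may still be queued for validated(); whether destroy tolerates an undelivered event is not visible here and is worth confirming. maybe_destroy continues outside the hunk.
```c
	REQUIRE(SHUTTINGDOWN(fctx));

	bucketnum = fctx->bucketnum;
	LOCK(&res->buckets[bucketnum].lock);
	if (fctx->pending != 0 || fctx->nqueries != 0)
		goto unlock;	/* label sits on the existing UNLOCK below the hunk */

	for (validator = ISC_LIST_HEAD(fctx->validators);
	     validator != NULL;
	     validator = ISC_LIST_HEAD(fctx->validators)) {
		ISC_LIST_UNLINK(fctx->validators, validator, link);
		dns_validator_cancel(validator);
		dns_validator_destroy(&validator);
	}
	/* … unchanged: references == 0 -> fctx_destroy(), then UNLOCK … */
```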
@@ -3232,7 +3258,9 @@ validated(isc_task_t *task, isc_event_t *event) {
add_bad(fctx, &addrinfo->sockaddr, result);
isc_event_free(&event);
UNLOCK(&fctx->res->buckets[fctx->bucketnum].lock);
- if (sentresponse)
+ if (!ISC_LIST_EMPTY(fctx->validators))
+ dns_validator_send(ISC_LIST_HEAD(fctx->validators));
+ else if (sentresponse)
fctx_done(fctx, result); /* Locks bucket. */
else
fctx_try(fctx); /* Locks bucket. */
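Review bot: The new branch changes what a failed validation does without saying so: when another validator is queued, the fctx is neither finished nor retried here and the next validator is kicked instead, so fctx_done/fctx_try only run once the last one reports. That is the serialisation the commit is after, but a comment on the spot such as `/* Further validators are deferred (type ANY); start the next one and let the last of them finish or retry the fetch. */` above the `if` would make it explicit. The same kick appears in the `-3330` hunk (`dns_validator_send(ISC_LIST_HEAD(fctx->validators))` right after UNLOCK); in both places the list head is read after the bucket lock is released, and capturing it into a local while still locked would remove the unlocked read if fctx->validators is ever touched from another task. validated() starts and ends outside the hunk.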
@@ -3330,6 +3358,7 @@ validated(isc_task_t *task, isc_event_t *event) {
* be validated.
*/
UNLOCK(&fctx->res->buckets[fctx->bucketnum].lock);
+ dns_validator_send(ISC_LIST_HEAD(fctx->validators));
goto cleanup_event;
}
@@ -3640,6 +3669,13 @@ cache_name(fetchctx_t *fctx, dns_name_t *name, dns_adbaddrinfo_t *addrinfo,
rdataset,
sigrdataset,
valoptions, task);
+ /*
+ * Defer any further validations.
+ * This prevents multiple validators
+ * from manipulating fctx->rmessage
+ * simultaniously.
+ */
+ valoptions |= DNS_VALIDATOR_DEFER;
}
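Review bot: `valoptions |= DNS_VALIDATOR_DEFER` is executed unconditionally right after the valcreate() call, whose result handling is not in the hunk; if a valcreate() failure does not abort the loop, the next rdataset would get a deferred validator while no running validator exists to call dns_validator_send() for it, and the fetch would sit in validators indefinitely. Worth confirming that the failure path returns or leaves the flag clear. The new comment also misspells "simultaneously" (`simultaniously`). cache_name starts and ends outside the hunk.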
} else if (CHAINING(rdataset)) {
if (rdataset->type == dns_rdatatype_cname)
@@ -6371,7 +6407,8 @@ dns_resolver_destroyfetch(dns_fetch_t **fetchp) {
/*
* No one cares about the result of this fetch anymore.
*/
- if (fctx->pending == 0 && ISC_LIST_EMPTY(fctx->validators) &&
+ if (fctx->pending == 0 && fctx->nqueries == 0 &&
+ ISC_LIST_EMPTY(fctx->validators) &&
SHUTTINGDOWN(fctx)) {
/*
* This fctx is already shutdown; we were just
diff --git a/usr.sbin/bind/lib/dns/validator.c b/usr.sbin/bind/lib/dns/validator.c
index d1a8cabfd1f..6eac151df98 100644
--- a/usr.sbin/bind/lib/dns/validator.c
+++ b/usr.sbin/bind/lib/dns/validator.c
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $ISC: validator.c,v 1.91.2.5.8.27 2006/02/26 23:03:52 marka Exp $ */
+/* $ISC: validator.c,v 1.91.2.5.8.27.6.1 2007/01/11 04:51:39 marka Exp $ */
#include <config.h>
@@ -2825,7 +2825,8 @@ dns_validator_create(dns_view_t *view, dns_name_t *name, dns_rdatatype_t type,
ISC_LINK_INIT(val, link);
val->magic = VALIDATOR_MAGIC;
- isc_task_send(task, ISC_EVENT_PTR(&event));
+ if ((options & DNS_VALIDATOR_DEFER) == 0)
+ isc_task_send(task, ISC_EVENT_PTR(&event));
*validatorp = val;
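Review bot: With DNS_VALIDATOR_DEFER the validator now keeps its start event (and, per the new dns_validator_cancel branch, the task reference it carries) until dns_validator_send() or dns_validator_cancel() is called; a deferred validator that gets neither leaks both. That obligation belongs in the function's header comment and next to the option in the public header, e.g. `* DNS_VALIDATOR_DEFER: the validator is created but not started; the caller must later call dns_validator_send() or dns_validator_cancel().`. dns_validator_create starts and ends outside the hunk.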
@@ -2843,6 +2844,21 @@ dns_validator_create(dns_view_t *view, dns_name_t *name, dns_rdatatype_t type,
}
void
+dns_validator_send(dns_validator_t *validator) {
+ isc_event_t *event;
+ REQUIRE(VALID_VALIDATOR(validator));
+
+ LOCK(&validator->lock);
+
+ INSIST((validator->options & DNS_VALIDATOR_DEFER) != 0);
+ event = (isc_event_t *)validator->event;
+ validator->options &= ~DNS_VALIDATOR_DEFER;
+ UNLOCK(&validator->lock);
+
+ isc_task_send(validator->task, ISC_EVENT_PTR(&event));
+}
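Review bot: dns_validator_send is a new public entry point with no header comment; it should state that it starts a validator created with DNS_VALIDATOR_DEFER, may be called at most once (the INSIST fires on a second call or after dns_validator_cancel has cleared the flag), and is the counterpart of the new defer branch in dns_validator_create. It also sends to `validator->task`, whereas the new branch in dns_validator_cancel (the `-2856` hunk) obtains the task from `validator->event->ev_sender`; if these are the same object the two functions should read it the same way, and if they are not, one of them is wrong. Finally, `event` is copied under the lock but `validator->event` is left set, which mirrors the non-deferred path in dns_validator_create; a one-line comment saying so would stop a reader from taking it for a leak.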
+
+void
dns_validator_cancel(dns_validator_t *validator) {
REQUIRE(VALID_VALIDATOR(validator));
@@ -2856,6 +2872,12 @@ dns_validator_cancel(dns_validator_t *validator) {
if (validator->subvalidator != NULL)
dns_validator_cancel(validator->subvalidator);
+ if ((validator->options & DNS_VALIDATOR_DEFER) != 0) {
+ isc_task_t *task = validator->event->ev_sender;
+ validator->options &= ~DNS_VALIDATOR_DEFER;
+ isc_event_free((isc_event_t **)&validator->event);
+ isc_task_detach(&task);
+ }
}
UNLOCK(&validator->lock);
}
diff --git a/usr.sbin/bind/version b/usr.sbin/bind/version
index aed9c590c39..e1f1933f5d3 100644
--- a/usr.sbin/bind/version
+++ b/usr.sbin/bind/version
@@ -1,10 +1,10 @@
-# $ISC: version,v 1.26.2.17.2.26 2006/11/28 00:52:38 marka Exp $
+# $ISC: version,v 1.26.2.17.2.26.4.1 2007/01/11 05:06:25 marka Exp $
#
# This file must follow /bin/sh rules. It is imported directly via
# configure.
#
MAJORVER=9
MINORVER=3
-PATCHVER=3
+PATCHVER=4
RELEASETYPE=
RELEASEVER=