diff options
author | Jakob Schlyter <jakob@cvs.openbsd.org> | 2006-09-05 14:03:27 +0000 |
---|---|---|
committer | Jakob Schlyter <jakob@cvs.openbsd.org> | 2006-09-05 14:03:27 +0000 |
commit | 90ec522ce7f7d756d999f5a47dce83097db01c1e (patch) | |
tree | dcb5db423946833add000eecdca9a28c0a77a3e3 | |
parent | be0c613399e981848fe23e3db2248471840759f8 (diff) |
security update to BIND 9.3.2-P1. ok miod@ and deraadt@
-rw-r--r-- | usr.sbin/bind/CHANGES | 7 | ||||
-rw-r--r-- | usr.sbin/bind/bin/named/query.c | 4 | ||||
-rw-r--r-- | usr.sbin/bind/lib/dns/resolver.c | 49 | ||||
-rw-r--r-- | usr.sbin/bind/version | 6 |
4 files changed, 40 insertions, 26 deletions
diff --git a/usr.sbin/bind/CHANGES b/usr.sbin/bind/CHANGES index 941b946db36..0cfafd20aba 100644 --- a/usr.sbin/bind/CHANGES +++ b/usr.sbin/bind/CHANGES @@ -1,4 +1,11 @@ + --- 9.3.2-P1 released --- + +2066. [security] Handle SIG queries gracefully. [RT #16300] + +1941. [bug] ncache_adderesult() should set eresult even if no + rdataset is passed to it. [RT #15642] + --- 9.3.2 released --- --- 9.3.2rc1 released --- diff --git a/usr.sbin/bind/bin/named/query.c b/usr.sbin/bind/bin/named/query.c index 4f805516aad..7a509b5df44 100644 --- a/usr.sbin/bind/bin/named/query.c +++ b/usr.sbin/bind/bin/named/query.c @@ -2393,7 +2393,7 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype) is_zone = ISC_FALSE; qtype = event->qtype; - if (qtype == dns_rdatatype_rrsig) + if (qtype == dns_rdatatype_rrsig || qtype == dns_rdatatype_sig) type = dns_rdatatype_any; else type = qtype; @@ -2434,7 +2434,7 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype) /* * If it's a SIG query, we'll iterate the node. */ - if (qtype == dns_rdatatype_rrsig) + if (qtype == dns_rdatatype_rrsig || qtype == dns_rdatatype_sig) type = dns_rdatatype_any; else type = qtype; diff --git a/usr.sbin/bind/lib/dns/resolver.c b/usr.sbin/bind/lib/dns/resolver.c index 5c963917d24..f2dcb72b20a 100644 --- a/usr.sbin/bind/lib/dns/resolver.c +++ b/usr.sbin/bind/lib/dns/resolver.c @@ -762,7 +762,8 @@ fctx_sendevents(fetchctx_t *fctx, isc_result_t result) { INSIST(result != ISC_R_SUCCESS || dns_rdataset_isassociated(event->rdataset) || fctx->type == dns_rdatatype_any || - fctx->type == dns_rdatatype_rrsig); + fctx->type == dns_rdatatype_rrsig || + fctx->type == dns_rdatatype_sig); isc_task_sendanddetach(&task, ISC_EVENT_PTR(&event)); } @@ -3188,7 +3189,8 @@ validated(isc_task_t *task, isc_event_t *event) { if (hevent != NULL) { if (!negative && !chaining && (fctx->type == dns_rdatatype_any || - fctx->type == dns_rdatatype_rrsig)) { + fctx->type == dns_rdatatype_rrsig || + fctx->type == dns_rdatatype_sig)) { /* * Don't bind rdatasets; the caller * will iterate the node. @@ -3306,7 +3308,8 @@ validated(isc_task_t *task, isc_event_t *event) { if (!ISC_LIST_EMPTY(fctx->validators)) { INSIST(!negative); INSIST(fctx->type == dns_rdatatype_any || - fctx->type == dns_rdatatype_rrsig); + fctx->type == dns_rdatatype_rrsig || + fctx->type == dns_rdatatype_sig); /* * Don't send a response yet - we have * more rdatasets that still need to @@ -3455,14 +3458,15 @@ cache_name(fetchctx_t *fctx, dns_name_t *name, dns_adbaddrinfo_t *addrinfo, return (result); anodep = &event->node; /* - * If this is an ANY or SIG query, we're not going - * to return any rdatasets, unless we encountered + * If this is an ANY, SIG or RRSIG query, we're not + * going to return any rdatasets, unless we encountered * a CNAME or DNAME as "the answer". In this case, * we're going to return DNS_R_CNAME or DNS_R_DNAME * and we must set up the rdatasets. */ if ((fctx->type != dns_rdatatype_any && - fctx->type != dns_rdatatype_rrsig) || + fctx->type != dns_rdatatype_rrsig && + fctx->type != dns_rdatatype_sig) || (name->attributes & DNS_NAMEATTR_CHAINING) != 0) { ardataset = event->rdataset; asigrdataset = event->sigrdataset; @@ -3521,7 +3525,7 @@ cache_name(fetchctx_t *fctx, dns_name_t *name, dns_adbaddrinfo_t *addrinfo, */ if (secure_domain && rdataset->trust != dns_trust_glue) { /* - * SIGs are validated as part of validating the + * RRSIGs are validated as part of validating the * type they cover. */ if (rdataset->type == dns_rdatatype_rrsig) @@ -3591,7 +3595,8 @@ cache_name(fetchctx_t *fctx, dns_name_t *name, dns_adbaddrinfo_t *addrinfo, if (ANSWER(rdataset) && need_validation) { if (fctx->type != dns_rdatatype_any && - fctx->type != dns_rdatatype_rrsig) { + fctx->type != dns_rdatatype_rrsig && + fctx->type != dns_rdatatype_sig) { /* * This is The Answer. We will * validate it, but first we cache @@ -3763,23 +3768,28 @@ ncache_adderesult(dns_message_t *message, dns_db_t *cache, dns_dbnode_t *node, isc_result_t *eresultp) { isc_result_t result; + dns_rdataset_t rdataset; + + if (ardataset == NULL) { + dns_rdataset_init(&rdataset); + ardataset = &rdataset; + } result = dns_ncache_add(message, cache, node, covers, now, maxttl, ardataset); - if (result == DNS_R_UNCHANGED) { + if (result == DNS_R_UNCHANGED || result == ISC_R_SUCCESS) { /* - * The data in the cache are better than the negative cache - * entry we're trying to add. + * If the cache now contains a negative entry and we + * care about whether it is DNS_R_NCACHENXDOMAIN or + * DNS_R_NCACHENXRRSET then extract it. */ - if (ardataset != NULL && ardataset->type == 0) { + if (ardataset->type == 0) { /* - * The cache data is also a negative cache - * entry. + * The cache data is a negative cache entry. */ if (NXDOMAIN(ardataset)) *eresultp = DNS_R_NCACHENXDOMAIN; else *eresultp = DNS_R_NCACHENXRRSET; - result = ISC_R_SUCCESS; } else { /* * Either we don't care about the nature of the @@ -3791,14 +3801,11 @@ ncache_adderesult(dns_message_t *message, dns_db_t *cache, dns_dbnode_t *node, * XXXRTH There's a CNAME/DNAME problem here. */ *eresultp = ISC_R_SUCCESS; - result = ISC_R_SUCCESS; } - } else if (result == ISC_R_SUCCESS) { - if (NXDOMAIN(ardataset)) - *eresultp = DNS_R_NCACHENXDOMAIN; - else - *eresultp = DNS_R_NCACHENXRRSET; + result = ISC_R_SUCCESS; } + if (ardataset == &rdataset && dns_rdataset_isassociated(ardataset)) + dns_rdataset_disassociate(ardataset); return (result); } diff --git a/usr.sbin/bind/version b/usr.sbin/bind/version index 8ff6a2fc26a..73817f1f28a 100644 --- a/usr.sbin/bind/version +++ b/usr.sbin/bind/version @@ -1,4 +1,4 @@ -# $ISC: version,v 1.26.2.17.2.21 2005/12/14 00:43:14 marka Exp $ +# $Id: version,v 1.8 2006/09/05 14:03:26 jakob Exp $ # # This file must follow /bin/sh rules. It is imported directly via # configure. @@ -6,5 +6,5 @@ MAJORVER=9 MINORVER=3 PATCHVER=2 -RELEASETYPE= -RELEASEVER= +RELEASETYPE=-P +RELEASEVER=1 |