From 3e9b51fc7b2d12c88298f5b777f9075feb52f071 Mon Sep 17 00:00:00 2001 From: Bob Halley Date: Mon, 14 May 2001 18:23:39 +0000 Subject: [PATCH] Replies to the reload command would sometimes contain invalid signatures because the code was incorrectly referencing the secret from memory that the reload frees. The code now makes a copy of the secret used to validate the request, and uses that in the response. --- bin/named/controlconf.c | 16 +++++++++++++--- 1 file changed, 13 insertions(+), 3 deletions(-) diff --git a/bin/named/controlconf.c b/bin/named/controlconf.c index b0fb18b042..fdc762af16 100644 --- a/bin/named/controlconf.c +++ b/bin/named/controlconf.c @@ -15,7 +15,7 @@ * WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: controlconf.c,v 1.7 2001/05/08 04:09:37 bwelling Exp $ */ +/* $Id: controlconf.c,v 1.8 2001/05/14 18:23:39 halley Exp $ */ #include @@ -312,6 +312,12 @@ control_recvmessage(isc_task_t *task, isc_event_t *event) { conn = event->ev_arg; listener = conn->listener; key = ISC_LIST_HEAD(listener->keys); + INSIST(key != NULL); + secret.rstart = isc_mem_get(listener->mctx, key->secret.length); + if (secret.rstart == NULL) + goto cleanup; + memcpy(secret.rstart, key->secret.base, key->secret.length); + secret.rend = secret.rstart + key->secret.length; if (conn->ccmsg.result != ISC_R_SUCCESS) { if (conn->ccmsg.result != ISC_R_CANCELED && @@ -323,8 +329,6 @@ control_recvmessage(isc_task_t *task, isc_event_t *event) { ccregion.rstart = isc_buffer_base(&conn->ccmsg.buffer); ccregion.rend = isc_buffer_used(&conn->ccmsg.buffer); request = NULL; - secret.rstart = key->secret.base; - secret.rend = key->secret.base + key->secret.length; result = isccc_cc_fromwire(&ccregion, &request, &secret); if (result != ISC_R_SUCCESS) { log_invalid(&conn->ccmsg, result); @@ -383,6 +387,9 @@ control_recvmessage(isc_task_t *task, isc_event_t *event) { goto cleanup; conn->sending = ISC_TRUE; + if (secret.rstart != NULL) + isc_mem_put(listener->mctx, secret.rstart, + REGION_SIZE(secret)); if (request != NULL) isccc_sexpr_free(&request); if (response != NULL) @@ -390,6 +397,9 @@ control_recvmessage(isc_task_t *task, isc_event_t *event) { return; cleanup: + if (secret.rstart != NULL) + isc_mem_put(listener->mctx, secret.rstart, + REGION_SIZE(secret)); isc_socket_detach(&conn->sock); isccc_ccmsg_invalidate(&conn->ccmsg); conn->ccmsg_valid = ISC_FALSE;