From a78a9d37a8883288a707a21b381e8a46fbdda556 Mon Sep 17 00:00:00 2001 From: Mark Andrews Date: Tue, 19 Mar 2019 14:14:21 +1100 Subject: [PATCH 1/2] move item_out test inside lock in dns_dispatch_getnext() --- lib/dns/dispatch.c | 12 ++++++++---- 1 file changed, 8 insertions(+), 4 deletions(-) diff --git a/lib/dns/dispatch.c b/lib/dns/dispatch.c index 2b37d29097..a5dd6d75b4 100644 --- a/lib/dns/dispatch.c +++ b/lib/dns/dispatch.c @@ -126,7 +126,7 @@ struct dns_dispentry { isc_task_t *task; isc_taskaction_t action; void *arg; - bool item_out; + bool item_out; dispsocket_t *dispsocket; ISC_LIST(dns_dispatchevent_t) items; ISC_LINK(dns_dispentry_t) link; @@ -3271,13 +3271,14 @@ dns_dispatch_getnext(dns_dispentry_t *resp, dns_dispatchevent_t **sockevent) { disp = resp->disp; REQUIRE(VALID_DISPATCH(disp)); - REQUIRE(resp->item_out == true); - resp->item_out = false; - ev = *sockevent; *sockevent = NULL; LOCK(&disp->lock); + + REQUIRE(resp->item_out == true); + resp->item_out = false; + if (ev->buffer.base != NULL) free_buffer(disp, ev->buffer.base, ev->buffer.length); free_devent(disp, ev); @@ -3422,6 +3423,9 @@ dns_dispatch_removeresponse(dns_dispentry_t **resp, isc_task_send(disp->task[0], &disp->ctlevent); } +/* + * disp must be locked. + */ static void do_cancel(dns_dispatch_t *disp) { dns_dispatchevent_t *ev; From f1b9bd6f079ae30c0cd543dcce00e4dff3352201 Mon Sep 17 00:00:00 2001 From: Evan Hunt Date: Thu, 9 May 2019 10:53:18 -0700 Subject: [PATCH 2/2] CHANGES, release note --- CHANGES | 5 ++++- doc/arm/notes.xml | 10 +++++++++- 2 files changed, 13 insertions(+), 2 deletions(-) diff --git a/CHANGES b/CHANGES index 4b93b761a0..d09f3a9478 100644 --- a/CHANGES +++ b/CHANGES @@ -28,7 +28,10 @@ 5245. [cleanup] Reduce logging level for IXFR up-to-date poll responses. [GL #1009] -5244. [placeholder] +5244. [security] Fixed a race condition in dns_dispatch_getnext() + that could cause an assertion failure if a + significant number of incoming packets were + rejected. (CVE-2019-6471) [GL #942] 5243. [bug] Fix a possible race between dispatcher and socket code in a high-load cold-cache resolver scenario. diff --git a/doc/arm/notes.xml b/doc/arm/notes.xml index 8d09e12986..6d897437ba 100644 --- a/doc/arm/notes.xml +++ b/doc/arm/notes.xml @@ -97,7 +97,15 @@ The TCP client quota set using the tcp-clients option could be exceeded in some cases. This could lead to - exhaustion of file descriptors. (CVE-2018-5743) [GL #615] + exhaustion of file descriptors. This flaw is disclosed in + CVE-2018-5743. [GL #615] + + + + + A race condition could trigger an assertion failure when + a large number of incoming packets were being rejected. + This flaw is disclosed in CVE-2019-6471. [GL #942]