mir/bind
2
0
Fork 0
mirror of https://gitlab.isc.org/isc-projects/bind9 synced 2025-08-30 14:07:59 +00:00
Code Issues Releases Wiki Activity

Merge branch '942-security-move-test-inside-lock' into security-master

Browse Source
This commit is contained in:
Evan Hunt
2019-05-28 22:14:11 -07:00
parent 95ecdcd762 f1b9bd6f07
commit 7dfef18b05
3 changed files with 21 additions and 6 deletions
Download Patch File Download Diff File Expand all files Collapse all files

5
CHANGES
View File

@@ -28,7 +28,10 @@
5245. [cleanup] Reduce logging level for IXFR up-to-date poll 5245. [cleanup] Reduce logging level for IXFR up-to-date poll
responses. [GL #1009] responses. [GL #1009]
5244. [placeholder] 5244. [security] Fixed a race condition in dns_dispatch_getnext()
that could cause an assertion failure if a
significant number of incoming packets were
rejected. (CVE-2019-6471) [GL #942]
5243. [bug] Fix a possible race between dispatcher and socket 5243. [bug] Fix a possible race between dispatcher and socket
code in a high-load cold-cache resolver scenario. code in a high-load cold-cache resolver scenario.

10
doc/arm/notes.xml
View File

@@ -97,7 +97,15 @@
<para> <para>
The TCP client quota set using the <command>tcp-clients</command> The TCP client quota set using the <command>tcp-clients</command>
option could be exceeded in some cases. This could lead to option could be exceeded in some cases. This could lead to
exhaustion of file descriptors. (CVE-2018-5743) [GL #615] exhaustion of file descriptors. This flaw is disclosed in
CVE-2018-5743. [GL #615]
</para>
</listitem>
<listitem>
<para>
A race condition could trigger an assertion failure when
a large number of incoming packets were being rejected.
This flaw is disclosed in CVE-2019-6471. [GL #942]
</para> </para>
</listitem> </listitem>
</itemizedlist> </itemizedlist>

12
lib/dns/dispatch.c
View File

@@ -126,7 +126,7 @@ struct dns_dispentry {
isc_task_t *task; isc_task_t *task;
isc_taskaction_t action; isc_taskaction_t action;
void *arg; void *arg;
bool item_out; bool item_out;
dispsocket_t *dispsocket; dispsocket_t *dispsocket;
ISC_LIST(dns_dispatchevent_t) items; ISC_LIST(dns_dispatchevent_t) items;
ISC_LINK(dns_dispentry_t) link; ISC_LINK(dns_dispentry_t) link;
@@ -3271,13 +3271,14 @@ dns_dispatch_getnext(dns_dispentry_t *resp, dns_dispatchevent_t **sockevent) {
disp = resp->disp; disp = resp->disp;
REQUIRE(VALID_DISPATCH(disp)); REQUIRE(VALID_DISPATCH(disp));
REQUIRE(resp->item_out == true);
resp->item_out = false;
ev = *sockevent; ev = *sockevent;
*sockevent = NULL; *sockevent = NULL;
LOCK(&disp->lock); LOCK(&disp->lock);
REQUIRE(resp->item_out == true);
resp->item_out = false;
if (ev->buffer.base != NULL) if (ev->buffer.base != NULL)
free_buffer(disp, ev->buffer.base, ev->buffer.length); free_buffer(disp, ev->buffer.base, ev->buffer.length);
free_devent(disp, ev); free_devent(disp, ev);
@@ -3422,6 +3423,9 @@ dns_dispatch_removeresponse(dns_dispentry_t **resp,
isc_task_send(disp->task[0], &disp->ctlevent); isc_task_send(disp->task[0], &disp->ctlevent);
} }
/*
* disp must be locked.
*/
static void static void
do_cancel(dns_dispatch_t *disp) { do_cancel(dns_dispatch_t *disp) {
dns_dispatchevent_t *ev; dns_dispatchevent_t *ev;