|
 |
e55890 |
From 66c074b707318005d50f14910678ba451877a7a6 Mon Sep 17 00:00:00 2001
|
|
|
e55890 |
From: Petr Mensik <pemensik@redhat.com>
|
|
|
e55890 |
Date: Wed, 19 Jun 2019 12:28:08 +0200
|
|
|
e55890 |
Subject: [PATCH] Fix CVE-2019-6471
|
|
|
e55890 |
|
|
|
e55890 |
5244. [security] Fixed a race condition in dns_dispatch_getnext()
|
|
|
e55890 |
that could cause an assertion failure if a
|
|
|
e55890 |
significant number of incoming packets were
|
|
|
e55890 |
rejected. (CVE-2019-6471) [GL #942]
|
|
|
e55890 |
---
|
|
|
e55890 |
lib/dns/dispatch.c | 10 +++++++---
|
|
|
e55890 |
1 file changed, 7 insertions(+), 3 deletions(-)
|
|
|
e55890 |
|
|
|
e55890 |
diff --git a/lib/dns/dispatch.c b/lib/dns/dispatch.c
|
|
|
e55890 |
index 321459ebcb..ae5c9c0fc7 100644
|
|
|
e55890 |
--- a/lib/dns/dispatch.c
|
|
|
e55890 |
+++ b/lib/dns/dispatch.c
|
|
|
e55890 |
@@ -3419,13 +3419,14 @@ dns_dispatch_getnext(dns_dispentry_t *resp, dns_dispatchevent_t **sockevent) {
|
|
|
e55890 |
disp = resp->disp;
|
|
|
e55890 |
REQUIRE(VALID_DISPATCH(disp));
|
|
|
e55890 |
|
|
|
e55890 |
- REQUIRE(resp->item_out == ISC_TRUE);
|
|
|
e55890 |
- resp->item_out = ISC_FALSE;
|
|
|
e55890 |
-
|
|
|
e55890 |
ev = *sockevent;
|
|
|
e55890 |
*sockevent = NULL;
|
|
|
e55890 |
|
|
|
e55890 |
LOCK(&disp->lock);
|
|
|
e55890 |
+
|
|
|
e55890 |
+ REQUIRE(resp->item_out == ISC_TRUE);
|
|
|
e55890 |
+ resp->item_out = ISC_FALSE;
|
|
|
e55890 |
+
|
|
|
e55890 |
if (ev->buffer.base != NULL)
|
|
|
e55890 |
free_buffer(disp, ev->buffer.base, ev->buffer.length);
|
|
|
e55890 |
free_devent(disp, ev);
|
|
|
e55890 |
@@ -3570,6 +3571,9 @@ dns_dispatch_removeresponse(dns_dispentry_t **resp,
|
|
|
e55890 |
isc_task_send(disp->task[0], &disp->ctlevent);
|
|
|
e55890 |
}
|
|
|
e55890 |
|
|
|
e55890 |
+/*
|
|
|
e55890 |
+ * disp must be locked.
|
|
|
e55890 |
+ */
|
|
|
e55890 |
static void
|
|
|
e55890 |
do_cancel(dns_dispatch_t *disp) {
|
|
|
e55890 |
dns_dispatchevent_t *ev;
|
|
|
e55890 |
--
|
|
|
e55890 |
2.20.1
|
|
|
e55890 |
|