svn commit: r246989 - in releng: 7.4 7.4/lib/libc/gen 7.4/sys/conf 8.3 8.3/lib/libc/gen 8.3/sys/conf 9.0 9.0/contrib/bind9/bin/named 9.0/lib/libc/gen 9.0/sys/conf 9.1 9.1/contrib/bind9/bin/named 9....
Bjoern A. Zeeb
bz at FreeBSD.org
Tue Feb 19 13:27:23 UTC 2013
Author: bz
Date: Tue Feb 19 13:27:20 2013
New Revision: 246989
URL: http://svnweb.freebsd.org/changeset/base/246989
Log:
Fix Denial of Service vulnerability in named(8) with DNS64. [13:01]
Fix Denial of Service vulnerability in libc's glob(3) functionality.
[13:02]
Security: CVE-2012-5688
Security: FreeBSD-SA-13:01.bind
Security: CVE-2010-2632
Security: FreeBSD-SA-13:02.libc
Approved by: so (simon, bz)
Modified:
releng/7.4/UPDATING
releng/7.4/lib/libc/gen/glob.c
releng/7.4/sys/conf/newvers.sh
releng/8.3/UPDATING
releng/8.3/lib/libc/gen/glob.c
releng/8.3/sys/conf/newvers.sh
releng/9.0/UPDATING
releng/9.0/contrib/bind9/bin/named/query.c
releng/9.0/lib/libc/gen/glob.c
releng/9.0/sys/conf/newvers.sh
releng/9.1/UPDATING
releng/9.1/contrib/bind9/bin/named/query.c
releng/9.1/lib/libc/gen/glob.c
releng/9.1/sys/conf/newvers.sh
Modified: releng/7.4/UPDATING
==============================================================================
--- releng/7.4/UPDATING Tue Feb 19 13:17:16 2013 (r246988)
+++ releng/7.4/UPDATING Tue Feb 19 13:27:20 2013 (r246989)
@@ -8,6 +8,9 @@ Items affecting the ports and packages s
/usr/ports/UPDATING. Please read that file before running
portupgrade.
+20130218: p12 FreeBSD-SA-13:02.libc
+ Fix Denial of Service vulnerability in libc's glob(3) functionality.
+
20121122: p11 FreeBSD-SA-12:06.bind FreeBSD-SA-12:08.linux
Fix multiple Denial of Service vulnerabilities with named(8).
Modified: releng/7.4/lib/libc/gen/glob.c
==============================================================================
--- releng/7.4/lib/libc/gen/glob.c Tue Feb 19 13:17:16 2013 (r246988)
+++ releng/7.4/lib/libc/gen/glob.c Tue Feb 19 13:27:20 2013 (r246989)
@@ -89,6 +89,25 @@ __FBSDID("$FreeBSD$");
#include "collate.h"
+/*
+ * glob(3) expansion limits. Stop the expansion if any of these limits
+ * is reached. This caps the runtime in the face of DoS attacks. See
+ * also CVE-2010-2632
+ */
+#define GLOB_LIMIT_BRACE 128 /* number of brace calls */
+#define GLOB_LIMIT_PATH 65536 /* number of path elements */
+#define GLOB_LIMIT_READDIR 16384 /* number of readdirs */
+#define GLOB_LIMIT_STAT 1024 /* number of stat system calls */
+#define GLOB_LIMIT_STRING ARG_MAX /* maximum total size for paths */
+
+struct glob_limit {
+ size_t l_brace_cnt;
+ size_t l_path_lim;
+ size_t l_readdir_cnt;
+ size_t l_stat_cnt;
+ size_t l_string_cnt;
+};
+
#define DOLLAR '$'
#define DOT '.'
#define EOS '\0'
@@ -148,15 +167,18 @@ static Char *g_strchr(Char *, wchar_t);
static Char *g_strcat(Char *, const Char *);
#endif
static int g_stat(Char *, struct stat *, glob_t *);
-static int glob0(const Char *, glob_t *, size_t *);
-static int glob1(Char *, glob_t *, size_t *);
-static int glob2(Char *, Char *, Char *, Char *, glob_t *, size_t *);
-static int glob3(Char *, Char *, Char *, Char *, Char *, glob_t *, size_t *);
-static int globextend(const Char *, glob_t *, size_t *);
-static const Char *
+static int glob0(const Char *, glob_t *, struct glob_limit *);
+static int glob1(Char *, glob_t *, struct glob_limit *);
+static int glob2(Char *, Char *, Char *, Char *, glob_t *,
+ struct glob_limit *);
+static int glob3(Char *, Char *, Char *, Char *, Char *, glob_t *,
+ struct glob_limit *);
+static int globextend(const Char *, glob_t *, struct glob_limit *);
+static const Char *
globtilde(const Char *, Char *, size_t, glob_t *);
-static int globexp1(const Char *, glob_t *, size_t *);
-static int globexp2(const Char *, const Char *, glob_t *, int *, size_t *);
+static int globexp1(const Char *, glob_t *, struct glob_limit *);
+static int globexp2(const Char *, const Char *, glob_t *, int *,
+ struct glob_limit *);
static int match(Char *, Char *, Char *);
#ifdef DEBUG
static void qprintf(const char *, Char *);
@@ -165,8 +187,8 @@ static void qprintf(const char *, Char
int
glob(const char *pattern, int flags, int (*errfunc)(const char *, int), glob_t *pglob)
{
+ struct glob_limit limit = { 0, 0, 0, 0, 0 };
const char *patnext;
- size_t limit;
Char *bufnext, *bufend, patbuf[MAXPATHLEN], prot;
mbstate_t mbs;
wchar_t wc;
@@ -180,11 +202,10 @@ glob(const char *pattern, int flags, int
pglob->gl_offs = 0;
}
if (flags & GLOB_LIMIT) {
- limit = pglob->gl_matchc;
- if (limit == 0)
- limit = ARG_MAX;
- } else
- limit = 0;
+ limit.l_path_lim = pglob->gl_matchc;
+ if (limit.l_path_lim == 0)
+ limit.l_path_lim = GLOB_LIMIT_PATH;
+ }
pglob->gl_flags = flags & ~GLOB_MAGCHAR;
pglob->gl_errfunc = errfunc;
pglob->gl_matchc = 0;
@@ -237,11 +258,17 @@ glob(const char *pattern, int flags, int
* characters
*/
static int
-globexp1(const Char *pattern, glob_t *pglob, size_t *limit)
+globexp1(const Char *pattern, glob_t *pglob, struct glob_limit *limit)
{
const Char* ptr = pattern;
int rv;
+ if ((pglob->gl_flags & GLOB_LIMIT) &&
+ limit->l_brace_cnt++ >= GLOB_LIMIT_BRACE) {
+ errno = 0;
+ return (GLOB_NOSPACE);
+ }
+
/* Protect a single {}, for find(1), like csh */
if (pattern[0] == LBRACE && pattern[1] == RBRACE && pattern[2] == EOS)
return glob0(pattern, pglob, limit);
@@ -260,7 +287,8 @@ globexp1(const Char *pattern, glob_t *pg
* If it fails then it tries to glob the rest of the pattern and returns.
*/
static int
-globexp2(const Char *ptr, const Char *pattern, glob_t *pglob, int *rv, size_t *limit)
+globexp2(const Char *ptr, const Char *pattern, glob_t *pglob, int *rv,
+ struct glob_limit *limit)
{
int i;
Char *lm, *ls;
@@ -430,7 +458,7 @@ globtilde(const Char *pattern, Char *pat
* if things went well, nonzero if errors occurred.
*/
static int
-glob0(const Char *pattern, glob_t *pglob, size_t *limit)
+glob0(const Char *pattern, glob_t *pglob, struct glob_limit *limit)
{
const Char *qpatnext;
int err;
@@ -523,7 +551,7 @@ compare(const void *p, const void *q)
}
static int
-glob1(Char *pattern, glob_t *pglob, size_t *limit)
+glob1(Char *pattern, glob_t *pglob, struct glob_limit *limit)
{
Char pathbuf[MAXPATHLEN];
@@ -541,7 +569,7 @@ glob1(Char *pattern, glob_t *pglob, size
*/
static int
glob2(Char *pathbuf, Char *pathend, Char *pathend_last, Char *pattern,
- glob_t *pglob, size_t *limit)
+ glob_t *pglob, struct glob_limit *limit)
{
struct stat sb;
Char *p, *q;
@@ -557,6 +585,15 @@ glob2(Char *pathbuf, Char *pathend, Char
if (g_lstat(pathbuf, &sb, pglob))
return(0);
+ if ((pglob->gl_flags & GLOB_LIMIT) &&
+ limit->l_stat_cnt++ >= GLOB_LIMIT_STAT) {
+ errno = 0;
+ if (pathend + 1 > pathend_last)
+ return (GLOB_ABORTED);
+ *pathend++ = SEP;
+ *pathend = EOS;
+ return (GLOB_NOSPACE);
+ }
if (((pglob->gl_flags & GLOB_MARK) &&
pathend[-1] != SEP) && (S_ISDIR(sb.st_mode)
|| (S_ISLNK(sb.st_mode) &&
@@ -600,7 +637,7 @@ glob2(Char *pathbuf, Char *pathend, Char
static int
glob3(Char *pathbuf, Char *pathend, Char *pathend_last,
Char *pattern, Char *restpattern,
- glob_t *pglob, size_t *limit)
+ glob_t *pglob, struct glob_limit *limit)
{
struct dirent *dp;
DIR *dirp;
@@ -646,6 +683,19 @@ glob3(Char *pathbuf, Char *pathend, Char
size_t clen;
mbstate_t mbs;
+ if ((pglob->gl_flags & GLOB_LIMIT) &&
+ limit->l_readdir_cnt++ >= GLOB_LIMIT_READDIR) {
+ errno = 0;
+ if (pathend + 1 > pathend_last)
+ err = GLOB_ABORTED;
+ else {
+ *pathend++ = SEP;
+ *pathend = EOS;
+ err = GLOB_NOSPACE;
+ }
+ break;
+ }
+
/* Initial DOT must be matched literally. */
if (dp->d_name[0] == DOT && *pattern != DOT)
continue;
@@ -696,14 +746,15 @@ glob3(Char *pathbuf, Char *pathend, Char
* gl_pathv points to (gl_offs + gl_pathc + 1) items.
*/
static int
-globextend(const Char *path, glob_t *pglob, size_t *limit)
+globextend(const Char *path, glob_t *pglob, struct glob_limit *limit)
{
char **pathv;
size_t i, newsize, len;
char *copy;
const Char *p;
- if (*limit && pglob->gl_pathc > *limit) {
+ if ((pglob->gl_flags & GLOB_LIMIT) &&
+ pglob->gl_matchc > limit->l_path_lim) {
errno = 0;
return (GLOB_NOSPACE);
}
@@ -731,6 +782,12 @@ globextend(const Char *path, glob_t *pgl
for (p = path; *p++;)
continue;
len = MB_CUR_MAX * (size_t)(p - path); /* XXX overallocation */
+ limit->l_string_cnt += len;
+ if ((pglob->gl_flags & GLOB_LIMIT) &&
+ limit->l_string_cnt >= GLOB_LIMIT_STRING) {
+ errno = 0;
+ return (GLOB_NOSPACE);
+ }
if ((copy = malloc(len)) != NULL) {
if (g_Ctoc(path, copy, len)) {
free(copy);
Modified: releng/7.4/sys/conf/newvers.sh
==============================================================================
--- releng/7.4/sys/conf/newvers.sh Tue Feb 19 13:17:16 2013 (r246988)
+++ releng/7.4/sys/conf/newvers.sh Tue Feb 19 13:27:20 2013 (r246989)
@@ -32,7 +32,7 @@
TYPE="FreeBSD"
REVISION="7.4"
-BRANCH="RELEASE-p11"
+BRANCH="RELEASE-p12"
if [ "X${BRANCH_OVERRIDE}" != "X" ]; then
BRANCH=${BRANCH_OVERRIDE}
fi
Modified: releng/8.3/UPDATING
==============================================================================
--- releng/8.3/UPDATING Tue Feb 19 13:17:16 2013 (r246988)
+++ releng/8.3/UPDATING Tue Feb 19 13:27:20 2013 (r246989)
@@ -15,6 +15,9 @@ NOTE TO PEOPLE WHO THINK THAT FreeBSD 8.
debugging tools present in HEAD were left in place because
sun4v support still needs work to become production ready.
+20130218: p6 FreeBSD-SA-13:02.libc
+ Fix Denial of Service vulnerability in libc's glob(3) functionality.
+
20121122: p5 FreeBSD-SA-12:06.bind FreeBSD-SA-12:07.hostapd
FreeBSD-SA-12:08.linux
Fix multiple Denial of Service vulnerabilities with named(8).
Modified: releng/8.3/lib/libc/gen/glob.c
==============================================================================
--- releng/8.3/lib/libc/gen/glob.c Tue Feb 19 13:17:16 2013 (r246988)
+++ releng/8.3/lib/libc/gen/glob.c Tue Feb 19 13:27:20 2013 (r246989)
@@ -89,6 +89,25 @@ __FBSDID("$FreeBSD$");
#include "collate.h"
+/*
+ * glob(3) expansion limits. Stop the expansion if any of these limits
+ * is reached. This caps the runtime in the face of DoS attacks. See
+ * also CVE-2010-2632
+ */
+#define GLOB_LIMIT_BRACE 128 /* number of brace calls */
+#define GLOB_LIMIT_PATH 65536 /* number of path elements */
+#define GLOB_LIMIT_READDIR 16384 /* number of readdirs */
+#define GLOB_LIMIT_STAT 1024 /* number of stat system calls */
+#define GLOB_LIMIT_STRING ARG_MAX /* maximum total size for paths */
+
+struct glob_limit {
+ size_t l_brace_cnt;
+ size_t l_path_lim;
+ size_t l_readdir_cnt;
+ size_t l_stat_cnt;
+ size_t l_string_cnt;
+};
+
#define DOLLAR '$'
#define DOT '.'
#define EOS '\0'
@@ -148,15 +167,18 @@ static const Char *g_strchr(const Char *
static Char *g_strcat(Char *, const Char *);
#endif
static int g_stat(Char *, struct stat *, glob_t *);
-static int glob0(const Char *, glob_t *, size_t *);
-static int glob1(Char *, glob_t *, size_t *);
-static int glob2(Char *, Char *, Char *, Char *, glob_t *, size_t *);
-static int glob3(Char *, Char *, Char *, Char *, Char *, glob_t *, size_t *);
-static int globextend(const Char *, glob_t *, size_t *);
-static const Char *
+static int glob0(const Char *, glob_t *, struct glob_limit *);
+static int glob1(Char *, glob_t *, struct glob_limit *);
+static int glob2(Char *, Char *, Char *, Char *, glob_t *,
+ struct glob_limit *);
+static int glob3(Char *, Char *, Char *, Char *, Char *, glob_t *,
+ struct glob_limit *);
+static int globextend(const Char *, glob_t *, struct glob_limit *);
+static const Char *
globtilde(const Char *, Char *, size_t, glob_t *);
-static int globexp1(const Char *, glob_t *, size_t *);
-static int globexp2(const Char *, const Char *, glob_t *, int *, size_t *);
+static int globexp1(const Char *, glob_t *, struct glob_limit *);
+static int globexp2(const Char *, const Char *, glob_t *, int *,
+ struct glob_limit *);
static int match(Char *, Char *, Char *);
#ifdef DEBUG
static void qprintf(const char *, Char *);
@@ -166,8 +188,8 @@ int
glob(const char * __restrict pattern, int flags,
int (*errfunc)(const char *, int), glob_t * __restrict pglob)
{
+ struct glob_limit limit = { 0, 0, 0, 0, 0 };
const char *patnext;
- size_t limit;
Char *bufnext, *bufend, patbuf[MAXPATHLEN], prot;
mbstate_t mbs;
wchar_t wc;
@@ -181,11 +203,10 @@ glob(const char * __restrict pattern, in
pglob->gl_offs = 0;
}
if (flags & GLOB_LIMIT) {
- limit = pglob->gl_matchc;
- if (limit == 0)
- limit = ARG_MAX;
- } else
- limit = 0;
+ limit.l_path_lim = pglob->gl_matchc;
+ if (limit.l_path_lim == 0)
+ limit.l_path_lim = GLOB_LIMIT_PATH;
+ }
pglob->gl_flags = flags & ~GLOB_MAGCHAR;
pglob->gl_errfunc = errfunc;
pglob->gl_matchc = 0;
@@ -238,11 +259,17 @@ glob(const char * __restrict pattern, in
* characters
*/
static int
-globexp1(const Char *pattern, glob_t *pglob, size_t *limit)
+globexp1(const Char *pattern, glob_t *pglob, struct glob_limit *limit)
{
const Char* ptr = pattern;
int rv;
+ if ((pglob->gl_flags & GLOB_LIMIT) &&
+ limit->l_brace_cnt++ >= GLOB_LIMIT_BRACE) {
+ errno = 0;
+ return (GLOB_NOSPACE);
+ }
+
/* Protect a single {}, for find(1), like csh */
if (pattern[0] == LBRACE && pattern[1] == RBRACE && pattern[2] == EOS)
return glob0(pattern, pglob, limit);
@@ -261,7 +288,8 @@ globexp1(const Char *pattern, glob_t *pg
* If it fails then it tries to glob the rest of the pattern and returns.
*/
static int
-globexp2(const Char *ptr, const Char *pattern, glob_t *pglob, int *rv, size_t *limit)
+globexp2(const Char *ptr, const Char *pattern, glob_t *pglob, int *rv,
+ struct glob_limit *limit)
{
int i;
Char *lm, *ls;
@@ -431,7 +459,7 @@ globtilde(const Char *pattern, Char *pat
* if things went well, nonzero if errors occurred.
*/
static int
-glob0(const Char *pattern, glob_t *pglob, size_t *limit)
+glob0(const Char *pattern, glob_t *pglob, struct glob_limit *limit)
{
const Char *qpatnext;
int err;
@@ -524,7 +552,7 @@ compare(const void *p, const void *q)
}
static int
-glob1(Char *pattern, glob_t *pglob, size_t *limit)
+glob1(Char *pattern, glob_t *pglob, struct glob_limit *limit)
{
Char pathbuf[MAXPATHLEN];
@@ -542,7 +570,7 @@ glob1(Char *pattern, glob_t *pglob, size
*/
static int
glob2(Char *pathbuf, Char *pathend, Char *pathend_last, Char *pattern,
- glob_t *pglob, size_t *limit)
+ glob_t *pglob, struct glob_limit *limit)
{
struct stat sb;
Char *p, *q;
@@ -558,6 +586,15 @@ glob2(Char *pathbuf, Char *pathend, Char
if (g_lstat(pathbuf, &sb, pglob))
return(0);
+ if ((pglob->gl_flags & GLOB_LIMIT) &&
+ limit->l_stat_cnt++ >= GLOB_LIMIT_STAT) {
+ errno = 0;
+ if (pathend + 1 > pathend_last)
+ return (GLOB_ABORTED);
+ *pathend++ = SEP;
+ *pathend = EOS;
+ return (GLOB_NOSPACE);
+ }
if (((pglob->gl_flags & GLOB_MARK) &&
pathend[-1] != SEP) && (S_ISDIR(sb.st_mode)
|| (S_ISLNK(sb.st_mode) &&
@@ -601,7 +638,7 @@ glob2(Char *pathbuf, Char *pathend, Char
static int
glob3(Char *pathbuf, Char *pathend, Char *pathend_last,
Char *pattern, Char *restpattern,
- glob_t *pglob, size_t *limit)
+ glob_t *pglob, struct glob_limit *limit)
{
struct dirent *dp;
DIR *dirp;
@@ -647,6 +684,19 @@ glob3(Char *pathbuf, Char *pathend, Char
size_t clen;
mbstate_t mbs;
+ if ((pglob->gl_flags & GLOB_LIMIT) &&
+ limit->l_readdir_cnt++ >= GLOB_LIMIT_READDIR) {
+ errno = 0;
+ if (pathend + 1 > pathend_last)
+ err = GLOB_ABORTED;
+ else {
+ *pathend++ = SEP;
+ *pathend = EOS;
+ err = GLOB_NOSPACE;
+ }
+ break;
+ }
+
/* Initial DOT must be matched literally. */
if (dp->d_name[0] == DOT && *pattern != DOT)
continue;
@@ -697,14 +747,15 @@ glob3(Char *pathbuf, Char *pathend, Char
* gl_pathv points to (gl_offs + gl_pathc + 1) items.
*/
static int
-globextend(const Char *path, glob_t *pglob, size_t *limit)
+globextend(const Char *path, glob_t *pglob, struct glob_limit *limit)
{
char **pathv;
size_t i, newsize, len;
char *copy;
const Char *p;
- if (*limit && pglob->gl_pathc > *limit) {
+ if ((pglob->gl_flags & GLOB_LIMIT) &&
+ pglob->gl_matchc > limit->l_path_lim) {
errno = 0;
return (GLOB_NOSPACE);
}
@@ -732,6 +783,12 @@ globextend(const Char *path, glob_t *pgl
for (p = path; *p++;)
continue;
len = MB_CUR_MAX * (size_t)(p - path); /* XXX overallocation */
+ limit->l_string_cnt += len;
+ if ((pglob->gl_flags & GLOB_LIMIT) &&
+ limit->l_string_cnt >= GLOB_LIMIT_STRING) {
+ errno = 0;
+ return (GLOB_NOSPACE);
+ }
if ((copy = malloc(len)) != NULL) {
if (g_Ctoc(path, copy, len)) {
free(copy);
Modified: releng/8.3/sys/conf/newvers.sh
==============================================================================
--- releng/8.3/sys/conf/newvers.sh Tue Feb 19 13:17:16 2013 (r246988)
+++ releng/8.3/sys/conf/newvers.sh Tue Feb 19 13:27:20 2013 (r246989)
@@ -32,7 +32,7 @@
TYPE="FreeBSD"
REVISION="8.3"
-BRANCH="RELEASE-p5"
+BRANCH="RELEASE-p6"
if [ "X${BRANCH_OVERRIDE}" != "X" ]; then
BRANCH=${BRANCH_OVERRIDE}
fi
Modified: releng/9.0/UPDATING
==============================================================================
--- releng/9.0/UPDATING Tue Feb 19 13:17:16 2013 (r246988)
+++ releng/9.0/UPDATING Tue Feb 19 13:27:20 2013 (r246989)
@@ -9,6 +9,11 @@ handbook.
Items affecting the ports and packages system can be found in
/usr/ports/UPDATING. Please read that file before running portupgrade.
+20130218: p6 FreeBSD-SA-13:01.bind FreeBSD-SA-13:02.libc
+ Fix Denial of Service vulnerability in named(8) with DNS64.
+
+ Fix Denial of Service vulnerability in libc's glob(3) functionality.
+
20121122: p5 FreeBSD-SA-12:06.bind FreeBSD-SA-12:07.hostapd
FreeBSD-SA-12:08.linux
Fix multiple Denial of Service vulnerabilities with named(8).
Modified: releng/9.0/contrib/bind9/bin/named/query.c
==============================================================================
--- releng/9.0/contrib/bind9/bin/named/query.c Tue Feb 19 13:17:16 2013 (r246988)
+++ releng/9.0/contrib/bind9/bin/named/query.c Tue Feb 19 13:27:20 2013 (r246989)
@@ -4860,10 +4860,12 @@ dns64_ttl(dns_db_t *db, dns_dbversion_t
isc_result_t result;
isc_uint32_t ttl = ISC_UINT32_MAX;
+ dns_rdataset_init(&rdataset);
+
result = dns_db_getoriginnode(db, &node);
if (result != ISC_R_SUCCESS)
goto cleanup;
- dns_rdataset_init(&rdataset);
+
result = dns_db_findrdataset(db, node, version, dns_rdatatype_soa,
0, 0, &rdataset, NULL);
if (result != ISC_R_SUCCESS)
Modified: releng/9.0/lib/libc/gen/glob.c
==============================================================================
--- releng/9.0/lib/libc/gen/glob.c Tue Feb 19 13:17:16 2013 (r246988)
+++ releng/9.0/lib/libc/gen/glob.c Tue Feb 19 13:27:20 2013 (r246989)
@@ -89,6 +89,25 @@ __FBSDID("$FreeBSD$");
#include "collate.h"
+/*
+ * glob(3) expansion limits. Stop the expansion if any of these limits
+ * is reached. This caps the runtime in the face of DoS attacks. See
+ * also CVE-2010-2632
+ */
+#define GLOB_LIMIT_BRACE 128 /* number of brace calls */
+#define GLOB_LIMIT_PATH 65536 /* number of path elements */
+#define GLOB_LIMIT_READDIR 16384 /* number of readdirs */
+#define GLOB_LIMIT_STAT 1024 /* number of stat system calls */
+#define GLOB_LIMIT_STRING ARG_MAX /* maximum total size for paths */
+
+struct glob_limit {
+ size_t l_brace_cnt;
+ size_t l_path_lim;
+ size_t l_readdir_cnt;
+ size_t l_stat_cnt;
+ size_t l_string_cnt;
+};
+
#define DOLLAR '$'
#define DOT '.'
#define EOS '\0'
@@ -148,15 +167,18 @@ static const Char *g_strchr(const Char *
static Char *g_strcat(Char *, const Char *);
#endif
static int g_stat(Char *, struct stat *, glob_t *);
-static int glob0(const Char *, glob_t *, size_t *);
-static int glob1(Char *, glob_t *, size_t *);
-static int glob2(Char *, Char *, Char *, Char *, glob_t *, size_t *);
-static int glob3(Char *, Char *, Char *, Char *, Char *, glob_t *, size_t *);
-static int globextend(const Char *, glob_t *, size_t *);
-static const Char *
+static int glob0(const Char *, glob_t *, struct glob_limit *);
+static int glob1(Char *, glob_t *, struct glob_limit *);
+static int glob2(Char *, Char *, Char *, Char *, glob_t *,
+ struct glob_limit *);
+static int glob3(Char *, Char *, Char *, Char *, Char *, glob_t *,
+ struct glob_limit *);
+static int globextend(const Char *, glob_t *, struct glob_limit *);
+static const Char *
globtilde(const Char *, Char *, size_t, glob_t *);
-static int globexp1(const Char *, glob_t *, size_t *);
-static int globexp2(const Char *, const Char *, glob_t *, int *, size_t *);
+static int globexp1(const Char *, glob_t *, struct glob_limit *);
+static int globexp2(const Char *, const Char *, glob_t *, int *,
+ struct glob_limit *);
static int match(Char *, Char *, Char *);
#ifdef DEBUG
static void qprintf(const char *, Char *);
@@ -165,8 +187,8 @@ static void qprintf(const char *, Char
int
glob(const char *pattern, int flags, int (*errfunc)(const char *, int), glob_t *pglob)
{
+ struct glob_limit limit = { 0, 0, 0, 0, 0 };
const char *patnext;
- size_t limit;
Char *bufnext, *bufend, patbuf[MAXPATHLEN], prot;
mbstate_t mbs;
wchar_t wc;
@@ -180,11 +202,10 @@ glob(const char *pattern, int flags, int
pglob->gl_offs = 0;
}
if (flags & GLOB_LIMIT) {
- limit = pglob->gl_matchc;
- if (limit == 0)
- limit = ARG_MAX;
- } else
- limit = 0;
+ limit.l_path_lim = pglob->gl_matchc;
+ if (limit.l_path_lim == 0)
+ limit.l_path_lim = GLOB_LIMIT_PATH;
+ }
pglob->gl_flags = flags & ~GLOB_MAGCHAR;
pglob->gl_errfunc = errfunc;
pglob->gl_matchc = 0;
@@ -237,11 +258,17 @@ glob(const char *pattern, int flags, int
* characters
*/
static int
-globexp1(const Char *pattern, glob_t *pglob, size_t *limit)
+globexp1(const Char *pattern, glob_t *pglob, struct glob_limit *limit)
{
const Char* ptr = pattern;
int rv;
+ if ((pglob->gl_flags & GLOB_LIMIT) &&
+ limit->l_brace_cnt++ >= GLOB_LIMIT_BRACE) {
+ errno = 0;
+ return (GLOB_NOSPACE);
+ }
+
/* Protect a single {}, for find(1), like csh */
if (pattern[0] == LBRACE && pattern[1] == RBRACE && pattern[2] == EOS)
return glob0(pattern, pglob, limit);
@@ -260,7 +287,8 @@ globexp1(const Char *pattern, glob_t *pg
* If it fails then it tries to glob the rest of the pattern and returns.
*/
static int
-globexp2(const Char *ptr, const Char *pattern, glob_t *pglob, int *rv, size_t *limit)
+globexp2(const Char *ptr, const Char *pattern, glob_t *pglob, int *rv,
+ struct glob_limit *limit)
{
int i;
Char *lm, *ls;
@@ -430,7 +458,7 @@ globtilde(const Char *pattern, Char *pat
* if things went well, nonzero if errors occurred.
*/
static int
-glob0(const Char *pattern, glob_t *pglob, size_t *limit)
+glob0(const Char *pattern, glob_t *pglob, struct glob_limit *limit)
{
const Char *qpatnext;
int err;
@@ -523,7 +551,7 @@ compare(const void *p, const void *q)
}
static int
-glob1(Char *pattern, glob_t *pglob, size_t *limit)
+glob1(Char *pattern, glob_t *pglob, struct glob_limit *limit)
{
Char pathbuf[MAXPATHLEN];
@@ -541,7 +569,7 @@ glob1(Char *pattern, glob_t *pglob, size
*/
static int
glob2(Char *pathbuf, Char *pathend, Char *pathend_last, Char *pattern,
- glob_t *pglob, size_t *limit)
+ glob_t *pglob, struct glob_limit *limit)
{
struct stat sb;
Char *p, *q;
@@ -557,6 +585,15 @@ glob2(Char *pathbuf, Char *pathend, Char
if (g_lstat(pathbuf, &sb, pglob))
return(0);
+ if ((pglob->gl_flags & GLOB_LIMIT) &&
+ limit->l_stat_cnt++ >= GLOB_LIMIT_STAT) {
+ errno = 0;
+ if (pathend + 1 > pathend_last)
+ return (GLOB_ABORTED);
+ *pathend++ = SEP;
+ *pathend = EOS;
+ return (GLOB_NOSPACE);
+ }
if (((pglob->gl_flags & GLOB_MARK) &&
pathend[-1] != SEP) && (S_ISDIR(sb.st_mode)
|| (S_ISLNK(sb.st_mode) &&
@@ -600,7 +637,7 @@ glob2(Char *pathbuf, Char *pathend, Char
static int
glob3(Char *pathbuf, Char *pathend, Char *pathend_last,
Char *pattern, Char *restpattern,
- glob_t *pglob, size_t *limit)
+ glob_t *pglob, struct glob_limit *limit)
{
struct dirent *dp;
DIR *dirp;
@@ -646,6 +683,19 @@ glob3(Char *pathbuf, Char *pathend, Char
size_t clen;
mbstate_t mbs;
+ if ((pglob->gl_flags & GLOB_LIMIT) &&
+ limit->l_readdir_cnt++ >= GLOB_LIMIT_READDIR) {
+ errno = 0;
+ if (pathend + 1 > pathend_last)
+ err = GLOB_ABORTED;
+ else {
+ *pathend++ = SEP;
+ *pathend = EOS;
+ err = GLOB_NOSPACE;
+ }
+ break;
+ }
+
/* Initial DOT must be matched literally. */
if (dp->d_name[0] == DOT && *pattern != DOT)
continue;
@@ -696,14 +746,15 @@ glob3(Char *pathbuf, Char *pathend, Char
* gl_pathv points to (gl_offs + gl_pathc + 1) items.
*/
static int
-globextend(const Char *path, glob_t *pglob, size_t *limit)
+globextend(const Char *path, glob_t *pglob, struct glob_limit *limit)
{
char **pathv;
size_t i, newsize, len;
char *copy;
const Char *p;
- if (*limit && pglob->gl_pathc > *limit) {
+ if ((pglob->gl_flags & GLOB_LIMIT) &&
+ pglob->gl_matchc > limit->l_path_lim) {
errno = 0;
return (GLOB_NOSPACE);
}
@@ -731,6 +782,12 @@ globextend(const Char *path, glob_t *pgl
for (p = path; *p++;)
continue;
len = MB_CUR_MAX * (size_t)(p - path); /* XXX overallocation */
+ limit->l_string_cnt += len;
+ if ((pglob->gl_flags & GLOB_LIMIT) &&
+ limit->l_string_cnt >= GLOB_LIMIT_STRING) {
+ errno = 0;
+ return (GLOB_NOSPACE);
+ }
if ((copy = malloc(len)) != NULL) {
if (g_Ctoc(path, copy, len)) {
free(copy);
Modified: releng/9.0/sys/conf/newvers.sh
==============================================================================
--- releng/9.0/sys/conf/newvers.sh Tue Feb 19 13:17:16 2013 (r246988)
+++ releng/9.0/sys/conf/newvers.sh Tue Feb 19 13:27:20 2013 (r246989)
@@ -32,7 +32,7 @@
TYPE="FreeBSD"
REVISION="9.0"
-BRANCH="RELEASE-p5"
+BRANCH="RELEASE-p6"
if [ "X${BRANCH_OVERRIDE}" != "X" ]; then
BRANCH=${BRANCH_OVERRIDE}
fi
Modified: releng/9.1/UPDATING
==============================================================================
--- releng/9.1/UPDATING Tue Feb 19 13:17:16 2013 (r246988)
+++ releng/9.1/UPDATING Tue Feb 19 13:27:20 2013 (r246989)
@@ -9,6 +9,11 @@ handbook.
Items affecting the ports and packages system can be found in
/usr/ports/UPDATING. Please read that file before running portupgrade.
+20130218: p1 FreeBSD-SA-13:01.bind FreeBSD-SA-13:02.libc
+ Fix Denial of Service vulnerability in named(8) with DNS64.
+
+ Fix Denial of Service vulnerability in libc's glob(3) functionality.
+
20121205:
9.1-RELEASE.
Modified: releng/9.1/contrib/bind9/bin/named/query.c
==============================================================================
--- releng/9.1/contrib/bind9/bin/named/query.c Tue Feb 19 13:17:16 2013 (r246988)
+++ releng/9.1/contrib/bind9/bin/named/query.c Tue Feb 19 13:27:20 2013 (r246989)
@@ -5117,10 +5117,12 @@ dns64_ttl(dns_db_t *db, dns_dbversion_t
isc_result_t result;
isc_uint32_t ttl = ISC_UINT32_MAX;
+ dns_rdataset_init(&rdataset);
+
result = dns_db_getoriginnode(db, &node);
if (result != ISC_R_SUCCESS)
goto cleanup;
- dns_rdataset_init(&rdataset);
+
result = dns_db_findrdataset(db, node, version, dns_rdatatype_soa,
0, 0, &rdataset, NULL);
if (result != ISC_R_SUCCESS)
Modified: releng/9.1/lib/libc/gen/glob.c
==============================================================================
--- releng/9.1/lib/libc/gen/glob.c Tue Feb 19 13:17:16 2013 (r246988)
+++ releng/9.1/lib/libc/gen/glob.c Tue Feb 19 13:27:20 2013 (r246989)
@@ -94,6 +94,25 @@ __FBSDID("$FreeBSD$");
#include "collate.h"
+/*
+ * glob(3) expansion limits. Stop the expansion if any of these limits
+ * is reached. This caps the runtime in the face of DoS attacks. See
+ * also CVE-2010-2632
+ */
+#define GLOB_LIMIT_BRACE 128 /* number of brace calls */
+#define GLOB_LIMIT_PATH 65536 /* number of path elements */
+#define GLOB_LIMIT_READDIR 16384 /* number of readdirs */
+#define GLOB_LIMIT_STAT 1024 /* number of stat system calls */
+#define GLOB_LIMIT_STRING ARG_MAX /* maximum total size for paths */
+
+struct glob_limit {
+ size_t l_brace_cnt;
+ size_t l_path_lim;
+ size_t l_readdir_cnt;
+ size_t l_stat_cnt;
+ size_t l_string_cnt;
+};
+
#define DOLLAR '$'
#define DOT '.'
#define EOS '\0'
@@ -153,15 +172,18 @@ static const Char *g_strchr(const Char *
static Char *g_strcat(Char *, const Char *);
#endif
static int g_stat(Char *, struct stat *, glob_t *);
-static int glob0(const Char *, glob_t *, size_t *);
-static int glob1(Char *, glob_t *, size_t *);
-static int glob2(Char *, Char *, Char *, Char *, glob_t *, size_t *);
-static int glob3(Char *, Char *, Char *, Char *, Char *, glob_t *, size_t *);
-static int globextend(const Char *, glob_t *, size_t *);
-static const Char *
+static int glob0(const Char *, glob_t *, struct glob_limit *);
+static int glob1(Char *, glob_t *, struct glob_limit *);
+static int glob2(Char *, Char *, Char *, Char *, glob_t *,
+ struct glob_limit *);
+static int glob3(Char *, Char *, Char *, Char *, Char *, glob_t *,
+ struct glob_limit *);
+static int globextend(const Char *, glob_t *, struct glob_limit *);
+static const Char *
globtilde(const Char *, Char *, size_t, glob_t *);
-static int globexp1(const Char *, glob_t *, size_t *);
-static int globexp2(const Char *, const Char *, glob_t *, int *, size_t *);
+static int globexp1(const Char *, glob_t *, struct glob_limit *);
+static int globexp2(const Char *, const Char *, glob_t *, int *,
+ struct glob_limit *);
static int match(Char *, Char *, Char *);
#ifdef DEBUG
static void qprintf(const char *, Char *);
@@ -171,8 +193,8 @@ int
glob(const char * __restrict pattern, int flags,
int (*errfunc)(const char *, int), glob_t * __restrict pglob)
{
+ struct glob_limit limit = { 0, 0, 0, 0, 0 };
const char *patnext;
- size_t limit;
Char *bufnext, *bufend, patbuf[MAXPATHLEN], prot;
mbstate_t mbs;
wchar_t wc;
@@ -186,11 +208,10 @@ glob(const char * __restrict pattern, in
pglob->gl_offs = 0;
}
if (flags & GLOB_LIMIT) {
- limit = pglob->gl_matchc;
- if (limit == 0)
- limit = ARG_MAX;
- } else
- limit = 0;
+ limit.l_path_lim = pglob->gl_matchc;
+ if (limit.l_path_lim == 0)
+ limit.l_path_lim = GLOB_LIMIT_PATH;
+ }
pglob->gl_flags = flags & ~GLOB_MAGCHAR;
pglob->gl_errfunc = errfunc;
pglob->gl_matchc = 0;
@@ -243,11 +264,17 @@ glob(const char * __restrict pattern, in
* characters
*/
static int
-globexp1(const Char *pattern, glob_t *pglob, size_t *limit)
+globexp1(const Char *pattern, glob_t *pglob, struct glob_limit *limit)
{
const Char* ptr = pattern;
int rv;
+ if ((pglob->gl_flags & GLOB_LIMIT) &&
+ limit->l_brace_cnt++ >= GLOB_LIMIT_BRACE) {
+ errno = 0;
+ return (GLOB_NOSPACE);
+ }
+
/* Protect a single {}, for find(1), like csh */
if (pattern[0] == LBRACE && pattern[1] == RBRACE && pattern[2] == EOS)
return glob0(pattern, pglob, limit);
@@ -266,7 +293,8 @@ globexp1(const Char *pattern, glob_t *pg
* If it fails then it tries to glob the rest of the pattern and returns.
*/
static int
-globexp2(const Char *ptr, const Char *pattern, glob_t *pglob, int *rv, size_t *limit)
+globexp2(const Char *ptr, const Char *pattern, glob_t *pglob, int *rv,
+ struct glob_limit *limit)
{
int i;
Char *lm, *ls;
@@ -436,7 +464,7 @@ globtilde(const Char *pattern, Char *pat
* if things went well, nonzero if errors occurred.
*/
static int
-glob0(const Char *pattern, glob_t *pglob, size_t *limit)
+glob0(const Char *pattern, glob_t *pglob, struct glob_limit *limit)
{
const Char *qpatnext;
int err;
@@ -529,7 +557,7 @@ compare(const void *p, const void *q)
}
static int
-glob1(Char *pattern, glob_t *pglob, size_t *limit)
+glob1(Char *pattern, glob_t *pglob, struct glob_limit *limit)
{
Char pathbuf[MAXPATHLEN];
@@ -547,7 +575,7 @@ glob1(Char *pattern, glob_t *pglob, size
*/
static int
glob2(Char *pathbuf, Char *pathend, Char *pathend_last, Char *pattern,
- glob_t *pglob, size_t *limit)
+ glob_t *pglob, struct glob_limit *limit)
{
struct stat sb;
Char *p, *q;
@@ -563,6 +591,15 @@ glob2(Char *pathbuf, Char *pathend, Char
if (g_lstat(pathbuf, &sb, pglob))
return(0);
+ if ((pglob->gl_flags & GLOB_LIMIT) &&
+ limit->l_stat_cnt++ >= GLOB_LIMIT_STAT) {
+ errno = 0;
+ if (pathend + 1 > pathend_last)
+ return (GLOB_ABORTED);
+ *pathend++ = SEP;
+ *pathend = EOS;
+ return (GLOB_NOSPACE);
+ }
if (((pglob->gl_flags & GLOB_MARK) &&
pathend[-1] != SEP) && (S_ISDIR(sb.st_mode)
|| (S_ISLNK(sb.st_mode) &&
@@ -606,7 +643,7 @@ glob2(Char *pathbuf, Char *pathend, Char
static int
glob3(Char *pathbuf, Char *pathend, Char *pathend_last,
Char *pattern, Char *restpattern,
- glob_t *pglob, size_t *limit)
+ glob_t *pglob, struct glob_limit *limit)
{
struct dirent *dp;
DIR *dirp;
@@ -652,6 +689,19 @@ glob3(Char *pathbuf, Char *pathend, Char
size_t clen;
mbstate_t mbs;
+ if ((pglob->gl_flags & GLOB_LIMIT) &&
+ limit->l_readdir_cnt++ >= GLOB_LIMIT_READDIR) {
+ errno = 0;
+ if (pathend + 1 > pathend_last)
+ err = GLOB_ABORTED;
+ else {
+ *pathend++ = SEP;
+ *pathend = EOS;
+ err = GLOB_NOSPACE;
+ }
+ break;
+ }
+
/* Initial DOT must be matched literally. */
if (dp->d_name[0] == DOT && *pattern != DOT)
continue;
@@ -702,14 +752,15 @@ glob3(Char *pathbuf, Char *pathend, Char
* gl_pathv points to (gl_offs + gl_pathc + 1) items.
*/
static int
-globextend(const Char *path, glob_t *pglob, size_t *limit)
+globextend(const Char *path, glob_t *pglob, struct glob_limit *limit)
{
char **pathv;
size_t i, newsize, len;
char *copy;
const Char *p;
- if (*limit && pglob->gl_pathc > *limit) {
+ if ((pglob->gl_flags & GLOB_LIMIT) &&
+ pglob->gl_matchc > limit->l_path_lim) {
errno = 0;
return (GLOB_NOSPACE);
}
@@ -737,6 +788,12 @@ globextend(const Char *path, glob_t *pgl
for (p = path; *p++;)
continue;
len = MB_CUR_MAX * (size_t)(p - path); /* XXX overallocation */
+ limit->l_string_cnt += len;
+ if ((pglob->gl_flags & GLOB_LIMIT) &&
+ limit->l_string_cnt >= GLOB_LIMIT_STRING) {
+ errno = 0;
+ return (GLOB_NOSPACE);
+ }
if ((copy = malloc(len)) != NULL) {
if (g_Ctoc(path, copy, len)) {
free(copy);
Modified: releng/9.1/sys/conf/newvers.sh
==============================================================================
--- releng/9.1/sys/conf/newvers.sh Tue Feb 19 13:17:16 2013 (r246988)
+++ releng/9.1/sys/conf/newvers.sh Tue Feb 19 13:27:20 2013 (r246989)
@@ -32,7 +32,7 @@
TYPE="FreeBSD"
REVISION="9.1"
-BRANCH="RELEASE"
+BRANCH="RELEASE-p1"
if [ "X${BRANCH_OVERRIDE}" != "X" ]; then
BRANCH=${BRANCH_OVERRIDE}
fi
More information about the svn-src-releng
mailing list