authorAdam Tkac <atkac@fedoraproject.org>2009-03-04 09:27:48 +0000
committerAdam Tkac <atkac@fedoraproject.org>2009-03-04 09:27:48 +0000
commitce30f77919e79a006f66267926ad0476af4f6a08 (patch)
tree27dd1d88d2b5e4fde1dba8c4e063d397c7cc1ada
parentd51b2c46abb2ea503021a07155d9682e82ef8254 (diff)
- fixed some read buffer overflows (upstream)bind-9_6_0-7_P1_fc11
-rw-r--r--bind-96-realloc.patch261
-rw-r--r--bind.spec7
2 files changed, 267 insertions, 1 deletions
diff --git a/bind-96-realloc.patch b/bind-96-realloc.patch
new file mode 100644
index 0000000..b2ecaa8
--- /dev/null
+++ b/bind-96-realloc.patch
@@ -0,0 +1,261 @@
+Index: lib/isc/mem.c
+===================================================================
+RCS file: /var/snap/bind9/lib/isc/mem.c,v
+retrieving revision 1.145
+retrieving revision 1.145.120.4
+diff -u -p -r1.145 -r1.145.120.4
+--- lib/isc/mem.c 2 Apr 2008 02:37:42 -0000 1.145
++++ lib/isc/mem.c 16 Feb 2009 03:17:05 -0000 1.145.120.4
+@@ -1,5 +1,5 @@
+ /*
+- * Copyright (C) 2004-2008 Internet Systems Consortium, Inc. ("ISC")
++ * Copyright (C) 2004-2009 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 1997-2003 Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+@@ -15,7 +15,7 @@
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+-/* $Id: bind-96-realloc.patch,v 1.1 2009/03/04 09:27:48 atkac Exp $ */
++/* $Id: bind-96-realloc.patch,v 1.1 2009/03/04 09:27:48 atkac Exp $ */
+
+ /*! \file */
+
+@@ -52,7 +52,7 @@ LIBISC_EXTERNAL_DATA unsigned int isc_me
+
+ #define DEF_MAX_SIZE 1100
+ #define DEF_MEM_TARGET 4096
+-#define ALIGNMENT_SIZE 8 /*%< must be a power of 2 */
++#define ALIGNMENT_SIZE 8U /*%< must be a power of 2 */
+ #define NUM_BASIC_BLOCKS 64 /*%< must be > 1 */
+ #define TABLE_INCREMENT 1024
+ #define DEBUGLIST_COUNT 1024
+@@ -1191,7 +1191,7 @@ print_active(isc_mem_t *mctx, FILE *out)
+ const char *format;
+ isc_boolean_t found;
+
+- fprintf(out, isc_msgcat_get(isc_msgcat, ISC_MSGSET_MEM,
++ fprintf(out, "%s", isc_msgcat_get(isc_msgcat, ISC_MSGSET_MEM,
+ ISC_MSG_DUMPALLOC,
+ "Dump of all outstanding "
+ "memory allocations:\n"));
+@@ -1217,7 +1217,7 @@ print_active(isc_mem_t *mctx, FILE *out)
+ }
+ }
+ if (!found)
+- fprintf(out, isc_msgcat_get(isc_msgcat, ISC_MSGSET_MEM,
++ fprintf(out, "%s", isc_msgcat_get(isc_msgcat, ISC_MSGSET_MEM,
+ ISC_MSG_NONE, "\tNone.\n"));
+ }
+ }
+@@ -1259,7 +1259,7 @@ isc_mem_stats(isc_mem_t *ctx, FILE *out)
+ */
+ pool = ISC_LIST_HEAD(ctx->pools);
+ if (pool != NULL) {
+- fprintf(out, isc_msgcat_get(isc_msgcat, ISC_MSGSET_MEM,
++ fprintf(out, "%s", isc_msgcat_get(isc_msgcat, ISC_MSGSET_MEM,
+ ISC_MSG_POOLSTATS,
+ "[Pool statistics]\n"));
+ fprintf(out, "%15s %10s %10s %10s %10s %10s %10s %10s %1s\n",
+@@ -1365,6 +1365,40 @@ isc__mem_allocate(isc_mem_t *ctx, size_t
+ return (si);
+ }
+
++void *
++isc__mem_reallocate(isc_mem_t *ctx, void *ptr, size_t size FLARG) {
++ void *new_ptr = NULL;
++ size_t oldsize, copysize;
++
++ REQUIRE(VALID_CONTEXT(ctx));
++
++ /*
++ * This function emulates the realloc(3) standard library function:
++ * - if size > 0, allocate new memory; and if ptr is non NULL, copy
++ * as much of the old contents to the new buffer and free the old one.
++ * Note that when allocation fails the original pointer is intact;
++ * the caller must free it.
++ * - if size is 0 and ptr is non NULL, simply free the given ptr.
++ * - this function returns:
++ * pointer to the newly allocated memory, or
++ * NULL if allocation fails or doesn't happen.
++ */
++ if (size > 0U) {
++ new_ptr = isc__mem_allocate(ctx, size FLARG_PASS);
++ if (new_ptr != NULL && ptr != NULL) {
++ oldsize = (((size_info *)ptr)[-1]).u.size;
++ INSIST(oldsize >= ALIGNMENT_SIZE);
++ oldsize -= ALIGNMENT_SIZE;
++ copysize = oldsize > size ? size : oldsize;
++ memcpy(new_ptr, ptr, copysize);
++ isc__mem_free(ctx, ptr FLARG_PASS);
++ }
++ } else if (ptr != NULL)
++ isc__mem_free(ctx, ptr FLARG_PASS);
++
++ return (new_ptr);
++}
++
+ void
+ isc__mem_free(isc_mem_t *ctx, void *ptr FLARG) {
+ size_info *si;
+Index: lib/isc/include/isc/mem.h
+===================================================================
+RCS file: /var/snap/bind9/lib/isc/include/isc/mem.h,v
+retrieving revision 1.78
+retrieving revision 1.78.120.3
+diff -u -p -r1.78 -r1.78.120.3
+--- lib/isc/include/isc/mem.h 31 Mar 2008 05:00:30 -0000 1.78
++++ lib/isc/include/isc/mem.h 11 Feb 2009 03:07:01 -0000 1.78.120.3
+@@ -1,5 +1,5 @@
+ /*
+- * Copyright (C) 2004-2008 Internet Systems Consortium, Inc. ("ISC")
++ * Copyright (C) 2004-2009 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 1997-2001 Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+@@ -15,7 +15,7 @@
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+-/* $Id: bind-96-realloc.patch,v 1.1 2009/03/04 09:27:48 atkac Exp $ */
++/* $Id: bind-96-realloc.patch,v 1.1 2009/03/04 09:27:48 atkac Exp $ */
+
+ #ifndef ISC_MEM_H
+ #define ISC_MEM_H 1
+@@ -94,7 +94,7 @@ LIBISC_EXTERNAL_DATA extern unsigned int
+ /*!<
+ * The variable isc_mem_debugging holds a set of flags for
+ * turning certain memory debugging options on or off at
+- * runtime. Its is intialized to the value ISC_MEM_DEGBUGGING,
++ * runtime. It is initialized to the value ISC_MEM_DEGBUGGING,
+ * which is 0 by default but may be overridden at compile time.
+ * The following flags can be specified:
+ *
+@@ -106,7 +106,7 @@ LIBISC_EXTERNAL_DATA extern unsigned int
+ * Crash if a free doesn't match an allocation.
+ *
+ * \li #ISC_MEM_DEBUGUSAGE
+- * If a hi_water mark is set, print the maximium inuse memory
++ * If a hi_water mark is set, print the maximum inuse memory
+ * every time it is raised once it exceeds the hi_water mark.
+ *
+ * \li #ISC_MEM_DEBUGSIZE
+@@ -154,11 +154,12 @@ LIBISC_EXTERNAL_DATA extern unsigned int
+
+ #define isc_mem_get(c, s) isc__mem_get((c), (s) _ISC_MEM_FILELINE)
+ #define isc_mem_allocate(c, s) isc__mem_allocate((c), (s) _ISC_MEM_FILELINE)
++#define isc_mem_reallocate(c, p, s) isc__mem_reallocate((c), (p), (s) _ISC_MEM_FILELINE)
+ #define isc_mem_strdup(c, p) isc__mem_strdup((c), (p) _ISC_MEM_FILELINE)
+ #define isc_mempool_get(c) isc__mempool_get((c) _ISC_MEM_FILELINE)
+
+ /*%
+- * isc_mem_putanddetach() is a convienence function for use where you
++ * isc_mem_putanddetach() is a convenience function for use where you
+ * have a structure with an attached memory context.
+ *
+ * Given:
+@@ -341,12 +342,12 @@ isc_mem_setwater(isc_mem_t *mctx, isc_me
+ *
+ * When the memory usage of 'mctx' exceeds 'hiwater',
+ * '(water)(water_arg, #ISC_MEM_HIWATER)' will be called. 'water' needs to
+- * call isc_mem_waterack() with #ISC_MEM_HIWATER to acknowlege the state
++ * call isc_mem_waterack() with #ISC_MEM_HIWATER to acknowledge the state
+ * change. 'water' may be called multiple times.
+ *
+ * When the usage drops below 'lowater', 'water' will again be called, this
+ * time with #ISC_MEM_LOWATER. 'water' need to calls isc_mem_waterack() with
+- * #ISC_MEM_LOWATER to acknowlege the change.
++ * #ISC_MEM_LOWATER to acknowledge the change.
+ *
+ * static void
+ * water(void *arg, int mark) {
+@@ -373,7 +374,7 @@ isc_mem_setwater(isc_mem_t *mctx, isc_me
+ void
+ isc_mem_waterack(isc_mem_t *ctx, int mark);
+ /*%<
+- * Called to acknowledge changes in signalled by calls to 'water'.
++ * Called to acknowledge changes in signaled by calls to 'water'.
+ */
+
+ void
+@@ -512,7 +513,7 @@ isc_mempool_associatelock(isc_mempool_t
+ * and it is also used to set or get internal state via the isc_mempool_get*()
+ * and isc_mempool_set*() set of functions.
+ *
+- * Mutiple pools can each share a single lock. For instance, if "manager"
++ * Multiple pools can each share a single lock. For instance, if "manager"
+ * type object contained pools for various sizes of events, and each of
+ * these pools used a common lock. Note that this lock must NEVER be used
+ * by other than mempool routines once it is given to a pool, since that can
+@@ -612,6 +613,8 @@ void
+ isc__mem_put(isc_mem_t *, void *, size_t _ISC_MEM_FLARG);
+ void *
+ isc__mem_allocate(isc_mem_t *, size_t _ISC_MEM_FLARG);
++void *
++isc__mem_reallocate(isc_mem_t *, void *, size_t _ISC_MEM_FLARG);
+ void
+ isc__mem_free(isc_mem_t *, void * _ISC_MEM_FLARG);
+ char *
+Index: lib/dns/openssl_link.c
+===================================================================
+RCS file: /var/snap/bind9/lib/dns/openssl_link.c,v
+retrieving revision 1.22
+retrieving revision 1.22.112.3
+diff -u -p -r1.22 -r1.22.112.3
+--- lib/dns/openssl_link.c 5 Apr 2008 23:47:11 -0000 1.22
++++ lib/dns/openssl_link.c 11 Feb 2009 03:07:01 -0000 1.22.112.3
+@@ -1,5 +1,5 @@
+ /*
+- * Portions Copyright (C) 2004-2008 Internet Systems Consortium, Inc. ("ISC")
++ * Portions Copyright (C) 2004-2009 Internet Systems Consortium, Inc. ("ISC")
+ * Portions Copyright (C) 1999-2003 Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+@@ -31,7 +31,7 @@
+
+ /*
+ * Principal Author: Brian Wellington
+- * $Id: bind-96-realloc.patch,v 1.1 2009/03/04 09:27:48 atkac Exp $
++ * $Id: bind-96-realloc.patch,v 1.1 2009/03/04 09:27:48 atkac Exp $
+ */
+ #ifdef OPENSSL
+
+@@ -148,18 +148,8 @@ mem_free(void *ptr) {
+
+ static void *
+ mem_realloc(void *ptr, size_t size) {
+- void *p;
+-
+ INSIST(dst__memory_pool != NULL);
+- p = NULL;
+- if (size > 0U) {
+- p = mem_alloc(size);
+- if (p != NULL && ptr != NULL)
+- memcpy(p, ptr, size);
+- }
+- if (ptr != NULL)
+- mem_free(ptr);
+- return (p);
++ return (isc_mem_reallocate(dst__memory_pool, ptr, size));
+ }
+
+ isc_result_t
+@@ -252,7 +242,7 @@ dst__openssl_init() {
+ for (e = ENGINE_get_first(); e != NULL; e = ENGINE_get_next(e)) {
+
+ /*
+- * Something wierd here. If we call ENGINE_finish()
++ * Something weird here. If we call ENGINE_finish()
+ * ENGINE_get_default_RAND() will fail.
+ */
+ if (ENGINE_init(e)) {
+@@ -386,7 +376,7 @@ dst__openssl_setdefault(const char *name
+ *
+ * 'engine_id' is the openssl engine name.
+ *
+- * pre_cmds and post_cmds a sequence if command arguement pairs
++ * pre_cmds and post_cmds a sequence if command argument pairs
+ * pre_num and post_num are a count of those pairs.
+ *
+ * "SO_PATH", PKCS11_SO_PATH ("/usr/local/lib/engines/engine_pkcs11.so")
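Review bot: In isc__mem_reallocate (the lib/isc/mem.c section of the embedded patch), the copy length is the stored `u.size` minus a single `ALIGNMENT_SIZE`, which equals the caller-visible size only if isc__mem_allocate adds exactly one header slot; its body is outside this hunk, so that cannot be confirmed here. If allocate reserves a second slot in some debugging mode (ISC_MEM_DEBUGCTX would be the one to check), `oldsize` is overstated by `ALIGNMENT_SIZE` and a growing reallocation would still read past the old block, which is the kind of over-read this patch is meant to close. Consider mirroring whatever adjustment allocate makes, for example `if ((isc_mem_debugging & ISC_MEM_DEBUGCTX) != 0) oldsize -= ALIGNMENT_SIZE;` after the existing subtraction. The new prototype in mem.h also has no doc comment; one stating that `ptr` must come from isc_mem_allocate() on the same context (never isc_mem_get(), which the `[-1]` header read appears to rule out) and that the old block stays allocated on failure would make that precondition explicit for callers.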
diff --git a/bind.spec b/bind.spec
index f3bae5d..90753ae 100644
--- a/bind.spec
+++ b/bind.spec
@@ -21,7 +21,7 @@ Summary: The Berkeley Internet Name Domain (BIND) DNS (Domain Name System) serv
Name: bind
License: ISC
Version: 9.6.0
-Release: 6.%{PATCHVER}%{?dist}
+Release: 7.%{PATCHVER}%{?dist}
Epoch: 32
Url: http://www.isc.org/products/BIND/
Buildroot:%{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
@@ -66,6 +66,7 @@ Patch100:bind-96-libtool2-libbind.patch
Patch99: bind-96-libtool2.patch
Patch101:bind-96-old-api.patch
Patch102:bind-95-rh452060.patch
+Patch103:bind-96-realloc.patch
# SDB patches
Patch11: bind-9.3.2b2-sdbsrc.patch
@@ -246,6 +247,7 @@ mkdir lib/bind/m4
%endif
%patch102 -p1 -b .rh452060
+%patch103 -p0 -b .realloc
# Sparc and s390 arches need to use -fPIE
%ifarch sparcv9 sparc64 s390 s390x
@@ -604,6 +606,9 @@ rm -rf ${RPM_BUILD_ROOT}
%ghost %{chroot_prefix}/etc/localtime
%changelog
+* Wed Mar 04 2009 Adam Tkac <atkac redhat com> - 32:9.6.0-7.P1
+- fixed some read buffer overflows (upstream)
+
* Mon Feb 23 2009 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 32:9.6.0-6.P1
- Rebuilt for https://fedoraproject.org/wiki/Fedora_11_Mass_Rebuild