BIND 10 master, updated. 3ef8b3161b927c0b427066b026145c4082e47573 [master] add changelog entry for ticket 2471
BIND 10 source code commits
bind10-changes at lists.isc.org
Thu Nov 15 18:27:56 UTC 2012
The branch, master has been updated
via 3ef8b3161b927c0b427066b026145c4082e47573 (commit)
via 53e4c255e0054ee8d1dbe880e6853a4487c47d70 (commit)
via ca8a13ddaaee0ba86f57095f6f93ac2ce381d599 (commit)
via 51a1d8147f00f69419af1a5980f4e8fcedb5bb87 (commit)
via 931c0c2e32baaf74559c82165c7f1a89c0d3054d (commit)
via 705bbc32ba3fdf13602d015420720fb94f6a7f11 (commit)
from 718e97a589b6d3cbdfed7b768f7fbfaba232b709 (commit)
Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.
- Log -----------------------------------------------------------------
commit 3ef8b3161b927c0b427066b026145c4082e47573
Author: Jeremy C. Reed <jreed at isc.org>
Date: Thu Nov 15 12:27:15 2012 -0600
[master] add changelog entry for ticket 2471
note I renumbered existing entry.
commit 53e4c255e0054ee8d1dbe880e6853a4487c47d70
Merge: 718e97a ca8a13d
Author: Jeremy C. Reed <jreed at isc.org>
Date: Thu Nov 15 12:25:20 2012 -0600
[master]Merge remote-tracking branch 'remotes/bind10-private/sec-trac2471'
-----------------------------------------------------------------------
Summary of changes:
ChangeLog | 9 +-
src/bin/auth/query.cc | 4 +-
src/bin/auth/tests/Makefile.am | 1 +
src/bin/auth/tests/query_inmemory_unittest.cc | 123 +++++++++++++++++++++++++
src/bin/auth/tests/testdata/Makefile.am | 1 +
src/bin/auth/tests/testdata/example.zone | 121 ++++++++++++++++++++++++
6 files changed, 256 insertions(+), 3 deletions(-)
create mode 100644 src/bin/auth/tests/query_inmemory_unittest.cc
create mode 100644 src/bin/auth/tests/testdata/example.zone
-----------------------------------------------------------------------
diff --git a/ChangeLog b/ChangeLog
index 63778b4..0befb67 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,10 +1,17 @@
bind10-devel-20121115 released on November 15, 2012
-506. [doc] jelte
+507. [doc] jelte
Added a chapter about the use of the bindctl command tool to
to the BIND 10 guide.
(Trac #2305, git c4b0294b5bf4a9d32fb18ab62ca572f492788d72)
+506. [security] jinmei
+ Fixed a use-after-free case in handling DNAME record with the
+ in-memory data source. This could lead to a crash of b10-auth
+ if it serves a zone containing a DNAME RR from the in-memory
+ data source. This bug was introduced at bind10-devel-20120927.
+ (Trac #2471, git 2b1793ac78f972ddb1ae2fd092a7f539902223ff)
+
505. [bug] jelte
Fixed a bug in b10-xfrin where a wrong call was made during the
final check of a TSIG-signed transfer, incorrectly rejecting the
diff --git a/src/bin/auth/query.cc b/src/bin/auth/query.cc
index 69278d4..5b71565 100644
--- a/src/bin/auth/query.cc
+++ b/src/bin/auth/query.cc
@@ -410,9 +410,9 @@ Query::process(datasrc::ClientList& client_list,
*/
assert(db_context->rrset->getRdataCount() > 0);
// Get the data of DNAME
+ RdataIteratorPtr rit = db_context->rrset->getRdataIterator();
const rdata::generic::DNAME& dname(
- dynamic_cast<const rdata::generic::DNAME&>(
- db_context->rrset->getRdataIterator()->getCurrent()));
+ dynamic_cast<const rdata::generic::DNAME&>(rit->getCurrent()));
// The yet unmatched prefix dname
const Name prefix(qname_->split(0, qname_->getLabelCount() -
db_context->rrset->getName().getLabelCount()));
diff --git a/src/bin/auth/tests/Makefile.am b/src/bin/auth/tests/Makefile.am
index 6a91309..42f202b 100644
--- a/src/bin/auth/tests/Makefile.am
+++ b/src/bin/auth/tests/Makefile.am
@@ -50,6 +50,7 @@ run_unittests_SOURCES += config_syntax_unittest.cc
run_unittests_SOURCES += command_unittest.cc
run_unittests_SOURCES += common_unittest.cc
run_unittests_SOURCES += query_unittest.cc
+run_unittests_SOURCES += query_inmemory_unittest.cc
run_unittests_SOURCES += statistics_unittest.cc
run_unittests_SOURCES += test_datasrc_clients_mgr.h test_datasrc_clients_mgr.cc
run_unittests_SOURCES += datasrc_clients_builder_unittest.cc
diff --git a/src/bin/auth/tests/query_inmemory_unittest.cc b/src/bin/auth/tests/query_inmemory_unittest.cc
new file mode 100644
index 0000000..f587ba2
--- /dev/null
+++ b/src/bin/auth/tests/query_inmemory_unittest.cc
@@ -0,0 +1,123 @@
+// Copyright (C) 2012 Internet Systems Consortium, Inc. ("ISC")
+//
+// Permission to use, copy, modify, and/or distribute this software for any
+// purpose with or without fee is hereby granted, provided that the above
+// copyright notice and this permission notice appear in all copies.
+//
+// THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+// REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+// AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+// INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+// LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+// OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+// PERFORMANCE OF THIS SOFTWARE.
+
+#include <dns/name.h>
+#include <dns/message.h>
+#include <dns/rcode.h>
+#include <dns/opcode.h>
+
+#include <cc/data.h>
+
+#include <datasrc/client_list.h>
+
+#include <auth/query.h>
+
+#include <testutils/dnsmessage_test.h>
+
+#include <gtest/gtest.h>
+
+#include <string>
+
+using namespace isc::dns;
+using namespace isc::auth;
+using namespace isc::testutils;
+using isc::datasrc::ConfigurableClientList;
+using std::string;
+
+namespace {
+
+// The DNAME to do tests against
+const char* const dname_txt =
+ "dname.example.com. 3600 IN DNAME "
+ "somethinglong.dnametarget.example.com.\n";
+// This is not inside the zone, this is created at runtime
+const char* const synthetized_cname_txt =
+ "www.dname.example.com. 3600 IN CNAME "
+ "www.somethinglong.dnametarget.example.com.\n";
+
+// This is a subset of QueryTest using (subset of) the same test data, but
+// with the production in-memory data source. Both tests should be eventually
+// unified to avoid duplicates.
+class InMemoryQueryTest : public ::testing::Test {
+protected:
+ InMemoryQueryTest() : list(RRClass::IN()), response(Message::RENDER) {
+ response.setRcode(Rcode::NOERROR());
+ response.setOpcode(Opcode::QUERY());
+ list.configure(isc::data::Element::fromJSON(
+ "[{\"type\": \"MasterFiles\","
+ " \"cache-enable\": true, "
+ " \"params\": {\"example.com\": \"" +
+ string(TEST_OWN_DATA_DIR "/example.zone") +
+ "\"}}]"), true);
+ }
+
+ ConfigurableClientList list;
+ Message response;
+ Query query;
+};
+
+// A wrapper to check resulting response message commonly used in
+// tests below.
+// check_origin needs to be specified only when the authority section has
+// an SOA RR. The interface is not generic enough but should be okay
+// for our test cases in practice.
+void
+responseCheck(Message& response, const isc::dns::Rcode& rcode,
+ unsigned int flags, const unsigned int ancount,
+ const unsigned int nscount, const unsigned int arcount,
+ const char* const expected_answer,
+ const char* const expected_authority,
+ const char* const expected_additional,
+ const Name& check_origin = Name::ROOT_NAME())
+{
+ // In our test cases QID, Opcode, and QDCOUNT should be constant, so
+ // we don't bother the test cases specifying these values.
+ headerCheck(response, response.getQid(), rcode, Opcode::QUERY().getCode(),
+ flags, 0, ancount, nscount, arcount);
+ if (expected_answer != NULL) {
+ rrsetsCheck(expected_answer,
+ response.beginSection(Message::SECTION_ANSWER),
+ response.endSection(Message::SECTION_ANSWER),
+ check_origin);
+ }
+ if (expected_authority != NULL) {
+ rrsetsCheck(expected_authority,
+ response.beginSection(Message::SECTION_AUTHORITY),
+ response.endSection(Message::SECTION_AUTHORITY),
+ check_origin);
+ }
+ if (expected_additional != NULL) {
+ rrsetsCheck(expected_additional,
+ response.beginSection(Message::SECTION_ADDITIONAL),
+ response.endSection(Message::SECTION_ADDITIONAL));
+ }
+}
+
+/*
+ * Test a query under a domain with DNAME. We should get a synthetized CNAME
+ * as well as the DNAME.
+ *
+ * TODO: Once we have CNAME chaining, check it works with synthetized CNAMEs
+ * as well. This includes tests pointing inside the zone, outside the zone,
+ * pointing to NXRRSET and NXDOMAIN cases (similarly as with CNAME).
+ */
+TEST_F(InMemoryQueryTest, DNAME) {
+ query.process(list, Name("www.dname.example.com"), RRType::A(),
+ response);
+
+ responseCheck(response, Rcode::NOERROR(), AA_FLAG, 2, 0, 0,
+ (string(dname_txt) + synthetized_cname_txt).c_str(),
+ NULL, NULL);
+}
+}
diff --git a/src/bin/auth/tests/testdata/Makefile.am b/src/bin/auth/tests/testdata/Makefile.am
index 7e42b70..a4ea1a5 100644
--- a/src/bin/auth/tests/testdata/Makefile.am
+++ b/src/bin/auth/tests/testdata/Makefile.am
@@ -21,6 +21,7 @@ EXTRA_DIST += simpleresponse_fromWire.spec
EXTRA_DIST += spec.spec
EXTRA_DIST += example.com
+EXTRA_DIST += example.zone
EXTRA_DIST += example.sqlite3
.spec.wire:
diff --git a/src/bin/auth/tests/testdata/example.zone b/src/bin/auth/tests/testdata/example.zone
new file mode 100644
index 0000000..efbbaf2
--- /dev/null
+++ b/src/bin/auth/tests/testdata/example.zone
@@ -0,0 +1,121 @@
+;;
+;; This is a complete (but crafted and somewhat broken) zone file used
+;; in query tests.
+;;
+
+example.com. 3600 IN SOA . . 0 0 0 0 0
+example.com. 3600 IN NS glue.delegation.example.com.
+example.com. 3600 IN NS noglue.example.com.
+example.com. 3600 IN NS example.net.
+example.com. 3600 IN DS 57855 5 1 B6DCD485719ADCA18E5F3D48A2331627FDD3 636B
+glue.delegation.example.com. 3600 IN A 192.0.2.153
+glue.delegation.example.com. 3600 IN AAAA 2001:db8::53
+noglue.example.com. 3600 IN A 192.0.2.53
+delegation.example.com. 3600 IN NS glue.delegation.example.com.
+delegation.example.com. 3600 IN NS noglue.example.com.
+delegation.example.com. 3600 IN NS cname.example.com.
+delegation.example.com. 3600 IN NS example.org.
+;; Borrowed from the RFC4035
+delegation.example.com. 3600 IN DS 57855 5 1 B6DCD485719ADCA18E5F3D48A2331627FDD3 636B
+mx.example.com. 3600 IN MX 10 www.example.com.
+mx.example.com. 3600 IN MX 20 mailer.example.org.
+mx.example.com. 3600 IN MX 30 mx.delegation.example.com.
+www.example.com. 3600 IN A 192.0.2.80
+cname.example.com. 3600 IN CNAME www.example.com.
+cnamenxdom.example.com. 3600 IN CNAME nxdomain.example.com.
+;; CNAME Leading out of zone
+cnameout.example.com. 3600 IN CNAME www.example.org.
+;; The DNAME to do tests against
+dname.example.com. 3600 IN DNAME somethinglong.dnametarget.example.com.
+;; Some data at the dname node (allowed by RFC 2672)
+dname.example.com. 3600 IN A 192.0.2.5
+;; The rest of data won't be referenced from the test cases.
+cnamemailer.example.com. 3600 IN CNAME www.example.com.
+cnamemx.example.com. 3600 IN MX 10 cnamemailer.example.com.
+mx.delegation.example.com. 3600 IN A 192.0.2.100
+;; Wildcards
+*.wild.example.com. 3600 IN A 192.0.2.7
+*.wild.example.com. 3600 IN NSEC www.example.com. A NSEC RRSIG
+*.cnamewild.example.com. 3600 IN CNAME www.example.org.
+*.cnamewild.example.com. 3600 IN NSEC delegation.example.com. CNAME NSEC RRSIG
+;; Wildcard_nxrrset
+*.uwild.example.com. 3600 IN A 192.0.2.9
+*.uwild.example.com. 3600 IN NSEC www.uwild.example.com. A NSEC RRSIG
+www.uwild.example.com. 3600 IN A 192.0.2.11
+www.uwild.example.com. 3600 IN NSEC *.wild.example.com. A NSEC RRSIG
+;; Wildcard empty
+b.*.t.example.com. 3600 IN A 192.0.2.13
+b.*.t.example.com. 3600 IN NSEC *.uwild.example.com. A NSEC RRSIG
+t.example.com. 3600 IN A 192.0.2.15
+t.example.com. 3600 IN NSEC b.*.t.example.com. A NSEC RRSIG
+;; Used in NXDOMAIN proof test. We are going to test some unusual case where
+;; the best possible wildcard is below the "next domain" of the NSEC RR that
+;; proves the NXDOMAIN, i.e.,
+;; mx.example.com. (exist)
+;; (.no.example.com. (qname, NXDOMAIN)
+;; ).no.example.com. (exist)
+;; *.no.example.com. (best possible wildcard, not exist)
+).no.example.com. 3600 IN AAAA 2001:db8::53
+;; NSEC records.
+example.com. 3600 IN NSEC cname.example.com. NS SOA NSEC RRSIG
+mx.example.com. 3600 IN NSEC ).no.example.com. MX NSEC RRSIG
+).no.example.com. 3600 IN NSEC nz.no.example.com. AAAA NSEC RRSIG
+;; We'll also test the case where a single NSEC proves both NXDOMAIN and the
+;; non existence of wildcard. The following records will be used for that
+;; test.
+;; ).no.example.com. (exist, whose NSEC proves everything)
+;; *.no.example.com. (best possible wildcard, not exist)
+;; nx.no.example.com. (NXDOMAIN)
+;; nz.no.example.com. (exist)
+nz.no.example.com. 3600 IN AAAA 2001:db8::5300
+nz.no.example.com. 3600 IN NSEC noglue.example.com. AAAA NSEC RRSIG
+noglue.example.com. 3600 IN NSEC nonsec.example.com. A
+
+;; NSEC for the normal NXRRSET case
+www.example.com. 3600 IN NSEC example.com. A NSEC RRSIG
+
+;; Authoritative data without NSEC
+nonsec.example.com. 3600 IN A 192.0.2.0
+
+;; NSEC3 RRs. You may also need to add mapping to MockZoneFinder::hash_map_.
+0p9mhaveqvm6t7vbl5lop2u3t2rp3tom.example.com. 3600 IN NSEC3 1 1 12 aabbccdd 2t7b4g4vsa5smi47k61mv5bv1a22bojr NS SOA NSEC3PARAM RRSIG
+0p9mhaveqvm6t7vbl5lop2u3t2rp3tom.example.com. 3600 IN RRSIG NSEC3 5 3 3600 20000101000000 20000201000000 12345 example.com. FAKEFAKEFAKE
+q04jkcevqvmu85r014c7dkba38o0ji5r.example.com. 3600 IN NSEC3 1 1 12 aabbccdd r53bq7cc2uvmubfu5ocmm6pers9tk9en A RRSIG
+q04jkcevqvmu85r014c7dkba38o0ji5r.example.com. 3600 IN RRSIG NSEC3 5 3 3600 20000101000000 20000201000000 12345 example.com. FAKEFAKEFAKE
+
+;; NSEC3 for wild.example.com (used in wildcard tests, will be added on
+;; demand not to confuse other tests)
+ji6neoaepv8b5o6k4ev33abha8ht9fgc.example.com. 3600 IN NSEC3 1 1 12 aabbccdd r53bq7cc2uvmubfu5ocmm6pers9tk9en
+
+;; NSEC3 for cnamewild.example.com (used in wildcard tests, will be added on
+;; demand not to confuse other tests)
+k8udemvp1j2f7eg6jebps17vp3n8i58h.example.com. 3600 IN NSEC3 1 1 12 aabbccdd r53bq7cc2uvmubfu5ocmm6pers9tk9en
+
+;; NSEC3 for *.uwild.example.com (will be added on demand not to confuse
+;; other tests)
+b4um86eghhds6nea196smvmlo4ors995.example.com. 3600 IN NSEC3 1 1 12 aabbccdd r53bq7cc2uvmubfu5ocmm6pers9tk9en A RRSIG
+;; NSEC3 for uwild.example.com. (will be added on demand)
+t644ebqk9bibcna874givr6joj62mlhv.example.com. 3600 IN NSEC3 1 1 12 aabbccdd r53bq7cc2uvmubfu5ocmm6pers9tk9en A RRSIG
+
+;; (Secure) delegation data; Delegation with DS record
+signed-delegation.example.com. 3600 IN NS ns.example.net.
+signed-delegation.example.com. 3600 IN DS 12345 8 2 764501411DE58E8618945054A3F620B36202E115D015A7773F4B78E0F952CECA
+
+;; (Secure) delegation data; Delegation without DS record (and both NSEC
+;; and NSEC3 denying its existence)
+unsigned-delegation.example.com. 3600 IN NS ns.example.net.
+unsigned-delegation.example.com. 3600 IN NSEC unsigned-delegation-optout.example.com. NS RRSIG NSEC
+;; This one will be added on demand
+q81r598950igr1eqvc60aedlq66425b5.example.com. 3600 IN NSEC3 1 1 12 aabbccdd 0p9mhaveqvm6t7vbl5lop2u3t2rp3tom NS RRSIG
+
+;; Delegation without DS record, and no direct matching NSEC3 record
+unsigned-delegation-optout.example.com. 3600 IN NS ns.example.net.
+unsigned-delegation-optout.example.com. 3600 IN NSEC *.uwild.example.com. NS RRSIG NSEC
+
+;; (Secure) delegation data; Delegation where the DS lookup will raise an
+;; exception.
+bad-delegation.example.com. 3600 IN NS ns.example.net.
+
+;; Delegation from an unsigned parent. There's no DS, and there's no NSEC
+;; or NSEC3 that proves it.
+nosec-delegation.example.com. 3600 IN NS ns.nosec.example.net.
More information about the bind10-changes
mailing list