BIND 10 #2471: use after free in DNAME processing
BIND 10 Development
do-not-reply at isc.org
Fri Nov 9 22:37:19 UTC 2012
#2471: use after free in DNAME processing
-------------------------------------+-------------------------------------
 Reporter: jinmei                    | Owner: jinmei
 Type: defect                        | Status: accepted
 Priority: very high                 | Milestone: Sprint-20121120
 Component: b10-auth                 | Resolution:
 Keywords:                           | Sensitive: 1
 Defect Severity: N/A                | Sub-Project: DNS
 Feature Depending on Ticket:        | Estimated Difficulty: 0
 Add Hours to Ticket: 0              | Total Hours: 0
 Internal?: 0                        |
-------------------------------------+-------------------------------------
Comment (by jinmei):

I've committed the fix (with a test case) to a separate private
repository, which is ready for review. It can be cloned by
{{{
% git clone ssh://<username>@git.bind10.isc.org/home/jinmei/git/bind10-private
}}}

The branch name is sec-trac2471. It's small and should be easy to
understand.

While working on this branch I noticed we only tested the query logic
with a mock data source. I think we should extend the existing
`QueryTest` so we can use the test cases for the in-memory data source
as much as possible. But that should go to a separate task.
In this ticket I tried to minimize the size of the diff.

This is the proposed changelog entry.
{{{
502.? [security] jinmei
Fixed a use-after-free case in handling DNAME record with the
in-memory data source. This could lead to a crash of b10-auth
if it serves a zone containing a DNAME RR from the in-memory
data source. This bug was introduced at bind10-devel-20120927.
(Trac #2471, git TBD)
}}}

I'm not sure about the change category, but tentatively specified
"security".

--
Ticket URL: <http://bind10.isc.org/ticket/2471#comment:3>
BIND 10 Development <http://bind10.isc.org>