You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
48 lines
1.3 KiB
48 lines
1.3 KiB
From 66c074b707318005d50f14910678ba451877a7a6 Mon Sep 17 00:00:00 2001 |
|
From: Petr Mensik <pemensik@redhat.com> |
|
Date: Wed, 19 Jun 2019 12:28:08 +0200 |
|
Subject: [PATCH] Fix CVE-2019-6471 |
|
|
|
5244. [security] Fixed a race condition in dns_dispatch_getnext() |
|
that could cause an assertion failure if a |
|
significant number of incoming packets were |
|
rejected. (CVE-2019-6471) [GL #942] |
|
--- |
|
lib/dns/dispatch.c | 10 +++++++--- |
|
1 file changed, 7 insertions(+), 3 deletions(-) |
|
|
|
diff --git a/lib/dns/dispatch.c b/lib/dns/dispatch.c |
|
index 321459ebcb..ae5c9c0fc7 100644 |
|
--- a/lib/dns/dispatch.c |
|
+++ b/lib/dns/dispatch.c |
|
@@ -3419,13 +3419,14 @@ dns_dispatch_getnext(dns_dispentry_t *resp, dns_dispatchevent_t **sockevent) { |
|
disp = resp->disp; |
|
REQUIRE(VALID_DISPATCH(disp)); |
|
|
|
- REQUIRE(resp->item_out == ISC_TRUE); |
|
- resp->item_out = ISC_FALSE; |
|
- |
|
ev = *sockevent; |
|
*sockevent = NULL; |
|
|
|
LOCK(&disp->lock); |
|
+ |
|
+ REQUIRE(resp->item_out == ISC_TRUE); |
|
+ resp->item_out = ISC_FALSE; |
|
+ |
|
if (ev->buffer.base != NULL) |
|
free_buffer(disp, ev->buffer.base, ev->buffer.length); |
|
free_devent(disp, ev); |
|
@@ -3570,6 +3571,9 @@ dns_dispatch_removeresponse(dns_dispentry_t **resp, |
|
isc_task_send(disp->task[0], &disp->ctlevent); |
|
} |
|
|
|
+/* |
|
+ * disp must be locked. |
|
+ */ |
|
static void |
|
do_cancel(dns_dispatch_t *disp) { |
|
dns_dispatchevent_t *ev; |
|
-- |
|
2.20.1 |
|
|
|
|