bind/CVE-2022-2881.patch

From 13333db69f9b9710a98c86f44276e01e95420fa0 Mon Sep 17 00:00:00 2001
From: Evan Hunt <each@isc.org>
Date: Tue, 16 Aug 2022 16:26:02 -0700
Subject: [PATCH] compression buffer was not reused correctly

when the compression buffer was reused for multiple statistics
requests, responses could grow beyond the correct size. this was
because the buffer was not cleared before reuse; compressed data
was still written to the beginning of the buffer, but then the size
of used region was increased by the amount written, rather than set
to the amount written. this caused responses to grow larger and
larger, potentially reading past the end of the allocated buffer.

Conflict: NA
Reference: https://gitlab.isc.org/isc-projects/bind9/-/commit/13333db69f9b9710a98c86f44276e01e95420fa0

(cherry picked from commit 47e9fa981e56a7a232f3219fe8a40525c79d748b)
---
 lib/isc/httpd.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/lib/isc/httpd.c b/lib/isc/httpd.c
index 776455a..e55330b 100644
--- a/lib/isc/httpd.c
+++ b/lib/isc/httpd.c
@@ -246,6 +246,8 @@ free_buffer(isc_mem_t *mctx, isc_buffer_t *buffer) {
 	if (r.length > 0) {
 		isc_mem_put(mctx, r.base, r.length);
 	}
+
+       isc_buffer_initnull(buffer);
 }
 
 static void
@@ -910,6 +912,7 @@ isc_httpd_compress(isc_httpd_t *httpd) {
 	if (result != ISC_R_SUCCESS) {
 		return (result);
 	}
+       isc_buffer_clear(&httpd->compbuffer);
 	isc_buffer_region(&httpd->compbuffer, &r);
 
 	/*
-- 
2.23.0
bind:fix CVE-2022-2795 CVE-2022-38177 CVE-2022-38178 CVE-2022-3080 CVE-2022-2881 CVE-2022-2906 Signed-off-by: huangyu <huangyu106@huawei.com> (cherry picked from commit 6e6a5d5b26542aa0161f59446570b4ea26ab7d03) 2022-09-28 17:06:18 +08:00			`From 13333db69f9b9710a98c86f44276e01e95420fa0 Mon Sep 17 00:00:00 2001`
			`From: Evan Hunt <each@isc.org>`
			`Date: Tue, 16 Aug 2022 16:26:02 -0700`
			`Subject: [PATCH] compression buffer was not reused correctly`

			`when the compression buffer was reused for multiple statistics`
			`requests, responses could grow beyond the correct size. this was`
			`because the buffer was not cleared before reuse; compressed data`
			`was still written to the beginning of the buffer, but then the size`
			`of used region was increased by the amount written, rather than set`
			`to the amount written. this caused responses to grow larger and`
			`larger, potentially reading past the end of the allocated buffer.`

			`Conflict: NA`
			`Reference: https://gitlab.isc.org/isc-projects/bind9/-/commit/13333db69f9b9710a98c86f44276e01e95420fa0`

			`(cherry picked from commit 47e9fa981e56a7a232f3219fe8a40525c79d748b)`
			`---`
			`lib/isc/httpd.c \| 3 +++`
			`1 file changed, 3 insertions(+)`

			`diff --git a/lib/isc/httpd.c b/lib/isc/httpd.c`
			`index 776455a..e55330b 100644`
			`--- a/lib/isc/httpd.c`
			`+++ b/lib/isc/httpd.c`
			`@@ -246,6 +246,8 @@ free_buffer(isc_mem_t mctx, isc_buffer_t buffer) {`
			`if (r.length > 0) {`
			`isc_mem_put(mctx, r.base, r.length);`
			`}`
			`+`
			`+ isc_buffer_initnull(buffer);`
			`}`

			`static void`
			`@@ -910,6 +912,7 @@ isc_httpd_compress(isc_httpd_t *httpd) {`
			`if (result != ISC_R_SUCCESS) {`
			`return (result);`
			`}`
			`+ isc_buffer_clear(&httpd->compbuffer);`
			`isc_buffer_region(&httpd->compbuffer, &r);`

			`/*`
			`--`
			`2.23.0`