Fix [ISC-Bugs #34738] dns_journal_open() returns a pointer to stack

Signed-off-by: Tomas Hozza <thozza@redhat.com>
2013-09-10 10:03:44 +02:00 · 2013-09-10 10:03:44 +02:00 · 4a918b84b0
commit 4a918b84b0
parent d010f7191d
2 changed files with 67 additions and 1 deletions
--- a/bind.spec
+++ b/bind.spec
@ -26,7 +26,7 @@ Summary:  The Berkeley Internet Name Domain (BIND) DNS (Domain Name System) serv
 Name:     bind
 License:  ISC
 Version:  9.9.4
-Release:  0.8.%{?PATCHVER}%{?PREVER}%{?dist}
+Release:  0.9.%{?PATCHVER}%{?PREVER}%{?dist}
 Epoch:    32
 Url:      http://www.isc.org/products/BIND/
 Buildroot:%{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
@ -81,6 +81,7 @@ Patch134:bind97-rh669163.patch
 Patch137:bind99-rrl.patch
 # Install dns/update.h header for bind-dyndb-ldap plugin
 Patch138:bind-9.9.3-include-update-h.patch
+Patch139:bind99-ISC-Bugs-34738.patch

 # SDB patches
 Patch11: bind-9.3.2b2-sdbsrc.patch
@ -279,6 +280,7 @@ popd
 %patch131 -p1 -b .multlib-conflict
 %patch137 -p1 -b .rrl
 %patch138 -p1 -b .update
+%patch139 -p1 -b .journal

 %if %{SDB}
 %patch101 -p1 -b .old-api
@ -779,6 +781,9 @@ rm -rf ${RPM_BUILD_ROOT}
 %endif

 %changelog
+* Tue Sep 10 2013 Tomas Hozza <thozza@redhat.com> 32:9.9.4-0.9.rc2
+- Fix [ISC-Bugs #34738] dns_journal_open() returns a pointer to stack
+
 * Mon Sep 09 2013 Tomas Hozza <thozza@redhat.com> 32:9.9.4-0.8.rc2
 - update to bind-9.9.4rc2

--- a/bind99-ISC-Bugs-34738.patch
+++ b/bind99-ISC-Bugs-34738.patch
@ -0,0 +1,61 @@
+From 18df9e628ea10c7d607f43fcfd935e7924731f24 Mon Sep 17 00:00:00 2001
+From: Evan Hunt <each@isc.org>
+Date: Mon, 9 Sep 2013 22:12:47 -0700
+Subject: [PATCH] [master] strdup journal filename
+
+3646.	[bug]		Journal filename string could be set incorrectly,
+                        causing garbage in log messages.  [RT #34738]
+---
+ lib/dns/journal.c | 12 +++++++++---
+ 1 file changed, 9 insertions(+), 3 deletions(-)
+
+diff --git a/lib/dns/journal.c b/lib/dns/journal.c
+index 08aabd5..46a52e1 100644
+--- a/lib/dns/journal.c
+++ b/lib/dns/journal.c
+@@ -307,7 +307,7 @@ struct dns_journal {
+ 	unsigned int		magic;		/*%< JOUR */
+ 	isc_mem_t		*mctx;		/*%< Memory context */
+ 	journal_state_t		state;
+-	const char 		*filename;	/*%< Journal file name */
+	char 			*filename;	/*%< Journal file name */
+ 	FILE *			fp;		/*%< File handle */
+ 	isc_offset_t		offset;		/*%< Current file offset */
+ 	journal_header_t 	header;		/*%< In-core journal header */
+@@ -573,10 +573,13 @@ journal_open(isc_mem_t *mctx, const char *filename, isc_boolean_t write,
+ 	isc_mem_attach(mctx, &j->mctx);
+ 	j->state = JOURNAL_STATE_INVALID;
+ 	j->fp = NULL;
+-	j->filename = filename;
+	j->filename = isc_mem_strdup(mctx, filename);
+ 	j->index = NULL;
+ 	j->rawindex = NULL;
+ 
+	if (j->filename == NULL)
+		FAIL(ISC_R_NOMEMORY);
+
+ 	result = isc_stdio_open(j->filename, write ? "rb+" : "rb", &fp);
+ 
+ 	if (result == ISC_R_FILENOTFOUND) {
+@@ -679,6 +682,8 @@ journal_open(isc_mem_t *mctx, const char *filename, isc_boolean_t write,
+ 			    sizeof(journal_rawpos_t));
+ 		j->index = NULL;
+ 	}
+	if (j->filename != NULL)
+		isc_mem_free(j->mctx, j->filename);
+ 	if (j->fp != NULL)
+ 		(void)isc_stdio_close(j->fp);
+ 	isc_mem_putanddetach(&j->mctx, j, sizeof(*j));
+@@ -1242,7 +1247,8 @@ dns_journal_destroy(dns_journal_t **journalp) {
+ 		isc_mem_put(j->mctx, j->it.target.base, j->it.target.length);
+ 	if (j->it.source.base != NULL)
+ 		isc_mem_put(j->mctx, j->it.source.base, j->it.source.length);
+-
+	if (j->filename != NULL)
+		isc_mem_free(j->mctx, j->filename);
+ 	if (j->fp != NULL)
+ 		(void)isc_stdio_close(j->fp);
+ 	j->magic = 0;
+-- 
+1.8.3.1
+