Debian Bug report logs - #501800
bind9: bind crashes with a list for allow-update

Package: bind9; Maintainer for bind9 is LaMont Jones <lamont@debian.org>; Source for bind9 is src:bind9.

Reported by: Christian Motschke <motschke@itso-berlin.de>

Date: Fri, 10 Oct 2008 15:21:02 UTC

Severity: grave

Tags: fixed-upstream, patch, upstream

Merged with 496954

Found in versions bind9/1:9.5.0.dfsg.P2-1, bind9/1:9.5.0.dfsg.P2-4

Fixed in version bind9/1:9.5.0.dfsg.P2-5.1

Done: Ben Hutchings <ben@decadent.org.uk>

Bug is archived. No further changes may be made.


Report forwarded to debian-bugs-dist@lists.debian.org, motschke@itso-berlin.de, LaMont Jones <lamont@debian.org>:
Bug#501800; Package bind9. (Fri, 10 Oct 2008 15:21:05 GMT) Full text and rfc822 format available.

Acknowledgement sent to Christian Motschke <motschke@itso-berlin.de>:
New Bug report received and forwarded. Copy sent to motschke@itso-berlin.de, LaMont Jones <lamont@debian.org>. (Fri, 10 Oct 2008 15:21:05 GMT) Full text and rfc822 format available.

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: Christian Motschke <motschke@itso-berlin.de>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: bind9: bind crashes with a list for allow-update
Date: Fri, 10 Oct 2008 17:18:10 +0200
Package: bind9
Version: 1:9.5.0.dfsg.P2-4
Severity: grave
Justification: renders package unusable

Hello,

I used bind for years with dynamic updates. The configuration runs on a
system with bind 1:9.4.2-9.
Now I would like to switch to a new server running as DomU under XEN and
the exact same configuration throws a segmentation fault with bind
1:9.5.0.dfsg.P2-4 (I have not tested other versions) when I use an
address_match_list for allow-update.

This seg faults:
        zone "itso-berlin.de" {
                type master;
                file "/etc/bind/db.itso-berlin.de.internal";
                allow-update { key ddns; "ADservers"; "lan"; };
                check-names ignore;
        };

It works when I use only one entry in the allow-update list.
This works:

        zone "itso-berlin.de" {
                type master;
                file "/etc/bind/db.itso-berlin.de.internal";
                allow-update { key ddns; };
                check-names ignore;
        };

From syslog:
Oct 10 12:23:15 firewall named[8855]: starting BIND 9.5.0-P2 -u bind
Oct 10 12:23:15 firewall named[8855]: found 1 CPU, using 1 worker thread
Oct 10 12:23:15 firewall named[8855]: loading configuration from '/etc/bind/named.conf'
Oct 10 12:23:15 firewall named[8855]: listening on IPv4 interface lo, 127.0.0.1#53
Oct 10 12:23:15 firewall named[8855]: listening on IPv4 interface br1, 192.168.42.18#53
Oct 10 12:23:15 firewall named[8855]: listening on IPv4 interface br0, 62.96.12.229#53
Oct 10 12:23:15 firewall kernel: named[8856]: segfault at 0000000000000000 rip 00002b761ea48e20 rsp 00000000407fe818 error 4

With kind regards.

-- System Information:
Debian Release: lenny/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.18-6-xen-amd64 (SMP w/1 CPU core)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE (charmap=locale: Cannot set LC_CTYPE to default locale: No such file or directory
locale: Kann LC_ALL nicht auf die Standard-Lokale einstellen: Datei oder Verzeichnis nicht gefunden
ANSI_X3.4-1968)
Shell: /bin/sh linked to /bin/bash

Versions of packages bind9 depends on:
ii  adduser               3.110              add and remove users and groups
ii  bind9utils            1:9.5.0.dfsg.P2-4  Utilities for BIND
ii  debconf [debconf-2.0] 1.5.23             Debian configuration management sy
ii  libbind9-40           1:9.5.0.dfsg.P2-4  BIND9 Shared Library used by BIND
ii  libc6                 2.7-14             GNU C Library: Shared libraries
ii  libcap2               2.11-2             support for getting/setting POSIX.
ii  libdb4.6              4.6.21-11          Berkeley v4.6 Database Libraries [
ii  libdns43              1:9.5.0.dfsg.P2-4  DNS Shared Library used by BIND
ii  libisc44              1:9.5.0.dfsg.P2-4  ISC Shared Library used by BIND
ii  libisccc40            1:9.5.0.dfsg.P2-4  Command Channel Library used by BI
ii  libisccfg40           1:9.5.0.dfsg.P2-4  Config File Handling Library used 
ii  libkrb53              1.6.dfsg.4~beta1-4 MIT Kerberos runtime libraries
ii  libldap-2.4-2         2.4.10-3           OpenLDAP libraries
ii  liblwres40            1:9.5.0.dfsg.P2-4  Lightweight Resolver Library used 
ii  libssl0.9.8           0.9.8g-13          SSL shared libraries
ii  libxml2               2.6.32.dfsg-4      GNOME XML library
ii  lsb-base              3.2-20             Linux Standard Base 3.2 init scrip
ii  netbase               4.34               Basic TCP/IP networking system

bind9 recommends no packages.

Versions of packages bind9 suggests:
pn  bind9-doc              <none>            (no description available)
ii  dnsutils               1:9.5.0.dfsg.P2-4 Clients provided with BIND
pn  resolvconf             <none>            (no description available)
pn  ufw                    <none>            (no description available)

-- debconf information:
perl: warning: Setting locale failed.
perl: warning: Please check that your locale settings:
	LANGUAGE = (unset),
	LC_ALL = (unset),
	LC_CTYPE = "de_DE",
	LANG = "de_DE.UTF-8"
    are supported and installed on your system.
perl: warning: Falling back to the standard locale ("C").
locale: Cannot set LC_CTYPE to default locale: No such file or directory
locale: Kann LC_ALL nicht auf die Standard-Lokale einstellen: Datei oder Verzeichnis nicht gefunden
  bind9/different-configuration-file:
  bind9/run-resolvconf: true
  bind9/start-as-user: bind




Information forwarded to debian-bugs-dist@lists.debian.org, LaMont Jones <lamont@debian.org>:
Bug#501800; Package bind9. (Sun, 12 Oct 2008 19:21:04 GMT) Full text and rfc822 format available.

Acknowledgement sent to Maximiliano Curia <maxy@gnuservers.com.ar>:
Extra info received and forwarded to list. Copy sent to LaMont Jones <lamont@debian.org>. (Sun, 12 Oct 2008 19:21:04 GMT) Full text and rfc822 format available.

Message #10 received at 501800@bugs.debian.org (full text, mbox):

From: Maximiliano Curia <maxy@gnuservers.com.ar>
To: 501800@bugs.debian.org, control@bugs.debian.org
Subject: Please, provide a full example of the bug
Date: Sun, 12 Oct 2008 16:17:36 -0300
tags 501800 +moreinfo

thank you

I have tried to reproduce this bug with the following named.local:
key "key-test" {
	algorithm hmac-md5;
	secret "IVqRBcWBoPU2LhJTFnaJrw==";
};

acl "test" {
        192.168.0.0/24;
        };

acl "another" {
        192.168.1.0/24;
        };

zone "example.com" {
	type master;
	file "/etc/bind/db.local";
	allow-update { key key-test; "test"; "another"; };
	check-names ignore;
};

And it seems to work. Could you please provide a minimal named.conf.local that
triggers this bug?

Anyway, in the 9.5.0 release sources the file KNOWN-DEFECTS documents an ugly
bug, and an untested patch. It might be worth checking if applying the
patch fixes your problem.

-- 
A computer scientist is someone who, when told to "Go to Hell,"
sees the "go to," rather than the destination, as harmful.
Saludos /\/\ /\ >< `/




Tags added: moreinfo Request was from Maximiliano Curia <maxy@gnuservers.com.ar> to control@bugs.debian.org. (Sun, 12 Oct 2008 19:21:05 GMT) Full text and rfc822 format available.

Message sent on to Christian Motschke <motschke@itso-berlin.de>:
Bug#501800. (Sun, 12 Oct 2008 19:24:02 GMT) Full text and rfc822 format available.

Information stored :
Bug#501800; Package bind9. (Sun, 12 Oct 2008 22:12:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to "Christian Motschke" <motschke@itso-berlin.de>:
Extra info received and filed, but not forwarded. (Sun, 12 Oct 2008 22:12:03 GMT) Full text and rfc822 format available.

Message #20 received at 501800-quiet@bugs.debian.org (full text, mbox):

From: "Christian Motschke" <motschke@itso-berlin.de>
To: "Maximiliano Curia" <maxy@gnuservers.com.ar>, <501800-quiet@bugs.debian.org>
Subject: AW: Bug#501800: Please, provide a full example of the bug
Date: Mon, 13 Oct 2008 00:09:26 +0200
[Message part 1 (text/plain, inline)]
Hello,

attached you will find 2 files which will reproduce the error on my server.
The funny thing is that named crashes if you use the line:
allow-update { key ddns; "ADservers"; "lan"; };
But with 
allow-update { key ddns; "lan"; "ADservers"; };
it runs. So I can use my old configuration, if I change the order of the address list of allow-update. Very strange.
I hope, you can reproduce the error now.

With kind regards.
Christian Motschke


[named.conf.options.test (application/octet-stream, attachment)]
[named.conf.local.test (application/octet-stream, attachment)]

Information forwarded to debian-bugs-dist@lists.debian.org, LaMont Jones <lamont@debian.org>:
Bug#501800; Package bind9. (Sat, 18 Oct 2008 15:12:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to Maximiliano Curia <google@maxy.com.ar>:
Extra info received and forwarded to list. Copy sent to LaMont Jones <lamont@debian.org>. (Sat, 18 Oct 2008 15:12:03 GMT) Full text and rfc822 format available.

Message #25 received at 501800@bugs.debian.org (full text, mbox):

From: Maximiliano Curia <google@maxy.com.ar>
To: 501800@bugs.debian.org, 501800-submitter@bugs.debian.org, control@bugs.debian.org
Subject: Re: Bug#501800: Please, provide a full example of the bug
Date: Sat, 18 Oct 2008 12:08:20 -0300
tags: 501800 -moreinfo +confirmed
found: 501800 1:9.5.0.dfsg.P2-1

thank you

> attached you will find 2 files which will reproduce the error on my server.
> The funny thing is that named crashes if you use the line:
> allow-update { key ddns; "ADservers"; "lan"; };
> But with 
> allow-update { key ddns; "lan"; "ADservers"; };
> it runs. So I can use my old configuration, if I change the order of the
> address list of allow-update. Very strange.
> I hope, you can reproduce the error now.

Indeed I could.
The configuration that I used is:
--- named.conf
include "/etc/bind/named.conf.options";

acl "lan" {
        { 192.168.42.0/24; };
};

acl "ADservers" {
        { 192.168.42.2; 192.168.69.2; 192.168.42.149; };
};

key "ddns" {
        algorithm hmac-md5;
        secret "IVqRBcWBoPU2LhJTFnaJrw==";
};

view "internal" {
match-clients { 127.0.0.1; "lan"; };
recursion yes;
allow-recursion { 127.0.0.1; "lan"; };

zone "example.com" {
        type master;
        file "/etc/bind/db.local";
        allow-update { key ddns; "ADservers"; "lan"; };
        check-names ignore;
};

};
---

The SEGV is being produced before logging that the acl is insecure. A pseudo
fix can be made avoiding the check, the following makes this particular SEGV
disappear:
--- zoneconf.ugly.hack
--- ./bin/named/zoneconf.c      2008-05-21 20:26:11.000000000 -0300
+++ ./bin/named/zoneconf.c.hack 2008-10-18 11:29:52.000000000 -0300
@@ -660,7 +660,7 @@
                                          dns_zone_clearupdateacl));
 
                updateacl = dns_zone_getupdateacl(zone);
-               if (updateacl != NULL  && dns_acl_isinsecure(updateacl))
+               if (updateacl != NULL  && 0 && dns_acl_isinsecure(updateacl))
                        isc_log_write(ns_g_lctx, DNS_LOGCATEGORY_SECURITY,
                                      NS_LOGMODULE_SERVER, ISC_LOG_WARNING,
                                      "zone '%s' allows updates by IP "
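Review bot: the "0 &&" added to the condition at zoneconf.c line 663 short-circuits before dns_acl_isinsecure() for every zone, so the ISC_LOG_WARNING in DNS_LOGCATEGORY_SECURITY ("zone '%s' allows updates by IP ...") can never be written. That hides the crash by dropping a security warning and leaves the bad ACL data in place for any later use. It is fine as a diagnostic to localise the fault, but it should not ship: keep the original condition and make the code reached through dns_acl_isinsecure() reject or tolerate the NULL entry instead.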
---

Which only confirms that the problem is acl specific. I suspect that some acl
function has a Null pointer (probably inside ./lib/isc/radix.c), but I'm
having some weird problems when I try to debug it.

I compiled bind9 with DEB_BUILD_OPTIONS="noopt debug nostrip" debuild

But when I tried to use gdb I get:
(gdb) break main
Breakpoint 1 at 0x23c58: file ./main.c, line 818.
(gdb) run
Starting program: /usr/sbin/named -f
Warning:
Cannot insert breakpoint 1.
Error accessing memory address 0x23c58: Input/output error.

I couldn't find info about this issue. I'll try debugging with printf and see
if I can find something.

-- 
Saludos /\/\ /\ >< `/




Message sent on to Christian Motschke <motschke@itso-berlin.de>:
Bug#501800. (Sat, 18 Oct 2008 15:12:05 GMT) Full text and rfc822 format available.

Tags removed: moreinfo Request was from Maximiliano Curia <maxy@gnuservers.com.ar> to control@bugs.debian.org. (Sat, 18 Oct 2008 21:00:03 GMT) Full text and rfc822 format available.

Bug marked as found in version 1:9.5.0.dfsg.P2-1. Request was from Maximiliano Curia <maxy@gnuservers.com.ar> to control@bugs.debian.org. (Sat, 18 Oct 2008 21:00:03 GMT) Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, LaMont Jones <lamont@debian.org>:
Bug#501800; Package bind9. (Sat, 18 Oct 2008 21:03:02 GMT) Full text and rfc822 format available.

Acknowledgement sent to Maximiliano Curia <maxy@gnuservers.com.ar>:
Extra info received and forwarded to list. Copy sent to LaMont Jones <lamont@debian.org>. (Sat, 18 Oct 2008 21:03:02 GMT) Full text and rfc822 format available.

Message #37 received at 501800@bugs.debian.org (full text, mbox):

From: Maximiliano Curia <maxy@gnuservers.com.ar>
To: 501800@bugs.debian.org
Subject: Some more info about this bug
Date: Sat, 18 Oct 2008 18:00:05 -0300
So, some more info about the bug:

The problem is that the node->data[0] of the first node in the list of 3 is
null.

If no address includes a host part bigger than 127, it doesn't fail.

If the address that includes a host bigger than 127 is not in the same
network, it doesn't fail either.

I have to go now, will keep debugging later.

-- 
Saludos /\/\ /\ >< `/




Merged 496954 501800. Request was from Paul Wise <pabs@debian.org> to control@bugs.debian.org. (Tue, 21 Oct 2008 10:33:06 GMT) Full text and rfc822 format available.

Tags removed: patch Request was from Paul Wise <pabs@debian.org> to control@bugs.debian.org. (Wed, 22 Oct 2008 05:57:03 GMT) Full text and rfc822 format available.

Disconnected #501800 from all other report(s). Request was from Paul Wise <pabs@debian.org> to control@bugs.debian.org. (Wed, 22 Oct 2008 07:45:03 GMT) Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, LaMont Jones <lamont@debian.org>:
Bug#501800; Package bind9. (Wed, 22 Oct 2008 08:06:05 GMT) Full text and rfc822 format available.

Acknowledgement sent to Paul Wise <pabs@debian.org>:
Extra info received and forwarded to list. Copy sent to LaMont Jones <lamont@debian.org>. (Wed, 22 Oct 2008 08:06:05 GMT) Full text and rfc822 format available.

Message #48 received at 501800@bugs.debian.org (full text, mbox):

From: Paul Wise <pabs@debian.org>
To: 501800@bugs.debian.org
Subject: bind9: 501800: backtrace
Date: Wed, 22 Oct 2008 16:04:38 +0800
[Message part 1 (text/plain, inline)]
I've attached a backtrace of this crash generated using the config
mentioned above.

-- 
bye,
pabs

http://wiki.debian.org/PaulWise
[bind9-backtrace.txt (text/plain, attachment)]
[signature.asc (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, LaMont Jones <lamont@debian.org>:
Bug#501800; Package bind9. (Wed, 22 Oct 2008 08:12:08 GMT) Full text and rfc822 format available.

Acknowledgement sent to 501800@bugs.debian.org, 496954@bugs.debian.org, pabs@debian.org:
Extra info received and forwarded to list. Copy sent to LaMont Jones <lamont@debian.org>. (Wed, 22 Oct 2008 08:12:08 GMT) Full text and rfc822 format available.

Message #53 received at 501800@bugs.debian.org (full text, mbox):

From: Paul Wise <pabs@debian.org>
To: bind9-bugs@isc.org
Cc: 501800@bugs.debian.org, 496954 <496954@bugs.debian.org>
Subject: bind9: acl-related segfaults upgrading from bind 9.3.4 to 9.5.0-P2
Date: Wed, 22 Oct 2008 16:08:27 +0800
[Message part 1 (text/plain, inline)]
Hi,

A couple of Debian users reported acl-related segfaults when upgrading
from bind 9.3.4 to 9.5.0-P2. Both bug reports come with full backtraces
and the bug reports can be found here:

http://bugs.debian.org/496954
http://bugs.debian.org/501800

Any insight you can give into these bugs would be appreciated.

-- 
bye,
pabs

http://wiki.debian.org/PaulWise
[signature.asc (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, LaMont Jones <lamont@debian.org>:
Bug#501800; Package bind9. (Mon, 27 Oct 2008 21:54:04 GMT) Full text and rfc822 format available.

Acknowledgement sent to Emmanuel Bouthenot <kolter@openics.org>:
Extra info received and forwarded to list. Copy sent to LaMont Jones <lamont@debian.org>. (Mon, 27 Oct 2008 21:54:04 GMT) Full text and rfc822 format available.

Message #58 received at 501800@bugs.debian.org (full text, mbox):

From: Emmanuel Bouthenot <kolter@openics.org>
To: 501800@bugs.debian.org, 496954 <496954@bugs.debian.org>
Cc: bind9-bugs@isc.org
Subject: [Re:] bind9: acl-related segfaults upgrading from bind 9.3.4 to 9.5.0-P2
Date: Mon, 27 Oct 2008 22:53:21 +0100
Hi,

I was “assigned” the RC bug as part of BugSprint (http://wiki.debian.org/BugSprint).

After some time debugging, I can add more information.

Here is a more simple use case to reproduce the bug from a fresh
install of bind9. Add the following lines to
/etc/bind/named.conf.local.
--8<-----------------------------------
acl "plop1" {
        { 192.168.1.0/24; };
};

acl "plop2" {
        { 192.168.1.8; 192.168.1.128; };
};

zone "example.com" {
        type master;
        file "/etc/bind/db.local";
        allow-update { "plop2"; "plop1"; };
};
----------------------------------->8--

Something very weird is that the following changes make it work
correctly : 
--8<-----------------------------------
-        { 192.168.1.8; 192.168.1.128; };
+        { 192.168.1.8; 192.168.1.X; };
----------------------------------->8--
with X < 128

or 

--8<-----------------------------------
-        allow-update { "plop2"; "plop1"; };
+        allow-update { "plop1"; "plop2"; };
----------------------------------->8--

The backtrace for the segv is the following :

--8<-----------------------------------
#0  0x00007f136e6c7839 in is_insecure (prefix=0x7f136ecf55b0, data=0x7f136ed1e6f8) at acl.c:499
#1  0x00007f136d871624 in isc_radix_process (radix=0x7f136ed17a60, func=0x7f136e6c77dd <is_insecure>) at radix.c:227
#2  0x00007f136e6c7958 in dns_acl_isinsecure (a=0x7f136ecf3ce0) at acl.c:546
#3  0x000000000045153e in ns_zone_configure (config=0x7f136ed198d0, vconfig=0x0, zconfig=0x7f136ed1bb50, ac=0x41626fe0, zone=0x13d62a0) at zoneconf.c:663
#4  0x0000000000437689 in configure_zone (config=0x7f136ed198d0, zconfig=0x7f136ed1bb50, vconfig=0x0, mctx=0x1308350, view=0x137bf20, aclconf=0x41626fe0) at server.c:2484
#5  0x00000000004331e8 in configure_view (view=0x137bf20, config=0x7f136ed198d0, vconfig=0x0, mctx=0x1308350, actx=0x41626fe0, need_hints=isc_boolean_true) at server.c:1127
#6  0x00000000004393b7 in load_configuration (filename=0x4660a1 "/etc/bind/named.conf", server=0x7f136ecfe010, first_time=isc_boolean_true) at server.c:3275
#7  0x000000000043ab5f in run_server (task=0x7f136ed07010, event=0x0) at server.c:3703
----------------------------------->8--

I think that the problem comes from the acl structure (arg ac in
ns_zone_configure ()) which is not filled correctly:

1: configure_zone () server.c:2484
2: ns_zone_configure () (zoneconf.c, line 657)
    -> RETERR(configure_zone_acl(zconfig, vconfig, config, "allow-update", ac, zone, dns_zone_setupdateacl, dns_zone_clearupdateacl));
3: configure_zone_acl() (zoneconf.c, line 93)
    -> result = cfg_acl_fromconfig(aclobj, config, ns_g_lctx, actx, dns_zone_getmctx(zone), 0, &dacl);
4: cfg_acl_fromconfig() (aclconf.c, line 253)
    -> result = dns_iptable_addprefix(iptab, &addr, bitlen, ISC_TF(nest_level != 0 || !neg));
5: dns_iptable_addprefix (iptable.c, line 61)
    -> result = isc_radix_insert(tab->radix, &node, NULL, &pfx);
6: isc_radix_insert (radix.c, line 301)
    -> ....

The segv occurs because the node->data[] 'array' contains a null value
but it should not, hence I think something goes wrong in
isc_radix_insert() with this use case.

It's a bit difficult to fix this bug regarding the complexity of the
code, and difficult to have a fix with no side effects.

I'm CCing bind9-bugs@isc.org, and hope they could take a look at these
bugs and help us to fix them.

Any help would be appreciated.

Cheers,

-- 
Emmanuel Bouthenot




Information forwarded to debian-bugs-dist@lists.debian.org, LaMont Jones <lamont@debian.org>:
Bug#501800; Package bind9. (Mon, 27 Oct 2008 23:45:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to Emmanuel Bouthenot <kolter@openics.org>:
Extra info received and forwarded to list. Copy sent to LaMont Jones <lamont@debian.org>. (Mon, 27 Oct 2008 23:45:03 GMT) Full text and rfc822 format available.

Message #63 received at 501800@bugs.debian.org (full text, mbox):

From: Emmanuel Bouthenot <kolter@openics.org>
To: 501800@bugs.debian.org, 496954 <496954@bugs.debian.org>
Subject: Subject: [Re:] bind9: acl-related segfaults upgrading from bind 9.3.4 to 9.5.0-P2
Date: Tue, 28 Oct 2008 00:42:04 +0100
Here are 2 replies from upstream :

Evan Hunt wrote:
--8<--------------------------------
> Here is a more simple use case to reproduce the bug from a fresh
> install of bind9. Add the following lines to
> /etc/bind/named.conf.local.

Thank you, I was able to reproduce the bug with these instructions.
The bug doesn't show up in 9.5.1b3, which is due to be released in a
couple of days.  I believe this is attributable to the following fix:

2470.   [bug]           Elements of the isc_radix_node_t could be incorrectly
                        overwritten.  [RT# 18719]

This one may have been a factor as well:

2474.   [bug]           ACL structures could be allocated with insufficient
                        space, causing an array overrun. [RT #18765]
-------------------------------->8--

Mark Andrews wrote:
--8<--------------------------------
Thanks for the update.

I could reproduce this against 9.5.0-P2.
I could not reproduce this against 9.5.1b2.

Mark
-------------------------------->8--

Regarding this additional information, I took a look at the differences
in file radix.c. As I presumed, most changes occur in function
isc_radix_insert().

As a quick fix, I tried to apply only the changes from radix.c in
9.5.0-P2 and the segv has gone. The patch is short and seems not to
have any other side effects.


Cheers,

-- 
Emmanuel Bouthenot
 mail : kolter@openics.org
  gpg : 0x414EC36E
  jid : kolter@im.openics.org
  irc : kolter@(freenode|oftc)




Information forwarded to debian-bugs-dist@lists.debian.org, LaMont Jones <lamont@debian.org>:
Bug#501800; Package bind9. (Tue, 28 Oct 2008 08:09:05 GMT) Full text and rfc822 format available.

Acknowledgement sent to Emmanuel Bouthenot <kolter@openics.org>:
Extra info received and forwarded to list. Copy sent to LaMont Jones <lamont@debian.org>. (Tue, 28 Oct 2008 08:09:05 GMT) Full text and rfc822 format available.

Message #68 received at 501800@bugs.debian.org (full text, mbox):

From: Emmanuel Bouthenot <kolter@openics.org>
To: 501800@bugs.debian.org, 496954@bugs.debian.org
Subject: [Re:] bind9: acl-related segfaults upgrading from bind 9.3.4 to 9.5.0-P2
Date: Tue, 28 Oct 2008 09:07:31 +0100
[Message part 1 (text/plain, inline)]
tags 501800 +patch
thanks


After further discussions with upstream authors :

Evan Hunt wrote:

--8<--------------------------------
Thanks to Emmanuel Bouthenot for the assistance, I was able to
reproduce the issue with his instructions.  It turned out to be a bug
that was fixed in 9.5.1b2.

There are several other ACL problems that have been fixed in that
release and in 9.5.1b3, which is due out in a few days.  I'd recommend
using 9.5.1 when it's complete (in about a month, most likely), but
I'm told Debian is planning to release 9.5.0-P2 plus patches
instead.  So I've rolled all the ACL fixes in the 9.5.1 pipeline up
into a single patch and attached it to this email. This reflects the
following changes:


2474.   [bug]           ACL structures could be allocated with insufficient
                        space, causing an array overrun. [RT #18765]
2470.   [bug]           Elements of the isc_radix_node_t could be incorrectly
                        overwritten.  [RT# 18719]
2456.   [bug]           In ACLs, ::/0 and 0.0.0.0/0 would both match any
                        address, regardless of family.  They now
                        correctly distinguish IPv4 from IPv6.  [RT #18559]
2441.   [bug]           isc_radix_insert() could copy radix tree nodes
                        incompletely. [RT #18573]
2439.   [bug]           Potential NULL dereference in dns_acl_isanyornone().
                        [RT #18559]

(For the record, the bug you hit was 2441.)

Thanks again and let me know if you have any questions.
-------------------------------->8--

The patch is attached.


Cheers,

-- 
Emmanuel Bouthenot
 mail : kolter@openics.org
  gpg : 0x414EC36E
  jid : kolter@im.openics.org
  irc : kolter@(freenode|oftc)
[aclfixes.diff (text/x-diff, attachment)]
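
The failure traced in this thread (is_insecure() crashing on a NULL node->data[] slot during the radix walk, attributed upstream to change 2441, an incomplete node copy in isc_radix_insert()) reduced to a self-contained model. This is an added example, not BIND's code: the struct, the function names and the three-node tree are hypothetical simplifications. It shows the incomplete copy passing unnoticed at insert time, an invariant check that catches it, and a walk callback that reports the broken node instead of dereferencing it.

```c
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>

/* Simplified model for illustration only; NOT BIND source. All names are hypothetical. */
enum { FAM_V4 = 0, FAM_V6 = 1, FAMILIES = 2 };

static const bool POSITIVE = true;   /* entry that allows by IP address */
static const bool NEGATIVE = false;  /* negated entry */

struct rnode {
    bool has_prefix;             /* the walk only visits nodes that carry a prefix */
    int family;                  /* FAM_V4 or FAM_V6 */
    const bool *data[FAMILIES];  /* per-family payload, like node->data[0] in the thread */
    struct rnode *left, *right;
};

static struct rnode *node_new(int family, const bool *payload) {
    struct rnode *n = calloc(1, sizeof *n);
    if (n == NULL) return NULL;
    n->has_prefix = true;
    n->family = family;
    n->data[family] = payload;
    return n;
}

/* Copy src into a fresh node. With complete == false the prefix fields are
 * copied but the payload slots are not: the model of an incomplete copy. */
static struct rnode *node_copy(const struct rnode *src, bool complete) {
    struct rnode *n = calloc(1, sizeof *n);
    if (n == NULL) return NULL;
    n->has_prefix = src->has_prefix;
    n->family = src->family;
    if (complete)
        for (int i = 0; i < FAMILIES; i++) n->data[i] = src->data[i];
    return n;
}

typedef int (*walk_cb)(const struct rnode *, void *);

/* Pre-order walk over prefix-carrying nodes; stops at the first callback error. */
static int walk(const struct rnode *n, walk_cb cb, void *arg) {
    if (n == NULL) return 0;
    if (n->has_prefix && cb(n, arg) != 0) return -1;
    if (walk(n->left, cb, arg) != 0) return -1;
    return walk(n->right, cb, arg);
}

/* Invariant the walk relies on: a node with a prefix has a payload for its family. */
static int count_cb(const struct rnode *n, void *arg) {
    if (n->data[n->family] == NULL) ++*(int *)arg;
    return 0;
}
static int tree_violations(const struct rnode *root) {
    int bad = 0;
    walk(root, count_cb, &bad);
    return bad;
}

/* Hardened callback: an unchecked version would evaluate *n->data[n->family]
 * directly and fault on the NULL slot, far from the insert that caused it. */
static int insecure_cb(const struct rnode *n, void *arg) {
    const bool *payload = n->data[n->family];
    if (payload == NULL) return -1;       /* corrupt tree: report, do not dereference */
    if (*payload) *(bool *)arg = true;    /* a positive IP entry makes the ACL "insecure" */
    return 0;
}

/* Returns 0 with *insecure set, or -1 if a node breaks the invariant. */
static int acl_isinsecure(const struct rnode *root, bool *insecure) {
    *insecure = false;
    return walk(root, insecure_cb, insecure);
}

static void tree_free(struct rnode *n) {
    if (n == NULL) return;
    tree_free(n->left);
    tree_free(n->right);
    free(n);
}

/* Build a three-entry tree whose root is produced by node_copy(), then check it. */
static int demo(bool complete_copy, bool *insecure, int *violations) {
    *insecure = false;
    *violations = 0;
    struct rnode *src = node_new(FAM_V4, &POSITIVE);   /* constructed source entry */
    struct rnode *root = src ? node_copy(src, complete_copy) : NULL;
    free(src);
    if (root == NULL) return -2;
    root->left = node_new(FAM_V4, &NEGATIVE);
    root->right = node_new(FAM_V4, &POSITIVE);
    *violations = tree_violations(root);
    int rc = acl_isinsecure(root, insecure);
    tree_free(root);
    return rc;
}

int main(void) {
    bool insecure;
    int bad;
    int rc = demo(false, &insecure, &bad);
    printf("incomplete copy: rc=%d violations=%d\n", rc, bad);
    rc = demo(true, &insecure, &bad);
    printf("complete copy:   rc=%d violations=%d insecure=%d\n", rc, bad, insecure);
    return 0;
}
```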

Information forwarded to debian-bugs-dist@lists.debian.org, LaMont Jones <lamont@debian.org>:
Bug#501800; Package bind9. (Thu, 30 Oct 2008 09:21:05 GMT) Full text and rfc822 format available.

Acknowledgement sent to Lucas Nussbaum <lucas@lucas-nussbaum.net>:
Extra info received and forwarded to list. Copy sent to LaMont Jones <lamont@debian.org>. (Thu, 30 Oct 2008 09:21:07 GMT) Full text and rfc822 format available.

Message #73 received at 501800@bugs.debian.org (full text, mbox):

From: Lucas Nussbaum <lucas@lucas-nussbaum.net>
To: debian-release@lists.debian.org
Cc: 501800@bugs.debian.org, 496954@bugs.debian.org, kolter@openics.org, lamont@debian.org
Subject: bind9 fix for #501800 - call for release team opinion
Date: Thu, 30 Oct 2008 10:17:43 +0100
[Message part 1 (text/plain, inline)]
Hi,

bind9 in lenny has several problems with ACL parsing. Emmanuel Bouthenot
investigated those, and contacted upstream, who provided a patch that
backports several fixes from the new upstream release (not yet
released).

The unstable package also received several changes. Here is its
changelog:
+bind9 (1:9.5.0.dfsg.P2-4) unstable; urgency=low
+
+  * meta: fix typo in Depends: lsb-base.  Closes: #501365
+
+ -- LaMont Jones <lamont@debian.org>  Tue, 07 Oct 2008 17:20:11 -0600
+
+bind9 (1:9.5.0.dfsg.P2-3) unstable; urgency=low
+
+  [LaMont Jones]
+
+  * enable largefile support.  Closes: #497040
+
+  [localization folks]
+
+  * l10n: Dutch translation.  Closes: #499977 (Paul Gevers)
+  * l10n: simplified chinese debconf template.  Closes: #501103 (LI Daobing)
+  * l10n: Update spanish template.  Closes: #493775 (Ignacio Mondino)
+
+ -- LaMont Jones <lamont@debian.org>  Sun, 05 Oct 2008 20:20:00 -0600
+
+bind9 (1:9.5.0.dfsg.P2-2) unstable; urgency=low
+
+  [Kees Cook]
+
+  * debian/{control,rules}: enable PIE hardening (from -1ubuntu1)
+
+  [Nicolas Valcárcel]
+
+  * Add ufw integration (from -1ubuntu2)
+
+  [Dustin Kirkland]
+
+  * use pid file in init.d/bind9 status.  LP: #247084
+
+  [LaMont Jones]
+
+  * dig: add -DDIG_SIGCHASE to compile options.  LP: #257682
+  * apparmor profile: add /var/log/named
+
+  [Nikita Ofitserov]
+
+  * ipv6 support requires _GNU_SOURCE definition.  LP: #249824
+
+ -- LaMont Jones <lamont@debian.org>  Thu, 28 Aug 2008 23:08:36 -0600


We have two options:
(A) Fix the ACL bugs in the unstable version, migrate it to lenny
(B) Fix the ACL bugs through a t-p-u upload, cherrypick some patches from
    the unstable version.

I've attached:
bind9_9.5.0.dfsg-P2-1_to_-4.debdiff.gz:
    debdiff between the testing and unstable version.
bind9_9.5.0.dfsg-P2-4+aclfixes.debdiff:
    proposed NMU of the unstable version with upstream's patch.

Release team, what do you want to do?
-- 
| Lucas Nussbaum
| lucas@lucas-nussbaum.net   http://www.lucas-nussbaum.net/ |
| jabber: lucas@nussbaum.fr             GPG: 1024D/023B3F4F |
[bind9_9.5.0.dfsg-P2-4+aclfixes.debdiff (text/plain, attachment)]
[bind9_9.5.0.dfsg-P2-1_to_-4.debdiff.gz (application/octet-stream, attachment)]

Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#501800; Package bind9. (Thu, 30 Oct 2008 13:51:04 GMT) Full text and rfc822 format available.

Acknowledgement sent to LaMont Jones <lamont@debian.org>:
Extra info received and forwarded to list. (Thu, 30 Oct 2008 13:51:04 GMT) Full text and rfc822 format available.

Message #78 received at 501800@bugs.debian.org (full text, mbox):

From: LaMont Jones <lamont@debian.org>
To: Lucas Nussbaum <lucas@lucas-nussbaum.net>, 496954@bugs.debian.org
Cc: debian-release@lists.debian.org, 501800@bugs.debian.org, kolter@openics.org, lamont@debian.org
Subject: Re: Bug#496954: bind9 fix for #501800 - call for release team opinion
Date: Thu, 30 Oct 2008 07:49:56 -0600
On Thu, Oct 30, 2008 at 10:17:43AM +0100, Lucas Nussbaum wrote:
> bind9 in lenny has several problems with ACL parsing. Emmanuel Bouthenot
> investigated those, and contacted upstream, who provided a patch that
> backports several fixes from the new upstream release (not yet
> released).

I'll be uploading new bits to unstable with these fixes shortly myself.
(Shortly == waiting for the next upstream beta/rc to pull patches from
for this and other significant bugs)

> We have two options:
> (A) Fix the ACL bugs in the unstable version, migrate it to lenny
> (B) Fix the ACL bugs through a t-p-u upload, cherrypick some patches from
>     the unstable version.

> Release team, what do you want to do?

I prefer (A), though I'm not wedded to it.

lamont




Information forwarded to debian-bugs-dist@lists.debian.org, LaMont Jones <lamont@debian.org>:
Bug#501800; Package bind9. (Sat, 15 Nov 2008 01:03:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to Moritz Muehlenhoff <jmm@inutil.org>:
Extra info received and forwarded to list. Copy sent to LaMont Jones <lamont@debian.org>. (Sat, 15 Nov 2008 01:03:03 GMT) Full text and rfc822 format available.

Message #83 received at 501800@bugs.debian.org (full text, mbox):

From: Moritz Muehlenhoff <jmm@inutil.org>
To: LaMont Jones <lamont@debian.org>, Lucas Nussbaum <lucas@lucas-nussbaum.net>, 496954@bugs.debian.org, debian-release@lists.debian.org, 501800@bugs.debian.org, kolter@openics.org
Subject: Re: Bug#496954: bind9 fix for #501800 - call for release team opinion
Date: Sat, 15 Nov 2008 01:58:51 +0100

On Thu, Oct 30, 2008 at 07:49:56AM -0600, LaMont Jones wrote:
> On Thu, Oct 30, 2008 at 10:17:43AM +0100, Lucas Nussbaum wrote:
> > bind9 in lenny has several problems with ACL parsing. Emmanuel Bouthenot
> > investigated those, and contacted upstream, who provided a patch that
> > backports several fixes from the new upstream release (not yet
> > released).
> 
> I'll be uploading new bits to unstable with these fixes shortly myself.
> (Shortly == waiting for the next upstream beta/rc to pull patches from
> for this and other significant bugs)
> 
> > We have two options:
> > (A) Fix the ACL bugs in the unstable version, migrate it to lenny
> > (B) Fix the ACL bugs through a t-p-u upload, cherrypick some patches from
> >     the unstable version.
> 
> > Release team, what do you want to do?
> 
> I prefer (A), though I'm not wedded to it.

Meanwhile 1:9.5.0.dfsg.P2-4 has migrated to testing; can you please go ahead
with (A) now?

Cheers,
        Moritz




Tags removed: Request was from Ben Hutchings <ben@decadent.org.uk> to control@bugs.debian.org. (Sat, 22 Nov 2008 20:57:05 GMT) Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, LaMont Jones <lamont@debian.org>:
Bug#501800; Package bind9. (Wed, 03 Dec 2008 17:51:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to <marcos.marado@sonae.com>:
Extra info received and forwarded to list. Copy sent to LaMont Jones <lamont@debian.org>. (Wed, 03 Dec 2008 17:51:03 GMT) Full text and rfc822 format available.

Message #90 received at 501800@bugs.debian.org (full text, mbox):

From: <marcos.marado@sonae.com>
To: <496954@bugs.debian.org>, <501800@bugs.debian.org>
Subject: BIND 9.5.1rc1 is now available
Date: Wed, 3 Dec 2008 17:47:42 +0000

Just a heads-up:

BIND 9.5.1rc1 is now available (since today):
http://oldwww.isc.org/sw/bind/view/?release=9.5.1rc1

Best regards,
-- 
Marcos Marado




Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#501800; Package bind9. (Wed, 03 Dec 2008 18:06:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to LaMont Jones <lamont@debian.org>:
Extra info received and forwarded to list. (Wed, 03 Dec 2008 18:06:03 GMT) Full text and rfc822 format available.

Message #95 received at 501800@bugs.debian.org (full text, mbox):

From: LaMont Jones <lamont@debian.org>
To: marcos.marado@sonae.com, 501800@bugs.debian.org
Subject: Re: Bug#501800: BIND 9.5.1rc1 is now available
Date: Wed, 3 Dec 2008 11:03:42 -0700

On Wed, Dec 03, 2008 at 05:47:42PM +0000, marcos.marado@sonae.com wrote:
> BIND 9.5.1rc1 is now available (since today):
> http://oldwww.isc.org/sw/bind/view/?release=9.5.1rc1

Yeah, I have the patch for just that bug backported, will be uploading
this week sometime.

lamont




Information forwarded to debian-bugs-dist@lists.debian.org, LaMont Jones <lamont@debian.org>:
Bug#501800; Package bind9. (Thu, 04 Dec 2008 17:36:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to Moritz Muehlenhoff <jmm@inutil.org>:
Extra info received and forwarded to list. Copy sent to LaMont Jones <lamont@debian.org>. (Thu, 04 Dec 2008 17:36:03 GMT) Full text and rfc822 format available.

Message #100 received at 501800@bugs.debian.org (full text, mbox):

From: Moritz Muehlenhoff <jmm@inutil.org>
To: LaMont Jones <lamont@debian.org>
Cc: Lucas Nussbaum <lucas@lucas-nussbaum.net>, 496954@bugs.debian.org, debian-release@lists.debian.org, 501800@bugs.debian.org, kolter@openics.org
Subject: Re: Bug#496954: bind9 fix for #501800 - call for release team opinion
Date: Thu, 4 Dec 2008 18:30:24 +0100

On Sat, Nov 15, 2008 at 01:58:51AM +0100, Moritz Muehlenhoff wrote:
> On Thu, Oct 30, 2008 at 07:49:56AM -0600, LaMont Jones wrote:
> > On Thu, Oct 30, 2008 at 10:17:43AM +0100, Lucas Nussbaum wrote:
> > > bind9 in lenny has several problems with ACL parsing. Emmanuel Bouthenot
> > > investigated those, and contacted upstream, who provided a patch that
> > > backports several fixes from the new upstream release (not yet
> > > released).
> > 
> > I'll be uploading new bits to unstable with these fixes shortly myself.
> > (Shortly == waiting for the next upstream beta/rc to pull patches from
> > for this and other significant bugs)
> > 
> > > We have two options:
> > > (A) Fix the ACL bugs in the unstable version, migrate it to lenny
> > > (B) Fix the ACL bugs through a t-p-u upload, cherrypick some patches from
> > >     the unstable version.
> > 
> > > Release team, what do you want to do?
> > 
> > I prefer (A), though I'm not wedded to it.
> 
> Meanwhile 1:9.5.0.dfsg.P2-4 has migrated to testing; can you please go ahead
> with (A) now?

Another three weeks have passed, what's the status?

Cheers,
        Moritz





Information forwarded to debian-bugs-dist@lists.debian.org, LaMont Jones <lamont@debian.org>:
Bug#501800; Package bind9. (Sun, 07 Dec 2008 17:03:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to Ben Hutchings <ben@decadent.org.uk>:
Extra info received and forwarded to list. Copy sent to LaMont Jones <lamont@debian.org>. (Sun, 07 Dec 2008 17:03:03 GMT) Full text and rfc822 format available.

Message #105 received at 501800@bugs.debian.org (full text, mbox):

From: Ben Hutchings <ben@decadent.org.uk>
To: 496954@bugs.debian.org, 501800@bugs.debian.org
Subject: NMU diff for bind9 1:9.5.0.dfsg.P2-4.1
Date: Sun, 07 Dec 2008 16:58:02 +0000

I intend to upload the following changes to delayed/3 shortly.

Ben.

diff -u bind9-9.5.0.dfsg.P2/debian/changelog bind9-9.5.0.dfsg.P2/debian/changelog
--- bind9-9.5.0.dfsg.P2/debian/changelog
+++ bind9-9.5.0.dfsg.P2/debian/changelog
@@ -1,3 +1,12 @@
+bind9 (1:9.5.0.dfsg.P2-4.1) unstable; urgency=low
+
+  * Non-maintainer upload.
+  * Backported upstream ACL fixes from 9.5.1 to fix RC bug. Patch was provided
+    by Evan Hunt (upstream bind9 developer) after Emmanuel Bouthenot
+    contacted him. Closes: #496954, #501800.
+
+ -- Ben Hutchings <ben@decadent.org.uk>  Sun, 07 Dec 2008 16:30:43 +0000
+
 bind9 (1:9.5.0.dfsg.P2-4) unstable; urgency=low
 
   * meta: fix typo in Depends: lsb-base.  Closes: #501365
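Review bot: urgency=low on the new changelog entry sits oddly with the entry's own description of the change as a fix for an RC bug; consider a higher urgency so the fix is not held back longer than necessary. The entry would also be easier to audit if it named the files the backport touches (lib/dns/acl.c, lib/dns/iptable.c, lib/isccfg/aclconf.c, lib/isc/radix.c, lib/isc/include/isc/radix.h).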
only in patch2:
unchanged:
--- bind9-9.5.0.dfsg.P2.orig/lib/dns/iptable.c
+++ bind9-9.5.0.dfsg.P2/lib/dns/iptable.c
@@ -70,22 +70,39 @@
 
 	NETADDR_TO_PREFIX_T(addr, pfx, bitlen);
 
-	/* Bitlen 0 means "any" or "none", which is always treated as IPv4 */
-	family = bitlen ? pfx.family : AF_INET;
-
 	result = isc_radix_insert(tab->radix, &node, NULL, &pfx);
-
-	if (result != ISC_R_SUCCESS)
+	if (result != ISC_R_SUCCESS) {
+		isc_refcount_destroy(&pfx.refcount);
 		return(result);
+	}
 
-	/* If the node already contains data, don't overwrite it */
-	if (node->data[ISC_IS6(family)] == NULL) {
-		if (pos)
-			node->data[ISC_IS6(family)] = &dns_iptable_pos;
-		else
-			node->data[ISC_IS6(family)] = &dns_iptable_neg;
+	/* If a node already contains data, don't overwrite it */
+	family = pfx.family;
+	if (family == AF_UNSPEC) {
+ 		/* "any" or "none" */
+ 		INSIST(pfx.bitlen == 0);
+ 		if (pos) {
+ 			if (node->data[0] == NULL)
+ 				node->data[0] = &dns_iptable_pos;
+ 			if (node->data[1] == NULL)
+ 				node->data[1] = &dns_iptable_pos;
+ 		} else {
+ 			if (node->data[0] == NULL)
+ 				node->data[0] = &dns_iptable_neg;
+ 			if (node->data[1] == NULL)
+ 				node->data[1] = &dns_iptable_neg;
+ 		}
+ 	} else {
+ 		/* any other prefix */
+ 		if (node->data[ISC_IS6(family)] == NULL) {
+ 			if (pos)
+ 				node->data[ISC_IS6(family)] = &dns_iptable_pos;
+ 			else
+ 				node->data[ISC_IS6(family)] = &dns_iptable_neg;
+ 		}
 	}
 
+	isc_refcount_destroy(&pfx.refcount);
 	return (ISC_R_SUCCESS);
 }
 
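Review bot: the new AF_UNSPEC branch repeats the same pair of guarded assignments for the positive and the negative case; selecting the value once (pos ? &dns_iptable_pos : &dns_iptable_neg) and then filling whichever of node->data[0] and node->data[1] is still NULL would halve the code and keep the two cases from drifting apart. When only one slot was empty the node ends up with data[0] != data[1], which the any/none test changed in acl.c then reports as "not any/none"; a comment saying that this is intended would help. The added lines in this branch are also indented with a space followed by tabs, unlike the tab-only lines around them.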
only in patch2:
unchanged:
--- bind9-9.5.0.dfsg.P2.orig/lib/dns/acl.c
+++ bind9-9.5.0.dfsg.P2/lib/dns/acl.c
@@ -148,7 +148,10 @@
 		return (ISC_FALSE);
 
 	if (acl->iptable->radix->head->prefix->bitlen == 0 &&
-	    *(isc_boolean_t *) (acl->iptable->radix->head->data[0]) == pos)
+  	    acl->iptable->radix->head->data[0] != NULL &&
+	    acl->iptable->radix->head->data[0] ==
+	    acl->iptable->radix->head->data[1] &&
+  	    *(isc_boolean_t *) (acl->iptable->radix->head->data[0]) == pos)
 		return (ISC_TRUE);
 
 	return (ISC_FALSE); /* All others */
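Review bot: nothing in the extended condition explains why data[0] must be non-NULL and equal to data[1]; add a one-line comment that both slots point at the same dns_iptable_pos/dns_iptable_neg value only when the head entry was added as "any" or "none". The expression now walks acl->iptable->radix->head four times, so a local pointer to the head node would make the test readable, and two of the added lines are indented with two spaces before the tab.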
@@ -220,8 +223,6 @@
 
 	/* Found a match. */
 	if (result == ISC_R_SUCCESS && node != NULL) {
-		if (node->bit == 0)
-			family = AF_INET;
 		match_num = node->node_num[ISC_IS6(family)];
 		if (*(isc_boolean_t *) node->data[ISC_IS6(family)] == ISC_TRUE)
 			*match = match_num;
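Review bot: with the node->bit == 0 override removed, node->data[ISC_IS6(family)] is dereferenced with no NULL check, while the first hunk of this file had to add exactly that check for head->data[0]. If the invariant is that isc_radix_search() only returns a node whose slot for the queried family is populated, state it here with INSIST(node->data[ISC_IS6(family)] != NULL) so a violation stops with an assertion message instead of a segmentation fault.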
@@ -491,9 +492,8 @@
 	isc_boolean_t secure;
 	int bitlen, family;
 
-	/* Bitlen 0 means "any" or "none", which is always treated as IPv4 */
 	bitlen = prefix->bitlen;
-	family = bitlen ? prefix->family : AF_INET;
+	family = prefix->family;
 
 	/* Negated entries are always secure. */
 	secure = * (isc_boolean_t *)data[ISC_IS6(family)];
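Review bot: family can now be AF_UNSPEC at this point, and the deleted comment was the only place that said which slot a zero-length entry uses; data[ISC_IS6(family)] now picks a slot implicitly. Replace the removed comment with one saying that "any" and "none" populate both slots, so either index is valid, and consider guarding the dereference of data[ISC_IS6(family)] against NULL as the first hunk does for head->data[0].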
only in patch2:
unchanged:
--- bind9-9.5.0.dfsg.P2.orig/lib/isccfg/aclconf.c
+++ bind9-9.5.0.dfsg.P2/lib/isccfg/aclconf.c
@@ -160,6 +160,51 @@
 	return (dns_name_dup(dns_fixedname_name(&fixname), mctx, dnsname));
 }
 
+/*
+ * Recursively pre-parse an ACL definition to find the total number
+ * of non-IP-prefix elements (localhost, localnets, key) in all nested
+ * ACLs, so that the parent will have enough space allocated for the
+ * elements table after all the nested ACLs have been merged in to the
+ * parent.
+ */
+static int
+count_acl_elements(const cfg_obj_t *caml, const cfg_obj_t *cctx)
+{
+	const cfg_listelt_t *elt;
+	const cfg_obj_t *cacl = NULL;
+	isc_result_t result;
+	int n = 0;
+
+	for (elt = cfg_list_first(caml);
+	     elt != NULL;
+	     elt = cfg_list_next(elt)) {
+		const cfg_obj_t *ce = cfg_listelt_value(elt);
+
+		/* negated element; just get the value. */
+		if (cfg_obj_istuple(ce))
+			ce = cfg_tuple_get(ce, "value");
+
+		if (cfg_obj_istype(ce, &cfg_type_keyref)) {
+			n++;
+		} else if (cfg_obj_islist(ce)) {
+			n += count_acl_elements(ce, cctx);
+		} else if (cfg_obj_isstring(ce)) {
+			const char *name = cfg_obj_asstring(ce);
+			if (strcasecmp(name, "localhost") == 0 ||
+			    strcasecmp(name, "localnets") == 0) {
+				n++;
+			} else if (strcasecmp(name, "any") != 0 &&
+				   strcasecmp(name, "none") != 0) {
+				result = get_acl_def(cctx, name, &cacl);
+				if (result == ISC_R_SUCCESS)
+					n += count_acl_elements(cacl, cctx) + 1;
+			}
+		}
+	}
+
+	return n;
+}
+
 isc_result_t
 cfg_acl_fromconfig(const cfg_obj_t *caml,
 		   const cfg_obj_t *cctx,
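Review bot: count_acl_elements() follows named ACLs through get_acl_def() and recurses with no depth limit and no record of the names already visited, so a definition that refers to itself, directly or through another ACL, would recurse until the stack is exhausted unless something earlier rejects it. Either pass a nesting counter and stop past a limit, or add a comment naming the place where such cycles are refused before this function runs. Minor: "return n;" does not match the "return (...)" style used by the surrounding code.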
@@ -194,14 +239,18 @@
 	} else {
 		/*
 		 * Need to allocate a new ACL structure.  Count the items
-		 * in the ACL definition and allocate space for that many
-		 * elements (even though some or all of them may end up in
-		 * the iptable instead of the element array).
+		 * in the ACL definition that will require space in the
+		 * elemnts table.  (Note that if nest_level is nonzero,
+		 * *everything* goes in the elements table.)
 		 */
-		isc_boolean_t recurse = ISC_TF(nest_level == 0);
-		result = dns_acl_create(mctx,
-					cfg_list_length(caml, recurse),
-					&dacl);
+		int nelem;
+
+		if (nest_level == 0)
+			nelem = count_acl_elements(caml, cctx);
+		else
+			nelem = cfg_list_length(caml, ISC_FALSE);
+
+		result = dns_acl_create(mctx, nelem, &dacl);
 		if (result != ISC_R_SUCCESS)
 			return (result);
 	}
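Review bot: typo in the rewritten comment, "elemnts" should be "elements". Since count_acl_elements() counts only the non-prefix elements, an ACL made up purely of address prefixes now yields nelem == 0 at nest_level 0; the comment should say that dns_acl_create() is expected to cope with a zero count, or the call should clamp it.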
only in patch2:
unchanged:
--- bind9-9.5.0.dfsg.P2.orig/lib/isc/radix.c
+++ bind9-9.5.0.dfsg.P2/lib/isc/radix.c
@@ -53,7 +53,7 @@
 
 	REQUIRE(target != NULL);
 
-	if (family != AF_INET6 && family != AF_INET)
+	if (family != AF_INET6 && family != AF_INET && family != AF_UNSPEC)
 		return (ISC_R_NOTIMPLEMENTED);
 
 	prefix = isc_mem_get(mctx, sizeof(isc_prefix_t));
@@ -64,6 +64,7 @@
 		prefix->bitlen = (bitlen >= 0) ? bitlen : 128;
 		memcpy(&prefix->add.sin6, dest, 16);
 	} else {
+		/* AF_UNSPEC is "any" or "none"--treat it as AF_INET */
 		prefix->bitlen = (bitlen >= 0) ? bitlen : 32;
 		memcpy(&prefix->add.sin, dest, 4);
 	}
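Review bot: routing AF_UNSPEC through the IPv4 else branch lets it receive bitlen 32 when the caller passes a negative bitlen, and any non-negative bitlen unchanged, while the INSIST added to _ref_prefix in the next hunk accepts AF_UNSPEC only with bitlen == 0. The branch also copies 4 bytes from dest for a prefix that carries no address. Give AF_UNSPEC its own branch that sets bitlen to 0 (or asserts it) so that the two functions agree.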
@@ -95,7 +96,8 @@
 _ref_prefix(isc_mem_t *mctx, isc_prefix_t **target, isc_prefix_t *prefix) {
 	INSIST(prefix != NULL);
 	INSIST((prefix->family == AF_INET && prefix->bitlen <= 32) ||
-	       (prefix->family == AF_INET6 && prefix->bitlen <= 128));
+	       (prefix->family == AF_INET6 && prefix->bitlen <= 128) ||
+	       (prefix->family == AF_UNSPEC && prefix->bitlen == 0));
 	REQUIRE(target != NULL);
 
 	/* If this prefix is a static allocation, copy it into new memory */
@@ -236,7 +238,7 @@
 	isc_radix_node_t *stack[RADIX_MAXBITS + 1];
 	u_char *addr;
 	isc_uint32_t bitlen;
-	int family, tfamily = -1;
+	int tfamily = -1;
 	int cnt = 0;
 
 	REQUIRE(radix != NULL);
@@ -276,16 +278,12 @@
 		if (_comp_with_mask(isc_prefix_tochar(node->prefix),
 				    isc_prefix_tochar(prefix),
 				    node->prefix->bitlen)) {
-			/* Bitlen 0 means "any" or "none",
-			   which is always treated as IPv4 */
-			family = node->prefix->bitlen ?
-				 prefix->family : AF_INET;
-			if (node->node_num[ISC_IS6(family)] != -1 &&
+			if (node->node_num[ISC_IS6(prefix->family)] != -1 &&
 				 ((*target == NULL) ||
 				  (*target)->node_num[ISC_IS6(tfamily)] >
-				   node->node_num[ISC_IS6(family)])) {
+				   node->node_num[ISC_IS6(prefix->family)])) {
 				*target = node;
-				tfamily = family;
+				tfamily = prefix->family;
 			}
 		}
 	}
@@ -303,7 +301,7 @@
 {
 	isc_radix_node_t *node, *new_node, *parent, *glue = NULL;
 	u_char *addr, *test_addr;
-	isc_uint32_t bitlen, family, check_bit, differ_bit;
+	isc_uint32_t bitlen, fam, check_bit, differ_bit;
 	isc_uint32_t i, j, r;
 	isc_result_t result;
 
@@ -317,9 +315,7 @@
 	INSIST(prefix != NULL);
 
 	bitlen = prefix->bitlen;
-
-	/* Bitlen 0 means "any" or "none", which is always treated as IPv4 */
-	family = bitlen ? prefix->family : AF_INET;
+	fam = prefix->family;
 
 	if (radix->head == NULL) {
 		node = isc_mem_get(radix->mctx, sizeof(isc_radix_node_t));
@@ -353,8 +349,14 @@
 			node->data[0] = source->data[0];
 			node->data[1] = source->data[1];
 		} else {
-			node->node_num[ISC_IS6(family)] =
-				++radix->num_added_node;
+			if (fam == AF_UNSPEC) {
+				/* "any" or "none" */
+				node->node_num[0] = node->node_num[1] =
+					++radix->num_added_node;
+			} else {
+				node->node_num[ISC_IS6(fam)] =
+					++radix->num_added_node;
+			}
 			node->data[0] = NULL;
 			node->data[1] = NULL;
 		}
@@ -417,25 +419,71 @@
 	if (differ_bit == bitlen && node->bit == bitlen) {
 		if (node->prefix != NULL) {
 			/* Set node_num only if it hasn't been set before */
-			if (node->node_num[ISC_IS6(family)] == -1)
-				node->node_num[ISC_IS6(family)] =
-					 ++radix->num_added_node;
+			if (source != NULL) {
+				/* Merging node */
+				if (node->node_num[0] == -1 &&
+				    source->node_num[0] != -1) {
+					node->node_num[0] =
+						radix->num_added_node +
+						source->node_num[0];
+					node->data[0] = source->data[0];
+				}
+				if (node->node_num[1] == -1 &&
+				    source->node_num[0] != -1) {
+					node->node_num[1] =
+						radix->num_added_node +
+						source->node_num[1];
+					node->data[1] = source->data[1];
+				}
+			} else {
+				if (fam == AF_UNSPEC) {
+ 					/* "any" or "none" */
+ 					int next = radix->num_added_node + 1;
+ 					if (node->node_num[0] == -1) {
+ 						node->node_num[0] = next;
+ 						radix->num_added_node = next;
+ 					}
+ 					if (node->node_num[1] == -1) {
+ 						node->node_num[1] = next;
+ 						radix->num_added_node = next;
+ 					}
+ 				} else {
+ 					if (node->node_num[ISC_IS6(fam)] == -1)
+ 						node->node_num[ISC_IS6(fam)]
+ 						   = ++radix->num_added_node;
+ 				}
+			}
 			*target = node;
 			return (ISC_R_SUCCESS);
+		} else {
+			result =
+				_ref_prefix(radix->mctx, &node->prefix, prefix);
+			if (result != ISC_R_SUCCESS)
+				return (result);
 		}
-		result = _ref_prefix(radix->mctx, &node->prefix, prefix);
-		if (result != ISC_R_SUCCESS)
-			return (result);
 		INSIST(node->data[0] == NULL && node->node_num[0] == -1 &&
 		       node->data[1] == NULL && node->node_num[1] == -1);
 		if (source != NULL) {
 			/* Merging node */
-			node->node_num[ISC_IS6(family)] =
-				radix->num_added_node +
-				source->node_num[ISC_IS6(family)];
+			if (source->node_num[0] != -1) {
+				node->node_num[0] = radix->num_added_node +
+						    source->node_num[0];
+				node->data[0] = source->data[0];
+			}
+			if (source->node_num[1] != -1) {
+				node->node_num[1] = radix->num_added_node +
+						    source->node_num[1];
+				node->data[1] = source->data[1];
+			}
 		} else {
-			node->node_num[ISC_IS6(family)] =
-				++radix->num_added_node;
+			if (fam == AF_UNSPEC) {
+				/* "any" or "none" */
+				node->node_num[0] = node->node_num[1] =
+					++radix->num_added_node;
+			} else {
+				node->node_num[ISC_IS6(fam)] =
+					++radix->num_added_node;
+			}
 		}
 		*target = node;
 		return (ISC_R_SUCCESS);
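Review bot: in the first new "Merging node" block the second test reads "if (node->node_num[1] == -1 && source->node_num[0] != -1)" but its body copies source->node_num[1] and source->data[1]; the guard should test source->node_num[1]. As written, a source node that has only an IPv4 entry sets node->node_num[1] to radix->num_added_node - 1 and copies source->data[1] although the source has nothing in that slot, and a source node that has only an IPv6 entry is not merged at all. The second merge block in this hunk, after the INSIST, tests source->node_num[1] correctly.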
@@ -477,7 +525,14 @@
 		new_node->data[0] = source->data[0];
 		new_node->data[1] = source->data[1];
 	} else {
-		new_node->node_num[ISC_IS6(family)] = ++radix->num_added_node;
+		if (fam == AF_UNSPEC) {
+			/* "any" or "none" */
+			new_node->node_num[0] = new_node->node_num[1] =
+				++radix->num_added_node;
+		} else {
+			new_node->node_num[ISC_IS6(fam)] =
+				++radix->num_added_node;
+		}
 		new_node->data[0] = NULL;
 		new_node->data[1] = NULL;
 	}
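Review bot: this is the third copy in radix.c of the block "if (fam == AF_UNSPEC) set both node_num slots to ++radix->num_added_node, else set node_num[ISC_IS6(fam)]"; a small static helper taking the radix, the node and fam would keep the three sites identical and give one place to document that "any"/"none" share a single sequence number across both families. fam is also declared isc_uint32_t alongside bitlen while it only ever holds an address-family constant; a plain int or unsigned int would state the intent better.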
only in patch2:
unchanged:
--- bind9-9.5.0.dfsg.P2.orig/lib/isc/include/isc/radix.h
+++ bind9-9.5.0.dfsg.P2/lib/isc/include/isc/radix.h
@@ -37,7 +37,7 @@
 #define NETADDR_TO_PREFIX_T(na,pt,bits) \
 	do { \
 		memset(&(pt), 0, sizeof(pt)); \
-		if((bits) && (na) != NULL) { \
+		if((na) != NULL) { \
 			(pt).family = (na)->family; \
 			(pt).bitlen = (bits); \
 			if ((pt).family == AF_INET6) { \
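Review bot: dropping the (bits) test changes what the macro does for a non-NULL address with bits == 0: it used to fall into the else branch and become the catch-all entry, and now keeps (na)->family with bitlen 0. After this change only na == NULL produces the "any"/"none" prefix, so that contract needs a comment above the macro, and the callers that pass a non-NULL address with a zero prefix length should be checked against it.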
@@ -46,14 +46,16 @@
 			} else \
 				memcpy(&(pt).add.sin, &(na)->type.in, \
 				       ((bits)+7)/8); \
-		} else \
-			(pt).family = AF_INET; \
+		} else { \
+			(pt).family = AF_UNSPEC; \
+			(pt).bitlen = 0; \
+		} \
 		isc_refcount_init(&(pt).refcount, 0); \
 	} while(0)
 
 typedef struct isc_prefix {
-    unsigned int family;	/* AF_INET | AF_INET6 */
-    unsigned int bitlen;
+    unsigned int family;	/* AF_INET | AF_INET6, or AF_UNSPEC for "any" */
+    unsigned int bitlen;	/* 0 for "any" */
     isc_refcount_t refcount;
     union {
 		struct in_addr sin;
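Review bot: the new field comments say AF_UNSPEC and bitlen 0 stand for "any", while every code comment added elsewhere in this patch says "any" or "none"; make the struct comments match so that nobody reads "none" as unsupported. The explicit (pt).bitlen = 0 in the new else branch is redundant after the memset at the top of the macro, which is harmless but worth either dropping or keeping deliberately for clarity.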
--- END ---

-- 
Ben Hutchings
It is impossible to make anything foolproof because fools are so ingenious.
[signature.asc (application/pgp-signature, inline)]

Tags added: patch, upstream, fixed-upstream, pending Request was from Ben Hutchings <ben@decadent.org.uk> to control@bugs.debian.org. (Sun, 07 Dec 2008 17:03:08 GMT) Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, LaMont Jones <lamont@debian.org>:
Bug#501800; Package bind9. (Sun, 07 Dec 2008 17:42:05 GMT) Full text and rfc822 format available.

Acknowledgement sent to Ben Hutchings <ben@decadent.org.uk>:
Extra info received and forwarded to list. Copy sent to LaMont Jones <lamont@debian.org>. (Sun, 07 Dec 2008 17:42:06 GMT) Full text and rfc822 format available.

Message #112 received at 501800@bugs.debian.org (full text, mbox):

From: Ben Hutchings <ben@decadent.org.uk>
To: 496954@bugs.debian.org, 501800@bugs.debian.org
Subject: Re: NMU diff for bind9 1:9.5.0.dfsg.P2-4.1
Date: Sun, 07 Dec 2008 17:38:31 +0000

On Sun, 2008-12-07 at 16:58 +0000, Ben Hutchings wrote:
> I intend to upload the following changes to delayed/3 shortly.
> 
> Ben.

lintian and my basic testing found some more easy bugs to fix.  Here are
the actual changes.

Ben.

diff -u bind9-9.5.0.dfsg.P2/debian/changelog bind9-9.5.0.dfsg.P2/debian/changelog
--- bind9-9.5.0.dfsg.P2/debian/changelog
+++ bind9-9.5.0.dfsg.P2/debian/changelog
@@ -1,3 +1,15 @@
+bind9 (1:9.5.0.dfsg.P2-4.1) unstable; urgency=low
+
+  * Non-maintainer upload.
+  * Backported upstream ACL fixes from 9.5.1 to fix RC bug. Patch was provided
+    by Evan Hunt (upstream bind9 developer) after Emmanuel Bouthenot
+    contacted him. Closes: #496954, #501800.
+  * Fix library dependencies for bind9utils
+  * Fix minor errors in package descriptions
+  * Add dependency of bind9 on net-tools (ifconfig used in init script)
+
+ -- Ben Hutchings <ben@decadent.org.uk>  Sun, 07 Dec 2008 17:08:28 +0000
+
 bind9 (1:9.5.0.dfsg.P2-4) unstable; urgency=low
 
   * meta: fix typo in Depends: lsb-base.  Closes: #501365
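Review bot: the three items added to this entry (bind9utils library dependencies, package description fixes, the net-tools dependency) are packaging clean-ups unrelated to the ACL crash that the upload is meant to close; an upload aimed at an RC bug is easier to review if it carries only that fix, so consider splitting them out or at least justifying each one here. The new items also lack the closing full stop used by the items above them.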
diff -u bind9-9.5.0.dfsg.P2/debian/control bind9-9.5.0.dfsg.P2/debian/control
--- bind9-9.5.0.dfsg.P2/debian/control
+++ bind9-9.5.0.dfsg.P2/debian/control
@@ -10,7 +10,7 @@
 
 Package: bind9
 Architecture: any
-Depends: ${shlibs:Depends}, debconf | debconf-2.0, netbase, adduser, libdns43 (=${binary:Version}), libisccfg40 (=${binary:Version}), libisc44 (=${binary:Version}), libisccc40 (=${binary:Version}), lsb-base (>= 3.2-14), bind9utils (=${binary:Version}), liblwres40 (=${binary:Version}), libbind9-40 (=${binary:Version})
+Depends: ${shlibs:Depends}, debconf | debconf-2.0, netbase, adduser, libdns43 (=${binary:Version}), libisccfg40 (=${binary:Version}), libisc44 (=${binary:Version}), libisccc40 (=${binary:Version}), lsb-base (>= 3.2-14), bind9utils (=${binary:Version}), liblwres40 (=${binary:Version}), libbind9-40 (=${binary:Version}), net-tools
 Conflicts: bind, apparmor-profiles (<< 2.1+1075-0ubuntu4)
 Replaces: bind, dnsutils (<< 1:9.1.0-3), apparmor-profiles (<< 2.1+1075-0ubuntu4)
 Suggests: dnsutils, bind9-doc, resolvconf, ufw
@@ -22,7 +22,7 @@
 Package: bind9utils
 Architecture: any
 Replaces: bind9 (<= 1:9.5.0~b2-1)
-Depends: libbind9-40
+Depends: ${shlibs:Depends}
 Description: Utilities for BIND
  This package provides various utilities that are useful for maintaining a
  working BIND installation.
@@ -55,7 +55,7 @@
 Depends: libbind9-40 (= ${binary:Version}), liblwres40 (= ${binary:Version}) 
 Description: Static Libraries and Headers used by BIND
  This package delivers archive-style libraries, header files, and API man
- pages for libbind, libdns, libisc, and liblwres.  These are are only needed 
+ pages for libbind, libdns, libisc, and liblwres.  These are only needed 
  if you want to compile other packages that need more nameserver API than the 
  resolver code provided in libc.
 
@@ -149,7 +149,7 @@
  This package delivers various client programs related to DNS that are 
  derived from the BIND source tree.
  .
-  - dig	- query the DNS in various ways
+  - dig - query the DNS in various ways
   - nslookup - the older way to do it
   - nsupdate - perform dynamic updates (See RFC2136)
 
only in patch2:
unchanged:
--- bind9-9.5.0.dfsg.P2.orig/lib/dns/iptable.c
+++ bind9-9.5.0.dfsg.P2/lib/dns/iptable.c
@@ -70,22 +70,39 @@
 
 	NETADDR_TO_PREFIX_T(addr, pfx, bitlen);
 
-	/* Bitlen 0 means "any" or "none", which is always treated as IPv4 */
-	family = bitlen ? pfx.family : AF_INET;
-
 	result = isc_radix_insert(tab->radix, &node, NULL, &pfx);
-
-	if (result != ISC_R_SUCCESS)
+	if (result != ISC_R_SUCCESS) {
+		isc_refcount_destroy(&pfx.refcount);
 		return(result);
+	}
 
-	/* If the node already contains data, don't overwrite it */
-	if (node->data[ISC_IS6(family)] == NULL) {
-		if (pos)
-			node->data[ISC_IS6(family)] = &dns_iptable_pos;
-		else
-			node->data[ISC_IS6(family)] = &dns_iptable_neg;
+	/* If a node already contains data, don't overwrite it */
+	family = pfx.family;
+	if (family == AF_UNSPEC) {
+ 		/* "any" or "none" */
+ 		INSIST(pfx.bitlen == 0);
+ 		if (pos) {
+ 			if (node->data[0] == NULL)
+ 				node->data[0] = &dns_iptable_pos;
+ 			if (node->data[1] == NULL)
+ 				node->data[1] = &dns_iptable_pos;
+ 		} else {
+ 			if (node->data[0] == NULL)
+ 				node->data[0] = &dns_iptable_neg;
+ 			if (node->data[1] == NULL)
+ 				node->data[1] = &dns_iptable_neg;
+ 		}
+ 	} else {
+ 		/* any other prefix */
+ 		if (node->data[ISC_IS6(family)] == NULL) {
+ 			if (pos)
+ 				node->data[ISC_IS6(family)] = &dns_iptable_pos;
+ 			else
+ 				node->data[ISC_IS6(family)] = &dns_iptable_neg;
+ 		}
 	}
 
+	isc_refcount_destroy(&pfx.refcount);
 	return (ISC_R_SUCCESS);
 }
 
only in patch2:
unchanged:
--- bind9-9.5.0.dfsg.P2.orig/lib/dns/acl.c
+++ bind9-9.5.0.dfsg.P2/lib/dns/acl.c
@@ -148,7 +148,10 @@
 		return (ISC_FALSE);
 
 	if (acl->iptable->radix->head->prefix->bitlen == 0 &&
-	    *(isc_boolean_t *) (acl->iptable->radix->head->data[0]) == pos)
+  	    acl->iptable->radix->head->data[0] != NULL &&
+	    acl->iptable->radix->head->data[0] ==
+	    acl->iptable->radix->head->data[1] &&
+  	    *(isc_boolean_t *) (acl->iptable->radix->head->data[0]) == pos)
 		return (ISC_TRUE);
 
 	return (ISC_FALSE); /* All others */
@@ -220,8 +223,6 @@
 
 	/* Found a match. */
 	if (result == ISC_R_SUCCESS && node != NULL) {
-		if (node->bit == 0)
-			family = AF_INET;
 		match_num = node->node_num[ISC_IS6(family)];
 		if (*(isc_boolean_t *) node->data[ISC_IS6(family)] == ISC_TRUE)
 			*match = match_num;
@@ -491,9 +492,8 @@
 	isc_boolean_t secure;
 	int bitlen, family;
 
-	/* Bitlen 0 means "any" or "none", which is always treated as IPv4 */
 	bitlen = prefix->bitlen;
-	family = bitlen ? prefix->family : AF_INET;
+	family = prefix->family;
 
 	/* Negated entries are always secure. */
 	secure = * (isc_boolean_t *)data[ISC_IS6(family)];
only in patch2:
unchanged:
--- bind9-9.5.0.dfsg.P2.orig/lib/isccfg/aclconf.c
+++ bind9-9.5.0.dfsg.P2/lib/isccfg/aclconf.c
@@ -160,6 +160,51 @@
 	return (dns_name_dup(dns_fixedname_name(&fixname), mctx, dnsname));
 }
 
+/*
+ * Recursively pre-parse an ACL definition to find the total number
+ * of non-IP-prefix elements (localhost, localnets, key) in all nested
+ * ACLs, so that the parent will have enough space allocated for the
+ * elements table after all the nested ACLs have been merged in to the
+ * parent.
+ */
+static int
+count_acl_elements(const cfg_obj_t *caml, const cfg_obj_t *cctx)
+{
+	const cfg_listelt_t *elt;
+	const cfg_obj_t *cacl = NULL;
+	isc_result_t result;
+	int n = 0;
+
+	for (elt = cfg_list_first(caml);
+	     elt != NULL;
+	     elt = cfg_list_next(elt)) {
+		const cfg_obj_t *ce = cfg_listelt_value(elt);
+
+		/* negated element; just get the value. */
+		if (cfg_obj_istuple(ce))
+			ce = cfg_tuple_get(ce, "value");
+
+		if (cfg_obj_istype(ce, &cfg_type_keyref)) {
+			n++;
+		} else if (cfg_obj_islist(ce)) {
+			n += count_acl_elements(ce, cctx);
+		} else if (cfg_obj_isstring(ce)) {
+			const char *name = cfg_obj_asstring(ce);
+			if (strcasecmp(name, "localhost") == 0 ||
+			    strcasecmp(name, "localnets") == 0) {
+				n++;
+			} else if (strcasecmp(name, "any") != 0 &&
+				   strcasecmp(name, "none") != 0) {
+				result = get_acl_def(cctx, name, &cacl);
+				if (result == ISC_R_SUCCESS)
+					n += count_acl_elements(cacl, cctx) + 1;
+			}
+		}
+	}
+
+	return n;
+}
+
 isc_result_t
 cfg_acl_fromconfig(const cfg_obj_t *caml,
 		   const cfg_obj_t *cctx,
@@ -194,14 +239,18 @@
 	} else {
 		/*
 		 * Need to allocate a new ACL structure.  Count the items
-		 * in the ACL definition and allocate space for that many
-		 * elements (even though some or all of them may end up in
-		 * the iptable instead of the element array).
+		 * in the ACL definition that will require space in the
+		 * elemnts table.  (Note that if nest_level is nonzero,
+		 * *everything* goes in the elements table.)
 		 */
-		isc_boolean_t recurse = ISC_TF(nest_level == 0);
-		result = dns_acl_create(mctx,
-					cfg_list_length(caml, recurse),
-					&dacl);
+		int nelem;
+
+		if (nest_level == 0)
+			nelem = count_acl_elements(caml, cctx);
+		else
+			nelem = cfg_list_length(caml, ISC_FALSE);
+
+		result = dns_acl_create(mctx, nelem, &dacl);
 		if (result != ISC_R_SUCCESS)
 			return (result);
 	}
only in patch2:
unchanged:
--- bind9-9.5.0.dfsg.P2.orig/lib/isc/radix.c
+++ bind9-9.5.0.dfsg.P2/lib/isc/radix.c
@@ -53,7 +53,7 @@
 
 	REQUIRE(target != NULL);
 
-	if (family != AF_INET6 && family != AF_INET)
+	if (family != AF_INET6 && family != AF_INET && family != AF_UNSPEC)
 		return (ISC_R_NOTIMPLEMENTED);
 
 	prefix = isc_mem_get(mctx, sizeof(isc_prefix_t));
@@ -64,6 +64,7 @@
 		prefix->bitlen = (bitlen >= 0) ? bitlen : 128;
 		memcpy(&prefix->add.sin6, dest, 16);
 	} else {
+		/* AF_UNSPEC is "any" or "none"--treat it as AF_INET */
 		prefix->bitlen = (bitlen >= 0) ? bitlen : 32;
 		memcpy(&prefix->add.sin, dest, 4);
 	}
@@ -95,7 +96,8 @@
 _ref_prefix(isc_mem_t *mctx, isc_prefix_t **target, isc_prefix_t *prefix) {
 	INSIST(prefix != NULL);
 	INSIST((prefix->family == AF_INET && prefix->bitlen <= 32) ||
-	       (prefix->family == AF_INET6 && prefix->bitlen <= 128));
+	       (prefix->family == AF_INET6 && prefix->bitlen <= 128) ||
+	       (prefix->family == AF_UNSPEC && prefix->bitlen == 0));
 	REQUIRE(target != NULL);
 
 	/* If this prefix is a static allocation, copy it into new memory */
@@ -236,7 +238,7 @@
 	isc_radix_node_t *stack[RADIX_MAXBITS + 1];
 	u_char *addr;
 	isc_uint32_t bitlen;
-	int family, tfamily = -1;
+	int tfamily = -1;
 	int cnt = 0;
 
 	REQUIRE(radix != NULL);
@@ -276,16 +278,12 @@
 		if (_comp_with_mask(isc_prefix_tochar(node->prefix),
 				    isc_prefix_tochar(prefix),
 				    node->prefix->bitlen)) {
-			/* Bitlen 0 means "any" or "none",
-			   which is always treated as IPv4 */
-			family = node->prefix->bitlen ?
-				 prefix->family : AF_INET;
-			if (node->node_num[ISC_IS6(family)] != -1 &&
+			if (node->node_num[ISC_IS6(prefix->family)] != -1 &&
 				 ((*target == NULL) ||
 				  (*target)->node_num[ISC_IS6(tfamily)] >
-				   node->node_num[ISC_IS6(family)])) {
+				   node->node_num[ISC_IS6(prefix->family)])) {
 				*target = node;
-				tfamily = family;
+				tfamily = prefix->family;
 			}
 		}
 	}
@@ -303,7 +301,7 @@
 {
 	isc_radix_node_t *node, *new_node, *parent, *glue = NULL;
 	u_char *addr, *test_addr;
-	isc_uint32_t bitlen, family, check_bit, differ_bit;
+	isc_uint32_t bitlen, fam, check_bit, differ_bit;
 	isc_uint32_t i, j, r;
 	isc_result_t result;
 
@@ -317,9 +315,7 @@
 	INSIST(prefix != NULL);
 
 	bitlen = prefix->bitlen;
-
-	/* Bitlen 0 means "any" or "none", which is always treated as IPv4 */
-	family = bitlen ? prefix->family : AF_INET;
+	fam = prefix->family;
 
 	if (radix->head == NULL) {
 		node = isc_mem_get(radix->mctx, sizeof(isc_radix_node_t));
@@ -353,8 +349,14 @@
 			node->data[0] = source->data[0];
 			node->data[1] = source->data[1];
 		} else {
-			node->node_num[ISC_IS6(family)] =
-				++radix->num_added_node;
+			if (fam == AF_UNSPEC) {
+				/* "any" or "none" */
+				node->node_num[0] = node->node_num[1] =
+					++radix->num_added_node;
+			} else {
+				node->node_num[ISC_IS6(fam)] =
+					++radix->num_added_node;
+			}
 			node->data[0] = NULL;
 			node->data[1] = NULL;
 		}
@@ -417,25 +419,71 @@
 	if (differ_bit == bitlen && node->bit == bitlen) {
 		if (node->prefix != NULL) {
 			/* Set node_num only if it hasn't been set before */
-			if (node->node_num[ISC_IS6(family)] == -1)
-				node->node_num[ISC_IS6(family)] =
-					 ++radix->num_added_node;
+			if (source != NULL) {
+				/* Merging node */
+				if (node->node_num[0] == -1 &&
+				    source->node_num[0] != -1) {
+					node->node_num[0] =
+						radix->num_added_node +
+						source->node_num[0];
+					node->data[0] = source->data[0];
+				}
+				if (node->node_num[1] == -1 &&
+				    source->node_num[0] != -1) {
+					node->node_num[1] =
+						radix->num_added_node +
+						source->node_num[1];
+					node->data[1] = source->data[1];
+				}
+			} else {
+				if (fam == AF_UNSPEC) {
+ 					/* "any" or "none" */
+ 					int next = radix->num_added_node + 1;
+ 					if (node->node_num[0] == -1) {
+ 						node->node_num[0] = next;
+ 						radix->num_added_node = next;
+ 					}
+ 					if (node->node_num[1] == -1) {
+ 						node->node_num[1] = next;
+ 						radix->num_added_node = next;
+ 					}
+ 				} else {
+ 					if (node->node_num[ISC_IS6(fam)] == -1)
+ 						node->node_num[ISC_IS6(fam)]
+ 						   = ++radix->num_added_node;
+ 				}
+			}
 			*target = node;
 			return (ISC_R_SUCCESS);
+		} else {
+			result =
+				_ref_prefix(radix->mctx, &node->prefix, prefix);
+			if (result != ISC_R_SUCCESS)
+				return (result);
 		}
-		result = _ref_prefix(radix->mctx, &node->prefix, prefix);
-		if (result != ISC_R_SUCCESS)
-			return (result);
 		INSIST(node->data[0] == NULL && node->node_num[0] == -1 &&
 		       node->data[1] == NULL && node->node_num[1] == -1);
 		if (source != NULL) {
 			/* Merging node */
-			node->node_num[ISC_IS6(family)] =
-				radix->num_added_node +
-				source->node_num[ISC_IS6(family)];
+			if (source->node_num[0] != -1) {
+				node->node_num[0] = radix->num_added_node +
+						    source->node_num[0];
+				node->data[0] = source->data[0];
+			}
+			if (source->node_num[1] != -1) {
+				node->node_num[1] = radix->num_added_node +
+						    source->node_num[1];
+				node->data[1] = source->data[1];
+			}
 		} else {
-			node->node_num[ISC_IS6(family)] =
-				++radix->num_added_node;
+			if (fam == AF_UNSPEC) {
+				/* "any" or "none" */
+				node->node_num[0] = node->node_num[1] =
+					++radix->num_added_node;
+			} else {
+				node->node_num[ISC_IS6(fam)] =
+					++radix->num_added_node;
+			}
 		}
 		*target = node;
 		return (ISC_R_SUCCESS);
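Review bot: in the first "Merging node" block the guard for the IPv6 slot tests the wrong index: `if (node->node_num[1] == -1 && source->node_num[0] != -1)` goes on to read `source->node_num[1]` and `source->data[1]`. When the source node carries only an IPv4 entry, `source->node_num[1]` is -1, so `node->node_num[1]` becomes `radix->num_added_node - 1` instead of staying unset, and when the source carries only an IPv6 entry it is never merged. The second condition should be `source->node_num[1] != -1`, matching the later merging block in this same hunk. Separately, the added lines of the `fam == AF_UNSPEC` branch inside that `else` are indented with a space before the tabs.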
@@ -477,7 +525,14 @@
 		new_node->data[0] = source->data[0];
 		new_node->data[1] = source->data[1];
 	} else {
-		new_node->node_num[ISC_IS6(family)] = ++radix->num_added_node;
+		if (fam == AF_UNSPEC) {
+			/* "any" or "none" */
+			new_node->node_num[0] = new_node->node_num[1] =
+				++radix->num_added_node;
+		} else {
+			new_node->node_num[ISC_IS6(fam)] =
+				++radix->num_added_node;
+		}
 		new_node->data[0] = NULL;
 		new_node->data[1] = NULL;
 	}
only in patch2:
unchanged:
--- bind9-9.5.0.dfsg.P2.orig/lib/isc/include/isc/radix.h
+++ bind9-9.5.0.dfsg.P2/lib/isc/include/isc/radix.h
@@ -37,7 +37,7 @@
 #define NETADDR_TO_PREFIX_T(na,pt,bits) \
 	do { \
 		memset(&(pt), 0, sizeof(pt)); \
-		if((bits) && (na) != NULL) { \
+		if((na) != NULL) { \
 			(pt).family = (na)->family; \
 			(pt).bitlen = (bits); \
 			if ((pt).family == AF_INET6) { \
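Review bot: with the `(bits)` test dropped from the condition, a non-NULL `na` with `bits` of 0 now gets `(pt).family = (na)->family` rather than the "any" family, so only a NULL `na` produces AF_UNSPEC. The macro has no comment saying so; add one stating that callers must pass NULL for "any"/"none", because the struct comment added in the next hunk describes bitlen 0 as "any" without that qualification.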
@@ -46,14 +46,16 @@
 			} else \
 				memcpy(&(pt).add.sin, &(na)->type.in, \
 				       ((bits)+7)/8); \
-		} else \
-			(pt).family = AF_INET; \
+		} else { \
+			(pt).family = AF_UNSPEC; \
+			(pt).bitlen = 0; \
+		} \
 		isc_refcount_init(&(pt).refcount, 0); \
 	} while(0)
 
 typedef struct isc_prefix {
-    unsigned int family;	/* AF_INET | AF_INET6 */
-    unsigned int bitlen;
+    unsigned int family;	/* AF_INET | AF_INET6, or AF_UNSPEC for "any" */
+    unsigned int bitlen;	/* 0 for "any" */
     isc_refcount_t refcount;
     union {
 		struct in_addr sin;
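Review bot: in the new `else` branch a non-zero `bits` passed together with a NULL `na` is silently discarded, and `(pt).bitlen = 0;` repeats what the `memset` at the top of the macro has already done. Either assert that `(bits)` is 0 in that branch or document that `bits` is ignored when `na` is NULL. The new struct comments also mention only "any", while the comments added in radix.c say "any" or "none"; use the same wording in both places.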
--- END ---

-- 
Ben Hutchings
It is impossible to make anything foolproof because fools are so
ingenious.

Merged 496954 501800. Request was from Ben Hutchings <ben@decadent.org.uk> to control@bugs.debian.org. (Fri, 02 Jan 2009 16:51:08 GMT) Full text and rfc822 format available.

Reply sent to Ben Hutchings <ben@decadent.org.uk>:
You have taken responsibility. (Sun, 04 Jan 2009 21:39:13 GMT) Full text and rfc822 format available.

Notification sent to Christian Motschke <motschke@itso-berlin.de>:
Bug acknowledged by developer. (Sun, 04 Jan 2009 21:39:13 GMT) Full text and rfc822 format available.

Message #119 received at 501800-close@bugs.debian.org (full text, mbox):

From: Ben Hutchings <ben@decadent.org.uk>
To: 501800-close@bugs.debian.org
Subject: Bug#501800: fixed in bind9 1:9.5.0.dfsg.P2-5.1
Date: Sun, 04 Jan 2009 21:32:05 +0000
Source: bind9
Source-Version: 1:9.5.0.dfsg.P2-5.1

We believe that the bug you reported is fixed in the latest version of
bind9, which is due to be installed in the Debian FTP archive:

bind9-doc_9.5.0.dfsg.P2-5.1_all.deb
  to pool/main/b/bind9/bind9-doc_9.5.0.dfsg.P2-5.1_all.deb
bind9-host_9.5.0.dfsg.P2-5.1_i386.deb
  to pool/main/b/bind9/bind9-host_9.5.0.dfsg.P2-5.1_i386.deb
bind9_9.5.0.dfsg.P2-5.1.diff.gz
  to pool/main/b/bind9/bind9_9.5.0.dfsg.P2-5.1.diff.gz
bind9_9.5.0.dfsg.P2-5.1.dsc
  to pool/main/b/bind9/bind9_9.5.0.dfsg.P2-5.1.dsc
bind9_9.5.0.dfsg.P2-5.1_i386.deb
  to pool/main/b/bind9/bind9_9.5.0.dfsg.P2-5.1_i386.deb
bind9utils_9.5.0.dfsg.P2-5.1_i386.deb
  to pool/main/b/bind9/bind9utils_9.5.0.dfsg.P2-5.1_i386.deb
dnsutils_9.5.0.dfsg.P2-5.1_i386.deb
  to pool/main/b/bind9/dnsutils_9.5.0.dfsg.P2-5.1_i386.deb
libbind-dev_9.5.0.dfsg.P2-5.1_i386.deb
  to pool/main/b/bind9/libbind-dev_9.5.0.dfsg.P2-5.1_i386.deb
libbind9-40_9.5.0.dfsg.P2-5.1_i386.deb
  to pool/main/b/bind9/libbind9-40_9.5.0.dfsg.P2-5.1_i386.deb
libdns43_9.5.0.dfsg.P2-5.1_i386.deb
  to pool/main/b/bind9/libdns43_9.5.0.dfsg.P2-5.1_i386.deb
libisc44_9.5.0.dfsg.P2-5.1_i386.deb
  to pool/main/b/bind9/libisc44_9.5.0.dfsg.P2-5.1_i386.deb
libisccc40_9.5.0.dfsg.P2-5.1_i386.deb
  to pool/main/b/bind9/libisccc40_9.5.0.dfsg.P2-5.1_i386.deb
libisccfg40_9.5.0.dfsg.P2-5.1_i386.deb
  to pool/main/b/bind9/libisccfg40_9.5.0.dfsg.P2-5.1_i386.deb
liblwres40_9.5.0.dfsg.P2-5.1_i386.deb
  to pool/main/b/bind9/liblwres40_9.5.0.dfsg.P2-5.1_i386.deb
lwresd_9.5.0.dfsg.P2-5.1_i386.deb
  to pool/main/b/bind9/lwresd_9.5.0.dfsg.P2-5.1_i386.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 501800@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Ben Hutchings <ben@decadent.org.uk> (supplier of updated bind9 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Fri, 02 Jan 2009 16:51:42 +0000
Source: bind9
Binary: bind9 bind9utils bind9-doc bind9-host libbind-dev libbind9-40 libdns43 libisc44 liblwres40 libisccc40 libisccfg40 dnsutils lwresd
Architecture: source all i386
Version: 1:9.5.0.dfsg.P2-5.1
Distribution: unstable
Urgency: low
Maintainer: LaMont Jones <lamont@debian.org>
Changed-By: Ben Hutchings <ben@decadent.org.uk>
Description: 
 bind9      - Internet Domain Name Server
 bind9-doc  - Documentation for BIND
 bind9-host - Version of 'host' bundled with BIND 9.X
 bind9utils - Utilities for BIND
 dnsutils   - Clients provided with BIND
 libbind-dev - Static Libraries and Headers used by BIND
 libbind9-40 - BIND9 Shared Library used by BIND
 libdns43   - DNS Shared Library used by BIND
 libisc44   - ISC Shared Library used by BIND
 libisccc40 - Command Channel Library used by BIND
 libisccfg40 - Config File Handling Library used by BIND
 liblwres40 - Lightweight Resolver Library used by BIND
 lwresd     - Lightweight Resolver Daemon
Closes: 486196 496954 501800
Changes: 
 bind9 (1:9.5.0.dfsg.P2-5.1) unstable; urgency=low
 .
   * Non-maintainer upload.
   * Apply upstream ACL fixes from 9.5.1 to fix RC bug. Patch was provided
     by Evan Hunt (upstream bind9 developer) after Emmanuel Bouthenot
     contacted him. Closes: #496954, #501800.
   * Remove obsolete dh_installmanpages invocation which was adding
     unwanted manual pages to bind9. Closes: #486196.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iD8DBQFJXk8279ZNCRIGYgcRAlr7AKCwa6sT608auQFPmUa7RokyvpSN+gCdEcF2
zlF8PGjmSKHEL0GROEESgGU=
=lqoY
-----END PGP SIGNATURE-----





Reply sent to Ben Hutchings <ben@decadent.org.uk>:
You have taken responsibility. (Sun, 04 Jan 2009 21:39:14 GMT) Full text and rfc822 format available.

Notification sent to Maykel Moya <moya@latertulia.org>:
Bug acknowledged by developer. (Sun, 04 Jan 2009 21:39:14 GMT) Full text and rfc822 format available.

Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Thu, 12 Feb 2009 07:26:01 GMT) Full text and rfc822 format available.



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Apr 23 15:16:17 2014; Machine Name: beach.debian.org
