Merge branch '3493-confidential-compression-buffer-reuse-v9_18' into 'security-v9_18'

[v9_18][CVE-2022-2881] compression buffer was not reused correctly

See merge request isc-private/bind9!436

CHANGES

@@ -1,3 +1,10 @@
+5958.	[security]	When an HTTP connection was reused to get
+			statistics from the stats channel, and zlib
+			compression was in use, each successive
+			response sent larger and larger blocks of memory,
+			potentially reading past the end of the allocated
+			buffer. (CVE-2022-2881) [GL #3493]
+
 5957.	[security]	Prevent excessive resource use while processing large
 			delegations. (CVE-2022-2795) [GL #3394]
 

doc/notes/notes-current.rst

@@ -24,6 +24,11 @@ Security Fixes
   Bremler-Barr & Shani Stajnrod from Reichman University for bringing
   this vulnerability to our attention. :gl:`#3394`
 
+- When an HTTP connection was reused to request statistics from the
+  stats channel, the content length of successive responses could grow
+  in size past the end of the allocated buffer. This has been fixed.
+  (CVE-2022-2881) :gl:`#3493`
+
 Known Issues
 ~~~~~~~~~~~~
 

lib/isc/httpd.c

@@ -202,6 +202,8 @@ free_buffer(isc_mem_t *mctx, isc_buffer_t *buffer) {
 	if (r.base != NULL) {
 		isc_mem_put(mctx, r.base, r.length);
 	}
+
+	isc_buffer_initnull(buffer);
 }
 
 isc_result_t
@@ -861,6 +863,7 @@ httpd_compress(isc_httpd_t *httpd) {
 
 	inputlen = isc_buffer_usedlength(&httpd->bodybuffer);
 	alloc_compspace(httpd, inputlen);
+	isc_buffer_clear(&httpd->compbuffer);
 	isc_buffer_region(&httpd->compbuffer, &r);
 
 	/*