| Upstream-Status: Backport [https://ftp.isc.org/isc/bind9/9.11.4-P1/patches/CVE-2018-5740] |
| |
| CVE: CVE-2018-5740 |
| |
| Signed-off-by: Changqing Li <changqing.li@windriver.com> |
| |
| diff --git a/CHANGES b/CHANGES |
| index 750b600..3d8d655 100644 |
| --- a/CHANGES |
| +++ b/CHANGES |
| @@ -1,3 +1,9 @@ |
| + --- 9.11.4-P1 released --- |
| + |
| +4997. [security] named could crash during recursive processing |
| + of DNAME records when "deny-answer-aliases" was |
| + in use. (CVE-2018-5740) [GL #387] |
| + |
| --- 9.11.4 released --- |
| |
| --- 9.11.4rc2 released --- |
| diff --git a/lib/dns/resolver.c b/lib/dns/resolver.c |
| index 8f674a2..41d1385 100644 |
| --- a/lib/dns/resolver.c |
| +++ b/lib/dns/resolver.c |
| @@ -6318,6 +6318,7 @@ is_answertarget_allowed(fetchctx_t *fctx, dns_name_t *qname, dns_name_t *rname, |
| unsigned int nlabels; |
| dns_fixedname_t fixed; |
| dns_name_t prefix; |
| + int order; |
| |
| REQUIRE(rdataset != NULL); |
| REQUIRE(rdataset->type == dns_rdatatype_cname || |
| @@ -6340,17 +6341,25 @@ is_answertarget_allowed(fetchctx_t *fctx, dns_name_t *qname, dns_name_t *rname, |
| tname = &cname.cname; |
| break; |
| case dns_rdatatype_dname: |
| + if (dns_name_fullcompare(qname, rname, &order, &nlabels) != |
| + dns_namereln_subdomain) |
| + { |
| + return (ISC_TRUE); |
| + } |
| result = dns_rdata_tostruct(&rdata, &dname, NULL); |
| RUNTIME_CHECK(result == ISC_R_SUCCESS); |
| dns_name_init(&prefix, NULL); |
| tname = dns_fixedname_initname(&fixed); |
| - nlabels = dns_name_countlabels(qname) - |
| - dns_name_countlabels(rname); |
| + nlabels = dns_name_countlabels(rname); |
| dns_name_split(qname, nlabels, &prefix, NULL); |
| result = dns_name_concatenate(&prefix, &dname.dname, tname, |
| NULL); |
| - if (result == DNS_R_NAMETOOLONG) |
| + if (result == DNS_R_NAMETOOLONG) { |
| + if (chainingp != NULL) { |
| + *chainingp = ISC_TRUE; |
| + } |
| return (ISC_TRUE); |
| + } |
| RUNTIME_CHECK(result == ISC_R_SUCCESS); |
| break; |
| default: |
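Review bot: The early `return (ISC_TRUE)` added at the top of the `dns_rdatatype_dname` case has no comment, although it both closes the crash and makes a DNAME whose owner is not an ancestor of qname skip the deny-answer-aliases check. The removed `dns_name_countlabels(qname) - dns_name_countlabels(rname)` is unsigned and could wrap before reaching `dns_name_split()`, which is presumably the crash named in the CHANGES entry. I would add above the `if` a comment such as `/* qname must be a proper subdomain of the DNAME owner; otherwise the subtraction of label counts would wrap, and no target is synthesized from this record, so there is nothing to filter. */` so the "allowed" result is not later mistaken for a filter bypass. As a style point, `dns_name_fullcompare()` should already leave the common label count in `nlabels` for the subdomain case, so `nlabels = dns_name_countlabels(rname);` looks redundant, and `order` is written but never read. is_answertarget_allowed() starts and ends outside this hunk.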
| @@ -7071,7 +7080,9 @@ answer_response(fetchctx_t *fctx) { |
| } |
| if ((ardataset->type == dns_rdatatype_cname || |
| ardataset->type == dns_rdatatype_dname) && |
| - !is_answertarget_allowed(fctx, qname, aname, ardataset, |
| + type != ardataset->type && |
| + type != dns_rdatatype_any && |
| + !is_answertarget_allowed(fctx, qname, aname, ardataset, |
| NULL)) |
| { |
| return (DNS_R_SERVFAIL); |
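Review bot: The two added conditions `type != ardataset->type` and `type != dns_rdatatype_any` narrow when the deny-answer-aliases filter runs, and nothing at the call site says why. As written, an answer CNAME or DNAME is no longer checked when the query asked for that same type or for ANY, presumably because the record is then the requested data itself and not an alias that will be followed. Because this skips a security filter, I would document it on the condition, e.g. `/* Only filter aliases that will be followed; an explicit CNAME/DNAME or ANY query returns the record itself. */`. `type` is declared outside this hunk, so I am assuming it is the query type of the fetch. answer_response() starts and ends outside the hunk.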