| Upstream-Status: Backport [https://downloads.isc.org/isc/bind9/9.11.19/patches/CVE-2020-8617.patch] |
| CVE: CVE-2020-8617 |
| Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com> |
| --- |
| diff --git a/lib/dns/tsig.c b/lib/dns/tsig.c |
| index b597a18d49..6357a3a486 100644 |
| --- a/lib/dns/tsig.c |
| +++ b/lib/dns/tsig.c |
| @@ -1427,8 +1424,9 @@ dns_tsig_verify(isc_buffer_t *source, dns_message_t *msg, |
| goto cleanup_context; |
| } |
| msg->verified_sig = 1; |
| - } else if (tsig.error != dns_tsigerror_badsig && |
| - tsig.error != dns_tsigerror_badkey) { |
| + } else if (!response || (tsig.error != dns_tsigerror_badsig && |
| + tsig.error != dns_tsigerror_badkey)) |
| + { |
| tsig_log(msg->tsigkey, 2, "signature was empty"); |
| return (DNS_R_TSIGVERIFYFAILURE); |
| } |
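Review bot: The new `!response ||` term in this `else if` has no comment explaining why a request with an empty signature is now rejected whatever `tsig.error` says, and the condition is dense enough that a later cleanup could drop it. A comment above the branch would pin the intent, e.g. `/* Only a response may carry an empty MAC, and only with BADSIG/BADKEY; a request without a MAC always fails verification. */`. The `"signature was empty"` log line is shared by both cases, so the log does not tell an operator whether the rejected message was a request or a response. `dns_tsig_verify` starts and ends outside this hunk, so the preceding non-empty-signature branch is inferred from the log text and should be confirmed.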
| @@ -1484,7 +1482,7 @@ dns_tsig_verify(isc_buffer_t *source, dns_message_t *msg, |
| } |
| } |
| |
| - if (tsig.error != dns_rcode_noerror) { |
| + if (response && tsig.error != dns_rcode_noerror) { |
| msg->tsigstatus = tsig.error; |
| if (tsig.error == dns_tsigerror_badtime) |
| ret = DNS_R_CLOCKSKEW; |
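Review bot: With the added `response &&` guard, a request whose TSIG error field is non-zero now skips this block without the value being recorded or logged, and nothing in the hunk says this is deliberate. A comment would make the security intent durable, e.g. `/* The error field is only meaningful in responses; never let a request's value reach msg->tsigstatus. */`. It is also worth confirming, in the code after this hunk, that `msg->tsigstatus` is explicitly assigned on the request path and not left at an earlier value. The `if` body and the rest of `dns_tsig_verify` continue outside the hunk.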