Patrick Williams | d8c66bc | 2016-06-20 12:57:21 -0500 | [diff] [blame] | 1 | From a3d327bf1ceaaeabb20223d8de85166e940b9f12 Mon Sep 17 00:00:00 2001 |
| 2 | From: Mukund Sivaraman <muks@isc.org> |
| 3 | Date: Mon, 22 Feb 2016 12:22:43 +0530 |
| 4 | Subject: [PATCH] Fix resolver assertion failure due to improper DNAME handling |
| 5 | (CVE-2016-1286) (#41753) |
| 6 | |
| 7 | (cherry picked from commit 5995fec51cc8bb7e53804e4936e60aa1537f3673) |
| 8 | |
| 9 | CVE: CVE-2016-1286 |
| 10 | Upstream-Status: Backport |
| 11 | |
| 12 | [Removed doc/arm/notes.xml changes from upstream patch.] |
| 13 | |
| 14 | Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com> |
| 15 | --- |
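--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,7 @@
+4319. [security] Fix resolver assertion failure due to improper
+ DNAME handling when parsing fetch reply messages.
+ (CVE-2016-1286) [RT #41753]
+
 4318. [security] Malformed control messages can trigger assertions
 in named and rndc. (CVE-2016-1285) [RT #41666]
 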
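--- a/lib/dns/resolver.c
+++ b/lib/dns/resolver.c
@@ -6967,21 +6967,26 @@
 isc_boolean_t found_dname = ISC_FALSE;
 dns_name_t *dname_name;
 
+ /*
+ * Only pass DNAME or RRSIG(DNAME).
+ */
+ if (rdataset->type != dns_rdatatype_dname &&
+ (rdataset->type != dns_rdatatype_rrsig ||
+ rdataset->covers != dns_rdatatype_dname))
+ continue;
+
+ /*
+ * If we're not chaining, then the DNAME and
+ * its signature should not be external.
+ */
+ if (!chaining && external) {
+ log_formerr(fctx, "external DNAME");
+ return (DNS_R_FORMERR);
+ }
+
 found = ISC_FALSE;
 aflag = 0;
 if (rdataset->type == dns_rdatatype_dname) {
- /*
- * We're looking for something else,
- * but we found a DNAME.
- *
- * If we're not chaining, then the
- * DNAME should not be external.
- */
- if (!chaining && external) {
- log_formerr(fctx,
- "external DNAME");
- return (DNS_R_FORMERR);
- }
 found = ISC_TRUE;
 want_chaining = ISC_TRUE;
 POST(want_chaining);
@@ -7010,9 +7015,7 @@
 &fctx->domain)) {
 return (DNS_R_SERVFAIL);
 }
- } else if (rdataset->type == dns_rdatatype_rrsig
- && rdataset->covers ==
- dns_rdatatype_dname) {
+ } else {
 /*
 * We've found a signature that
 * covers the DNAME.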
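Review bot: The bare `} else {` in the second hunk drops the explicit RRSIG(DNAME) test and now depends entirely on the `continue` filter added at the top of the first hunk; nothing in the text ties the two together, so a later edit that loosens the filter would silently route other rdataset types into the signature-handling path. I would make the dependency explicit in the filter comment, e.g. `/* Only pass DNAME or RRSIG(DNAME); the else branch of the type test below relies on this. */`, or keep a defensive `INSIST(rdataset->type == dns_rdatatype_rrsig)` ahead of the signature handling. The enclosing function and the loop that the `continue` belongs to start and end outside the hunk, so whether the `found`/`aflag` reset was relied on further down the loop body for the rdatasets now skipped cannot be confirmed from here.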