Brad Bishop | 1a4b7ee | 2018-12-16 17:11:34 -0800 | [diff] [blame] | 1 | Upstream-Status: Backport [https://ftp.isc.org/isc/bind9/9.11.4-P1/patches/CVE-2018-5740] |
| 2 | |
| 3 | CVE: CVE-2018-5740 |
| 4 | |
| 5 | Signed-off-by: Changqing Li <changqing.li@windriver.com> |
| 6 | |
| 7 | diff --git a/CHANGES b/CHANGES |
| 8 | index 750b600..3d8d655 100644 |
| 9 | --- a/CHANGES |
| 10 | +++ b/CHANGES |
| 11 | @@ -1,3 +1,9 @@ |
| 12 | + --- 9.11.4-P1 released --- |
| 13 | + |
| 14 | +4997. [security] named could crash during recursive processing |
| 15 | + of DNAME records when "deny-answer-aliases" was |
| 16 | + in use. (CVE-2018-5740) [GL #387] |
| 17 | + |
| 18 | --- 9.11.4 released --- |
| 19 | |
| 20 | --- 9.11.4rc2 released --- |
| 21 | diff --git a/lib/dns/resolver.c b/lib/dns/resolver.c |
| 22 | index 8f674a2..41d1385 100644 |
| 23 | --- a/lib/dns/resolver.c |
| 24 | +++ b/lib/dns/resolver.c |
| 25 | @@ -6318,6 +6318,7 @@ is_answertarget_allowed(fetchctx_t *fctx, dns_name_t *qname, dns_name_t *rname, |
| 26 | unsigned int nlabels; |
| 27 | dns_fixedname_t fixed; |
| 28 | dns_name_t prefix; |
| 29 | + int order; |
| 30 | |
| 31 | REQUIRE(rdataset != NULL); |
| 32 | REQUIRE(rdataset->type == dns_rdatatype_cname || |
| 33 | @@ -6340,17 +6341,25 @@ is_answertarget_allowed(fetchctx_t *fctx, dns_name_t *qname, dns_name_t *rname, |
| 34 | tname = &cname.cname; |
| 35 | break; |
| 36 | case dns_rdatatype_dname: |
| 37 | + if (dns_name_fullcompare(qname, rname, &order, &nlabels) != |
| 38 | + dns_namereln_subdomain) |
| 39 | + { |
| 40 | + return (ISC_TRUE); |
| 41 | + } |
| 42 | result = dns_rdata_tostruct(&rdata, &dname, NULL); |
| 43 | RUNTIME_CHECK(result == ISC_R_SUCCESS); |
| 44 | dns_name_init(&prefix, NULL); |
| 45 | tname = dns_fixedname_initname(&fixed); |
| 46 | - nlabels = dns_name_countlabels(qname) - |
| 47 | - dns_name_countlabels(rname); |
| 48 | + nlabels = dns_name_countlabels(rname); |
| 49 | dns_name_split(qname, nlabels, &prefix, NULL); |
| 50 | result = dns_name_concatenate(&prefix, &dname.dname, tname, |
| 51 | NULL); |
| 52 | - if (result == DNS_R_NAMETOOLONG) |
| 53 | + if (result == DNS_R_NAMETOOLONG) { |
| 54 | + if (chainingp != NULL) { |
| 55 | + *chainingp = ISC_TRUE; |
| 56 | + } |
| 57 | return (ISC_TRUE); |
| 58 | + } |
| 59 | RUNTIME_CHECK(result == ISC_R_SUCCESS); |
| 60 | break; |
| 61 | default: |
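Review bot: The early return added at the head of the `dns_rdatatype_dname` case is the crash fix the CHANGES entry refers to, but nothing in the code says so; with `nlabels` declared `unsigned int`, the removed `dns_name_countlabels(qname) - dns_name_countlabels(rname)` wrapped whenever the DNAME owner had more labels than qname and handed `dns_name_split` an out-of-range label count, so the check deserves a comment such as `/* A DNAME whose owner is not an ancestor of qname cannot be applied to it, and the label arithmetic below assumes the subdomain relation holds. */`. Two smaller points: `order` is write-only (kept, presumably, because `dns_name_fullcompare` needs a non-NULL out pointer, which is worth saying where it is declared), and once the subdomain test has passed the `nlabels` filled in by `dns_name_fullcompare` should already be the common-suffix label count, which makes the explicit `nlabels = dns_name_countlabels(rname);` redundant if I read that out-parameter right; harmless, but a one-line comment would save the next reader the same check. is_answertarget_allowed starts and ends outside this hunk.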
| 62 | @@ -7071,7 +7080,9 @@ answer_response(fetchctx_t *fctx) { |
| 63 | } |
| 64 | if ((ardataset->type == dns_rdatatype_cname || |
| 65 | ardataset->type == dns_rdatatype_dname) && |
| 66 | - !is_answertarget_allowed(fctx, qname, aname, ardataset, |
| 67 | + type != ardataset->type && |
| 68 | + type != dns_rdatatype_any && |
| 69 | + !is_answertarget_allowed(fctx, qname, aname, ardataset, |
| 70 | NULL)) |
| 71 | { |
| 72 | return (DNS_R_SERVFAIL); |
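Review bot: The two new operands exempt responses where the requested type is the alias type itself or ANY from the deny-answer-aliases filter, and the exemption is not commented; since a CNAME or DNAME returned to such a query is no longer checked against the policy, state the intent next to it, e.g. `/* Only filter aliases the resolver would follow; an alias that is the requested type (or part of an ANY answer) is returned as data, not chained. */` (my reading of the intent; confirm against the upstream change). Note also that this call site passes `NULL` as `chainingp`, so the new `*chainingp = ISC_TRUE` in the `DNS_R_NAMETOOLONG` path of `is_answertarget_allowed` has no effect here and an over-long synthesized target is simply treated as allowed; if no other caller passes a non-NULL pointer, that flag is dead. answer_response starts and ends outside this hunk.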