Commit 5995fec5 authored by Mukund Sivaraman's avatar Mukund Sivaraman
Browse files

Fix resolver assertion failure due to improper DNAME handling (CVE-2016-1286) (#41753)

parent 27424c35
4319. [security] Fix resolver assertion failure due to improper
DNAME handling when parsing fetch reply messages.
(CVE-2016-1286) [RT #41753]
4318. [security] Malformed control messages can trigger assertions
in named and rndc. (CVE-2016-1285) [RT #41666]
......
......@@ -174,6 +174,13 @@
#41666]
</para>
</listitem>
<listitem>
<para>
The resolver could abort with an assertion failure due to
improper DNAME handling when parsing fetch reply
messages. This flaw is disclosed in CVE-2016-1286. [RT #41753]
</para>
</listitem>
</itemizedlist>
</section>
......
......@@ -7027,21 +7027,26 @@ answer_response(fetchctx_t *fctx) {
isc_boolean_t found_dname = ISC_FALSE;
dns_name_t *dname_name;
/*
* Only pass DNAME or RRSIG(DNAME).
*/
if (rdataset->type != dns_rdatatype_dname &&
(rdataset->type != dns_rdatatype_rrsig ||
rdataset->covers != dns_rdatatype_dname))
continue;
/*
* If we're not chaining, then the DNAME and
* its signature should not be external.
*/
if (!chaining && external) {
log_formerr(fctx, "external DNAME");
return (DNS_R_FORMERR);
}
found = ISC_FALSE;
aflag = 0;
if (rdataset->type == dns_rdatatype_dname) {
/*
* We're looking for something else,
* but we found a DNAME.
*
* If we're not chaining, then the
* DNAME should not be external.
*/
if (!chaining && external) {
log_formerr(fctx,
"external DNAME");
return (DNS_R_FORMERR);
}
found = ISC_TRUE;
want_chaining = ISC_TRUE;
POST(want_chaining);
......@@ -7070,9 +7075,7 @@ answer_response(fetchctx_t *fctx) {
&fctx->domain)) {
return (DNS_R_SERVFAIL);
}
} else if (rdataset->type == dns_rdatatype_rrsig
&& rdataset->covers ==
dns_rdatatype_dname) {
} else {
/*
* We've found a signature that
* covers the DNAME.
......
Markdown is supported
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment