Commit a1365a00 authored by Evan Hunt

[master] remove unnecessary INSIST

4578.	[security]	Some chaining (CNAME or DNAME) responses to upstream
			queries could trigger assertion failures.
			(CVE-2017-3137) [RT #44734]
parent e04dff4b
4578. [security] Some chaining (CNAME or DNAME) responses to upstream
queries could trigger assertion failures.
(CVE-2017-3137) [RT #44734]
4577. [func] Make qtype of resolver fuzzing packet configurable 4577. [func] Make qtype of resolver fuzzing packet configurable
via command line. [RT #43540] via command line. [RT #43540]
......
...@@ -65,11 +65,18 @@ ...@@ -65,11 +65,18 @@
<section xml:id="relnotes_security"><info><title>Security Fixes</title></info> <section xml:id="relnotes_security"><info><title>Security Fixes</title></info>
<itemizedlist> <itemizedlist>
<listitem>
<para>
Some chaining (i.e., type CNAME or DNAME) responses to upstream
queries could trigger assertion failures. This flaw is disclosed
in CVE-2017-3137. [RT #44734]
</para>
</listitem>
<listitem> <listitem>
<para> <para>
<command>dns64</command> with <command>break-dnssec yes;</command> <command>dns64</command> with <command>break-dnssec yes;</command>
can result in an assertion failure. This flaw is disclosed in can result in an assertion failure. This flaw is disclosed in
CVE-2017-3136.[RT #44653] CVE-2017-3136. [RT #44653]
</para> </para>
</listitem> </listitem>
<listitem> <listitem>
......
...@@ -7034,15 +7034,15 @@ answer_response(fetchctx_t *fctx) { ...@@ -7034,15 +7034,15 @@ answer_response(fetchctx_t *fctx) {
rdataset->attributes |= rdataset->attributes |=
DNS_RDATASETATTR_CACHE; DNS_RDATASETATTR_CACHE;
rdataset->trust = dns_trust_answer; rdataset->trust = dns_trust_answer;
if (chaining == 0) { if (external) {
/* /*
* This data is "the" answer * This data is outside of
* to our question only if * our query domain, and
* we're not chaining (i.e. * may not be cached.
* if we haven't followed
* a CNAME or DNAME).
*/ */
INSIST(!external); rdataset->attributes |=
DNS_RDATASETATTR_EXTERNAL;
} else if (chaining == 0) {
/* /*
* Don't use found_cname here * Don't use found_cname here
* as we have just set it * as we have just set it
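Review bot: In the reordered branch at the top of this hunk, `DNS_RDATASETATTR_CACHE` and `dns_trust_answer` are still assigned unconditionally in the context lines just before `if (external)`, so an out-of-domain rdataset ends up carrying both CACHE and EXTERNAL while the moved comment says it "may not be cached". Please confirm that whatever consumes these attributes checks EXTERNAL before honouring CACHE, or move the CACHE assignment into the non-external branches. Separately, the subject line calls the INSIST unnecessary, but with `external` set and `chaining == 0` the old code asserted and the new code marks the data EXTERNAL; that behaviour change deserves a sentence in the commit message.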
...@@ -7064,14 +7064,6 @@ answer_response(fetchctx_t *fctx) { ...@@ -7064,14 +7064,6 @@ answer_response(fetchctx_t *fctx) {
if (aa) if (aa)
rdataset->trust = rdataset->trust =
dns_trust_authanswer; dns_trust_authanswer;
} else if (external) {
/*
* This data is outside of
* our query domain, and
* may not be cached.
*/
rdataset->attributes |=
DNS_RDATASETATTR_EXTERNAL;
} }
/* /*
...@@ -7246,15 +7238,12 @@ answer_response(fetchctx_t *fctx) { ...@@ -7246,15 +7238,12 @@ answer_response(fetchctx_t *fctx) {
* If we are not chaining or the first CNAME * If we are not chaining or the first CNAME
* is a synthesised CNAME before the DNAME. * is a synthesised CNAME before the DNAME.
*/ */
if ((chaining == 0) || if (external) {
(chaining == 1U && synthcname)) rdataset->attributes |=
DNS_RDATASETATTR_EXTERNAL;
} else if ((chaining == 0) ||
(chaining == 1U && synthcname))
{ {
/*
* This data is "the" answer to
* our question only if we're
* not chaining.
*/
INSIST(!external);
if (aflag == DNS_RDATASETATTR_ANSWER) { if (aflag == DNS_RDATASETATTR_ANSWER) {
have_answer = ISC_TRUE; have_answer = ISC_TRUE;
found_dname = ISC_TRUE; found_dname = ISC_TRUE;
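Review bot: The retained comment "If we are not chaining or the first CNAME is a synthesised CNAME before the DNAME" now sits directly above `if (external)`, but it describes the `else if ((chaining == 0) || (chaining == 1U && synthcname))` condition. Move it down to that branch, and give the new external branch here the same "outside of our query domain, and may not be cached" comment that the external branch in the first answer_response hunk carries, so the two sites read alike.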
...@@ -7271,9 +7260,6 @@ answer_response(fetchctx_t *fctx) { ...@@ -7271,9 +7260,6 @@ answer_response(fetchctx_t *fctx) {
if (aa) if (aa)
rdataset->trust = rdataset->trust =
dns_trust_authanswer; dns_trust_authanswer;
} else if (external) {
rdataset->attributes |=
DNS_RDATASETATTR_EXTERNAL;
} }
} }
......