From 6fc38d1c75ce5a6172267e6ca162c4fdc09657ad Mon Sep 17 00:00:00 2001
From: Petr Mensik <pemensik@redhat.com>
Date: Tue, 27 Apr 2021 10:56:12 +0200
Subject: [PATCH 2/2] CVE-2021-25215
5616. [security] named crashed when a DNAME record placed in the ANSWER
section during DNAME chasing turned out to be the final
answer to a client query. (CVE-2021-25215) [GL #2540]
---
bin/named/query.c | 13 ++++++++++---
1 file changed, 10 insertions(+), 3 deletions(-)
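diff --git a/bin/named/query.c b/bin/named/query.c
index a95f5ad..11a888e 100644
--- a/bin/named/query.c
+++ b/bin/named/query.c
@@ -9301,10 +9301,17 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype)
 if (noqname != NULL)
 query_addnoqnameproof(client, noqname);
 /*
- * We shouldn't ever fail to add 'rdataset'
- * because it's already in the answer.
+ * 'rdataset' will only be non-NULL here if the ANSWER section
+ * of the message to be sent to the client already contains an
+ * RRset with the same owner name and the same type as
+ * 'rdataset'. This should never happen, with one exception:
+ * when chasing DNAME records, one of the DNAME records placed
+ * in the ANSWER section may turn out to be the final answer to
+ * the client's query, but we have no way of knowing that until
+ * now. In such a case, 'rdataset' will be freed later, so we
+ * do not need to free it here.
 */
- INSIST(rdataset == NULL);
+ INSIST(rdataset == NULL || qtype == dns_rdatatype_dname);
 }
 
 addauth: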
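Review bot: The new comment says 'rdataset' "will be freed later", but the release site lies outside this hunk (query_find's body starts and ends beyond it), so the ownership claim that justifies relaxing the INSIST cannot be checked from here. The comment should name the cleanup label or call that drops the reference, for example `* 'rdataset' is released at <cleanup site> on every exit path.` The relaxed condition tests only `qtype == dns_rdatatype_dname`, so any other route that leaves 'rdataset' non-NULL still aborts named while answering a client query, which is the availability failure the changelog entry describes; a one-line comment stating that this remaining abort is deliberate would help the next auditor. The diffstat lists only bin/named/query.c, so this patch carries no regression test for the case where a DNAME record is the final answer, and one should accompany it.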
--
2.26.3