From f6ca6392adf7f5a94c804d8a8a1233d90170f490 Mon Sep 17 00:00:00 2001

From: Petr Mensik <pemensik@redhat.com>

Date: Fri, 15 May 2020 14:56:33 +0200

Subject: [PATCH] CVE-2020-8617

5390.	[security]	Replaying a TSIG BADTIME response as a request could

			trigger an assertion failure. (CVE-2020-8617)

			[GL #1703]

---

 lib/dns/tsig.c | 7 ++++---

 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/lib/dns/tsig.c b/lib/dns/tsig.c

index c6f9d1b..aee8eb0 100644

--- a/lib/dns/tsig.c

+++ b/lib/dns/tsig.c

@@ -1431,8 +1431,9 @@ dns_tsig_verify(isc_buffer_t *source, dns_message_t *msg,

 			goto cleanup_context;

 		}

 		msg->verified_sig = 1;

-	} else if (tsig.error != dns_tsigerror_badsig &&

-		   tsig.error != dns_tsigerror_badkey) {

+	} else if (!response || (tsig.error != dns_tsigerror_badsig &&

+				 tsig.error != dns_tsigerror_badkey))

+	{

 		tsig_log(msg->tsigkey, 2, "signature was empty");

 		return (DNS_R_TSIGVERIFYFAILURE);

 	}

@@ -1488,7 +1489,7 @@ dns_tsig_verify(isc_buffer_t *source, dns_message_t *msg,

 		}

 	}

-	if (tsig.error != dns_rcode_noerror) {

+	if (response && tsig.error != dns_rcode_noerror) {

 		msg->tsigstatus = tsig.error;

 		if (tsig.error == dns_tsigerror_badtime)

 			ret = DNS_R_CLOCKSKEW;

-- 

2.21.1