|
|
af07b8 |
From 3bcd32572504ac9b92e3c6ec1e2cee3df3b68309 Mon Sep 17 00:00:00 2001
|
|
|
af07b8 |
From: Petr Mensik <pemensik@redhat.com>
|
|
|
af07b8 |
Date: Tue, 20 Sep 2022 11:34:42 +0200
|
|
|
af07b8 |
Subject: [PATCH 2/4] Fix CVE-2022-3080
|
|
|
af07b8 |
|
|
|
af07b8 |
5960. [security] Fix serve-stale crash that could happen when
|
|
|
af07b8 |
stale-answer-client-timeout was set to 0 and there was
|
|
|
af07b8 |
a stale CNAME in the cache for an incoming query.
|
|
|
af07b8 |
(CVE-2022-3080) [GL #3517]
|
|
|
af07b8 |
---
|
|
|
af07b8 |
lib/ns/include/ns/query.h | 1 +
|
|
|
af07b8 |
lib/ns/query.c | 42 ++++++++++++++++++++++++---------------
|
|
|
af07b8 |
2 files changed, 27 insertions(+), 16 deletions(-)
|
|
|
af07b8 |
|
|
|
af07b8 |
diff --git a/lib/ns/include/ns/query.h b/lib/ns/include/ns/query.h
|
|
|
af07b8 |
index 4d48cf6..34b3070 100644
|
|
|
af07b8 |
--- a/lib/ns/include/ns/query.h
|
|
|
af07b8 |
+++ b/lib/ns/include/ns/query.h
|
|
|
af07b8 |
@@ -145,6 +145,7 @@ struct query_ctx {
|
|
|
af07b8 |
bool authoritative; /* authoritative query? */
|
|
|
af07b8 |
bool want_restart; /* CNAME chain or other
|
|
|
af07b8 |
* restart needed */
|
|
|
af07b8 |
+ bool refresh_rrset; /* stale RRset refresh needed */
|
|
|
af07b8 |
bool need_wildcardproof; /* wildcard proof needed */
|
|
|
af07b8 |
bool nxrewrite; /* negative answer from RPZ */
|
|
|
af07b8 |
bool findcoveringnsec; /* lookup covering NSEC */
|
|
|
af07b8 |
diff --git a/lib/ns/query.c b/lib/ns/query.c
|
|
|
af07b8 |
index 249321c..a450cb7 100644
|
|
|
af07b8 |
--- a/lib/ns/query.c
|
|
|
af07b8 |
+++ b/lib/ns/query.c
|
|
|
af07b8 |
@@ -5686,7 +5686,6 @@ query_lookup(query_ctx_t *qctx) {
|
|
|
af07b8 |
bool dbfind_stale = false;
|
|
|
af07b8 |
bool stale_timeout = false;
|
|
|
af07b8 |
bool stale_found = false;
|
|
|
af07b8 |
- bool refresh_rrset = false;
|
|
|
af07b8 |
bool stale_refresh_window = false;
|
|
|
af07b8 |
|
|
|
af07b8 |
CCTRACE(ISC_LOG_DEBUG(3), "query_lookup");
|
|
|
af07b8 |
@@ -5868,8 +5867,7 @@ query_lookup(query_ctx_t *qctx) {
|
|
|
af07b8 |
"%s stale answer used, an attempt to "
|
|
|
af07b8 |
"refresh the RRset will still be made",
|
|
|
af07b8 |
namebuf);
|
|
|
af07b8 |
- refresh_rrset = STALE(qctx->rdataset);
|
|
|
af07b8 |
- qctx->client->nodetach = refresh_rrset;
|
|
|
af07b8 |
+ qctx->refresh_rrset = STALE(qctx->rdataset);
|
|
|
af07b8 |
}
|
|
|
af07b8 |
} else {
|
|
|
af07b8 |
/*
|
|
|
af07b8 |
@@ -5907,17 +5905,6 @@ query_lookup(query_ctx_t *qctx) {
|
|
|
af07b8 |
|
|
|
af07b8 |
result = query_gotanswer(qctx, result);
|
|
|
af07b8 |
|
|
|
af07b8 |
- if (refresh_rrset) {
|
|
|
af07b8 |
- /*
|
|
|
af07b8 |
- * If we reached this point then it means that we have found a
|
|
|
af07b8 |
- * stale RRset entry in cache and BIND is configured to allow
|
|
|
af07b8 |
- * queries to be answered with stale data if no active RRset
|
|
|
af07b8 |
- * is available, i.e. "stale-anwer-client-timeout 0". But, we
|
|
|
af07b8 |
- * still need to refresh the RRset.
|
|
|
af07b8 |
- */
|
|
|
af07b8 |
- query_refresh_rrset(qctx);
|
|
|
af07b8 |
- }
|
|
|
af07b8 |
-
|
|
|
af07b8 |
cleanup:
|
|
|
af07b8 |
return (result);
|
|
|
af07b8 |
}
|
|
|
af07b8 |
@@ -7737,11 +7724,14 @@ query_addanswer(query_ctx_t *qctx) {
|
|
|
af07b8 |
|
|
|
af07b8 |
/*
|
|
|
af07b8 |
* On normal lookups, clear any rdatasets that were added on a
|
|
|
af07b8 |
- * lookup due to stale-answer-client-timeout.
|
|
|
af07b8 |
+ * lookup due to stale-answer-client-timeout. Do not clear if we
|
|
|
af07b8 |
+ * are going to refresh the RRset, because the stale contents are
|
|
|
af07b8 |
+ * prioritized.
|
|
|
af07b8 |
*/
|
|
|
af07b8 |
if (QUERY_STALEOK(&qctx->client->query) &&
|
|
|
af07b8 |
- !QUERY_STALETIMEOUT(&qctx->client->query))
|
|
|
af07b8 |
+ !QUERY_STALETIMEOUT(&qctx->client->query) && !qctx->refresh_rrset)
|
|
|
af07b8 |
{
|
|
|
af07b8 |
+ CCTRACE(ISC_LOG_DEBUG(3), "query_clear_stale");
|
|
|
af07b8 |
query_clear_stale(qctx->client);
|
|
|
af07b8 |
/*
|
|
|
af07b8 |
* We can clear the attribute to prevent redundant clearing
|
|
|
af07b8 |
@@ -11457,9 +11447,29 @@ ns_query_done(query_ctx_t *qctx) {
|
|
|
af07b8 |
/*
|
|
|
af07b8 |
* Client may have been detached after query_send(), so
|
|
|
af07b8 |
* we test and store the flag state here, for safety.
|
|
|
af07b8 |
+ * If we are refreshing the RRSet, we must not detach from the client
|
|
|
af07b8 |
+ * in the query_send(), so we need to override the flag.
|
|
|
af07b8 |
*/
|
|
|
af07b8 |
+ if (qctx->refresh_rrset) {
|
|
|
af07b8 |
+ qctx->client->nodetach = true;
|
|
|
af07b8 |
+ }
|
|
|
af07b8 |
nodetach = qctx->client->nodetach;
|
|
|
af07b8 |
query_send(qctx->client);
|
|
|
af07b8 |
+
|
|
|
af07b8 |
+ if (qctx->refresh_rrset) {
|
|
|
af07b8 |
+ /*
|
|
|
af07b8 |
+ * If we reached this point then it means that we have found a
|
|
|
af07b8 |
+ * stale RRset entry in cache and BIND is configured to allow
|
|
|
af07b8 |
+ * queries to be answered with stale data if no active RRset
|
|
|
af07b8 |
+ * is available, i.e. "stale-anwer-client-timeout 0". But, we
|
|
|
af07b8 |
+ * still need to refresh the RRset. To prevent adding duplicate
|
|
|
af07b8 |
+ * RRsets, clear the RRsets from the message before doing the
|
|
|
af07b8 |
+ * refresh.
|
|
|
af07b8 |
+ */
|
|
|
af07b8 |
+ message_clearrdataset(qctx->client->message, 0);
|
|
|
af07b8 |
+ query_refresh_rrset(qctx);
|
|
|
af07b8 |
+ }
|
|
|
af07b8 |
+
|
|
|
af07b8 |
if (!nodetach) {
|
|
|
af07b8 |
qctx->detach_client = true;
|
|
|
af07b8 |
}
|
|
|
af07b8 |
--
|
|
|
af07b8 |
2.37.3
|
|
|
af07b8 |
|