af07b8
From 3bcd32572504ac9b92e3c6ec1e2cee3df3b68309 Mon Sep 17 00:00:00 2001
af07b8
From: Petr Mensik <pemensik@redhat.com>
af07b8
Date: Tue, 20 Sep 2022 11:34:42 +0200
af07b8
Subject: [PATCH 2/4] Fix CVE-2022-3080
af07b8
af07b8
5960.	[security]	Fix serve-stale crash that could happen when
af07b8
			stale-answer-client-timeout was set to 0 and there was
af07b8
			a stale CNAME in the cache for an incoming query.
af07b8
			(CVE-2022-3080) [GL #3517]
af07b8
---
af07b8
 lib/ns/include/ns/query.h |  1 +
af07b8
 lib/ns/query.c            | 42 ++++++++++++++++++++++++---------------
af07b8
 2 files changed, 27 insertions(+), 16 deletions(-)
af07b8
af07b8
diff --git a/lib/ns/include/ns/query.h b/lib/ns/include/ns/query.h
af07b8
index 4d48cf6..34b3070 100644
af07b8
--- a/lib/ns/include/ns/query.h
af07b8
+++ b/lib/ns/include/ns/query.h
af07b8
@@ -145,6 +145,7 @@ struct query_ctx {
af07b8
 	bool authoritative;		    /* authoritative query? */
af07b8
 	bool want_restart;		    /* CNAME chain or other
af07b8
 					     * restart needed */
af07b8
+	bool		refresh_rrset;	    /* stale RRset refresh needed */
af07b8
 	bool		need_wildcardproof; /* wildcard proof needed */
af07b8
 	bool		nxrewrite;	    /* negative answer from RPZ */
af07b8
 	bool		findcoveringnsec;   /* lookup covering NSEC */
af07b8
diff --git a/lib/ns/query.c b/lib/ns/query.c
af07b8
index 249321c..a450cb7 100644
af07b8
--- a/lib/ns/query.c
af07b8
+++ b/lib/ns/query.c
af07b8
@@ -5686,7 +5686,6 @@ query_lookup(query_ctx_t *qctx) {
af07b8
 	bool dbfind_stale = false;
af07b8
 	bool stale_timeout = false;
af07b8
 	bool stale_found = false;
af07b8
-	bool refresh_rrset = false;
af07b8
 	bool stale_refresh_window = false;
af07b8
 
af07b8
 	CCTRACE(ISC_LOG_DEBUG(3), "query_lookup");
af07b8
@@ -5868,8 +5867,7 @@ query_lookup(query_ctx_t *qctx) {
af07b8
 					"%s stale answer used, an attempt to "
af07b8
 					"refresh the RRset will still be made",
af07b8
 					namebuf);
af07b8
-				refresh_rrset = STALE(qctx->rdataset);
af07b8
-				qctx->client->nodetach = refresh_rrset;
af07b8
+				qctx->refresh_rrset = STALE(qctx->rdataset);
af07b8
 			}
af07b8
 		} else {
af07b8
 			/*
af07b8
@@ -5907,17 +5905,6 @@ query_lookup(query_ctx_t *qctx) {
af07b8
 
af07b8
 	result = query_gotanswer(qctx, result);
af07b8
 
af07b8
-	if (refresh_rrset) {
af07b8
-		/*
af07b8
-		 * If we reached this point then it means that we have found a
af07b8
-		 * stale RRset entry in cache and BIND is configured to allow
af07b8
-		 * queries to be answered with stale data if no active RRset
af07b8
-		 * is available, i.e. "stale-anwer-client-timeout 0". But, we
af07b8
-		 * still need to refresh the RRset.
af07b8
-		 */
af07b8
-		query_refresh_rrset(qctx);
af07b8
-	}
af07b8
-
af07b8
 cleanup:
af07b8
 	return (result);
af07b8
 }
af07b8
@@ -7737,11 +7724,14 @@ query_addanswer(query_ctx_t *qctx) {
af07b8
 
af07b8
 	/*
af07b8
 	 * On normal lookups, clear any rdatasets that were added on a
af07b8
-	 * lookup due to stale-answer-client-timeout.
af07b8
+	 * lookup due to stale-answer-client-timeout. Do not clear if we
af07b8
+	 * are going to refresh the RRset, because the stale contents are
af07b8
+	 * prioritized.
af07b8
 	 */
af07b8
 	if (QUERY_STALEOK(&qctx->client->query) &&
af07b8
-	    !QUERY_STALETIMEOUT(&qctx->client->query))
af07b8
+	    !QUERY_STALETIMEOUT(&qctx->client->query) && !qctx->refresh_rrset)
af07b8
 	{
af07b8
+		CCTRACE(ISC_LOG_DEBUG(3), "query_clear_stale");
af07b8
 		query_clear_stale(qctx->client);
af07b8
 		/*
af07b8
 		 * We can clear the attribute to prevent redundant clearing
af07b8
@@ -11457,9 +11447,29 @@ ns_query_done(query_ctx_t *qctx) {
af07b8
 	/*
af07b8
 	 * Client may have been detached after query_send(), so
af07b8
 	 * we test and store the flag state here, for safety.
af07b8
+	 * If we are refreshing the RRSet, we must not detach from the client
af07b8
+	 * in the query_send(), so we need to override the flag.
af07b8
 	 */
af07b8
+	if (qctx->refresh_rrset) {
af07b8
+		qctx->client->nodetach = true;
af07b8
+	}
af07b8
 	nodetach = qctx->client->nodetach;
af07b8
 	query_send(qctx->client);
af07b8
+
af07b8
+	if (qctx->refresh_rrset) {
af07b8
+		/*
af07b8
+		 * If we reached this point then it means that we have found a
af07b8
+		 * stale RRset entry in cache and BIND is configured to allow
af07b8
+		 * queries to be answered with stale data if no active RRset
af07b8
+		 * is available, i.e. "stale-anwer-client-timeout 0". But, we
af07b8
+		 * still need to refresh the RRset. To prevent adding duplicate
af07b8
+		 * RRsets, clear the RRsets from the message before doing the
af07b8
+		 * refresh.
af07b8
+		 */
af07b8
+		message_clearrdataset(qctx->client->message, 0);
af07b8
+		query_refresh_rrset(qctx);
af07b8
+	}
af07b8
+
af07b8
 	if (!nodetach) {
af07b8
 		qctx->detach_client = true;
af07b8
 	}
af07b8
-- 
af07b8
2.37.3
af07b8