Blame SOURCES/bind99-CVE-2016-1285-CVE-2016-1286.patch

b2eaff
diff --git a/bin/named/control.c b/bin/named/control.c
b2eaff
index fabe442..06eadce 100644
b2eaff
--- a/bin/named/control.c
b2eaff
+++ b/bin/named/control.c
b2eaff
@@ -69,7 +69,7 @@ ns_control_docommand(isccc_sexpr_t *message, isc_buffer_t *text) {
b2eaff
 #endif
b2eaff
 
b2eaff
 	data = isccc_alist_lookup(message, "_data");
b2eaff
-	if (data == NULL) {
b2eaff
+	if (!isccc_alist_alistp(data)) {
b2eaff
 		/*
b2eaff
 		 * No data section.
b2eaff
 		 */
b2eaff
diff --git a/bin/named/controlconf.c b/bin/named/controlconf.c
b2eaff
index c46a6e1..ef32790 100644
b2eaff
--- a/bin/named/controlconf.c
b2eaff
+++ b/bin/named/controlconf.c
b2eaff
@@ -396,7 +396,7 @@ control_recvmessage(isc_task_t *task, isc_event_t *event) {
b2eaff
 	 * Limit exposure to replay attacks.
b2eaff
 	 */
b2eaff
 	_ctrl = isccc_alist_lookup(request, "_ctrl");
b2eaff
-	if (_ctrl == NULL) {
b2eaff
+	if (!isccc_alist_alistp(_ctrl)) {
b2eaff
 		log_invalid(&conn->ccmsg, ISC_R_FAILURE);
b2eaff
 		goto cleanup_request;
b2eaff
 	}
b2eaff
diff --git a/bin/rndc/rndc.c b/bin/rndc/rndc.c
b2eaff
index ba2c3f6..9a007e2 100644
b2eaff
--- a/bin/rndc/rndc.c
b2eaff
+++ b/bin/rndc/rndc.c
b2eaff
@@ -252,8 +252,8 @@ rndc_recvdone(isc_task_t *task, isc_event_t *event) {
b2eaff
 	DO("parse message", isccc_cc_fromwire(&source, &response, &secret));
b2eaff
 
b2eaff
 	data = isccc_alist_lookup(response, "_data");
b2eaff
-	if (data == NULL)
b2eaff
-		fatal("no data section in response");
b2eaff
+	if (!isccc_alist_alistp(data))
b2eaff
+		fatal("bad or missing data section in response");
b2eaff
 	result = isccc_cc_lookupstring(data, "err", &errormsg);
b2eaff
 	if (result == ISC_R_SUCCESS) {
b2eaff
 		failed = ISC_TRUE;
b2eaff
@@ -316,8 +316,8 @@ rndc_recvnonce(isc_task_t *task, isc_event_t *event) {
b2eaff
 	DO("parse message", isccc_cc_fromwire(&source, &response, &secret));
b2eaff
 
b2eaff
 	_ctrl = isccc_alist_lookup(response, "_ctrl");
b2eaff
-	if (_ctrl == NULL)
b2eaff
-		fatal("_ctrl section missing");
b2eaff
+	if (!isccc_alist_alistp(_ctrl))
b2eaff
+		fatal("bad or missing ctrl section in response");
b2eaff
 	nonce = 0;
b2eaff
 	if (isccc_cc_lookupuint32(_ctrl, "_nonce", &nonce) != ISC_R_SUCCESS)
b2eaff
 		nonce = 0;
b2eaff
diff --git a/lib/dns/resolver.c b/lib/dns/resolver.c
b2eaff
index d220986..8696b15 100644
b2eaff
--- a/lib/dns/resolver.c
b2eaff
+++ b/lib/dns/resolver.c
b2eaff
@@ -5408,14 +5408,11 @@ cname_target(dns_rdataset_t *rdataset, dns_name_t *tname) {
b2eaff
 }
b2eaff
 
b2eaff
 static inline isc_result_t
b2eaff
-dname_target(fetchctx_t *fctx, dns_rdataset_t *rdataset, dns_name_t *qname,
b2eaff
-	     dns_name_t *oname, dns_fixedname_t *fixeddname)
b2eaff
+dname_target(dns_rdataset_t *rdataset, dns_name_t *qname,
b2eaff
+	     unsigned int nlabels, dns_fixedname_t *fixeddname)
b2eaff
 {
b2eaff
 	isc_result_t result;
b2eaff
 	dns_rdata_t rdata = DNS_RDATA_INIT;
b2eaff
-	unsigned int nlabels;
b2eaff
-	int order;
b2eaff
-	dns_namereln_t namereln;
b2eaff
 	dns_rdata_dname_t dname;
b2eaff
 	dns_fixedname_t prefix;
b2eaff
 
b2eaff
@@ -5430,21 +5427,6 @@ dname_target(fetchctx_t *fctx, dns_rdataset_t *rdataset, dns_name_t *qname,
b2eaff
 	if (result != ISC_R_SUCCESS)
b2eaff
 		return (result);
b2eaff
 
b2eaff
-	/*
b2eaff
-	 * Get the prefix of qname.
b2eaff
-	 */
b2eaff
-	namereln = dns_name_fullcompare(qname, oname, &order, &nlabels);
b2eaff
-	if (namereln != dns_namereln_subdomain) {
b2eaff
-		char qbuf[DNS_NAME_FORMATSIZE];
b2eaff
-		char obuf[DNS_NAME_FORMATSIZE];
b2eaff
-
b2eaff
-		dns_rdata_freestruct(&dname);
b2eaff
-		dns_name_format(qname, qbuf, sizeof(qbuf));
b2eaff
-		dns_name_format(oname, obuf, sizeof(obuf));
b2eaff
-		log_formerr(fctx, "unrelated DNAME in answer: "
b2eaff
-				   "%s is not in %s", qbuf, obuf);
b2eaff
-		return (DNS_R_FORMERR);
b2eaff
-	}
b2eaff
 	dns_fixedname_init(&prefix);
b2eaff
 	dns_name_split(qname, nlabels, dns_fixedname_name(&prefix), NULL);
b2eaff
 	dns_fixedname_init(fixeddname);
b2eaff
@@ -6057,13 +6039,13 @@ static isc_result_t
b2eaff
 answer_response(fetchctx_t *fctx) {
b2eaff
 	isc_result_t result;
b2eaff
 	dns_message_t *message;
b2eaff
-	dns_name_t *name, *qname, tname, *ns_name;
b2eaff
+	dns_name_t *name, *dname = NULL, *qname, tname, *ns_name;
b2eaff
 	dns_rdataset_t *rdataset, *ns_rdataset;
b2eaff
 	isc_boolean_t done, external, chaining, aa, found, want_chaining;
b2eaff
 	isc_boolean_t have_answer, found_cname, found_type, wanted_chaining;
b2eaff
 	unsigned int aflag;
b2eaff
 	dns_rdatatype_t type;
b2eaff
-	dns_fixedname_t dname, fqname;
b2eaff
+	dns_fixedname_t fdname, fqname;
b2eaff
 	dns_view_t *view;
b2eaff
 
b2eaff
 	FCTXTRACE("answer_response");
b2eaff
@@ -6091,10 +6073,15 @@ answer_response(fetchctx_t *fctx) {
b2eaff
 	view = fctx->res->view;
b2eaff
 	result = dns_message_firstname(message, DNS_SECTION_ANSWER);
b2eaff
 	while (!done && result == ISC_R_SUCCESS) {
b2eaff
+		dns_namereln_t namereln;
b2eaff
+		int order;
b2eaff
+		unsigned int nlabels;
b2eaff
+
b2eaff
 		name = NULL;
b2eaff
 		dns_message_currentname(message, DNS_SECTION_ANSWER, &name);
b2eaff
 		external = ISC_TF(!dns_name_issubdomain(name, &fctx->domain));
b2eaff
-		if (dns_name_equal(name, qname)) {
b2eaff
+		namereln = dns_name_fullcompare(qname, name, &order, &nlabels);
b2eaff
+		if (namereln == dns_namereln_equal) {
b2eaff
 			wanted_chaining = ISC_FALSE;
b2eaff
 			for (rdataset = ISC_LIST_HEAD(name->list);
b2eaff
 			     rdataset != NULL;
b2eaff
@@ -6219,10 +6206,11 @@ answer_response(fetchctx_t *fctx) {
b2eaff
 						 */
b2eaff
 						INSIST(!external);
b2eaff
 						if (aflag ==
b2eaff
-						    DNS_RDATASETATTR_ANSWER)
b2eaff
+						    DNS_RDATASETATTR_ANSWER) {
b2eaff
 							have_answer = ISC_TRUE;
b2eaff
-						name->attributes |=
b2eaff
-							DNS_NAMEATTR_ANSWER;
b2eaff
+							name->attributes |=
b2eaff
+								DNS_NAMEATTR_ANSWER;
b2eaff
+						}
b2eaff
 						rdataset->attributes |= aflag;
b2eaff
 						if (aa)
b2eaff
 							rdataset->trust =
b2eaff
@@ -6277,6 +6265,8 @@ answer_response(fetchctx_t *fctx) {
b2eaff
 			if (wanted_chaining)
b2eaff
 				chaining = ISC_TRUE;
b2eaff
 		} else {
b2eaff
+			dns_rdataset_t *dnameset = NULL;
b2eaff
+
b2eaff
 			/*
b2eaff
 			 * Look for a DNAME (or its SIG).  Anything else is
b2eaff
 			 * ignored.
b2eaff
@@ -6284,32 +6274,56 @@ answer_response(fetchctx_t *fctx) {
b2eaff
 			wanted_chaining = ISC_FALSE;
b2eaff
 			for (rdataset = ISC_LIST_HEAD(name->list);
b2eaff
 			     rdataset != NULL;
b2eaff
-			     rdataset = ISC_LIST_NEXT(rdataset, link)) {
b2eaff
-				isc_boolean_t found_dname = ISC_FALSE;
b2eaff
-				dns_name_t *dname_name;
b2eaff
+			     rdataset = ISC_LIST_NEXT(rdataset, link))
b2eaff
+			{
b2eaff
+				/*
b2eaff
+				 * Only pass DNAME or RRSIG(DNAME).
b2eaff
+				 */
b2eaff
+				if (rdataset->type != dns_rdatatype_dname &&
b2eaff
+				    (rdataset->type != dns_rdatatype_rrsig ||
b2eaff
+				     rdataset->covers != dns_rdatatype_dname))
b2eaff
+					continue;
b2eaff
+
b2eaff
+				/*
b2eaff
+				 * If we're not chaining, then the DNAME and
b2eaff
+				 * its signature should not be external.
b2eaff
+				 */
b2eaff
+				if (!chaining && external) {
b2eaff
+					char qbuf[DNS_NAME_FORMATSIZE];
b2eaff
+					char obuf[DNS_NAME_FORMATSIZE];
b2eaff
+
b2eaff
+					dns_name_format(name, qbuf,
b2eaff
+							sizeof(qbuf));
b2eaff
+					dns_name_format(&fctx->domain, obuf,
b2eaff
+							sizeof(obuf));
b2eaff
+					log_formerr(fctx, "external DNAME or "
b2eaff
+						    "RRSIG covering DNAME "
b2eaff
+						    "in answer: %s is "
b2eaff
+						    "not in %s", qbuf, obuf);
b2eaff
+					return (DNS_R_FORMERR);
b2eaff
+				}
b2eaff
+
b2eaff
+				if (namereln != dns_namereln_subdomain) {
b2eaff
+					char qbuf[DNS_NAME_FORMATSIZE];
b2eaff
+					char obuf[DNS_NAME_FORMATSIZE];
b2eaff
+
b2eaff
+					dns_name_format(qname, qbuf,
b2eaff
+							sizeof(qbuf));
b2eaff
+					dns_name_format(name, obuf,
b2eaff
+							sizeof(obuf));
b2eaff
+					log_formerr(fctx, "unrelated DNAME "
b2eaff
+						    "in answer: %s is "
b2eaff
+						    "not in %s", qbuf, obuf);
b2eaff
+					return (DNS_R_FORMERR);
b2eaff
+				}
b2eaff
 
b2eaff
-				found = ISC_FALSE;
b2eaff
 				aflag = 0;
b2eaff
 				if (rdataset->type == dns_rdatatype_dname) {
b2eaff
-					/*
b2eaff
-					 * We're looking for something else,
b2eaff
-					 * but we found a DNAME.
b2eaff
-					 *
b2eaff
-					 * If we're not chaining, then the
b2eaff
-					 * DNAME should not be external.
b2eaff
-					 */
b2eaff
-					if (!chaining && external) {
b2eaff
-						log_formerr(fctx,
b2eaff
-							    "external DNAME");
b2eaff
-						return (DNS_R_FORMERR);
b2eaff
-					}
b2eaff
-					found = ISC_TRUE;
b2eaff
 					want_chaining = ISC_TRUE;
b2eaff
 					POST(want_chaining);
b2eaff
 					aflag = DNS_RDATASETATTR_ANSWER;
b2eaff
-					result = dname_target(fctx, rdataset,
b2eaff
-							      qname, name,
b2eaff
-							      &dname);
b2eaff
+					result = dname_target(rdataset, qname,
b2eaff
+							      nlabels, &fdname);
b2eaff
 					if (result == ISC_R_NOSPACE) {
b2eaff
 						/*
b2eaff
 						 * We can't construct the
b2eaff
@@ -6321,90 +6335,73 @@ answer_response(fetchctx_t *fctx) {
b2eaff
 					} else if (result != ISC_R_SUCCESS)
b2eaff
 						return (result);
b2eaff
 					else
b2eaff
-						found_dname = ISC_TRUE;
b2eaff
+						dnameset = rdataset;
b2eaff
 
b2eaff
-					dname_name = dns_fixedname_name(&dname);
b2eaff
+					dname = dns_fixedname_name(&fdname);
b2eaff
 					if (!is_answertarget_allowed(view,
b2eaff
-							qname,
b2eaff
-							rdataset->type,
b2eaff
-							dname_name,
b2eaff
-							&fctx->domain)) {
b2eaff
+							qname, rdataset->type,
b2eaff
+							dname, &fctx->domain)) {
b2eaff
 						return (DNS_R_SERVFAIL);
b2eaff
 					}
b2eaff
-				} else if (rdataset->type == dns_rdatatype_rrsig
b2eaff
-					   && rdataset->covers ==
b2eaff
-					   dns_rdatatype_dname) {
b2eaff
+				} else {
b2eaff
 					/*
b2eaff
 					 * We've found a signature that
b2eaff
 					 * covers the DNAME.
b2eaff
 					 */
b2eaff
-					found = ISC_TRUE;
b2eaff
 					aflag = DNS_RDATASETATTR_ANSWERSIG;
b2eaff
 				}
b2eaff
 
b2eaff
-				if (found) {
b2eaff
+				/*
b2eaff
+				 * We've found an answer to our
b2eaff
+				 * question.
b2eaff
+				 */
b2eaff
+				name->attributes |= DNS_NAMEATTR_CACHE;
b2eaff
+				rdataset->attributes |= DNS_RDATASETATTR_CACHE;
b2eaff
+				rdataset->trust = dns_trust_answer;
b2eaff
+				if (!chaining) {
b2eaff
 					/*
b2eaff
-					 * We've found an answer to our
b2eaff
-					 * question.
b2eaff
+					 * This data is "the" answer to
b2eaff
+					 * our question only if we're
b2eaff
+					 * not chaining.
b2eaff
 					 */
b2eaff
-					name->attributes |=
b2eaff
-						DNS_NAMEATTR_CACHE;
b2eaff
-					rdataset->attributes |=
b2eaff
-						DNS_RDATASETATTR_CACHE;
b2eaff
-					rdataset->trust = dns_trust_answer;
b2eaff
-					if (!chaining) {
b2eaff
-						/*
b2eaff
-						 * This data is "the" answer
b2eaff
-						 * to our question only if
b2eaff
-						 * we're not chaining.
b2eaff
-						 */
b2eaff
-						INSIST(!external);
b2eaff
-						if (aflag ==
b2eaff
-						    DNS_RDATASETATTR_ANSWER)
b2eaff
-							have_answer = ISC_TRUE;
b2eaff
+					INSIST(!external);
b2eaff
+					if (aflag == DNS_RDATASETATTR_ANSWER) {
b2eaff
+						have_answer = ISC_TRUE;
b2eaff
 						name->attributes |=
b2eaff
 							DNS_NAMEATTR_ANSWER;
b2eaff
-						rdataset->attributes |= aflag;
b2eaff
-						if (aa)
b2eaff
-							rdataset->trust =
b2eaff
-							  dns_trust_authanswer;
b2eaff
-					} else if (external) {
b2eaff
-						rdataset->attributes |=
b2eaff
-						    DNS_RDATASETATTR_EXTERNAL;
b2eaff
-					}
b2eaff
-
b2eaff
-					/*
b2eaff
-					 * DNAME chaining.
b2eaff
-					 */
b2eaff
-					if (found_dname) {
b2eaff
-						/*
b2eaff
-						 * Copy the dname into the
b2eaff
-						 * qname fixed name.
b2eaff
-						 *
b2eaff
-						 * Although we check for
b2eaff
-						 * failure of the copy
b2eaff
-						 * operation, in practice it
b2eaff
-						 * should never fail since
b2eaff
-						 * we already know that the
b2eaff
-						 * result fits in a fixedname.
b2eaff
-						 */
b2eaff
-						dns_fixedname_init(&fqname);
b2eaff
-						result = dns_name_copy(
b2eaff
-						  dns_fixedname_name(&dname),
b2eaff
-						  dns_fixedname_name(&fqname),
b2eaff
-						  NULL);
b2eaff
-						if (result != ISC_R_SUCCESS)
b2eaff
-							return (result);
b2eaff
-						wanted_chaining = ISC_TRUE;
b2eaff
-						name->attributes |=
b2eaff
-							DNS_NAMEATTR_CHAINING;
b2eaff
-						rdataset->attributes |=
b2eaff
-						    DNS_RDATASETATTR_CHAINING;
b2eaff
-						qname = dns_fixedname_name(
b2eaff
-								   &fqname);
b2eaff
 					}
b2eaff
+					rdataset->attributes |= aflag;
b2eaff
+					if (aa)
b2eaff
+						rdataset->trust =
b2eaff
+						  dns_trust_authanswer;
b2eaff
+				} else if (external) {
b2eaff
+					rdataset->attributes |=
b2eaff
+					    DNS_RDATASETATTR_EXTERNAL;
b2eaff
 				}
b2eaff
 			}
b2eaff
+
b2eaff
+			/*
b2eaff
+			 * DNAME chaining.
b2eaff
+			 */
b2eaff
+			if (dnameset != NULL) {
b2eaff
+				/*
b2eaff
+				 * Copy the dname into the qname fixed name.
b2eaff
+				 *
b2eaff
+				 * Although we check for failure of the copy
b2eaff
+				 * operation, in practice it should never fail
b2eaff
+				 * since we already know that the  result fits
b2eaff
+				 * in a fixedname.
b2eaff
+				 */
b2eaff
+				dns_fixedname_init(&fqname);
b2eaff
+				qname = dns_fixedname_name(&fqname);
b2eaff
+				result = dns_name_copy(dname, qname, NULL);
b2eaff
+				if (result != ISC_R_SUCCESS)
b2eaff
+					return (result);
b2eaff
+				wanted_chaining = ISC_TRUE;
b2eaff
+				name->attributes |= DNS_NAMEATTR_CHAINING;
b2eaff
+				dnameset->attributes |=
b2eaff
+					    DNS_RDATASETATTR_CHAINING;
b2eaff
+			}
b2eaff
 			if (wanted_chaining)
b2eaff
 				chaining = ISC_TRUE;
b2eaff
 		}
b2eaff
diff --git a/lib/isccc/cc.c b/lib/isccc/cc.c
b2eaff
index ae5391a..10e5dc9 100644
b2eaff
--- a/lib/isccc/cc.c
b2eaff
+++ b/lib/isccc/cc.c
b2eaff
@@ -286,10 +286,10 @@ verify(isccc_sexpr_t *alist, unsigned char *data, unsigned int length,
b2eaff
 	 * Extract digest.
b2eaff
 	 */
b2eaff
 	_auth = isccc_alist_lookup(alist, "_auth");
b2eaff
-	if (_auth == NULL)
b2eaff
+	if (!isccc_alist_alistp(_auth))
b2eaff
 		return (ISC_R_FAILURE);
b2eaff
 	hmd5 = isccc_alist_lookup(_auth, "hmd5");
b2eaff
-	if (hmd5 == NULL)
b2eaff
+	if (!isccc_sexpr_binaryp(hmd5))
b2eaff
 		return (ISC_R_FAILURE);
b2eaff
 	/*
b2eaff
 	 * Compute digest.
b2eaff
@@ -543,7 +543,7 @@ isccc_cc_createack(isccc_sexpr_t *message, isc_boolean_t ok,
b2eaff
 	REQUIRE(ackp != NULL && *ackp == NULL);
b2eaff
 
b2eaff
 	_ctrl = isccc_alist_lookup(message, "_ctrl");
b2eaff
-	if (_ctrl == NULL ||
b2eaff
+	if (!isccc_alist_alistp(_ctrl) ||
b2eaff
 	    isccc_cc_lookupuint32(_ctrl, "_ser", &serial) != ISC_R_SUCCESS ||
b2eaff
 	    isccc_cc_lookupuint32(_ctrl, "_tim", &t) != ISC_R_SUCCESS)
b2eaff
 		return (ISC_R_FAILURE);
b2eaff
@@ -588,7 +588,7 @@ isccc_cc_isack(isccc_sexpr_t *message)
b2eaff
 	isccc_sexpr_t *_ctrl;
b2eaff
 
b2eaff
 	_ctrl = isccc_alist_lookup(message, "_ctrl");
b2eaff
-	if (_ctrl == NULL)
b2eaff
+	if (!isccc_alist_alistp(_ctrl))
b2eaff
 		return (ISC_FALSE);
b2eaff
 	if (isccc_cc_lookupstring(_ctrl, "_ack", NULL) == ISC_R_SUCCESS)
b2eaff
 		return (ISC_TRUE);
b2eaff
@@ -601,7 +601,7 @@ isccc_cc_isreply(isccc_sexpr_t *message)
b2eaff
 	isccc_sexpr_t *_ctrl;
b2eaff
 
b2eaff
 	_ctrl = isccc_alist_lookup(message, "_ctrl");
b2eaff
-	if (_ctrl == NULL)
b2eaff
+	if (!isccc_alist_alistp(_ctrl))
b2eaff
 		return (ISC_FALSE);
b2eaff
 	if (isccc_cc_lookupstring(_ctrl, "_rpl", NULL) == ISC_R_SUCCESS)
b2eaff
 		return (ISC_TRUE);
b2eaff
@@ -621,7 +621,7 @@ isccc_cc_createresponse(isccc_sexpr_t *message, isccc_time_t now,
b2eaff
 
b2eaff
 	_ctrl = isccc_alist_lookup(message, "_ctrl");
b2eaff
 	_data = isccc_alist_lookup(message, "_data");
b2eaff
-	if (_ctrl == NULL || _data == NULL ||
b2eaff
+	if (!isccc_alist_alistp(_ctrl) || !isccc_alist_alistp(_data) ||
b2eaff
 	    isccc_cc_lookupuint32(_ctrl, "_ser", &serial) != ISC_R_SUCCESS ||
b2eaff
 	    isccc_cc_lookupstring(_data, "type", &type) != ISC_R_SUCCESS)
b2eaff
 		return (ISC_R_FAILURE);
b2eaff
@@ -810,7 +810,7 @@ isccc_cc_checkdup(isccc_symtab_t *symtab, isccc_sexpr_t *message,
b2eaff
 	isccc_sexpr_t *_ctrl;
b2eaff
 
b2eaff
 	_ctrl = isccc_alist_lookup(message, "_ctrl");
b2eaff
-	if (_ctrl == NULL ||
b2eaff
+	if (!isccc_alist_alistp(_ctrl) ||
b2eaff
 	    isccc_cc_lookupstring(_ctrl, "_ser", &_ser) != ISC_R_SUCCESS ||
b2eaff
 	    isccc_cc_lookupstring(_ctrl, "_tim", &_tim) != ISC_R_SUCCESS)
b2eaff
 		return (ISC_R_FAILURE);