You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
112 lines
3.6 KiB
112 lines
3.6 KiB
7 months ago
|
From bef141d5795429cab745f29f7d080d1e2ea8f164 Mon Sep 17 00:00:00 2001
|
||
|
From: Petr Mensik <pemensik@redhat.com>
|
||
|
Date: Mon, 12 Feb 2024 20:33:41 +0100
|
||
|
Subject: [PATCH] Prevent assertion failure when nxdomain-redirect is used with
|
||
|
RFC 1918 reverse zones
|
||
|
|
||
|
6316. [security] Specific queries could trigger an assertion check with
|
||
|
nxdomain-redirect enabled. (CVE-2023-5517) [GL #4281]
|
||
|
---
|
||
|
lib/ns/query.c | 25 ++++++++++++-------------
|
||
|
1 file changed, 12 insertions(+), 13 deletions(-)
|
||
|
|
||
|
diff --git a/lib/ns/query.c b/lib/ns/query.c
|
||
|
index 4fe3e30..cc1d179 100644
|
||
|
--- a/lib/ns/query.c
|
||
|
+++ b/lib/ns/query.c
|
||
|
@@ -453,10 +453,10 @@ static void
|
||
|
query_addnxrrsetnsec(query_ctx_t *qctx);
|
||
|
|
||
|
static isc_result_t
|
||
|
-query_nxdomain(query_ctx_t *qctx, bool empty_wild);
|
||
|
+query_nxdomain(query_ctx_t *qctx, isc_result_t result);
|
||
|
|
||
|
static isc_result_t
|
||
|
-query_redirect(query_ctx_t *qctx);
|
||
|
+query_redirect(query_ctx_t *qctx, isc_result_t result);
|
||
|
|
||
|
static isc_result_t
|
||
|
query_ncache(query_ctx_t *qctx, isc_result_t result);
|
||
|
@@ -7262,8 +7262,7 @@ query_usestale(query_ctx_t *qctx, isc_result_t result) {
|
||
|
* result from the search.
|
||
|
*/
|
||
|
static isc_result_t
|
||
|
-query_gotanswer(query_ctx_t *qctx, isc_result_t res) {
|
||
|
- isc_result_t result = res;
|
||
|
+query_gotanswer(query_ctx_t *qctx, isc_result_t result) {
|
||
|
char errmsg[256];
|
||
|
|
||
|
CCTRACE(ISC_LOG_DEBUG(3), "query_gotanswer");
|
||
|
@@ -7333,16 +7332,16 @@ root_key_sentinel:
|
||
|
return (query_nodata(qctx, DNS_R_NXRRSET));
|
||
|
|
||
|
case DNS_R_EMPTYWILD:
|
||
|
- return (query_nxdomain(qctx, true));
|
||
|
+ return (query_nxdomain(qctx, DNS_R_EMPTYWILD));
|
||
|
|
||
|
case DNS_R_NXDOMAIN:
|
||
|
- return (query_nxdomain(qctx, false));
|
||
|
+ return (query_nxdomain(qctx, DNS_R_NXDOMAIN));
|
||
|
|
||
|
case DNS_R_COVERINGNSEC:
|
||
|
return (query_coveringnsec(qctx));
|
||
|
|
||
|
case DNS_R_NCACHENXDOMAIN:
|
||
|
- result = query_redirect(qctx);
|
||
|
+ result = query_redirect(qctx, result);
|
||
|
if (result != ISC_R_COMPLETE) {
|
||
|
return (result);
|
||
|
}
|
||
|
@@ -9155,10 +9154,10 @@ query_addnxrrsetnsec(query_ctx_t *qctx) {
|
||
|
* Handle NXDOMAIN and empty wildcard responses.
|
||
|
*/
|
||
|
static isc_result_t
|
||
|
-query_nxdomain(query_ctx_t *qctx, bool empty_wild) {
|
||
|
+query_nxdomain(query_ctx_t *qctx, isc_result_t result) {
|
||
|
dns_section_t section;
|
||
|
uint32_t ttl;
|
||
|
- isc_result_t result;
|
||
|
+ bool empty_wild = (result == DNS_R_EMPTYWILD);
|
||
|
|
||
|
CCTRACE(ISC_LOG_DEBUG(3), "query_nxdomain");
|
||
|
|
||
|
@@ -9167,7 +9166,7 @@ query_nxdomain(query_ctx_t *qctx, bool empty_wild) {
|
||
|
INSIST(qctx->is_zone || REDIRECT(qctx->client));
|
||
|
|
||
|
if (!empty_wild) {
|
||
|
- result = query_redirect(qctx);
|
||
|
+ result = query_redirect(qctx, result);
|
||
|
if (result != ISC_R_COMPLETE) {
|
||
|
return (result);
|
||
|
}
|
||
|
@@ -9253,7 +9252,7 @@ cleanup:
|
||
|
* redirecting, so query processing should continue past it.
|
||
|
*/
|
||
|
static isc_result_t
|
||
|
-query_redirect(query_ctx_t *qctx) {
|
||
|
+query_redirect(query_ctx_t *qctx, isc_result_t saved_result) {
|
||
|
isc_result_t result;
|
||
|
|
||
|
CCTRACE(ISC_LOG_DEBUG(3), "query_redirect");
|
||
|
@@ -9294,7 +9293,7 @@ query_redirect(query_ctx_t *qctx) {
|
||
|
SAVE(qctx->client->query.redirect.rdataset, qctx->rdataset);
|
||
|
SAVE(qctx->client->query.redirect.sigrdataset,
|
||
|
qctx->sigrdataset);
|
||
|
- qctx->client->query.redirect.result = DNS_R_NCACHENXDOMAIN;
|
||
|
+ qctx->client->query.redirect.result = saved_result;
|
||
|
dns_name_copynf(qctx->fname,
|
||
|
qctx->client->query.redirect.fname);
|
||
|
qctx->client->query.redirect.authoritative =
|
||
|
@@ -9908,7 +9907,7 @@ query_coveringnsec(query_ctx_t *qctx) {
|
||
|
* We now have the proof that we have an NXDOMAIN. Apply
|
||
|
* NXDOMAIN redirection if configured.
|
||
|
*/
|
||
|
- result = query_redirect(qctx);
|
||
|
+ result = query_redirect(qctx, DNS_R_COVERINGNSEC);
|
||
|
if (result != ISC_R_COMPLETE) {
|
||
|
redirected = true;
|
||
|
goto cleanup;
|
||
|
--
|
||
|
2.43.0
|
||
|
|