1 files changed, 373 insertions, 0 deletions
diff --git a/meta/recipes-devtools/go/go-1.14/CVE-2021-33195.patch b/meta/recipes-devtools/go/go-1.14/CVE-2021-33195.patch
new file mode 100644
index 0000000000..3d9de888ff
--- /dev/null
+++ b/meta/recipes-devtools/go/go-1.14/CVE-2021-33195.patch
@@ -0,0 +1,373 @@
+From 9324d7e53151e9dfa4b25af994a28c2e0b11f729 Mon Sep 17 00:00:00 2001
+From: Roland Shoemaker <roland@golang.org>
+Date: Thu, 27 May 2021 10:40:06 -0700
+Subject: [PATCH] net: verify results from Lookup* are valid domain names
+Upstream-Status: Backport [https://github.com/golang/go/commit/31d60cda1f58b7558fc5725d2b9e4531655d980e]
+CVE: CVE-2021-33195
+Signed-off-by: Ralph Siemsen <ralph.siemsen@linaro.org>
+For the methods LookupCNAME, LookupSRV, LookupMX, LookupNS, and
+LookupAddr check that the returned domain names are in fact valid DNS
+names using the existing isDomainName function.
+Thanks to Philipp Jeitner and Haya Shulman from Fraunhofer SIT for
+reporting this issue.
+Updates #46241
+Fixes #46356
+Fixes CVE-2021-33195
+Change-Id: I47a4f58c031cb752f732e88bbdae7f819f0af4f3
+Reviewed-on: https://go-review.googlesource.com/c/go/+/323131
+Trust: Roland Shoemaker <roland@golang.org>
+Run-TryBot: Roland Shoemaker <roland@golang.org>
+TryBot-Result: Go Bot <gobot@golang.org>
+Reviewed-by: Filippo Valsorda <filippo@golang.org>
+Reviewed-by: Katie Hockman <katie@golang.org>
+(cherry picked from commit cdcd02842da7c004efd023881e3719105209c908)
+Reviewed-on: https://go-review.googlesource.com/c/go/+/323269
+---
+ src/net/dnsclient_unix_test.go | 157 +++++++++++++++++++++++++++++++++
+ src/net/lookup.go              | 111 ++++++++++++++++++++---
+ 2 files changed, 255 insertions(+), 13 deletions(-)
+diff --git a/src/net/dnsclient_unix_test.go b/src/net/dnsclient_unix_test.go
+index 2ad40df..b8617d9 100644
+--- a/src/net/dnsclient_unix_test.go
+++ b/src/net/dnsclient_unix_test.go
+@@ -1800,3 +1800,160 @@ func TestPTRandNonPTR(t *testing.T) {
+                t.Errorf("names = %q; want %q", names, want)
+        }
+ }
+
+func TestCVE202133195(t *testing.T) {
+       fake := fakeDNSServer{
+               rh: func(n, _ string, q dnsmessage.Message, _ time.Time) (dnsmessage.Message, error) {
+                       r := dnsmessage.Message{
+                               Header: dnsmessage.Header{
+                                       ID:                 q.Header.ID,
+                                       Response:           true,
+                                       RCode:              dnsmessage.RCodeSuccess,
+                                       RecursionAvailable: true,
+                               },
+                               Questions: q.Questions,
+                       }
+                       switch q.Questions[0].Type {
+                       case dnsmessage.TypeCNAME:
+                               r.Answers = []dnsmessage.Resource{}
+                       case dnsmessage.TypeA: // CNAME lookup uses a A/AAAA as a proxy
+                               r.Answers = append(r.Answers,
+                                       dnsmessage.Resource{
+                                               Header: dnsmessage.ResourceHeader{
+                                                       Name:   dnsmessage.MustNewName("<html>.golang.org."),
+                                                       Type:   dnsmessage.TypeA,
+                                                       Class:  dnsmessage.ClassINET,
+                                                       Length: 4,
+                                               },
+                                               Body: &dnsmessage.AResource{
+                                                       A: TestAddr,
+                                               },
+                                       },
+                               )
+                       case dnsmessage.TypeSRV:
+                               n := q.Questions[0].Name
+                               if n.String() == "_hdr._tcp.golang.org." {
+                                       n = dnsmessage.MustNewName("<html>.golang.org.")
+                               }
+                               r.Answers = append(r.Answers,
+                                       dnsmessage.Resource{
+                                               Header: dnsmessage.ResourceHeader{
+                                                       Name:   n,
+                                                       Type:   dnsmessage.TypeSRV,
+                                                       Class:  dnsmessage.ClassINET,
+                                                       Length: 4,
+                                               },
+                                               Body: &dnsmessage.SRVResource{
+                                                       Target: dnsmessage.MustNewName("<html>.golang.org."),
+                                               },
+                                       },
+                               )
+                       case dnsmessage.TypeMX:
+                               r.Answers = append(r.Answers,
+                                       dnsmessage.Resource{
+                                               Header: dnsmessage.ResourceHeader{
+                                                       Name:   dnsmessage.MustNewName("<html>.golang.org."),
+                                                       Type:   dnsmessage.TypeMX,
+                                                       Class:  dnsmessage.ClassINET,
+                                                       Length: 4,
+                                               },
+                                               Body: &dnsmessage.MXResource{
+                                                       MX: dnsmessage.MustNewName("<html>.golang.org."),
+                                               },
+                                       },
+                               )
+                       case dnsmessage.TypeNS:
+                               r.Answers = append(r.Answers,
+                                       dnsmessage.Resource{
+                                               Header: dnsmessage.ResourceHeader{
+                                                       Name:   dnsmessage.MustNewName("<html>.golang.org."),
+                                                       Type:   dnsmessage.TypeNS,
+                                                       Class:  dnsmessage.ClassINET,
+                                                       Length: 4,
+                                               },
+                                               Body: &dnsmessage.NSResource{
+                                                       NS: dnsmessage.MustNewName("<html>.golang.org."),
+                                               },
+                                       },
+                               )
+                       case dnsmessage.TypePTR:
+                               r.Answers = append(r.Answers,
+                                       dnsmessage.Resource{
+                                               Header: dnsmessage.ResourceHeader{
+                                                       Name:   dnsmessage.MustNewName("<html>.golang.org."),
+                                                       Type:   dnsmessage.TypePTR,
+                                                       Class:  dnsmessage.ClassINET,
+                                                       Length: 4,
+                                               },
+                                               Body: &dnsmessage.PTRResource{
+                                                       PTR: dnsmessage.MustNewName("<html>.golang.org."),
+                                               },
+                                       },
+                               )
+                       }
+                       return r, nil
+               },
+       }
+
+       r := Resolver{PreferGo: true, Dial: fake.DialContext}
+       // Change the default resolver to match our manipulated resolver
+       originalDefault := DefaultResolver
+       DefaultResolver = &r
+       defer func() {
+               DefaultResolver = originalDefault
+       }()
+
+       _, err := r.LookupCNAME(context.Background(), "golang.org")
+       if expected := "lookup golang.org: CNAME target is invalid"; err == nil || err.Error() != expected {
+               t.Errorf("Resolver.LookupCNAME returned unexpected error, got %q, want %q", err.Error(), expected)
+       }
+       _, err = LookupCNAME("golang.org")
+       if expected := "lookup golang.org: CNAME target is invalid"; err == nil || err.Error() != expected {
+               t.Errorf("LookupCNAME returned unexpected error, got %q, want %q", err.Error(), expected)
+       }
+
+       _, _, err = r.LookupSRV(context.Background(), "target", "tcp", "golang.org")
+       if expected := "lookup golang.org: SRV target is invalid"; err == nil || err.Error() != expected {
+               t.Errorf("Resolver.LookupSRV returned unexpected error, got %q, want %q", err.Error(), expected)
+       }
+       _, _, err = LookupSRV("target", "tcp", "golang.org")
+       if expected := "lookup golang.org: SRV target is invalid"; err == nil || err.Error() != expected {
+               t.Errorf("LookupSRV returned unexpected error, got %q, want %q", err.Error(), expected)
+       }
+
+       _, _, err = r.LookupSRV(context.Background(), "hdr", "tcp", "golang.org")
+       if expected := "lookup golang.org: SRV header name is invalid"; err == nil || err.Error() != expected {
+               t.Errorf("Resolver.LookupSRV returned unexpected error, got %q, want %q", err.Error(), expected)
+       }
+       _, _, err = LookupSRV("hdr", "tcp", "golang.org")
+       if expected := "lookup golang.org: SRV header name is invalid"; err == nil || err.Error() != expected {
+               t.Errorf("LookupSRV returned unexpected error, got %q, want %q", err.Error(), expected)
+       }
+
+       _, err = r.LookupMX(context.Background(), "golang.org")
+       if expected := "lookup golang.org: MX target is invalid"; err == nil || err.Error() != expected {
+               t.Errorf("Resolver.LookupMX returned unexpected error, got %q, want %q", err.Error(), expected)
+       }
+       _, err = LookupMX("golang.org")
+       if expected := "lookup golang.org: MX target is invalid"; err == nil || err.Error() != expected {
+               t.Errorf("LookupMX returned unexpected error, got %q, want %q", err.Error(), expected)
+       }
+
+       _, err = r.LookupNS(context.Background(), "golang.org")
+       if expected := "lookup golang.org: NS target is invalid"; err == nil || err.Error() != expected {
+               t.Errorf("Resolver.LookupNS returned unexpected error, got %q, want %q", err.Error(), expected)
+       }
+       _, err = LookupNS("golang.org")
+       if expected := "lookup golang.org: NS target is invalid"; err == nil || err.Error() != expected {
+               t.Errorf("LookupNS returned unexpected error, got %q, want %q", err.Error(), expected)
+       }
+
+       _, err = r.LookupAddr(context.Background(), "1.2.3.4")
+       if expected := "lookup 1.2.3.4: PTR target is invalid"; err == nil || err.Error() != expected {
+               t.Errorf("Resolver.LookupAddr returned unexpected error, got %q, want %q", err.Error(), expected)
+       }
+       _, err = LookupAddr("1.2.3.4")
+       if expected := "lookup 1.2.3.4: PTR target is invalid"; err == nil || err.Error() != expected {
+               t.Errorf("LookupAddr returned unexpected error, got %q, want %q", err.Error(), expected)
+       }
+}
+diff --git a/src/net/lookup.go b/src/net/lookup.go
+index 9cebd10..05e88e4 100644
+--- a/src/net/lookup.go
+++ b/src/net/lookup.go
+@@ -364,8 +364,11 @@ func (r *Resolver) LookupPort(ctx context.Context, network, service string) (por
+ // LookupCNAME does not return an error if host does not
+ // contain DNS "CNAME" records, as long as host resolves to
+ // address records.
+//
+// The returned canonical name is validated to be a properly
+// formatted presentation-format domain name.
+ func LookupCNAME(host string) (cname string, err error) {
+-       return DefaultResolver.lookupCNAME(context.Background(), host)
+       return DefaultResolver.LookupCNAME(context.Background(), host)
+ }
+ 
+ // LookupCNAME returns the canonical name for the given host.
+@@ -378,8 +381,18 @@ func LookupCNAME(host string) (cname string, err error) {
+ // LookupCNAME does not return an error if host does not
+ // contain DNS "CNAME" records, as long as host resolves to
+ // address records.
+-func (r *Resolver) LookupCNAME(ctx context.Context, host string) (cname string, err error) {
+-       return r.lookupCNAME(ctx, host)
+//
+// The returned canonical name is validated to be a properly
+// formatted presentation-format domain name.
+func (r *Resolver) LookupCNAME(ctx context.Context, host string) (string, error) {
+       cname, err := r.lookupCNAME(ctx, host)
+       if err != nil {
+               return "", err
+       }
+       if !isDomainName(cname) {
+               return "", &DNSError{Err: "CNAME target is invalid", Name: host}
+       }
+       return cname, nil
+ }
+ 
+ // LookupSRV tries to resolve an SRV query of the given service,
+@@ -391,8 +404,11 @@ func (r *Resolver) LookupCNAME(ctx context.Context, host string) (cname string,
+ // That is, it looks up _service._proto.name. To accommodate services
+ // publishing SRV records under non-standard names, if both service
+ // and proto are empty strings, LookupSRV looks up name directly.
+//
+// The returned service names are validated to be properly
+// formatted presentation-format domain names.
+ func LookupSRV(service, proto, name string) (cname string, addrs []*SRV, err error) {
+-       return DefaultResolver.lookupSRV(context.Background(), service, proto, name)
+       return DefaultResolver.LookupSRV(context.Background(), service, proto, name)
+ }
+ 
+ // LookupSRV tries to resolve an SRV query of the given service,
+@@ -404,28 +420,82 @@ func LookupSRV(service, proto, name string) (cname string, addrs []*SRV, err err
+ // That is, it looks up _service._proto.name. To accommodate services
+ // publishing SRV records under non-standard names, if both service
+ // and proto are empty strings, LookupSRV looks up name directly.
+-func (r *Resolver) LookupSRV(ctx context.Context, service, proto, name string) (cname string, addrs []*SRV, err error) {
+-       return r.lookupSRV(ctx, service, proto, name)
+//
+// The returned service names are validated to be properly
+// formatted presentation-format domain names.
+func (r *Resolver) LookupSRV(ctx context.Context, service, proto, name string) (string, []*SRV, error) {
+       cname, addrs, err := r.lookupSRV(ctx, service, proto, name)
+       if err != nil {
+               return "", nil, err
+       }
+       if cname != "" && !isDomainName(cname) {
+               return "", nil, &DNSError{Err: "SRV header name is invalid", Name: name}
+       }
+       for _, addr := range addrs {
+               if addr == nil {
+                       continue
+               }
+               if !isDomainName(addr.Target) {
+                       return "", nil, &DNSError{Err: "SRV target is invalid", Name: name}
+               }
+       }
+       return cname, addrs, nil
+ }
+ 
+ // LookupMX returns the DNS MX records for the given domain name sorted by preference.
+//
+// The returned mail server names are validated to be properly
+// formatted presentation-format domain names.
+ func LookupMX(name string) ([]*MX, error) {
+-       return DefaultResolver.lookupMX(context.Background(), name)
+       return DefaultResolver.LookupMX(context.Background(), name)
+ }
+ 
+ // LookupMX returns the DNS MX records for the given domain name sorted by preference.
+//
+// The returned mail server names are validated to be properly
+// formatted presentation-format domain names.
+ func (r *Resolver) LookupMX(ctx context.Context, name string) ([]*MX, error) {
+-       return r.lookupMX(ctx, name)
+       records, err := r.lookupMX(ctx, name)
+       if err != nil {
+               return nil, err
+       }
+       for _, mx := range records {
+               if mx == nil {
+                       continue
+               }
+               if !isDomainName(mx.Host) {
+                       return nil, &DNSError{Err: "MX target is invalid", Name: name}
+               }
+       }
+       return records, nil
+ }
+ 
+ // LookupNS returns the DNS NS records for the given domain name.
+//
+// The returned name server names are validated to be properly
+// formatted presentation-format domain names.
+ func LookupNS(name string) ([]*NS, error) {
+-       return DefaultResolver.lookupNS(context.Background(), name)
+       return DefaultResolver.LookupNS(context.Background(), name)
+ }
+ 
+ // LookupNS returns the DNS NS records for the given domain name.
+//
+// The returned name server names are validated to be properly
+// formatted presentation-format domain names.
+ func (r *Resolver) LookupNS(ctx context.Context, name string) ([]*NS, error) {
+-       return r.lookupNS(ctx, name)
+       records, err := r.lookupNS(ctx, name)
+       if err != nil {
+               return nil, err
+       }
+       for _, ns := range records {
+               if ns == nil {
+                       continue
+               }
+               if !isDomainName(ns.Host) {
+                       return nil, &DNSError{Err: "NS target is invalid", Name: name}
+               }
+       }
+       return records, nil
+ }
+ 
+ // LookupTXT returns the DNS TXT records for the given domain name.
+@@ -441,14 +511,29 @@ func (r *Resolver) LookupTXT(ctx context.Context, name string) ([]string, error)
+ // LookupAddr performs a reverse lookup for the given address, returning a list
+ // of names mapping to that address.
+ //
+// The returned names are validated to be properly formatted presentation-format
+// domain names.
+//
+ // When using the host C library resolver, at most one result will be
+ // returned. To bypass the host resolver, use a custom Resolver.
+ func LookupAddr(addr string) (names []string, err error) {
+-       return DefaultResolver.lookupAddr(context.Background(), addr)
+       return DefaultResolver.LookupAddr(context.Background(), addr)
+ }
+ 
+ // LookupAddr performs a reverse lookup for the given address, returning a list
+ // of names mapping to that address.
+-func (r *Resolver) LookupAddr(ctx context.Context, addr string) (names []string, err error) {
+-       return r.lookupAddr(ctx, addr)
+//
+// The returned names are validated to be properly formatted presentation-format
+// domain names.
+func (r *Resolver) LookupAddr(ctx context.Context, addr string) ([]string, error) {
+       names, err := r.lookupAddr(ctx, addr)
+       if err != nil {
+               return nil, err
+       }
+       for _, name := range names {
+               if !isDomainName(name) {
+                       return nil, &DNSError{Err: "PTR target is invalid", Name: addr}
+               }
+       }
+       return names, nil
+ }

diff --git a/meta/recipes-devtools/go/go-1.14/CVE-2021-33195.patch b/meta/recipes-devtools/go/go-1.14/CVE-2021-33195.patch new file mode 100644 index 0000000000..3d9de888ff --- /dev/null +++ b/meta/recipes-devtools/go/go-1.14/CVE-2021-33195.patch
@@ -0,0 +1,373 @@
	1	From 9324d7e53151e9dfa4b25af994a28c2e0b11f729 Mon Sep 17 00:00:00 2001
	2	From: Roland Shoemaker <roland@golang.org>
	3	Date: Thu, 27 May 2021 10:40:06 -0700
	4	Subject: [PATCH] net: verify results from Lookup* are valid domain names
	5
	6	Upstream-Status: Backport [https://github.com/golang/go/commit/31d60cda1f58b7558fc5725d2b9e4531655d980e]
	7	CVE: CVE-2021-33195
	8	Signed-off-by: Ralph Siemsen <ralph.siemsen@linaro.org>
	9
	10
	11	For the methods LookupCNAME, LookupSRV, LookupMX, LookupNS, and
	12	LookupAddr check that the returned domain names are in fact valid DNS
	13	names using the existing isDomainName function.
	14
	15	Thanks to Philipp Jeitner and Haya Shulman from Fraunhofer SIT for
	16	reporting this issue.
	17
	18	Updates #46241
	19	Fixes #46356
	20	Fixes CVE-2021-33195
	21
	22	Change-Id: I47a4f58c031cb752f732e88bbdae7f819f0af4f3
	23	Reviewed-on: https://go-review.googlesource.com/c/go/+/323131
	24	Trust: Roland Shoemaker <roland@golang.org>
	25	Run-TryBot: Roland Shoemaker <roland@golang.org>
	26	TryBot-Result: Go Bot <gobot@golang.org>
	27	Reviewed-by: Filippo Valsorda <filippo@golang.org>
	28	Reviewed-by: Katie Hockman <katie@golang.org>
	29	(cherry picked from commit cdcd02842da7c004efd023881e3719105209c908)
	30	Reviewed-on: https://go-review.googlesource.com/c/go/+/323269
	31	---
	32	src/net/dnsclient_unix_test.go \| 157 +++++++++++++++++++++++++++++++++
	33	src/net/lookup.go \| 111 ++++++++++++++++++++---
	34	2 files changed, 255 insertions(+), 13 deletions(-)
	35
	36	diff --git a/src/net/dnsclient_unix_test.go b/src/net/dnsclient_unix_test.go
	37	index 2ad40df..b8617d9 100644
	38	--- a/src/net/dnsclient_unix_test.go
	39	+++ b/src/net/dnsclient_unix_test.go
	40	@@ -1800,3 +1800,160 @@ func TestPTRandNonPTR(t *testing.T) {
	41	t.Errorf("names = %q; want %q", names, want)
	42	}
	43	}
	44	+
	45	+func TestCVE202133195(t *testing.T) {
	46	+ fake := fakeDNSServer{
	47	+ rh: func(n, _ string, q dnsmessage.Message, _ time.Time) (dnsmessage.Message, error) {
	48	+ r := dnsmessage.Message{
	49	+ Header: dnsmessage.Header{
	50	+ ID: q.Header.ID,
	51	+ Response: true,
	52	+ RCode: dnsmessage.RCodeSuccess,
	53	+ RecursionAvailable: true,
	54	+ },
	55	+ Questions: q.Questions,
	56	+ }
	57	+ switch q.Questions[0].Type {
	58	+ case dnsmessage.TypeCNAME:
	59	+ r.Answers = []dnsmessage.Resource{}
	60	+ case dnsmessage.TypeA: // CNAME lookup uses a A/AAAA as a proxy
	61	+ r.Answers = append(r.Answers,
	62	+ dnsmessage.Resource{
	63	+ Header: dnsmessage.ResourceHeader{
	64	+ Name: dnsmessage.MustNewName("<html>.golang.org."),
	65	+ Type: dnsmessage.TypeA,
	66	+ Class: dnsmessage.ClassINET,
	67	+ Length: 4,
	68	+ },
	69	+ Body: &dnsmessage.AResource{
	70	+ A: TestAddr,
	71	+ },
	72	+ },
	73	+ )
	74	+ case dnsmessage.TypeSRV:
	75	+ n := q.Questions[0].Name
	76	+ if n.String() == "_hdr._tcp.golang.org." {
	77	+ n = dnsmessage.MustNewName("<html>.golang.org.")
	78	+ }
	79	+ r.Answers = append(r.Answers,
	80	+ dnsmessage.Resource{
	81	+ Header: dnsmessage.ResourceHeader{
	82	+ Name: n,
	83	+ Type: dnsmessage.TypeSRV,
	84	+ Class: dnsmessage.ClassINET,
	85	+ Length: 4,
	86	+ },
	87	+ Body: &dnsmessage.SRVResource{
	88	+ Target: dnsmessage.MustNewName("<html>.golang.org."),
	89	+ },
	90	+ },
	91	+ )
	92	+ case dnsmessage.TypeMX:
	93	+ r.Answers = append(r.Answers,
	94	+ dnsmessage.Resource{
	95	+ Header: dnsmessage.ResourceHeader{
	96	+ Name: dnsmessage.MustNewName("<html>.golang.org."),
	97	+ Type: dnsmessage.TypeMX,
	98	+ Class: dnsmessage.ClassINET,
	99	+ Length: 4,
	100	+ },
	101	+ Body: &dnsmessage.MXResource{
	102	+ MX: dnsmessage.MustNewName("<html>.golang.org."),
	103	+ },
	104	+ },
	105	+ )
	106	+ case dnsmessage.TypeNS:
	107	+ r.Answers = append(r.Answers,
	108	+ dnsmessage.Resource{
	109	+ Header: dnsmessage.ResourceHeader{
	110	+ Name: dnsmessage.MustNewName("<html>.golang.org."),
	111	+ Type: dnsmessage.TypeNS,
	112	+ Class: dnsmessage.ClassINET,
	113	+ Length: 4,
	114	+ },
	115	+ Body: &dnsmessage.NSResource{
	116	+ NS: dnsmessage.MustNewName("<html>.golang.org."),
	117	+ },
	118	+ },
	119	+ )
	120	+ case dnsmessage.TypePTR:
	121	+ r.Answers = append(r.Answers,
	122	+ dnsmessage.Resource{
	123	+ Header: dnsmessage.ResourceHeader{
	124	+ Name: dnsmessage.MustNewName("<html>.golang.org."),
	125	+ Type: dnsmessage.TypePTR,
	126	+ Class: dnsmessage.ClassINET,
	127	+ Length: 4,
	128	+ },
	129	+ Body: &dnsmessage.PTRResource{
	130	+ PTR: dnsmessage.MustNewName("<html>.golang.org."),
	131	+ },
	132	+ },
	133	+ )
	134	+ }
	135	+ return r, nil
	136	+ },
	137	+ }
	138	+
	139	+ r := Resolver{PreferGo: true, Dial: fake.DialContext}
	140	+ // Change the default resolver to match our manipulated resolver
	141	+ originalDefault := DefaultResolver
	142	+ DefaultResolver = &r
	143	+ defer func() {
	144	+ DefaultResolver = originalDefault
	145	+ }()
	146	+
	147	+ _, err := r.LookupCNAME(context.Background(), "golang.org")
	148	+ if expected := "lookup golang.org: CNAME target is invalid"; err == nil \|\| err.Error() != expected {
	149	+ t.Errorf("Resolver.LookupCNAME returned unexpected error, got %q, want %q", err.Error(), expected)
	150	+ }
	151	+ _, err = LookupCNAME("golang.org")
	152	+ if expected := "lookup golang.org: CNAME target is invalid"; err == nil \|\| err.Error() != expected {
	153	+ t.Errorf("LookupCNAME returned unexpected error, got %q, want %q", err.Error(), expected)
	154	+ }
	155	+
	156	+ _, _, err = r.LookupSRV(context.Background(), "target", "tcp", "golang.org")
	157	+ if expected := "lookup golang.org: SRV target is invalid"; err == nil \|\| err.Error() != expected {
	158	+ t.Errorf("Resolver.LookupSRV returned unexpected error, got %q, want %q", err.Error(), expected)
	159	+ }
	160	+ _, _, err = LookupSRV("target", "tcp", "golang.org")
	161	+ if expected := "lookup golang.org: SRV target is invalid"; err == nil \|\| err.Error() != expected {
	162	+ t.Errorf("LookupSRV returned unexpected error, got %q, want %q", err.Error(), expected)
	163	+ }
	164	+
	165	+ _, _, err = r.LookupSRV(context.Background(), "hdr", "tcp", "golang.org")
	166	+ if expected := "lookup golang.org: SRV header name is invalid"; err == nil \|\| err.Error() != expected {
	167	+ t.Errorf("Resolver.LookupSRV returned unexpected error, got %q, want %q", err.Error(), expected)
	168	+ }
	169	+ _, _, err = LookupSRV("hdr", "tcp", "golang.org")
	170	+ if expected := "lookup golang.org: SRV header name is invalid"; err == nil \|\| err.Error() != expected {
	171	+ t.Errorf("LookupSRV returned unexpected error, got %q, want %q", err.Error(), expected)
	172	+ }
	173	+
	174	+ _, err = r.LookupMX(context.Background(), "golang.org")
	175	+ if expected := "lookup golang.org: MX target is invalid"; err == nil \|\| err.Error() != expected {
	176	+ t.Errorf("Resolver.LookupMX returned unexpected error, got %q, want %q", err.Error(), expected)
	177	+ }
	178	+ _, err = LookupMX("golang.org")
	179	+ if expected := "lookup golang.org: MX target is invalid"; err == nil \|\| err.Error() != expected {
	180	+ t.Errorf("LookupMX returned unexpected error, got %q, want %q", err.Error(), expected)
	181	+ }
	182	+
	183	+ _, err = r.LookupNS(context.Background(), "golang.org")
	184	+ if expected := "lookup golang.org: NS target is invalid"; err == nil \|\| err.Error() != expected {
	185	+ t.Errorf("Resolver.LookupNS returned unexpected error, got %q, want %q", err.Error(), expected)
	186	+ }
	187	+ _, err = LookupNS("golang.org")
	188	+ if expected := "lookup golang.org: NS target is invalid"; err == nil \|\| err.Error() != expected {
	189	+ t.Errorf("LookupNS returned unexpected error, got %q, want %q", err.Error(), expected)
	190	+ }
	191	+
	192	+ _, err = r.LookupAddr(context.Background(), "1.2.3.4")
	193	+ if expected := "lookup 1.2.3.4: PTR target is invalid"; err == nil \|\| err.Error() != expected {
	194	+ t.Errorf("Resolver.LookupAddr returned unexpected error, got %q, want %q", err.Error(), expected)
	195	+ }
	196	+ _, err = LookupAddr("1.2.3.4")
	197	+ if expected := "lookup 1.2.3.4: PTR target is invalid"; err == nil \|\| err.Error() != expected {
	198	+ t.Errorf("LookupAddr returned unexpected error, got %q, want %q", err.Error(), expected)
	199	+ }
	200	+}
	201	diff --git a/src/net/lookup.go b/src/net/lookup.go
	202	index 9cebd10..05e88e4 100644
	203	--- a/src/net/lookup.go
	204	+++ b/src/net/lookup.go
	205	@@ -364,8 +364,11 @@ func (r *Resolver) LookupPort(ctx context.Context, network, service string) (por
	206	// LookupCNAME does not return an error if host does not
	207	// contain DNS "CNAME" records, as long as host resolves to
	208	// address records.
	209	+//
	210	+// The returned canonical name is validated to be a properly
	211	+// formatted presentation-format domain name.
	212	func LookupCNAME(host string) (cname string, err error) {
	213	- return DefaultResolver.lookupCNAME(context.Background(), host)
	214	+ return DefaultResolver.LookupCNAME(context.Background(), host)
	215	}
	216
	217	// LookupCNAME returns the canonical name for the given host.
	218	@@ -378,8 +381,18 @@ func LookupCNAME(host string) (cname string, err error) {
	219	// LookupCNAME does not return an error if host does not
	220	// contain DNS "CNAME" records, as long as host resolves to
	221	// address records.
	222	-func (r *Resolver) LookupCNAME(ctx context.Context, host string) (cname string, err error) {
	223	- return r.lookupCNAME(ctx, host)
	224	+//
	225	+// The returned canonical name is validated to be a properly
	226	+// formatted presentation-format domain name.
	227	+func (r *Resolver) LookupCNAME(ctx context.Context, host string) (string, error) {
	228	+ cname, err := r.lookupCNAME(ctx, host)
	229	+ if err != nil {
	230	+ return "", err
	231	+ }
	232	+ if !isDomainName(cname) {
	233	+ return "", &DNSError{Err: "CNAME target is invalid", Name: host}
	234	+ }
	235	+ return cname, nil
	236	}
	237
	238	// LookupSRV tries to resolve an SRV query of the given service,
	239	@@ -391,8 +404,11 @@ func (r *Resolver) LookupCNAME(ctx context.Context, host string) (cname string,
	240	// That is, it looks up _service._proto.name. To accommodate services
	241	// publishing SRV records under non-standard names, if both service
	242	// and proto are empty strings, LookupSRV looks up name directly.
	243	+//
	244	+// The returned service names are validated to be properly
	245	+// formatted presentation-format domain names.
	246	func LookupSRV(service, proto, name string) (cname string, addrs []*SRV, err error) {
	247	- return DefaultResolver.lookupSRV(context.Background(), service, proto, name)
	248	+ return DefaultResolver.LookupSRV(context.Background(), service, proto, name)
	249	}
	250
	251	// LookupSRV tries to resolve an SRV query of the given service,
	252	@@ -404,28 +420,82 @@ func LookupSRV(service, proto, name string) (cname string, addrs []*SRV, err err
	253	// That is, it looks up _service._proto.name. To accommodate services
	254	// publishing SRV records under non-standard names, if both service
	255	// and proto are empty strings, LookupSRV looks up name directly.
	256	-func (r Resolver) LookupSRV(ctx context.Context, service, proto, name string) (cname string, addrs []SRV, err error) {
	257	- return r.lookupSRV(ctx, service, proto, name)
	258	+//
	259	+// The returned service names are validated to be properly
	260	+// formatted presentation-format domain names.
	261	+func (r Resolver) LookupSRV(ctx context.Context, service, proto, name string) (string, []SRV, error) {
	262	+ cname, addrs, err := r.lookupSRV(ctx, service, proto, name)
	263	+ if err != nil {
	264	+ return "", nil, err
	265	+ }
	266	+ if cname != "" && !isDomainName(cname) {
	267	+ return "", nil, &DNSError{Err: "SRV header name is invalid", Name: name}
	268	+ }
	269	+ for _, addr := range addrs {
	270	+ if addr == nil {
	271	+ continue
	272	+ }
	273	+ if !isDomainName(addr.Target) {
	274	+ return "", nil, &DNSError{Err: "SRV target is invalid", Name: name}
	275	+ }
	276	+ }
	277	+ return cname, addrs, nil
	278	}
	279
	280	// LookupMX returns the DNS MX records for the given domain name sorted by preference.
	281	+//
	282	+// The returned mail server names are validated to be properly
	283	+// formatted presentation-format domain names.
	284	func LookupMX(name string) ([]*MX, error) {
	285	- return DefaultResolver.lookupMX(context.Background(), name)
	286	+ return DefaultResolver.LookupMX(context.Background(), name)
	287	}
	288
	289	// LookupMX returns the DNS MX records for the given domain name sorted by preference.
	290	+//
	291	+// The returned mail server names are validated to be properly
	292	+// formatted presentation-format domain names.
	293	func (r Resolver) LookupMX(ctx context.Context, name string) ([]MX, error) {
	294	- return r.lookupMX(ctx, name)
	295	+ records, err := r.lookupMX(ctx, name)
	296	+ if err != nil {
	297	+ return nil, err
	298	+ }
	299	+ for _, mx := range records {
	300	+ if mx == nil {
	301	+ continue
	302	+ }
	303	+ if !isDomainName(mx.Host) {
	304	+ return nil, &DNSError{Err: "MX target is invalid", Name: name}
	305	+ }
	306	+ }
	307	+ return records, nil
	308	}
	309
	310	// LookupNS returns the DNS NS records for the given domain name.
	311	+//
	312	+// The returned name server names are validated to be properly
	313	+// formatted presentation-format domain names.
	314	func LookupNS(name string) ([]*NS, error) {
	315	- return DefaultResolver.lookupNS(context.Background(), name)
	316	+ return DefaultResolver.LookupNS(context.Background(), name)
	317	}
	318
	319	// LookupNS returns the DNS NS records for the given domain name.
	320	+//
	321	+// The returned name server names are validated to be properly
	322	+// formatted presentation-format domain names.
	323	func (r Resolver) LookupNS(ctx context.Context, name string) ([]NS, error) {
	324	- return r.lookupNS(ctx, name)
	325	+ records, err := r.lookupNS(ctx, name)
	326	+ if err != nil {
	327	+ return nil, err
	328	+ }
	329	+ for _, ns := range records {
	330	+ if ns == nil {
	331	+ continue
	332	+ }
	333	+ if !isDomainName(ns.Host) {
	334	+ return nil, &DNSError{Err: "NS target is invalid", Name: name}
	335	+ }
	336	+ }
	337	+ return records, nil
	338	}
	339
	340	// LookupTXT returns the DNS TXT records for the given domain name.
	341	@@ -441,14 +511,29 @@ func (r *Resolver) LookupTXT(ctx context.Context, name string) ([]string, error)
	342	// LookupAddr performs a reverse lookup for the given address, returning a list
	343	// of names mapping to that address.
	344	//
	345	+// The returned names are validated to be properly formatted presentation-format
	346	+// domain names.
	347	+//
	348	// When using the host C library resolver, at most one result will be
	349	// returned. To bypass the host resolver, use a custom Resolver.
	350	func LookupAddr(addr string) (names []string, err error) {
	351	- return DefaultResolver.lookupAddr(context.Background(), addr)
	352	+ return DefaultResolver.LookupAddr(context.Background(), addr)
	353	}
	354
	355	// LookupAddr performs a reverse lookup for the given address, returning a list
	356	// of names mapping to that address.
	357	-func (r *Resolver) LookupAddr(ctx context.Context, addr string) (names []string, err error) {
	358	- return r.lookupAddr(ctx, addr)
	359	+//
	360	+// The returned names are validated to be properly formatted presentation-format
	361	+// domain names.
	362	+func (r *Resolver) LookupAddr(ctx context.Context, addr string) ([]string, error) {
	363	+ names, err := r.lookupAddr(ctx, addr)
	364	+ if err != nil {
	365	+ return nil, err
	366	+ }
	367	+ for _, name := range names {
	368	+ if !isDomainName(name) {
	369	+ return nil, &DNSError{Err: "PTR target is invalid", Name: addr}
	370	+ }
	371	+ }
	372	+ return names, nil
	373	}