From 76c3c9fe9f3f1353b47214b8f98b3d7f53e10bc7 Mon Sep 17 00:00:00 2001 From: Mukund Sivaraman Date: Mon, 22 Feb 2016 12:22:43 +0530 Subject: [PATCH] Fix resolver assertion failure due to improper DNAME handling (CVE-2016-1286) (#41753) (cherry picked from commit 5995fec51cc8bb7e53804e4936e60aa1537f3673) (cherry picked from commit 456e1eadd2a3a2fb9617e60d4db90ef4ba7c6ba3) CVE: CVE-2016-1286 Upstream-Status: Backport [Skipped CHANGES and doc/arm/notes.xml changes.] Signed-off-by: Sona Sarmadi --- CHANGES | 4 ++++ doc/arm/notes.xml | 7 +++++++ lib/dns/resolver.c | 33 ++++++++++++++++++--------------- 3 files changed, 29 insertions(+), 15 deletions(-) diff --git a/lib/dns/resolver.c b/lib/dns/resolver.c index 735f7d2..0602070 100644 --- a/lib/dns/resolver.c +++ b/lib/dns/resolver.c @@ -6701,21 +6701,26 @@ answer_response(fetchctx_t *fctx) { isc_boolean_t found_dname = ISC_FALSE; dns_name_t *dname_name; + /* + * Only pass DNAME or RRSIG(DNAME). + */ + if (rdataset->type != dns_rdatatype_dname && + (rdataset->type != dns_rdatatype_rrsig || + rdataset->covers != dns_rdatatype_dname)) + continue; + + /* + * If we're not chaining, then the DNAME and + * its signature should not be external. + */ + if (!chaining && external) { + log_formerr(fctx, "external DNAME"); + return (DNS_R_FORMERR); + } + found = ISC_FALSE; aflag = 0; if (rdataset->type == dns_rdatatype_dname) { - /* - * We're looking for something else, - * but we found a DNAME. - * - * If we're not chaining, then the - * DNAME should not be external. - */ - if (!chaining && external) { - log_formerr(fctx, - "external DNAME"); - return (DNS_R_FORMERR); - } found = ISC_TRUE; want_chaining = ISC_TRUE; POST(want_chaining); @@ -6744,9 +6749,7 @@ answer_response(fetchctx_t *fctx) { &fctx->domain)) { return (DNS_R_SERVFAIL); } - } else if (rdataset->type == dns_rdatatype_rrsig - && rdataset->covers == - dns_rdatatype_dname) { + } else { /* * We've found a signature that * covers the DNAME. -- 1.9.1