blob: d8769c45cc9f71745b62b02b39a7f57673ddafe3 (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
|
Upstream-Status: Backport [https://downloads.isc.org/isc/bind9/9.11.19/patches/CVE-2020-8617.patch]
CVE: CVE-2020-8617
Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com>
---
diff --git a/lib/dns/tsig.c b/lib/dns/tsig.c
index b597a18d49..6357a3a486 100644
--- a/lib/dns/tsig.c
+++ b/lib/dns/tsig.c
@@ -1427,8 +1424,9 @@ dns_tsig_verify(isc_buffer_t *source, dns_message_t *msg,
goto cleanup_context;
}
msg->verified_sig = 1;
- } else if (tsig.error != dns_tsigerror_badsig &&
- tsig.error != dns_tsigerror_badkey) {
+ } else if (!response || (tsig.error != dns_tsigerror_badsig &&
+ tsig.error != dns_tsigerror_badkey))
+ {
tsig_log(msg->tsigkey, 2, "signature was empty");
return (DNS_R_TSIGVERIFYFAILURE);
}
@@ -1484,7 +1482,7 @@ dns_tsig_verify(isc_buffer_t *source, dns_message_t *msg,
}
}
- if (tsig.error != dns_rcode_noerror) {
+ if (response && tsig.error != dns_rcode_noerror) {
msg->tsigstatus = tsig.error;
if (tsig.error == dns_tsigerror_badtime)
ret = DNS_R_CLOCKSKEW;
|
