From a3d327bf1ceaaeabb20223d8de85166e940b9f12 Mon Sep 17 00:00:00 2001 From: Mukund Sivaraman Date: Mon, 22 Feb 2016 12:22:43 +0530 Subject: [PATCH] Fix resolver assertion failure due to improper DNAME handling (CVE-2016-1286) (#41753) (cherry picked from commit 5995fec51cc8bb7e53804e4936e60aa1537f3673) CVE: CVE-2016-1286 Upstream-Status: Backport [Removed doc/arm/notes.xml changes from upstream patch.] Signed-off-by: Sona Sarmadi --- diff -ruN a/CHANGES b/CHANGES --- a/CHANGES 2016-04-13 07:28:44.940873629 +0200 +++ b/CHANGES 2016-04-13 07:38:38.923167851 +0200 @@ -1,3 +1,7 @@ +4319. [security] Fix resolver assertion failure due to improper + DNAME handling when parsing fetch reply messages. + (CVE-2016-1286) [RT #41753] + 4318. [security] Malformed control messages can trigger assertions in named and rndc. (CVE-2016-1285) [RT #41666] diff -ruN a/lib/dns/resolver.c b/lib/dns/resolver.c --- a/lib/dns/resolver.c 2016-04-13 07:28:43.088953790 +0200 +++ b/lib/dns/resolver.c 2016-04-13 07:38:20.411968925 +0200 @@ -6967,21 +6967,26 @@ isc_boolean_t found_dname = ISC_FALSE; dns_name_t *dname_name; + /* + * Only pass DNAME or RRSIG(DNAME). + */ + if (rdataset->type != dns_rdatatype_dname && + (rdataset->type != dns_rdatatype_rrsig || + rdataset->covers != dns_rdatatype_dname)) + continue; + + /* + * If we're not chaining, then the DNAME and + * its signature should not be external. + */ + if (!chaining && external) { + log_formerr(fctx, "external DNAME"); + return (DNS_R_FORMERR); + } + found = ISC_FALSE; aflag = 0; if (rdataset->type == dns_rdatatype_dname) { - /* - * We're looking for something else, - * but we found a DNAME. - * - * If we're not chaining, then the - * DNAME should not be external. - */ - if (!chaining && external) { - log_formerr(fctx, - "external DNAME"); - return (DNS_R_FORMERR); - } found = ISC_TRUE; want_chaining = ISC_TRUE; POST(want_chaining); @@ -7010,9 +7015,7 @@ &fctx->domain)) { return (DNS_R_SERVFAIL); } - } else if (rdataset->type == dns_rdatatype_rrsig - && rdataset->covers == - dns_rdatatype_dname) { + } else { /* * We've found a signature that * covers the DNAME.