aboutsummaryrefslogtreecommitdiffstats
path: root/meta/recipes-connectivity/bind/bind/CVE-2016-1286_1.patch
blob: ae5cc48d9cca94c48cce11e2019f68a9a5df8868 (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
From a3d327bf1ceaaeabb20223d8de85166e940b9f12 Mon Sep 17 00:00:00 2001
From: Mukund Sivaraman <muks@isc.org>
Date: Mon, 22 Feb 2016 12:22:43 +0530
Subject: [PATCH] Fix resolver assertion failure due to improper DNAME handling
 (CVE-2016-1286) (#41753)

(cherry picked from commit 5995fec51cc8bb7e53804e4936e60aa1537f3673)

CVE: CVE-2016-1286
Upstream-Status: Backport

[Removed doc/arm/notes.xml changes from upstream patch.]

Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
---
diff -ruN a/CHANGES b/CHANGES
--- a/CHANGES	2016-04-13 07:28:44.940873629 +0200
+++ b/CHANGES	2016-04-13 07:38:38.923167851 +0200
@@ -1,3 +1,7 @@
+4319.  [security]      Fix resolver assertion failure due to improper
+                       DNAME handling when parsing fetch reply messages.
+                       (CVE-2016-1286) [RT #41753]
+
 4318.	[security]	Malformed control messages can trigger assertions
 			in named and rndc. (CVE-2016-1285) [RT #41666]
 
diff -ruN a/lib/dns/resolver.c b/lib/dns/resolver.c
--- a/lib/dns/resolver.c	2016-04-13 07:28:43.088953790 +0200
+++ b/lib/dns/resolver.c	2016-04-13 07:38:20.411968925 +0200
@@ -6967,21 +6967,26 @@
 				isc_boolean_t found_dname = ISC_FALSE;
 				dns_name_t *dname_name;
 
+				/*
+				 * Only pass DNAME or RRSIG(DNAME).
+				 */
+				if (rdataset->type != dns_rdatatype_dname &&
+				    (rdataset->type != dns_rdatatype_rrsig ||
+				     rdataset->covers != dns_rdatatype_dname))
+					continue;
+
+				/*
+				 * If we're not chaining, then the DNAME and
+				 * its signature should not be external.
+				 */
+				if (!chaining && external) {
+					log_formerr(fctx, "external DNAME");
+					return (DNS_R_FORMERR);
+				}
+
 				found = ISC_FALSE;
 				aflag = 0;
 				if (rdataset->type == dns_rdatatype_dname) {
-					/*
-					 * We're looking for something else,
-					 * but we found a DNAME.
-					 *
-					 * If we're not chaining, then the
-					 * DNAME should not be external.
-					 */
-					if (!chaining && external) {
-						log_formerr(fctx,
-							    "external DNAME");
-						return (DNS_R_FORMERR);
-					}
 					found = ISC_TRUE;
 					want_chaining = ISC_TRUE;
 					POST(want_chaining);
@@ -7010,9 +7015,7 @@
 							&fctx->domain)) {
 						return (DNS_R_SERVFAIL);
 					}
-				} else if (rdataset->type == dns_rdatatype_rrsig
-					   && rdataset->covers ==
-					   dns_rdatatype_dname) {
+				} else {
 					/*
 					 * We've found a signature that
 					 * covers the DNAME.