Module Name: src
Committed By: christos
Date: Tue Feb 13 15:22:03 UTC 2024
Modified Files:
src/external/mpl/bind/dist/lib/ns: query.c
Log Message:
Apply patch for CVE-2023-5517:
A flaw in query-handling code can cause `named` to exit prematurely
with an assertion failure when: - `nxdomain-redirect <domain>;` is
configured, and - the resolver receives a PTR query for an RFC 1918
address that would normally result in an authoritative NXDOMAIN
response. This issue affects BIND 9 versions 9.12.0 through 9.16.45,
9.18.0 through 9.18.21, 9.19.0 through 9.19.19, 9.16.8-S1 through
9.16.45-S1, and 9.18.11-S1 through 9.18.21-S1.
To generate a diff of this commit:
cvs rdiff -u -r1.17 -r1.18 src/external/mpl/bind/dist/lib/ns/query.c
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
Modified files:
Index: src/external/mpl/bind/dist/lib/ns/query.c
diff -u src/external/mpl/bind/dist/lib/ns/query.c:1.17 src/external/mpl/bind/dist/lib/ns/query.c:1.18
--- src/external/mpl/bind/dist/lib/ns/query.c:1.17 Mon Jun 26 18:03:01 2023
+++ src/external/mpl/bind/dist/lib/ns/query.c Tue Feb 13 10:22:03 2024
@@ -1,4 +1,4 @@
-/* $NetBSD: query.c,v 1.17 2023/06/26 22:03:01 christos Exp $ */
+/* $NetBSD: query.c,v 1.18 2024/02/13 15:22:03 christos Exp $ */
/*
* Copyright (C) Internet Systems Consortium, Inc. ("ISC")
@@ -459,10 +459,10 @@ static void
query_addnxrrsetnsec(query_ctx_t *qctx);
static isc_result_t
-query_nxdomain(query_ctx_t *qctx, bool empty_wild);
+query_nxdomain(query_ctx_t *qctx, isc_result_t result);
static isc_result_t
-query_redirect(query_ctx_t *qctx);
+query_redirect(query_ctx_t *qctx, isc_result_t result);
static isc_result_t
query_ncache(query_ctx_t *qctx, isc_result_t result);
@@ -7352,8 +7352,7 @@ query_usestale(query_ctx_t *qctx, isc_re
* result from the search.
*/
static isc_result_t
-query_gotanswer(query_ctx_t *qctx, isc_result_t res) {
- isc_result_t result = res;
+query_gotanswer(query_ctx_t *qctx, isc_result_t result) {
char errmsg[256];
CCTRACE(ISC_LOG_DEBUG(3), "query_gotanswer");
@@ -7423,16 +7422,16 @@ root_key_sentinel:
return (query_nodata(qctx, DNS_R_NXRRSET));
case DNS_R_EMPTYWILD:
- return (query_nxdomain(qctx, true));
+ return (query_nxdomain(qctx, DNS_R_EMPTYWILD));
case DNS_R_NXDOMAIN:
- return (query_nxdomain(qctx, false));
+ return (query_nxdomain(qctx, DNS_R_NXDOMAIN));
case DNS_R_COVERINGNSEC:
return (query_coveringnsec(qctx));
case DNS_R_NCACHENXDOMAIN:
- result = query_redirect(qctx);
+ result = query_redirect(qctx, result);
if (result != ISC_R_COMPLETE) {
return (result);
}
@@ -9250,10 +9249,10 @@ query_addnxrrsetnsec(query_ctx_t *qctx)
* Handle NXDOMAIN and empty wildcard responses.
*/
static isc_result_t
-query_nxdomain(query_ctx_t *qctx, bool empty_wild) {
+query_nxdomain(query_ctx_t *qctx, isc_result_t result) {
dns_section_t section;
uint32_t ttl;
- isc_result_t result;
+ bool empty_wild = (result == DNS_R_EMPTYWILD);
CCTRACE(ISC_LOG_DEBUG(3), "query_nxdomain");
@@ -9262,7 +9261,7 @@ query_nxdomain(query_ctx_t *qctx, bool e
INSIST(qctx->is_zone || REDIRECT(qctx->client));
if (!empty_wild) {
- result = query_redirect(qctx);
+ result = query_redirect(qctx, result);
if (result != ISC_R_COMPLETE) {
return (result);
}
@@ -9350,7 +9349,7 @@ cleanup:
* redirecting, so query processing should continue past it.
*/
static isc_result_t
-query_redirect(query_ctx_t *qctx) {
+query_redirect(query_ctx_t *qctx, isc_result_t saved_result) {
isc_result_t result;
CCTRACE(ISC_LOG_DEBUG(3), "query_redirect");
@@ -9391,7 +9390,7 @@ query_redirect(query_ctx_t *qctx) {
SAVE(qctx->client->query.redirect.rdataset, qctx->rdataset);
SAVE(qctx->client->query.redirect.sigrdataset,
qctx->sigrdataset);
- qctx->client->query.redirect.result = DNS_R_NCACHENXDOMAIN;
+ qctx->client->query.redirect.result = saved_result;
dns_name_copynf(qctx->fname,
qctx->client->query.redirect.fname);
qctx->client->query.redirect.authoritative =
@@ -10006,7 +10005,7 @@ query_coveringnsec(query_ctx_t *qctx) {
* We now have the proof that we have an NXDOMAIN. Apply
* NXDOMAIN redirection if configured.
*/
- result = query_redirect(qctx);
+ result = query_redirect(qctx, DNS_R_COVERINGNSEC);
if (result != ISC_R_COMPLETE) {
redirected = true;
goto cleanup;
