Module Name: src Committed By: christos Date: Tue Feb 13 15:22:03 UTC 2024
Modified Files: src/external/mpl/bind/dist/lib/ns: query.c Log Message: Apply patch for CVE-2023-5517: A flaw in query-handling code can cause `named` to exit prematurely with an assertion failure when: - `nxdomain-redirect <domain>;` is configured, and - the resolver receives a PTR query for an RFC 1918 address that would normally result in an authoritative NXDOMAIN response. This issue affects BIND 9 versions 9.12.0 through 9.16.45, 9.18.0 through 9.18.21, 9.19.0 through 9.19.19, 9.16.8-S1 through 9.16.45-S1, and 9.18.11-S1 through 9.18.21-S1. To generate a diff of this commit: cvs rdiff -u -r1.17 -r1.18 src/external/mpl/bind/dist/lib/ns/query.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files.
Modified files: Index: src/external/mpl/bind/dist/lib/ns/query.c diff -u src/external/mpl/bind/dist/lib/ns/query.c:1.17 src/external/mpl/bind/dist/lib/ns/query.c:1.18 --- src/external/mpl/bind/dist/lib/ns/query.c:1.17 Mon Jun 26 18:03:01 2023 +++ src/external/mpl/bind/dist/lib/ns/query.c Tue Feb 13 10:22:03 2024 @@ -1,4 +1,4 @@ -/* $NetBSD: query.c,v 1.17 2023/06/26 22:03:01 christos Exp $ */ +/* $NetBSD: query.c,v 1.18 2024/02/13 15:22:03 christos Exp $ */ /* * Copyright (C) Internet Systems Consortium, Inc. ("ISC") @@ -459,10 +459,10 @@ static void query_addnxrrsetnsec(query_ctx_t *qctx); static isc_result_t -query_nxdomain(query_ctx_t *qctx, bool empty_wild); +query_nxdomain(query_ctx_t *qctx, isc_result_t result); static isc_result_t -query_redirect(query_ctx_t *qctx); +query_redirect(query_ctx_t *qctx, isc_result_t result); static isc_result_t query_ncache(query_ctx_t *qctx, isc_result_t result); @@ -7352,8 +7352,7 @@ query_usestale(query_ctx_t *qctx, isc_re * result from the search. */ static isc_result_t -query_gotanswer(query_ctx_t *qctx, isc_result_t res) { - isc_result_t result = res; +query_gotanswer(query_ctx_t *qctx, isc_result_t result) { char errmsg[256]; CCTRACE(ISC_LOG_DEBUG(3), "query_gotanswer"); @@ -7423,16 +7422,16 @@ root_key_sentinel: return (query_nodata(qctx, DNS_R_NXRRSET)); case DNS_R_EMPTYWILD: - return (query_nxdomain(qctx, true)); + return (query_nxdomain(qctx, DNS_R_EMPTYWILD)); case DNS_R_NXDOMAIN: - return (query_nxdomain(qctx, false)); + return (query_nxdomain(qctx, DNS_R_NXDOMAIN)); case DNS_R_COVERINGNSEC: return (query_coveringnsec(qctx)); case DNS_R_NCACHENXDOMAIN: - result = query_redirect(qctx); + result = query_redirect(qctx, result); if (result != ISC_R_COMPLETE) { return (result); } @@ -9250,10 +9249,10 @@ query_addnxrrsetnsec(query_ctx_t *qctx) * Handle NXDOMAIN and empty wildcard responses. */ static isc_result_t -query_nxdomain(query_ctx_t *qctx, bool empty_wild) { +query_nxdomain(query_ctx_t *qctx, isc_result_t result) { dns_section_t section; uint32_t ttl; - isc_result_t result; + bool empty_wild = (result == DNS_R_EMPTYWILD); CCTRACE(ISC_LOG_DEBUG(3), "query_nxdomain"); @@ -9262,7 +9261,7 @@ query_nxdomain(query_ctx_t *qctx, bool e INSIST(qctx->is_zone || REDIRECT(qctx->client)); if (!empty_wild) { - result = query_redirect(qctx); + result = query_redirect(qctx, result); if (result != ISC_R_COMPLETE) { return (result); } @@ -9350,7 +9349,7 @@ cleanup: * redirecting, so query processing should continue past it. */ static isc_result_t -query_redirect(query_ctx_t *qctx) { +query_redirect(query_ctx_t *qctx, isc_result_t saved_result) { isc_result_t result; CCTRACE(ISC_LOG_DEBUG(3), "query_redirect"); @@ -9391,7 +9390,7 @@ query_redirect(query_ctx_t *qctx) { SAVE(qctx->client->query.redirect.rdataset, qctx->rdataset); SAVE(qctx->client->query.redirect.sigrdataset, qctx->sigrdataset); - qctx->client->query.redirect.result = DNS_R_NCACHENXDOMAIN; + qctx->client->query.redirect.result = saved_result; dns_name_copynf(qctx->fname, qctx->client->query.redirect.fname); qctx->client->query.redirect.authoritative = @@ -10006,7 +10005,7 @@ query_coveringnsec(query_ctx_t *qctx) { * We now have the proof that we have an NXDOMAIN. Apply * NXDOMAIN redirection if configured. */ - result = query_redirect(qctx); + result = query_redirect(qctx, DNS_R_COVERINGNSEC); if (result != ISC_R_COMPLETE) { redirected = true; goto cleanup;