From 276457f7a38f56a5f762238ab89bb45e27948af6 Mon Sep 17 00:00:00 2001
From: Evan Hunt <each@isc.org>
Date: Tue, 4 Jun 2013 11:22:47 -0700
Subject: [PATCH] [master] assertion failure in resolver.c

3584.	[security]	Caching data from an incompletely signed zone could
			trigger an assertion failure in resolver.c [RT #33690]
---
 CHANGES            |  3 +++
 lib/dns/resolver.c | 29 +++++++++++++++++++++++------
 2 files changed, 26 insertions(+), 6 deletions(-)

diff --git a/CHANGES b/CHANGES
index a1d23265bc..f22abfe05e 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,6 @@
+3584.	[security]	Caching data from an incompletely signed zone could
+			trigger an assertion failure in resolver.c [RT #33690]
+
 3583.	[bug]		Address memory leak in GSS-API processing [RT #33574]
 
 3582.	[bug]		Silence false positive warning regarding missing file
diff --git a/lib/dns/resolver.c b/lib/dns/resolver.c
index 7b7745d287..58f9ef0e41 100644
--- a/lib/dns/resolver.c
+++ b/lib/dns/resolver.c
@@ -4436,7 +4436,7 @@ fctx_log(void *arg, int level, const char *fmt, ...) {
 
 static inline isc_result_t
 findnoqname(fetchctx_t *fctx, dns_name_t *name, dns_rdatatype_t type,
-	    dns_name_t **noqname)
+	    dns_name_t **noqnamep)
 {
 	dns_rdataset_t *nrdataset, *next, *sigrdataset;
 	dns_rdata_rrsig_t rrsig;
@@ -4449,10 +4449,12 @@ findnoqname(fetchctx_t *fctx, dns_name_t *name, dns_rdatatype_t type,
 	dns_fixedname_t fclosest;
 	dns_name_t *nearest;
 	dns_fixedname_t fnearest;
+	dns_rdatatype_t found = dns_rdatatype_none;
+	dns_name_t *noqname = NULL;
 
 	FCTXTRACE("findnoqname");
 
-	REQUIRE(noqname != NULL && *noqname == NULL);
+	REQUIRE(noqnamep != NULL && *noqnamep == NULL);
 
 	/*
 	 * Find the SIG for this rdataset, if we have it.
@@ -4521,8 +4523,10 @@ findnoqname(fetchctx_t *fctx, dns_name_t *name, dns_rdatatype_t type,
 							&data, NULL, fctx_log,
 							fctx)))
 			{
-				if (!exists)
-					*noqname = nsec;
+				if (!exists) {
+					noqname = nsec;
+					found = dns_rdatatype_nsec;
+				}
 			}
 
 			if (nrdataset->type == dns_rdatatype_nsec3 &&
@@ -4535,13 +4539,26 @@ findnoqname(fetchctx_t *fctx, dns_name_t *name, dns_rdatatype_t type,
 							 closest, nearest,
 							 fctx_log, fctx)))
 			{
-				if (!exists && setnearest)
-					*noqname = nsec;
+				if (!exists && setnearest) {
+					noqname = nsec;
+					found = dns_rdatatype_nsec3;
+				}
 			}
 		}
 	}
 	if (result == ISC_R_NOMORE)
 		result = ISC_R_SUCCESS;
+	if (noqname != NULL) {
+		for (sigrdataset = ISC_LIST_HEAD(noqname->list);
+		     sigrdataset != NULL;
+		     sigrdataset = ISC_LIST_NEXT(sigrdataset, link)) {
+			if (sigrdataset->type == dns_rdatatype_rrsig &&
+			    sigrdataset->covers == found)
+				break;
+		}
+		if (sigrdataset != NULL)
+			*noqnamep = noqname;
+	}
 	return (result);
 }