From 6c8a97c78f2e602bfda0f224f3dce685e2300001 Mon Sep 17 00:00:00 2001 From: Artem Boldariev Date: Thu, 11 Nov 2021 16:17:02 +0200 Subject: [PATCH 1/2] Fix a crash on unexpected incoming DNS message during XoT xfer This commit fixes a peculiar corner case in the client-side DoT code because of which a crash could occur during a zone transfer. A junk DNS message should be sent at the end of a zone transfer via TLS to trigger the crash (abort). This commit, hopefully, fixes that. Also, this commit adds similar changes to the TCP DNS code, as it shares the same origin and most of the logic. --- lib/isc/netmgr/tcpdns.c | 17 +++++++++++++++++ lib/isc/netmgr/tlsdns.c | 16 ++++++++++++++-- 2 files changed, 31 insertions(+), 2 deletions(-) diff --git a/lib/isc/netmgr/tcpdns.c b/lib/isc/netmgr/tcpdns.c index fb8308d6db..5fed46018f 100644 --- a/lib/isc/netmgr/tcpdns.c +++ b/lib/isc/netmgr/tcpdns.c @@ -774,6 +774,23 @@ isc__nm_tcpdns_processbuffer(isc_nmsocket_t *sock) { return (ISC_R_NOMORE); } + if (sock->recv_cb == NULL) { + /* + * recv_cb has been cleared - there is + * nothing to do + */ + return (ISC_R_CANCELED); + } else if (sock->statichandle == NULL && + atomic_load(&sock->connected) && + !atomic_load(&sock->connecting)) + { + /* + * It seems that some unexpected data (a DNS message) has + * arrived while we are wrapping up. + */ + return (ISC_R_CANCELED); + } + req = isc__nm_get_read_req(sock, NULL); REQUIRE(VALID_UVREQ(req)); diff --git a/lib/isc/netmgr/tlsdns.c b/lib/isc/netmgr/tlsdns.c index 27895aa716..700874d28e 100644 --- a/lib/isc/netmgr/tlsdns.c +++ b/lib/isc/netmgr/tlsdns.c @@ -937,8 +937,20 @@ isc__nm_tlsdns_processbuffer(isc_nmsocket_t *sock) { } if (sock->recv_cb == NULL) { - /* recv_cb has been cleared - there is - * nothing to do */ + /* + * recv_cb has been cleared - there is + * nothing to do + */ + return (ISC_R_CANCELED); + } else if (sock->statichandle == NULL && + sock->tls.state == TLS_STATE_IO && + atomic_load(&sock->connected) && + !atomic_load(&sock->connecting)) + { + /* + * It seems that some unexpected data (a DNS message) has + * arrived while we are wrapping up. + */ return (ISC_R_CANCELED); } From 61d824cd415bdfac17c07ed08c93be669d586674 Mon Sep 17 00:00:00 2001 From: Artem Boldariev Date: Fri, 12 Nov 2021 10:47:25 +0200 Subject: [PATCH 2/2] Add an entry to CHANGES [GL #3004] Mentions that there is a fix to a bug in DoT code leading to an abort when a zone transfer over TLS ends with an unexpected DNS message. --- CHANGES | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/CHANGES b/CHANGES index 0b211b353a..f5c859d8f9 100644 --- a/CHANGES +++ b/CHANGES @@ -1,3 +1,7 @@ +5763. [bug] Fix a bug in DoT code leading to an abort when + a zone transfer ends with an unexpected DNS message. + [GL #3004] + 5762. [bug] Fix a "named" crash related to removing and restoring a `catalog-zone` entry in the configuration file and running `rndc reconfig`. [GL #1608]