diff --git a/CHANGES b/CHANGES index 95a7fc82bd..bdfbf45a2d 100644 --- a/CHANGES +++ b/CHANGES @@ -1,3 +1,6 @@ +6066. [security] Handle RRSIG lookups when serve-stale is active. + (CVE-2022-3736) [GL #3622] + 6064. [security] An UPDATE message flood could cause named to exhaust all available memory. This flaw was addressed by adding a new "update-quota" statement that controls the number of diff --git a/doc/notes/notes-current.rst b/doc/notes/notes-current.rst index 305cea5933..a5b1df2982 100644 --- a/doc/notes/notes-current.rst +++ b/doc/notes/notes-current.rst @@ -24,6 +24,14 @@ Security Fixes ISC would like to thank Rob Schulhof from Infoblox for bringing this vulnerability to our attention. :gl:`#3523` +- :iscman:`named` could crash with an assertion failure when an RRSIG + query was received and :any:`stale-answer-client-timeout` was set to a + non-zero value. This has been fixed. (CVE-2022-3736) + + ISC would like to thank Borja Marcos from Sarenet (with assistance by + Iratxe Niño from Fundación Sarenet) for bringing this vulnerability to + our attention. :gl:`#3622` + New Features ~~~~~~~~~~~~ diff --git a/lib/ns/query.c b/lib/ns/query.c index 36f3c40dc1..0ad4f0f13e 100644 --- a/lib/ns/query.c +++ b/lib/ns/query.c @@ -5237,6 +5237,15 @@ qctx_init(ns_client_t *client, dns_fetchevent_t **eventp, dns_rdatatype_t qtype, qctx->result = ISC_R_SUCCESS; qctx->findcoveringnsec = qctx->view->synthfromdnssec; + /* + * If it's an RRSIG or SIG query, we'll iterate the node. + */ + if (qctx->qtype == dns_rdatatype_rrsig || + qctx->qtype == dns_rdatatype_sig) + { + qctx->type = dns_rdatatype_any; + } + CALL_HOOK_NORETURN(NS_QUERY_QCTX_INITIALIZED, qctx); } @@ -5424,15 +5433,6 @@ query_setup(ns_client_t *client, dns_rdatatype_t qtype) { CALL_HOOK(NS_QUERY_SETUP, &qctx); - /* - * If it's a SIG query, we'll iterate the node. - */ - if (qctx.qtype == dns_rdatatype_rrsig || - qctx.qtype == dns_rdatatype_sig) - { - qctx.type = dns_rdatatype_any; - } - /* * Check SERVFAIL cache */