mir/bind
2
0
Fork 0
mirror of https://gitlab.isc.org/isc-projects/bind9 synced 2025-08-29 13:38:26 +00:00
Code Issues Releases Wiki Activity

Merge branch '2540-confidential-issue-existing-dname' into 'security-main'

Browse Source 
[CVE-2021-25215] Properly answer queries for DNAME records that require the DNAME to be processed to resolve itself

See merge request isc-private/bind9!253
This commit is contained in:
Michał Kępień 2021-04-12 10:13:39 +00:00
commit 9879d2a6b4
3 changed files with 21 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
CHANGES
View File

@ -43,7 +43,9 @@
5617. [placeholder]
5616. [placeholder]
5616. [security] named crashed when a DNAME record placed in the ANSWER
section during DNAME chasing turned out to be the final
answer to a client query. (CVE-2021-25215) [GL #2540]
5615. [security] Insufficient IXFR checks could result in named serving a
zone without an SOA record at the apex, leading to a

9
doc/notes/notes-current.rst
View File

@ -20,6 +20,15 @@ Security Fixes
ISC would like to thank Greg Kuechle of SaskTel for bringing this
vulnerability to our attention. [GL #2467]
- ``named`` crashed when a DNAME record placed in the ANSWER section
during DNAME chasing turned out to be the final answer to a client
query. (CVE-2021-25215)
ISC would like to thank `Siva Kakarla`_ for bringing this
vulnerability to our attention. [GL #2540]
.. _Siva Kakarla: https://github.com/sivakesava1
Known Issues
~~~~~~~~~~~~

12
lib/ns/query.c
View File

@ -8173,10 +8173,16 @@ query_respond(query_ctx_t *qctx) {
query_addnoqnameproof(qctx);
/*
* We shouldn't ever fail to add 'rdataset'
* because it's already in the answer.
* 'qctx->rdataset' will only be non-NULL here if the ANSWER section of
* the message to be sent to the client already contains an RRset with
* the same owner name and the same type as 'qctx->rdataset'. This
* should never happen, with one exception: when chasing DNAME records,
* one of the DNAME records placed in the ANSWER section may turn out
* to be the final answer to the client's query, but we have no way of
* knowing that until now. In such a case, 'qctx->rdataset' will be
* freed later, so we do not need to free it here.
*/
INSIST(qctx->rdataset == NULL);
INSIST(qctx->rdataset == NULL || qctx->qtype == dns_rdatatype_dname);
query_addauth(qctx);