mir/bind
2
0
Fork 0
mirror of https://gitlab.isc.org/isc-projects/bind9 synced 2025-09-01 15:05:23 +00:00
Code Issues Releases Wiki Activity

Merge branch '4281-confidential-redirect-rfc1918-check-failure' into 'v9.19.20-release'

Browse Source 
[CVE-2023-5517] Fix handling of RFC 1918 reverse queries with "nxdomain-redirect" enabled

See merge request isc-private/bind9!584
This commit is contained in:
Michał Kępień
2024-01-05 11:09:29 +00:00
parent 720e737de4 2fbafc2675
commit 9fbafe83d2
3 changed files with 16 additions and 13 deletions
Download Patch File Download Diff File Expand all files Collapse all files

3
CHANGES
View File

@@ -4,7 +4,8 @@
6317. [placeholder] 6317. [placeholder]
6316. [placeholder] 6316. [security] Specific queries could trigger an assertion check with
nxdomain-redirect enabled. (CVE-2023-5517) [GL #4281]
6315. [security] Speed up parsing of DNS messages with many different 6315. [security] Speed up parsing of DNS messages with many different
names. (CVE-2023-4408) [GL #4234] names. (CVE-2023-4408) [GL #4234]

4
doc/notes/notes-current.rst
View File

@@ -23,6 +23,10 @@ Security Fixes
University, and Yuval Shavitt from Tel-Aviv University for bringing University, and Yuval Shavitt from Tel-Aviv University for bringing
this vulnerability to our attention. :gl:`#4234` this vulnerability to our attention. :gl:`#4234`
- Specific queries could cause :iscman:`named` to crash with an
assertion failure when :any:`nxdomain-redirect` was enabled. This has
been fixed. :cve:`2023-5517` :gl:`#4281`
New Features New Features
~~~~~~~~~~~~ ~~~~~~~~~~~~

22
lib/ns/query.c
View File

@@ -477,10 +477,10 @@ static void
query_addnxrrsetnsec(query_ctx_t *qctx); query_addnxrrsetnsec(query_ctx_t *qctx);
static isc_result_t static isc_result_t
query_nxdomain(query_ctx_t *qctx, isc_result_t res); query_nxdomain(query_ctx_t *qctx, isc_result_t result);
static isc_result_t static isc_result_t
query_redirect(query_ctx_t *qctx); query_redirect(query_ctx_t *qctx, isc_result_t result);
static isc_result_t static isc_result_t
query_ncache(query_ctx_t *qctx, isc_result_t result); query_ncache(query_ctx_t *qctx, isc_result_t result);
@@ -7695,8 +7695,7 @@ query_usestale(query_ctx_t *qctx, isc_result_t result) {
* result from the search. * result from the search.
*/ */
static isc_result_t static isc_result_t
query_gotanswer(query_ctx_t *qctx, isc_result_t res) { query_gotanswer(query_ctx_t *qctx, isc_result_t result) {
isc_result_t result = res;
char errmsg[256]; char errmsg[256];
CCTRACE(ISC_LOG_DEBUG(3), "query_gotanswer"); CCTRACE(ISC_LOG_DEBUG(3), "query_gotanswer");
@@ -7772,7 +7771,7 @@ root_key_sentinel:
return (query_coveringnsec(qctx)); return (query_coveringnsec(qctx));
case DNS_R_NCACHENXDOMAIN: case DNS_R_NCACHENXDOMAIN:
result = query_redirect(qctx); result = query_redirect(qctx, result);
if (result != ISC_R_COMPLETE) { if (result != ISC_R_COMPLETE) {
return (result); return (result);
} }
@@ -9513,11 +9512,10 @@ query_addnxrrsetnsec(query_ctx_t *qctx) {
* Handle NXDOMAIN and empty wildcard responses. * Handle NXDOMAIN and empty wildcard responses.
*/ */
static isc_result_t static isc_result_t
query_nxdomain(query_ctx_t *qctx, isc_result_t res) { query_nxdomain(query_ctx_t *qctx, isc_result_t result) {
dns_section_t section; dns_section_t section;
uint32_t ttl; uint32_t ttl;
isc_result_t result = res; bool empty_wild = (result == DNS_R_EMPTYWILD);
bool empty_wild = (res == DNS_R_EMPTYWILD);
CCTRACE(ISC_LOG_DEBUG(3), "query_nxdomain"); CCTRACE(ISC_LOG_DEBUG(3), "query_nxdomain");
@@ -9526,7 +9524,7 @@ query_nxdomain(query_ctx_t *qctx, isc_result_t res) {
INSIST(qctx->is_zone || REDIRECT(qctx->client)); INSIST(qctx->is_zone || REDIRECT(qctx->client));
if (!empty_wild) { if (!empty_wild) {
result = query_redirect(qctx); result = query_redirect(qctx, result);
if (result != ISC_R_COMPLETE) { if (result != ISC_R_COMPLETE) {
return (result); return (result);
} }
@@ -9614,7 +9612,7 @@ cleanup:
* redirecting, so query processing should continue past it. * redirecting, so query processing should continue past it.
*/ */
static isc_result_t static isc_result_t
query_redirect(query_ctx_t *qctx) { query_redirect(query_ctx_t *qctx, isc_result_t saved_result) {
isc_result_t result; isc_result_t result;
CCTRACE(ISC_LOG_DEBUG(3), "query_redirect"); CCTRACE(ISC_LOG_DEBUG(3), "query_redirect");
@@ -9655,7 +9653,7 @@ query_redirect(query_ctx_t *qctx) {
SAVE(qctx->client->query.redirect.rdataset, qctx->rdataset); SAVE(qctx->client->query.redirect.rdataset, qctx->rdataset);
SAVE(qctx->client->query.redirect.sigrdataset, SAVE(qctx->client->query.redirect.sigrdataset,
qctx->sigrdataset); qctx->sigrdataset);
qctx->client->query.redirect.result = DNS_R_NCACHENXDOMAIN; qctx->client->query.redirect.result = saved_result;
dns_name_copy(qctx->fname, qctx->client->query.redirect.fname); dns_name_copy(qctx->fname, qctx->client->query.redirect.fname);
qctx->client->query.redirect.authoritative = qctx->client->query.redirect.authoritative =
qctx->authoritative; qctx->authoritative;
@@ -10250,7 +10248,7 @@ query_coveringnsec(query_ctx_t *qctx) {
* We now have the proof that we have an NXDOMAIN. Apply * We now have the proof that we have an NXDOMAIN. Apply
* NXDOMAIN redirection if configured. * NXDOMAIN redirection if configured.
*/ */
result = query_redirect(qctx); result = query_redirect(qctx, DNS_R_COVERINGNSEC);
if (result != ISC_R_COMPLETE) { if (result != ISC_R_COMPLETE) {
redirected = true; redirected = true;
goto cleanup; goto cleanup;