[master] remove unnecessary INSIST

4578. [security] Some chaining (CNAME or DNAME) responses to upstream queries could trigger assertion failures. (CVE-2017-3137) [RT #44734]
2025-08-28 21:17:54 +00:00 · 2017-02-23 14:34:33 -08:00 · 2017-02-23 14:34:33 -08:00 · a1365a0042
commit a1365a0042
parent e04dff4bfd
3 changed files with 24 additions and 27 deletions
--- a/4
+++ b/4
@ -1,3 +1,7 @@
+4578.	[security]	Some chaining (CNAME or DNAME) responses to upstream
+			queries could trigger assertion failures.
+			(CVE-2017-3137) [RT #44734]
+
 4577.	[func]		Make qtype of resolver fuzzing packet configurable
 			via command line. [RT #43540]

--- a/doc/arm/notes.xml
+++ b/doc/arm/notes.xml
@ -65,11 +65,18 @@

  <section xml:id="relnotes_security"><info><title>Security Fixes</title></info>
    <itemizedlist>
+      <listitem>
+	<para>
+	  Some chaining (i.e., type CNAME or DNAME) responses to upstream
+	  queries could trigger assertion failures. This flaw is disclosed
+	  in CVE-2017-3137. [RT #44734]
+	</para>
+      </listitem>
      <listitem>
 	<para>
 	  <command>dns64</command> with <command>break-dnssec yes;</command>
 	  can result in an assertion failure. This flaw is disclosed in
-	  CVE-2017-3136.[RT #44653]
+	  CVE-2017-3136. [RT #44653]
 	</para>
      </listitem>
      <listitem>
--- a/lib/dns/resolver.c
+++ b/lib/dns/resolver.c
@ -7034,15 +7034,15 @@ answer_response(fetchctx_t *fctx) {
 					rdataset->attributes |=
 						DNS_RDATASETATTR_CACHE;
 					rdataset->trust = dns_trust_answer;
-					if (chaining == 0) {
+					if (external) {
 						/*
-						 * This data is "the" answer
-						 * to our question only if
-						 * we're not chaining (i.e.
-						 * if we haven't followed
-						 * a CNAME or DNAME).
+						 * This data is outside of
+						 * our query domain, and
+						 * may not be cached.
 						 */
-						INSIST(!external);
+						rdataset->attributes |=
+						    DNS_RDATASETATTR_EXTERNAL;
+					} else if (chaining == 0) {
 						/*
 						 * Don't use found_cname here
 						 * as we have just set it
@ -7064,14 +7064,6 @@ answer_response(fetchctx_t *fctx) {
 						if (aa)
 							rdataset->trust =
 							  dns_trust_authanswer;
-					} else if (external) {
-						/*
-						 * This data is outside of
-						 * our query domain, and
-						 * may not be cached.
-						 */
-						rdataset->attributes |=
-						    DNS_RDATASETATTR_EXTERNAL;
 					}

 					/*
@ -7246,15 +7238,12 @@ answer_response(fetchctx_t *fctx) {
 				 * If we are not chaining or the first CNAME
 				 * is a synthesised CNAME before the DNAME.
 				 */
-				if ((chaining == 0) ||
-				    (chaining == 1U && synthcname))
+				if (external) {
+					rdataset->attributes |=
+					    DNS_RDATASETATTR_EXTERNAL;
+				} else if ((chaining == 0) ||
+					   (chaining == 1U && synthcname))
 				{
-					/*
-					 * This data is "the" answer to
-					 * our question only if we're
-					 * not chaining.
-					 */
-					INSIST(!external);
 					if (aflag == DNS_RDATASETATTR_ANSWER) {
 						have_answer = ISC_TRUE;
 						found_dname = ISC_TRUE;
@ -7271,9 +7260,6 @@ answer_response(fetchctx_t *fctx) {
 					if (aa)
 						rdataset->trust =
 						  dns_trust_authanswer;
-				} else if (external) {
-					rdataset->attributes |=
-					    DNS_RDATASETATTR_EXTERNAL;
 				}
 			}