[master] remove unnecessary INSIST

4578. [security] Some chaining (CNAME or DNAME) responses to upstream queries could trigger assertion failures. (CVE-2017-3137) [RT #44734]
2025-08-31 14:35:26 +00:00 · 2017-02-23 14:34:33 -08:00
parent e04dff4bfd
commit a1365a0042
3 changed files with 24 additions and 27 deletions
--- a/lib/dns/resolver.c
+++ b/lib/dns/resolver.c
@@ -7034,15 +7034,15 @@ answer_response(fetchctx_t *fctx) {
 					rdataset->attributes |=
 						DNS_RDATASETATTR_CACHE;
 					rdataset->trust = dns_trust_answer;
-					if (chaining == 0) {
+					if (external) {
 						/*
-						 * This data is "the" answer
-						 * to our question only if
-						 * we're not chaining (i.e.
-						 * if we haven't followed
-						 * a CNAME or DNAME).
+						 * This data is outside of
+						 * our query domain, and
+						 * may not be cached.
 						 */
-						INSIST(!external);
+						rdataset->attributes |=
+						    DNS_RDATASETATTR_EXTERNAL;
+					} else if (chaining == 0) {
 						/*
 						 * Don't use found_cname here
 						 * as we have just set it
@@ -7064,14 +7064,6 @@ answer_response(fetchctx_t *fctx) {
 						if (aa)
 							rdataset->trust =
 							  dns_trust_authanswer;
-					} else if (external) {
-						/*
-						 * This data is outside of
-						 * our query domain, and
-						 * may not be cached.
-						 */
-						rdataset->attributes |=
-						    DNS_RDATASETATTR_EXTERNAL;
 					}

 					/*
@@ -7246,15 +7238,12 @@ answer_response(fetchctx_t *fctx) {
 				 * If we are not chaining or the first CNAME
 				 * is a synthesised CNAME before the DNAME.
 				 */
-				if ((chaining == 0) ||
-				    (chaining == 1U && synthcname))
+				if (external) {
+					rdataset->attributes |=
+					    DNS_RDATASETATTR_EXTERNAL;
+				} else if ((chaining == 0) ||
+					   (chaining == 1U && synthcname))
 				{
-					/*
-					 * This data is "the" answer to
-					 * our question only if we're
-					 * not chaining.
-					 */
-					INSIST(!external);
 					if (aflag == DNS_RDATASETATTR_ANSWER) {
 						have_answer = ISC_TRUE;
 						found_dname = ISC_TRUE;
@@ -7271,9 +7260,6 @@ answer_response(fetchctx_t *fctx) {
 					if (aa)
 						rdataset->trust =
 						  dns_trust_authanswer;
-				} else if (external) {
-					rdataset->attributes |=
-					    DNS_RDATASETATTR_EXTERNAL;
 				}
 			}