mir/bind
2
0
Fork 0
mirror of https://gitlab.isc.org/isc-projects/bind9 synced 2025-08-29 13:38:26 +00:00
Code Issues Releases Wiki Activity

[master] remove unnecessary INSIST

Browse Source 
4578.	[security]	Some chaining (CNAME or DNAME) responses to upstream
			queries could trigger assertion failures.
			(CVE-2017-3137) [RT #44734]
This commit is contained in:
Evan Hunt 2017-02-23 14:34:33 -08:00
parent e04dff4bfd
commit a1365a0042
3 changed files with 24 additions and 27 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
CHANGES
View File

@ -1,3 +1,7 @@
4578. [security] Some chaining (CNAME or DNAME) responses to upstream
queries could trigger assertion failures.
(CVE-2017-3137) [RT #44734]
4577. [func] Make qtype of resolver fuzzing packet configurable 4577. [func] Make qtype of resolver fuzzing packet configurable
via command line. [RT #43540] via command line. [RT #43540]

7
doc/arm/notes.xml
View File

@ -65,6 +65,13 @@
<section xml:id="relnotes_security"><info><title>Security Fixes</title></info> <section xml:id="relnotes_security"><info><title>Security Fixes</title></info>
<itemizedlist> <itemizedlist>
<listitem>
<para>
Some chaining (i.e., type CNAME or DNAME) responses to upstream
queries could trigger assertion failures. This flaw is disclosed
in CVE-2017-3137. [RT #44734]
</para>
</listitem>
<listitem> <listitem>
<para> <para>
<command>dns64</command> with <command>break-dnssec yes;</command> <command>dns64</command> with <command>break-dnssec yes;</command>

36
lib/dns/resolver.c
View File

@ -7034,15 +7034,15 @@ answer_response(fetchctx_t *fctx) {
rdataset->attributes |= rdataset->attributes |=
DNS_RDATASETATTR_CACHE; DNS_RDATASETATTR_CACHE;
rdataset->trust = dns_trust_answer; rdataset->trust = dns_trust_answer;
if (chaining == 0) { if (external) {
/* /*
* This data is "the" answer * This data is outside of
* to our question only if * our query domain, and
* we're not chaining (i.e. * may not be cached.
* if we haven't followed
* a CNAME or DNAME).
*/ */
INSIST(!external); rdataset->attributes |=
DNS_RDATASETATTR_EXTERNAL;
} else if (chaining == 0) {
/* /*
* Don't use found_cname here * Don't use found_cname here
* as we have just set it * as we have just set it
@ -7064,14 +7064,6 @@ answer_response(fetchctx_t *fctx) {
if (aa) if (aa)
rdataset->trust = rdataset->trust =
dns_trust_authanswer; dns_trust_authanswer;
} else if (external) {
/*
* This data is outside of
* our query domain, and
* may not be cached.
*/
rdataset->attributes |=
DNS_RDATASETATTR_EXTERNAL;
} }
/* /*
@ -7246,15 +7238,12 @@ answer_response(fetchctx_t *fctx) {
* If we are not chaining or the first CNAME * If we are not chaining or the first CNAME
* is a synthesised CNAME before the DNAME. * is a synthesised CNAME before the DNAME.
*/ */
if ((chaining == 0) || if (external) {
rdataset->attributes |=
DNS_RDATASETATTR_EXTERNAL;
} else if ((chaining == 0) ||
(chaining == 1U && synthcname)) (chaining == 1U && synthcname))
{ {
/*
* This data is "the" answer to
* our question only if we're
* not chaining.
*/
INSIST(!external);
if (aflag == DNS_RDATASETATTR_ANSWER) { if (aflag == DNS_RDATASETATTR_ANSWER) {
have_answer = ISC_TRUE; have_answer = ISC_TRUE;
found_dname = ISC_TRUE; found_dname = ISC_TRUE;
@ -7271,9 +7260,6 @@ answer_response(fetchctx_t *fctx) {
if (aa) if (aa)
rdataset->trust = rdataset->trust =
dns_trust_authanswer; dns_trust_authanswer;
} else if (external) {
rdataset->attributes |=
DNS_RDATASETATTR_EXTERNAL;
} }
} }