From 85555f29d78fe896a289b8c7c938b9833f4dcaa5 Mon Sep 17 00:00:00 2001
From: Diego Fronza <diego@isc.org>
Date: Wed, 15 Jan 2020 14:39:38 -0300
Subject: [PATCH 1/3] Fixed crash when querying for non existing domain in
 chaos class

Function dns_view_findzonecut in view.c wasn't correctly handling
classes other than IN (chaos, hesiod, etc) whenever the name being
looked up wasn't in cache or in any of the configured zone views' database.

That resulted in a NULL fname being used in resolver.c:4900, which
in turn was triggering abort.
---
 lib/dns/view.c | 18 +++++++++++++-----
 1 file changed, 13 insertions(+), 5 deletions(-)

diff --git a/lib/dns/view.c b/lib/dns/view.c
index f21d065cfc..38c6634a36 100644
--- a/lib/dns/view.c
+++ b/lib/dns/view.c
@@ -1245,8 +1245,9 @@ dns_view_findzonecut(dns_view_t *view, const dns_name_t *name,
 			ztoptions |= DNS_ZTFIND_NOEXACT;
 		result = dns_zt_find(view->zonetable, name, ztoptions,
 				     NULL, &zone);
-	} else
+	} else {
 		result = ISC_R_NOTFOUND;
+	}
 	UNLOCK(&view->lock);
 	if (result == ISC_R_SUCCESS || result == DNS_R_PARTIALMATCH)
 		result = dns_zone_getdb(zone, &db);
@@ -1261,12 +1262,15 @@ dns_view_findzonecut(dns_view_t *view, const dns_name_t *name,
 			 * We have a cache; try it.
 			 */
 			dns_db_attach(view->cachedb, &db);
-		} else {
+		} else if (use_hints && view->hints != NULL) {
 			/*
 			 * Maybe we have hints...
 			 */
 			try_hints = true;
 			goto finish;
+		} else {
+			result = DNS_R_NXDOMAIN;
+			goto cleanup;
 		}
 	} else if (result != ISC_R_SUCCESS) {
 		/*
@@ -1287,6 +1291,7 @@ dns_view_findzonecut(dns_view_t *view, const dns_name_t *name,
 			result = ISC_R_SUCCESS;
 		else if (result != ISC_R_SUCCESS)
 			goto cleanup;
+
 		if (use_cache && view->cachedb != NULL && db != view->hints) {
 			/*
 			 * We found an answer, but the cache may be better.
@@ -1327,13 +1332,16 @@ dns_view_findzonecut(dns_view_t *view, const dns_name_t *name,
 				 * have a zone delegation, so use it.
 				 */
 				use_zone = true;
-			} else {
+				result = ISC_R_SUCCESS;
+			} else if (use_hints && view->hints != NULL) {
 				/*
 				 * Maybe we have hints...
 				 */
 				try_hints = true;
+				result = ISC_R_SUCCESS;
+			} else {
+				result = DNS_R_NXDOMAIN;
 			}
-			result = ISC_R_SUCCESS;
 		} else {
 			/*
 			 * Something bad happened.
@@ -1358,7 +1366,7 @@ dns_view_findzonecut(dns_view_t *view, const dns_name_t *name,
 		if (sigrdataset != NULL &&
 		    dns_rdataset_isassociated(&zrdataset))
 			dns_rdataset_clone(&zsigrdataset, sigrdataset);
-	} else if (try_hints && use_hints && view->hints != NULL) {
+	} else if (try_hints) {
 		/*
 		 * We've found nothing so far, but we have hints.
 		 */

From 7417b79c7a84b6f02547e15915326f1a5129028b Mon Sep 17 00:00:00 2001
From: Diego Fronza <diego@isc.org>
Date: Wed, 15 Jan 2020 15:22:06 -0300
Subject: [PATCH 2/3] Added test for the proposed fix

Added test to ensure that NXDOMAIN is returned when BIND is queried for a
non existing domain in CH class (if a view of CHAOS class is configured)
and that it also doesn't crash anymore in those cases.
---
 bin/tests/system/resolver/ns1/chaostest.db  | 5 +++++
 bin/tests/system/resolver/ns1/named.conf.in | 5 ++++-
 bin/tests/system/resolver/tests.sh          | 8 ++++++++
 3 files changed, 17 insertions(+), 1 deletion(-)
 create mode 100644 bin/tests/system/resolver/ns1/chaostest.db

diff --git a/bin/tests/system/resolver/ns1/chaostest.db b/bin/tests/system/resolver/ns1/chaostest.db
new file mode 100644
index 0000000000..4c967b90dd
--- /dev/null
+++ b/bin/tests/system/resolver/ns1/chaostest.db
@@ -0,0 +1,5 @@
+$TTL		3600
+@		CHAOS SOA       @ @ 1970010100 86400 600 86400 300
+@		CHAOS NS        @
+version         CHAOS TXT       "CH 1.0"
+hostname        CHAOS TXT       "unknown"
diff --git a/bin/tests/system/resolver/ns1/named.conf.in b/bin/tests/system/resolver/ns1/named.conf.in
index c7d5d14ce5..b26a156601 100644
--- a/bin/tests/system/resolver/ns1/named.conf.in
+++ b/bin/tests/system/resolver/ns1/named.conf.in
@@ -46,7 +46,10 @@ server fd92:7065:b8e:ffff::1000 {
  * "globalcache" before the recursive "default"/IN view is configured.
  */
 view "class" chaos {
-	match-clients { none; };
+	zone "chaostest" CHAOS {
+                type master;
+                file "chaostest.db";
+        };
 };
 
 /*
diff --git a/bin/tests/system/resolver/tests.sh b/bin/tests/system/resolver/tests.sh
index 788e082528..5604236f5a 100755
--- a/bin/tests/system/resolver/tests.sh
+++ b/bin/tests/system/resolver/tests.sh
@@ -805,5 +805,13 @@ grep "running as: .* -m record,size,mctx " ns1/named.run > /dev/null || ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=`expr $status + $ret`
 
+n=`expr $n + 1`
+echo_i "checking NXDOMAIN is returned when querying non existing domain in CH class ($n)"
+ret=0
+$DIG $DIGOPTS @10.53.0.1 id.hostname txt ch > dig.ns1.out.${n} || ret=1
+grep "status: NXDOMAIN" dig.ns1.out.${n} > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
 echo_i "exit status: $status"
 [ $status -eq 0 ] || exit 1

From 42e1fb832248f34bcec76bba63e498cede3a9108 Mon Sep 17 00:00:00 2001
From: Evan Hunt <each@isc.org>
Date: Wed, 22 Jan 2020 10:23:34 -0800
Subject: [PATCH 3/3] CHANGES

---
 CHANGES | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/CHANGES b/CHANGES
index c858ca5164..35abb47810 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,7 @@
+5350.	[bug]		When a view was configured with class CHAOS, the
+			server could crash while processing a query for a
+			non-existent record. [GL #1540]
+
 5349.	[bug]		Fix a race in task_pause/unpause. [GL #1571]
 
 5348.	[bug]		dnssec-settime -Psync was not being honoured.