
2066. [security] Handle SIG queries gracefully. [RT #16300]

This commit is contained in:
Mark Andrews
2006-08-31 03:56:36 +00:00
parent 285254345c
commit f34249bb28
3 changed files with 18 additions and 13 deletions


@@ -43,7 +43,7 @@
2067. [bug] 'rndc' could close the socket too early triggering 2067. [bug] 'rndc' could close the socket too early triggering
a INSIST under Windows. [RT #16317] a INSIST under Windows. [RT #16317]
2066. [placeholder] rt16300 2066. [security] Handle SIG queries gracefully. [RT #16300]
2065. [bug] libbind: probe for HPUX prototypes for 2065. [bug] libbind: probe for HPUX prototypes for
endprotoent_r() and endservent_r(). [RT 16313] endprotoent_r() and endservent_r(). [RT 16313]


@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE. * PERFORMANCE OF THIS SOFTWARE.
*/ */
/* $Id: query.c,v 1.288 2006/06/04 23:59:33 marka Exp $ */ /* $Id: query.c,v 1.289 2006/08/31 03:56:36 marka Exp $ */
/*! \file */ /*! \file */
@@ -3369,7 +3369,7 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype)
is_zone = ISC_FALSE; is_zone = ISC_FALSE;
qtype = event->qtype; qtype = event->qtype;
if (qtype == dns_rdatatype_rrsig) if (qtype == dns_rdatatype_rrsig || qtype == dns_rdatatype_sig)
type = dns_rdatatype_any; type = dns_rdatatype_any;
else else
type = qtype; type = qtype;
@@ -3410,7 +3410,7 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype)
/* /*
* If it's a SIG query, we'll iterate the node. * If it's a SIG query, we'll iterate the node.
*/ */
if (qtype == dns_rdatatype_rrsig) if (qtype == dns_rdatatype_rrsig || qtype == dns_rdatatype_sig)
type = dns_rdatatype_any; type = dns_rdatatype_any;
else else
type = qtype; type = qtype;
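Review bot: The predicate `qtype == dns_rdatatype_rrsig || qtype == dns_rdatatype_sig` is now spelled out twice in query_find (both changed lines of this section), and the same "iterate the node" type set is written out again at every site touched in resolver.c; a copy that was missed is exactly what this fix repairs, so a single definition near the top of the file, e.g. `#define ITERATES_NODE(t) ((t) == dns_rdatatype_rrsig || (t) == dns_rdatatype_sig)`, would keep the set in one place and make the INSISTs in the resolver agree with the query path by construction. The comment above the second site, `If it's a SIG query, we'll iterate the node.`, now covers both types; the commit widens the equivalent comment in cache_name but not this one, so `If it's a SIG or RRSIG query, we'll iterate the node.` would keep them consistent. query_find begins and ends outside this hunk.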


@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE. * PERFORMANCE OF THIS SOFTWARE.
*/ */
/* $Id: resolver.c,v 1.334 2006/08/30 23:09:18 marka Exp $ */ /* $Id: resolver.c,v 1.335 2006/08/31 03:56:36 marka Exp $ */
/*! \file */ /*! \file */
@@ -779,7 +779,8 @@ fctx_sendevents(fetchctx_t *fctx, isc_result_t result) {
INSIST(result != ISC_R_SUCCESS || INSIST(result != ISC_R_SUCCESS ||
dns_rdataset_isassociated(event->rdataset) || dns_rdataset_isassociated(event->rdataset) ||
fctx->type == dns_rdatatype_any || fctx->type == dns_rdatatype_any ||
fctx->type == dns_rdatatype_rrsig); fctx->type == dns_rdatatype_rrsig ||
fctx->type == dns_rdatatype_sig);
isc_task_sendanddetach(&task, ISC_EVENT_PTR(&event)); isc_task_sendanddetach(&task, ISC_EVENT_PTR(&event));
count++; count++;
@@ -3387,7 +3388,8 @@ validated(isc_task_t *task, isc_event_t *event) {
if (hevent != NULL) { if (hevent != NULL) {
if (!negative && !chaining && if (!negative && !chaining &&
(fctx->type == dns_rdatatype_any || (fctx->type == dns_rdatatype_any ||
fctx->type == dns_rdatatype_rrsig)) { fctx->type == dns_rdatatype_rrsig ||
fctx->type == dns_rdatatype_sig)) {
/* /*
* Don't bind rdatasets; the caller * Don't bind rdatasets; the caller
* will iterate the node. * will iterate the node.
@@ -3508,7 +3510,8 @@ validated(isc_task_t *task, isc_event_t *event) {
if (!ISC_LIST_EMPTY(fctx->validators)) { if (!ISC_LIST_EMPTY(fctx->validators)) {
INSIST(!negative); INSIST(!negative);
INSIST(fctx->type == dns_rdatatype_any || INSIST(fctx->type == dns_rdatatype_any ||
fctx->type == dns_rdatatype_rrsig); fctx->type == dns_rdatatype_rrsig ||
fctx->type == dns_rdatatype_sig);
/* /*
* Don't send a response yet - we have * Don't send a response yet - we have
* more rdatasets that still need to * more rdatasets that still need to
@@ -3662,14 +3665,15 @@ cache_name(fetchctx_t *fctx, dns_name_t *name, dns_adbaddrinfo_t *addrinfo,
return (result); return (result);
anodep = &event->node; anodep = &event->node;
/* /*
* If this is an ANY or SIG query, we're not going * If this is an ANY, SIG or RRSIG query, we're not
* to return any rdatasets, unless we encountered * going to return any rdatasets, unless we encountered
* a CNAME or DNAME as "the answer". In this case, * a CNAME or DNAME as "the answer". In this case,
* we're going to return DNS_R_CNAME or DNS_R_DNAME * we're going to return DNS_R_CNAME or DNS_R_DNAME
* and we must set up the rdatasets. * and we must set up the rdatasets.
*/ */
if ((fctx->type != dns_rdatatype_any && if ((fctx->type != dns_rdatatype_any &&
fctx->type != dns_rdatatype_rrsig) || fctx->type != dns_rdatatype_rrsig &&
fctx->type != dns_rdatatype_sig) ||
(name->attributes & DNS_NAMEATTR_CHAINING) != 0) { (name->attributes & DNS_NAMEATTR_CHAINING) != 0) {
ardataset = event->rdataset; ardataset = event->rdataset;
asigrdataset = event->sigrdataset; asigrdataset = event->sigrdataset;
@@ -3728,7 +3732,7 @@ cache_name(fetchctx_t *fctx, dns_name_t *name, dns_adbaddrinfo_t *addrinfo,
*/ */
if (secure_domain && rdataset->trust != dns_trust_glue) { if (secure_domain && rdataset->trust != dns_trust_glue) {
/* /*
* SIGs are validated as part of validating the * RRSIGs are validated as part of validating the
* type they cover. * type they cover.
*/ */
if (rdataset->type == dns_rdatatype_rrsig) if (rdataset->type == dns_rdatatype_rrsig)
@@ -3798,7 +3802,8 @@ cache_name(fetchctx_t *fctx, dns_name_t *name, dns_adbaddrinfo_t *addrinfo,
if (ANSWER(rdataset) && need_validation) { if (ANSWER(rdataset) && need_validation) {
if (fctx->type != dns_rdatatype_any && if (fctx->type != dns_rdatatype_any &&
fctx->type != dns_rdatatype_rrsig) { fctx->type != dns_rdatatype_rrsig &&
fctx->type != dns_rdatatype_sig) {
/* /*
* This is The Answer. We will * This is The Answer. We will
* validate it, but first we cache * validate it, but first we cache