From cac3978af2466a703e434b9bd5c3a97663780e6f Mon Sep 17 00:00:00 2001
From: Evan Hunt
Date: Thu, 5 Jul 2018 14:34:30 -0700
Subject: [PATCH 1/4] explicit DNAME query could trigger a crash if deny-answer-aliases was set

---
 lib/dns/resolver.c | 12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)

diff --git a/lib/dns/resolver.c b/lib/dns/resolver.c
index 4118c7cc5d..db539c5d8b 100644
--- a/lib/dns/resolver.c
+++ b/lib/dns/resolver.c
@@ -6608,6 +6608,7 @@ is_answertarget_allowed(fetchctx_t *fctx, dns_name_t *qname, dns_name_t *rname,
 	unsigned int nlabels;
 	dns_fixedname_t fixed;
 	dns_name_t prefix;
+	int order;
 
 	REQUIRE(rdataset != NULL);
 	REQUIRE(rdataset->type == dns_rdatatype_cname ||
@@ -6630,17 +6631,24 @@ is_answertarget_allowed(fetchctx_t *fctx, dns_name_t *qname, dns_name_t *rname,
 		tname = &cname.cname;
 		break;
 	case dns_rdatatype_dname:
+		if (dns_name_fullcompare(qname, rname, &order, &nlabels) !=
+		    dns_namereln_subdomain)
+		{
+			return (true);
+		}
 		result = dns_rdata_tostruct(&rdata, &dname, NULL);
 		RUNTIME_CHECK(result == ISC_R_SUCCESS);
 		dns_name_init(&prefix, NULL);
 		tname = dns_fixedname_initname(&fixed);
 		nlabels = dns_name_countlabels(qname) -
 			  dns_name_countlabels(rname);
+		INSIST(nlabels > 0);
 		dns_name_split(qname, nlabels, &prefix, NULL);
 		result = dns_name_concatenate(&prefix, &dname.dname, tname,
					      NULL);
-		if (result == DNS_R_NAMETOOLONG)
+		if (result == DNS_R_NAMETOOLONG) {
 			return (true);
+		}
 		RUNTIME_CHECK(result == ISC_R_SUCCESS);
 		break;
 	default:
@@ -8172,6 +8180,8 @@ rctx_answer_match(respctx_t *rctx) {
 	}
 	if ((rctx->ardataset->type == dns_rdatatype_cname ||
 	     rctx->ardataset->type == dns_rdatatype_dname) &&
+	    rctx->type != rctx->ardataset->type &&
+	    rctx->type != dns_rdatatype_any &&
 	    !is_answertarget_allowed(fctx, &fctx->name, rctx->aname,
 				     rctx->ardataset, NULL))
 	{

From 9d7ad52506a5108153809dd51a4b1c2c31f0f5b9 Mon Sep 17 00:00:00 2001
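Review bot: The early `return (true)` added under `case dns_rdatatype_dname:` when qname is not a subdomain of rname carries no comment, so a reader has to reconstruct why a DNAME whose owner is unrelated to the query name is reported as allowed rather than denied. A one-line comment above the `if` such as `/* qname is not below the DNAME owner, so no target was synthesized from it; nothing to filter. */` would make the intent explicit. Note also that `order` is only ever used as an out-parameter that is never read, which is fine but worth a word. The enclosing function starts and ends outside the hunk.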
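Review bot: The two new conjuncts in rctx_answer_match() exempt a response whose record type equals the query type, or an ANY query, from is_answertarget_allowed() without a comment saying why; the reason (the CNAME/DNAME is the requested answer itself, not an alias being followed to a target) is only recoverable from the patch subject. Suggest `/* Filter only when the alias is being followed; an explicit CNAME/DNAME or ANY query asks for the record itself. */` above the added lines. If is_answertarget_allowed() has other call sites in resolver.c (not visible here), it is worth checking whether the same exemption is needed there. The enclosing `if` statement's body continues outside the hunk.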
From: Evan Hunt
Date: Thu, 5 Jul 2018 18:57:48 -0700
Subject: [PATCH 2/4] test case

---
 bin/tests/system/chain/ns7/named.conf.in | 5 +++++
 bin/tests/system/chain/tests.sh | 17 +++++++++++++++++
 2 files changed, 22 insertions(+)

diff --git a/bin/tests/system/chain/ns7/named.conf.in b/bin/tests/system/chain/ns7/named.conf.in
index defabb0a69..c314922a7c 100644
--- a/bin/tests/system/chain/ns7/named.conf.in
+++ b/bin/tests/system/chain/ns7/named.conf.in
@@ -21,6 +21,11 @@ options {
 	recursion yes;
 	allow-recursion { any; };
 	dnssec-validation yes;
+	deny-answer-aliases {
+		"example";
+	} except-from {
+		"example";
+	};
 };
 
 key rndc_key {
diff --git a/bin/tests/system/chain/tests.sh b/bin/tests/system/chain/tests.sh
index fa42243901..e7ad91ea9f 100644
--- a/bin/tests/system/chain/tests.sh
+++ b/bin/tests/system/chain/tests.sh
@@ -248,5 +248,22 @@ $RNDCCMD 10.53.0.7 flush 2>&1 | sed 's/^/ns7 /' | cat_i
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=`expr $status + $ret`
 
+n=`expr $n + 1`
+echo_i "checking explicit DNAME query ($n)"
+ret=0
+$DIG $DIGOPTS @10.53.0.7 dname short-dname.example > dig.out.7.$n 2>&1
+grep 'status: NOERROR' dig.out.7.$n > /dev/null 2>&1 || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo_i "checking DNAME via ANY query ($n)"
+ret=0
+$RNDCCMD 10.53.0.7 flush 2>&1 | sed 's/^/ns7 /' | cat_i
+$DIG $DIGOPTS @10.53.0.7 any short-dname.example > dig.out.7.$n 2>&1
+grep 'status: NOERROR' dig.out.7.$n > /dev/null 2>&1 || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+
 echo_i "exit status: $status"
 [ $status -eq 0 ] || exit 1
From 3f907b8beee81ef30f10ff9143555daf4445e122 Mon Sep 17 00:00:00 2001
From: Evan Hunt
Date: Tue, 24 Jul 2018 10:18:58 -0700
Subject: [PATCH 3/4] caclulate nlabels and set *chainingp correctly

---
 bin/tests/system/resolver/tests.sh | 1 +
 lib/dns/resolver.c | 7 ++++---
 2 files changed, 5 insertions(+), 3 deletions(-)
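Review bot: Both new checks only grep `status: NOERROR` from the dig output, so a NOERROR/NODATA response or an empty answer would pass as long as ns7 stays up; the test therefore proves the absence of the crash but not that the DNAME is actually returned. Adding an answer-section check after each status grep, e.g. `grep '^short-dname\.example\..*DNAME' dig.out.7.$n > /dev/null || ret=1`, would pin the expected behaviour (assuming the zone data serves a DNAME at short-dname.example, which this diff does not show). The first new check also queries without the `$RNDCCMD 10.53.0.7 flush` that the ANY check performs, so it may be answered from whatever the preceding test left in cache rather than exercising recursion.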
diff --git a/bin/tests/system/resolver/tests.sh b/bin/tests/system/resolver/tests.sh
index 73066a881e..12d2819e30 100755
--- a/bin/tests/system/resolver/tests.sh
+++ b/bin/tests/system/resolver/tests.sh
@@ -204,6 +204,7 @@ n=`expr $n + 1`
 echo_i "checking DNAME target filtering (deny) ($n)"
 ret=0
 $DIG $DIGOPTS +tcp foo.baddname.example.net @10.53.0.1 a > dig.out.ns1.test${n} || ret=1
+grep "DNAME target foo.baddname.example.org denied for foo.baddname.example.net/IN" ns1/named.run >/dev/null || ret=1
 grep "status: SERVFAIL" dig.out.ns1.test${n} > /dev/null || ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=`expr $status + $ret`
diff --git a/lib/dns/resolver.c b/lib/dns/resolver.c
index db539c5d8b..0aca23253e 100644
--- a/lib/dns/resolver.c
+++ b/lib/dns/resolver.c
@@ -6640,13 +6640,14 @@ is_answertarget_allowed(fetchctx_t *fctx, dns_name_t *qname, dns_name_t *rname,
 		RUNTIME_CHECK(result == ISC_R_SUCCESS);
 		dns_name_init(&prefix, NULL);
 		tname = dns_fixedname_initname(&fixed);
-		nlabels = dns_name_countlabels(qname) -
-			  dns_name_countlabels(rname);
-		INSIST(nlabels > 0);
+		nlabels = dns_name_countlabels(rname);
 		dns_name_split(qname, nlabels, &prefix, NULL);
 		result = dns_name_concatenate(&prefix, &dname.dname, tname,
					      NULL);
 		if (result == DNS_R_NAMETOOLONG) {
+			if (chainingp != NULL) {
+				*chainingp = true;
+			}
 			return (true);
 		}
 		RUNTIME_CHECK(result == ISC_R_SUCCESS);
From b4b4277f5a849e6d6baad95636a0ef1d1ac60c60 Mon Sep 17 00:00:00 2001
From: Evan Hunt
Date: Thu, 5 Jul 2018 20:48:26 -0700
Subject: [PATCH 4/4] CHANGES, release note

---
 CHANGES | 4 +++-
 doc/arm/notes.xml | 7 +++++++
 2 files changed, 10 insertions(+), 1 deletion(-)

diff --git a/CHANGES b/CHANGES
index f95ed64261..791851b185 100644
--- a/CHANGES
+++ b/CHANGES
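Review bot: `nlabels = dns_name_countlabels(rname);` recomputes a value that `dns_name_fullcompare(qname, rname, &order, &nlabels)` earlier in the DNAME case (added in patch 1 of this series) already stored, if that out-parameter is the number of labels the two names share — once the subdomain relation has been established that count is exactly rname's label count. Either drop the reassignment or say why it is recomputed, e.g. `/* suffix = the DNAME owner; split qname into prefix + owner */`, so the next reader does not wonder which of the two values dns_name_split() is meant to see. The DNS_R_NAMETOOLONG branch now marks chaining and returns allowed; a one-line comment on why an unsynthesizable target is treated as "nothing to deny" rather than as a rejection would also help. The enclosing function starts and ends outside the hunk.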
@@ -30,7 +30,9 @@
 
 4998.	[test]		Make resolver and cacheclean tests more civilized.
 
-4997.	[placeholder]
+4997.	[security]	named could crash during recursive processing
+			of DNAME records when "deny-answer-aliases" was
+			in use. (CVE-2018-5740) [GL #387]
 
 4996.	[bug]		dig: Handle malformed +ednsopt option. [GL #403]
 
diff --git a/doc/arm/notes.xml b/doc/arm/notes.xml
index 6f30ff9e68..8a1f647af5 100644
--- a/doc/arm/notes.xml
+++ b/doc/arm/notes.xml
@@ -72,6 +72,13 @@
 remote queries. This flaw is disclosed in CVE-2018-5738. [GL #309]
+
+
+named could crash during recursive processing
+of DNAME records when deny-answer-aliases was
+in use. This flaw is disclosed in CVE-2018-5740. [GL #387]
+
+