From 6d70ccd1289a747745f859d3255fda423fa297fa Mon Sep 17 00:00:00 2001
From: Evan Hunt
Date: Tue, 16 Jan 2024 15:58:53 -0800
Subject: [PATCH] fix a message parsing regression

the fix for CVE-2023-4408 introduced a regression in the message parser, which could cause a crash if duplicate rdatasets were found in the question section. this commit ensures that rdatasets are correctly disassociated and freed when this occurs.

(cherry picked from commit 4c19d35614f8cd80d8748156a5bad361e19abc28)
---
 lib/dns/message.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/lib/dns/message.c b/lib/dns/message.c
index cc42b01ae0..d09eb498dd 100644
--- a/lib/dns/message.c
+++ b/lib/dns/message.c
@@ -1164,7 +1164,9 @@ getquestions(isc_buffer_t *source, dns_message_t *msg, dns_decompress_t *dctx,
 
 cleanup:
 if (rdataset != NULL) {
- INSIST(!dns_rdataset_isassociated(rdataset));
+ if (dns_rdataset_isassociated(rdataset)) {
+ dns_rdataset_disassociate(rdataset);
+ }
 isc_mempool_put(msg->rdspool, rdataset);
 }
 if (free_name) {
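Review bot: The new `if (dns_rdataset_isassociated(rdataset))` branch under `cleanup:` carries no comment saying which error path can arrive here with an associated rdataset, so a later tidy-up could easily restore the `INSIST`. I would add `/* a duplicate question can be rejected after the rdataset was associated; release it before returning it to the pool */` above the check. The diffstat shows only lib/dns/message.c changing, so no regression test for a message with a duplicated question entry comes with this fix. Since this parser handles untrusted wire data and the old assertion aborted the process, a unit or fuzz-corpus case covering that input would keep the crash from coming back. The body of getquestions starts and ends outside the hunk, so the jump into `cleanup:` is inferred from the commit message rather than seen.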