mirror of
https://github.com/isc-projects/bind9.git
synced 2026-06-11 12:59:59 -04:00
4580. [bug] 4578 introduced a regression when handling CNAME to
referral below the current domain. [RT #44850]
(cherry picked from commit 638c7c635d)
This commit is contained in:
Mark Andrews
parent
457de041a9
commit
7fcbbd6fa9
4 changed files with 30 additions and 18 deletions
5
CHANGES
5
CHANGES
|
|
@ -1,3 +1,8 @@
|
|||
--- 9.11.1rc3 released ---
|
||||
|
||||
4580. [bug] 4578 introduced a regression when handling CNAME to
|
||||
referral below the current domain. [RT #44850]
|
||||
|
||||
--- 9.11.1rc2 released ---
|
||||
|
||||
4578. [security] Some chaining (CNAME or DNAME) responses to upstream
|
||||
|
|
|
|||
|
|
@ -7,5 +7,5 @@
|
|||
# 9.10: 140-149, 170-179
|
||||
# 9.11: 160-169
|
||||
LIBINTERFACE = 168
|
||||
LIBREVISION = 1
|
||||
LIBREVISION = 2
|
||||
LIBAGE = 0
|
||||
|
|
|
|||
|
|
@ -6227,7 +6227,7 @@ is_answeraddress_allowed(dns_view_t *view, dns_name_t *name,
|
|||
|
||||
static isc_boolean_t
|
||||
is_answertarget_allowed(fetchctx_t *fctx, dns_name_t *qname, dns_name_t *rname,
|
||||
dns_rdataset_t *rdataset)
|
||||
dns_rdataset_t *rdataset, isc_boolean_t *chainingp)
|
||||
{
|
||||
isc_result_t result;
|
||||
dns_rbtnode_t *node = NULL;
|
||||
|
|
@ -6248,8 +6248,11 @@ is_answertarget_allowed(fetchctx_t *fctx, dns_name_t *qname, dns_name_t *rname,
|
|||
REQUIRE(rdataset->type == dns_rdatatype_cname ||
|
||||
rdataset->type == dns_rdatatype_dname);
|
||||
|
||||
/* By default, we allow any target name. */
|
||||
if (view->denyanswernames == NULL)
|
||||
/*
|
||||
* By default, we allow any target name.
|
||||
* If newqname != NULL we also need to extract the newqname.
|
||||
*/
|
||||
if (chainingp == NULL && view->denyanswernames == NULL)
|
||||
return (ISC_TRUE);
|
||||
|
||||
result = dns_rdataset_first(rdataset);
|
||||
|
|
@ -6272,7 +6275,7 @@ is_answertarget_allowed(fetchctx_t *fctx, dns_name_t *qname, dns_name_t *rname,
|
|||
dns_name_split(qname, nlabels, &prefix, NULL);
|
||||
result = dns_name_concatenate(&prefix, &dname.dname, tname,
|
||||
NULL);
|
||||
if (result == ISC_R_NOSPACE)
|
||||
if (result == DNS_R_NAMETOOLONG)
|
||||
return (ISC_TRUE);
|
||||
RUNTIME_CHECK(result == ISC_R_SUCCESS);
|
||||
break;
|
||||
|
|
@ -6280,6 +6283,12 @@ is_answertarget_allowed(fetchctx_t *fctx, dns_name_t *qname, dns_name_t *rname,
|
|||
INSIST(0);
|
||||
}
|
||||
|
||||
if (chainingp != NULL)
|
||||
*chainingp = ISC_TRUE;
|
||||
|
||||
if (view->denyanswernames == NULL)
|
||||
return (ISC_TRUE);
|
||||
|
||||
/*
|
||||
* If the owner name matches one in the exclusion list, either exactly
|
||||
* or partially, allow it.
|
||||
|
|
@ -6965,7 +6974,7 @@ answer_response(fetchctx_t *fctx) {
|
|||
if ((rdataset->type == dns_rdatatype_cname ||
|
||||
rdataset->type == dns_rdatatype_dname) &&
|
||||
!is_answertarget_allowed(fctx, qname, aname,
|
||||
rdataset))
|
||||
rdataset, NULL))
|
||||
{
|
||||
return (DNS_R_SERVFAIL);
|
||||
}
|
||||
|
|
@ -6988,7 +6997,9 @@ answer_response(fetchctx_t *fctx) {
|
|||
}
|
||||
if ((ardataset->type == dns_rdatatype_cname ||
|
||||
ardataset->type == dns_rdatatype_dname) &&
|
||||
!is_answertarget_allowed(fctx, qname, aname, ardataset)) {
|
||||
!is_answertarget_allowed(fctx, qname, aname, ardataset,
|
||||
NULL))
|
||||
{
|
||||
return (DNS_R_SERVFAIL);
|
||||
}
|
||||
aname->attributes |= DNS_NAMEATTR_CACHE;
|
||||
|
|
@ -7023,7 +7034,9 @@ answer_response(fetchctx_t *fctx) {
|
|||
log_formerr(fctx, "CNAME response for %s RR", buf);
|
||||
return (DNS_R_FORMERR);
|
||||
}
|
||||
if (!is_answertarget_allowed(fctx, qname, cname, crdataset)) {
|
||||
if (!is_answertarget_allowed(fctx, qname, cname, crdataset,
|
||||
NULL))
|
||||
{
|
||||
return (DNS_R_SERVFAIL);
|
||||
}
|
||||
cname->attributes |= DNS_NAMEATTR_CACHE;
|
||||
|
|
@ -7055,7 +7068,8 @@ answer_response(fetchctx_t *fctx) {
|
|||
if (!validinanswer(drdataset, fctx)) {
|
||||
return (DNS_R_FORMERR);
|
||||
}
|
||||
if (!is_answertarget_allowed(fctx, qname, dname, drdataset)) {
|
||||
if (!is_answertarget_allowed(fctx, qname, dname, drdataset,
|
||||
&chaining)) {
|
||||
return (DNS_R_SERVFAIL);
|
||||
}
|
||||
dname->attributes |= DNS_NAMEATTR_CACHE;
|
||||
|
|
@ -7082,7 +7096,6 @@ answer_response(fetchctx_t *fctx) {
|
|||
sigrdataset->trust = trust;
|
||||
break;
|
||||
}
|
||||
chaining = ISC_TRUE;
|
||||
} else {
|
||||
log_formerr(fctx, "reply has no answer");
|
||||
return (DNS_R_FORMERR);
|
||||
|
|
@ -7097,13 +7110,7 @@ answer_response(fetchctx_t *fctx) {
|
|||
* Did chaining end before we got the final answer?
|
||||
*/
|
||||
if (chaining) {
|
||||
/*
|
||||
* Yes. This may be a negative reply, so hand off
|
||||
* authority section processing to the noanswer code.
|
||||
* If it isn't a noanswer response, no harm will be
|
||||
* done.
|
||||
*/
|
||||
return (noanswer_response(fctx, qname, 0));
|
||||
return (ISC_R_SUCCESS);
|
||||
}
|
||||
|
||||
/*
|
||||
|
|
|
|||
2
version
2
version
|
|
@ -7,5 +7,5 @@ MAJORVER=9
|
|||
MINORVER=11
|
||||
PATCHVER=1
|
||||
RELEASETYPE=rc
|
||||
RELEASEVER=2
|
||||
RELEASEVER=3
|
||||
EXTENSIONS=
|
||||
|
|
|
|||
Loading…
Reference in a new issue