upstream/bind9
1
0
Fork 0
mirror of https://github.com/isc-projects/bind9.git synced 2026-05-27 12:13:20 -04:00
Code Issues Projects Releases Packages Wiki Activity Actions 4

Clear dns64_aaaaok immediately after use

Browse source 
The DNS64 state information stored in client->query.dns64_aaaaok
could cause an assertion failure in query_respond() if the server
was configured in such a way as to trigger a new recursion before
the query had been reset - for example, by using the filter-aaaa
plugin, which may need to recurse to find out whether an A record
exists.

This has been addressed by clearing DNS64 state information
immediately after the call to query_filter64().

(cherry picked from commit 7213b038f0)
This commit is contained in:
Evan Hunt 2026-05-03 22:00:39 -07:00 committed by Ondřej Surý (GitLab job 7314636)
parent ddea991c07
commit d42b3e7b91
5 changed files with 21 additions and 3 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

5
bin/tests/system/filters/ns1/unsigned.db
View file

@ -23,3 +23,8 @@ dual A 1.0.0.6
dual AAAA 2001:db8::6
mx A 1.0.0.3
mx AAAA 2001:db8::3
; one of these AAAA addresses is excluded in named.conf
excludeone A 1.0.0.6
excludeone AAAA ::1
excludeone AAAA 2001:db8::6

5
bin/tests/system/filters/ns4/unsigned.db
View file

@ -23,3 +23,8 @@ dual A 1.0.0.6
dual AAAA 2001:db8::6
mx A 1.0.0.3
mx AAAA 2001:db8::3
; one of these AAAA addresses is excluded in named.conf
excludeone A 1.0.0.6
excludeone AAAA ::1
excludeone AAAA 2001:db8::6

6
bin/tests/system/filters/ns5/named.conf.j2
View file

@ -23,9 +23,9 @@ options {
dnssec-validation no;
notify yes;
dns64 64:ff9b::/96 {
clients { any; };
exclude { any; };
mapped { any; };
clients { any; };
exclude { ::1/128; };
mapped { any; };
};
minimal-responses no;
};

4
bin/tests/system/filters/tests_filter_dns64.py
View file

@ -25,3 +25,7 @@ def test_filter_dns64():
msg = isctest.query.create("aaaa-only.unsigned", "aaaa")
res = isctest.query.tcp(msg, "10.53.0.5")
isctest.check.noerror(res)
msg = isctest.query.create("excludeone.unsigned", "aaaa")
res = isctest.query.tcp(msg, "10.53.0.5")
isctest.check.noerror(res)

4
lib/ns/query.c
View file

@ -8250,6 +8250,10 @@ query_addanswer(query_ctx_t *qctx) {
} else if (qctx->client->query.dns64_aaaaok != NULL) {
query_filter64(qctx);
ns_client_putrdataset(qctx->client, &qctx->rdataset);
isc_mem_cput(qctx->client->manager->mctx,
qctx->client->query.dns64_aaaaok,
qctx->client->query.dns64_aaaaoklen, sizeof(bool));
qctx->client->query.dns64_aaaaoklen = 0;
} else {
if (!qctx->is_zone && RECURSIONOK(qctx->client)) {
query_prefetch(qctx->client, qctx->fname,