upstream/unbound
1
0
Fork 0
mirror of https://github.com/NLnetLabs/unbound.git synced 2025-12-20 23:00:56 -05:00
Code Issues Projects Releases Packages Wiki Activity Actions

- Fix #3397: Fix that when the cache contains an unsigned DNAME in

Browse source 
the middle of a cname chain, a result without the DNAME could
  be returned.


git-svn-id: file:///svn/unbound/trunk@4446 be551aaa-1e26-0410-a405-d3ace91eadb9
This commit is contained in:
Wouter Wijngaards 2018-01-22 14:30:16 +00:00
parent df6fbb82be
commit 859ca7db68
2 changed files with 19 additions and 4 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

3
doc/Changelog
View file

@ -4,6 +4,9 @@
tls-service-key, tls-service-pem, stub-tls-upstream and tls-service-key, tls-service-pem, stub-tls-upstream and
forward-tls-upstream. forward-tls-upstream.
- Fix #3397: Fix that cachedb could return a partial CNAME chain. - Fix #3397: Fix that cachedb could return a partial CNAME chain.
- Fix #3397: Fix that when the cache contains an unsigned DNAME in
the middle of a cname chain, a result without the DNAME could
be returned.
19 January 2018: Wouter 19 January 2018: Wouter
- tag 1.6.8 for release with CVE fix. - tag 1.6.8 for release with CVE fix.

18
services/cache/dns.c vendored
View file

@ -568,7 +568,7 @@ rrset_msg(struct ub_packed_rrset_key* rrset, struct regional* region,
/** synthesize DNAME+CNAME response from cached DNAME item */ /** synthesize DNAME+CNAME response from cached DNAME item */
static struct dns_msg* static struct dns_msg*
synth_dname_msg(struct ub_packed_rrset_key* rrset, struct regional* region, synth_dname_msg(struct ub_packed_rrset_key* rrset, struct regional* region,
time_t now, struct query_info* q) time_t now, struct query_info* q, struct module_env* env)
{ {
struct dns_msg* msg; struct dns_msg* msg;
struct ub_packed_rrset_key* ck; struct ub_packed_rrset_key* ck;
@ -580,8 +580,19 @@ synth_dname_msg(struct ub_packed_rrset_key* rrset, struct regional* region,
return NULL; return NULL;
/* only allow validated (with DNSSEC) DNAMEs used from cache /* only allow validated (with DNSSEC) DNAMEs used from cache
* for insecure DNAMEs, query again. */ * for insecure DNAMEs, query again. */
if(d->security != sec_status_secure) if(d->security != sec_status_secure) {
/* but if we have a CNAME cached with this name, then we
* have previously already allowed this name to pass.
* the next cache lookup is going to fetch that CNAME itself,
* but it is better to have the (unsigned)DNAME + CNAME in
* that case */
struct ub_packed_rrset_key* cname_rrset = rrset_cache_lookup(
env->rrset_cache, q->qname, q->qname_len,
LDNS_RR_TYPE_CNAME, q->qclass, 0, now, 0);
if(!cname_rrset)
return NULL; return NULL;
lock_rw_unlock(&cname_rrset->entry.lock);
}
msg = gen_dns_msg(region, q, 2); /* DNAME + CNAME RRset */ msg = gen_dns_msg(region, q, 2); /* DNAME + CNAME RRset */
if(!msg) if(!msg)
return NULL; return NULL;
@ -748,7 +759,8 @@ dns_cache_lookup(struct module_env* env,
(rrset=find_closest_of_type(env, qname, qnamelen, qclass, now, (rrset=find_closest_of_type(env, qname, qnamelen, qclass, now,
LDNS_RR_TYPE_DNAME, 1))) { LDNS_RR_TYPE_DNAME, 1))) {
/* synthesize a DNAME+CNAME message based on this */ /* synthesize a DNAME+CNAME message based on this */
struct dns_msg* msg = synth_dname_msg(rrset, region, now, &k); struct dns_msg* msg = synth_dname_msg(rrset, region, now, &k,
env);
if(msg) { if(msg) {
lock_rw_unlock(&rrset->entry.lock); lock_rw_unlock(&rrset->entry.lock);
return msg; return msg;