From c5a9fd85a19a63f88a5f17c7e6d074ee22364093 Mon Sep 17 00:00:00 2001

From: Petr Mensik <pemensik@redhat.com>

Date: Tue, 18 Aug 2020 10:53:33 +0200

Subject: [PATCH] Fix CVE-2020-8622

5476.	[security]	It was possible to trigger an assertion failure when

			verifying the response to a TSIG-signed request.

			(CVE-2020-8622) [GL #2028]

---

 lib/dns/message.c | 24 +++++++++++++-----------

 1 file changed, 13 insertions(+), 11 deletions(-)

diff --git a/lib/dns/message.c b/lib/dns/message.c

index d9e341a..7c813a5 100644

--- a/lib/dns/message.c

+++ b/lib/dns/message.c

@@ -1712,6 +1712,19 @@ dns_message_parse(dns_message_t *msg, isc_buffer_t *source,

 	msg->header_ok = 0;

 	msg->question_ok = 0;

+	if ((options & DNS_MESSAGEPARSE_CLONEBUFFER) == 0) {

+		isc_buffer_usedregion(&origsource, &msg->saved);

+	} else {

+		msg->saved.length = isc_buffer_usedlength(&origsource);

+		msg->saved.base = isc_mem_get(msg->mctx, msg->saved.length);

+		if (msg->saved.base == NULL) {

+			return (ISC_R_NOMEMORY);

+		}

+		memmove(msg->saved.base, isc_buffer_base(&origsource),

+			msg->saved.length);

+		msg->free_saved = 1;

+	}

+

 	isc_buffer_remainingregion(source, &r);

 	if (r.length < DNS_MESSAGE_HEADERLEN)

 		return (ISC_R_UNEXPECTEDEND);

@@ -1787,17 +1800,6 @@ dns_message_parse(dns_message_t *msg, isc_buffer_t *source,

 	}

  truncated:

-	if ((options & DNS_MESSAGEPARSE_CLONEBUFFER) == 0)

-		isc_buffer_usedregion(&origsource, &msg->saved);

-	else {

-		msg->saved.length = isc_buffer_usedlength(&origsource);

-		msg->saved.base = isc_mem_get(msg->mctx, msg->saved.length);

-		if (msg->saved.base == NULL)

-			return (ISC_R_NOMEMORY);

-		memmove(msg->saved.base, isc_buffer_base(&origsource),

-			msg->saved.length);

-		msg->free_saved = 1;

-	}

 	if (ret == ISC_R_UNEXPECTEDEND && ignore_tc)

 		return (DNS_R_RECOVERABLE);

-- 

2.26.2