From 6fc38d1c75ce5a6172267e6ca162c4fdc09657ad Mon Sep 17 00:00:00 2001

From: Petr Mensik <pemensik@redhat.com>

Date: Tue, 27 Apr 2021 10:56:12 +0200

Subject: [PATCH 2/2] CVE-2021-25215

5616.	[security]	named crashed when a DNAME record placed in the ANSWER

			section during DNAME chasing turned out to be the final

			answer to a client query. (CVE-2021-25215) [GL #2540]

---

 bin/named/query.c | 13 ++++++++++---

 1 file changed, 10 insertions(+), 3 deletions(-)

diff --git a/bin/named/query.c b/bin/named/query.c

index a95f5ad..11a888e 100644

--- a/bin/named/query.c

+++ b/bin/named/query.c

@@ -9301,10 +9301,17 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype)

 		if (noqname != NULL)

 			query_addnoqnameproof(client, noqname);

 		/*

-		 * We shouldn't ever fail to add 'rdataset'

-		 * because it's already in the answer.

+		 * 'rdataset' will only be non-NULL here if the ANSWER section

+		 * of the message to be sent to the client already contains an

+		 * RRset with the same owner name and the same type as

+		 * 'rdataset'.  This should never happen, with one exception:

+		 * when chasing DNAME records, one of the DNAME records placed

+		 * in the ANSWER section may turn out to be the final answer to

+		 * the client's query, but we have no way of knowing that until

+		 * now.  In such a case, 'rdataset' will be freed later, so we

+		 * do not need to free it here.

 		 */

-		INSIST(rdataset == NULL);

+		INSIST(rdataset == NULL || qtype == dns_rdatatype_dname);

 	}

  addauth:

-- 

2.26.3