|
|
7e32a4 |
From f05af77f32742b8e601d766e1f2fe6a480c7e735 Mon Sep 17 00:00:00 2001
|
|
|
7e32a4 |
From: rpm-build <rpm-build>
|
|
|
7e32a4 |
Date: Wed, 8 Feb 2017 12:23:20 +0100
|
|
|
7e32a4 |
Subject: [PATCH] 4557. [security] Combining dns64 and rpz can result in
|
|
|
7e32a4 |
dereferencing a NULL pointer (read). (CVE-2017-3135)
|
|
|
7e32a4 |
[RT#44434]
|
|
|
7e32a4 |
|
|
|
7e32a4 |
---
|
|
|
7e32a4 |
bin/named/query.c | 59 +++++++++++++++++++++++++-----------------------------
|
|
|
7e32a4 |
lib/dns/message.c | 6 +++---
|
|
|
7e32a4 |
lib/dns/rdataset.c | 1 +
|
|
|
7e32a4 |
3 files changed, 31 insertions(+), 35 deletions(-)
|
|
|
7e32a4 |
|
|
|
7e32a4 |
diff --git a/bin/named/query.c b/bin/named/query.c
|
|
|
7e32a4 |
index 1975dfc..f60078b 100644
|
|
|
7e32a4 |
--- a/bin/named/query.c
|
|
|
7e32a4 |
+++ b/bin/named/query.c
|
|
|
7e32a4 |
@@ -5591,9 +5591,10 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype)
|
|
|
7e32a4 |
dns_rpz_st_t *rpz_st;
|
|
|
7e32a4 |
isc_boolean_t resuming;
|
|
|
7e32a4 |
int line = -1;
|
|
|
7e32a4 |
- isc_boolean_t dns64_exclude, dns64;
|
|
|
7e32a4 |
+ isc_boolean_t dns64_exclude, dns64, rpz;
|
|
|
7e32a4 |
dns_clientinfomethods_t cm;
|
|
|
7e32a4 |
dns_clientinfo_t ci;
|
|
|
7e32a4 |
+ dns_name_t *rpzqname;
|
|
|
7e32a4 |
|
|
|
7e32a4 |
CTRACE("query_find");
|
|
|
7e32a4 |
|
|
|
7e32a4 |
@@ -5619,7 +5620,7 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype)
|
|
|
7e32a4 |
zone = NULL;
|
|
|
7e32a4 |
need_wildcardproof = ISC_FALSE;
|
|
|
7e32a4 |
empty_wild = ISC_FALSE;
|
|
|
7e32a4 |
- dns64_exclude = dns64 = ISC_FALSE;
|
|
|
7e32a4 |
+ dns64_exclude = dns64 = rpz = ISC_FALSE;
|
|
|
7e32a4 |
options = 0;
|
|
|
7e32a4 |
resuming = ISC_FALSE;
|
|
|
7e32a4 |
is_zone = ISC_FALSE;
|
|
|
7e32a4 |
@@ -5736,6 +5737,7 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype)
|
|
|
7e32a4 |
authoritative = ISC_FALSE;
|
|
|
7e32a4 |
version = NULL;
|
|
|
7e32a4 |
need_wildcardproof = ISC_FALSE;
|
|
|
7e32a4 |
+ rpz = ISC_FALSE;
|
|
|
7e32a4 |
|
|
|
7e32a4 |
if (client->view->checknames &&
|
|
|
7e32a4 |
!dns_rdata_checkowner(client->query.qname,
|
|
|
7e32a4 |
@@ -5860,11 +5862,29 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype)
|
|
|
7e32a4 |
}
|
|
|
7e32a4 |
|
|
|
7e32a4 |
/*
|
|
|
7e32a4 |
- * Now look for an answer in the database.
|
|
|
7e32a4 |
+ * Now look for an answer in the database. If this is a dns64
|
|
|
7e32a4 |
+ * AAAA lookup on a rpz database adjust the qname.
|
|
|
7e32a4 |
*/
|
|
|
7e32a4 |
- result = dns_db_findext(db, client->query.qname, version, type,
|
|
|
7e32a4 |
+ if (dns64 && rpz)
|
|
|
7e32a4 |
+ rpzqname = client->query.rpz_st->qname;
|
|
|
7e32a4 |
+ else
|
|
|
7e32a4 |
+ rpzqname = client->query.qname;
|
|
|
7e32a4 |
+
|
|
|
7e32a4 |
+ result = dns_db_findext(db, rpzqname, version, type,
|
|
|
7e32a4 |
client->query.dboptions, client->now,
|
|
|
7e32a4 |
&node, fname, &cm, &ci, rdataset, sigrdataset);
|
|
|
7e32a4 |
+ /*
|
|
|
7e32a4 |
+ * Fixup fname and sigrdataset.
|
|
|
7e32a4 |
+ */
|
|
|
7e32a4 |
+ if (dns64 && rpz) {
|
|
|
7e32a4 |
+ isc_result_t rresult;
|
|
|
7e32a4 |
+
|
|
|
7e32a4 |
+ rresult = dns_name_copy(client->query.qname, fname, NULL);
|
|
|
7e32a4 |
+ RUNTIME_CHECK(rresult == ISC_R_SUCCESS);
|
|
|
7e32a4 |
+ if (sigrdataset != NULL &&
|
|
|
7e32a4 |
+ dns_rdataset_isassociated(sigrdataset))
|
|
|
7e32a4 |
+ dns_rdataset_disassociate(sigrdataset);
|
|
|
7e32a4 |
+ }
|
|
|
7e32a4 |
|
|
|
7e32a4 |
resume:
|
|
|
7e32a4 |
CTRACE("query_find: resume");
|
|
|
7e32a4 |
@@ -6067,9 +6087,11 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype)
|
|
|
7e32a4 |
switch (rpz_st->m.policy) {
|
|
|
7e32a4 |
case DNS_RPZ_POLICY_NXDOMAIN:
|
|
|
7e32a4 |
result = DNS_R_NXDOMAIN;
|
|
|
7e32a4 |
+ rpz = ISC_TRUE;
|
|
|
7e32a4 |
break;
|
|
|
7e32a4 |
case DNS_RPZ_POLICY_NODATA:
|
|
|
7e32a4 |
result = DNS_R_NXRRSET;
|
|
|
7e32a4 |
+ rpz = ISC_TRUE;
|
|
|
7e32a4 |
break;
|
|
|
7e32a4 |
case DNS_RPZ_POLICY_RECORD:
|
|
|
7e32a4 |
result = rpz_st->m.result;
|
|
|
7e32a4 |
@@ -6089,6 +6111,7 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype)
|
|
|
7e32a4 |
rdataset->ttl = ISC_MIN(rdataset->ttl,
|
|
|
7e32a4 |
rpz_st->m.ttl);
|
|
|
7e32a4 |
}
|
|
|
7e32a4 |
+ rpz = ISC_TRUE;
|
|
|
7e32a4 |
break;
|
|
|
7e32a4 |
case DNS_RPZ_POLICY_WILDCNAME:
|
|
|
7e32a4 |
result = dns_rdataset_first(rdataset);
|
|
|
7e32a4 |
@@ -6130,7 +6153,6 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype)
|
|
|
7e32a4 |
client->attributes &= ~(NS_CLIENTATTR_WANTDNSSEC |
|
|
|
7e32a4 |
DNS_MESSAGEFLAG_AD);
|
|
|
7e32a4 |
query_putrdataset(client, &sigrdataset);
|
|
|
7e32a4 |
- rpz_st->q.is_zone = is_zone;
|
|
|
7e32a4 |
is_zone = ISC_TRUE;
|
|
|
7e32a4 |
rpz_log_rewrite(client, ISC_FALSE, rpz_st->m.policy,
|
|
|
7e32a4 |
rpz_st->m.type, zone, rpz_st->qname);
|
|
|
7e32a4 |
@@ -6509,15 +6531,6 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype)
|
|
|
7e32a4 |
rdataset = NULL;
|
|
|
7e32a4 |
sigrdataset = NULL;
|
|
|
7e32a4 |
type = qtype = dns_rdatatype_a;
|
|
|
7e32a4 |
- rpz_st = client->query.rpz_st;
|
|
|
7e32a4 |
- if (rpz_st != NULL) {
|
|
|
7e32a4 |
- /*
|
|
|
7e32a4 |
- * Arrange for RPZ rewriting of any A records.
|
|
|
7e32a4 |
- */
|
|
|
7e32a4 |
- if ((rpz_st->state & DNS_RPZ_REWRITTEN) != 0)
|
|
|
7e32a4 |
- is_zone = rpz_st->q.is_zone;
|
|
|
7e32a4 |
- rpz_st_clear(client);
|
|
|
7e32a4 |
- }
|
|
|
7e32a4 |
dns64 = ISC_TRUE;
|
|
|
7e32a4 |
goto db_find;
|
|
|
7e32a4 |
}
|
|
|
7e32a4 |
@@ -6786,15 +6799,6 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype)
|
|
|
7e32a4 |
sigrdataset = NULL;
|
|
|
7e32a4 |
fname = NULL;
|
|
|
7e32a4 |
type = qtype = dns_rdatatype_a;
|
|
|
7e32a4 |
- rpz_st = client->query.rpz_st;
|
|
|
7e32a4 |
- if (rpz_st != NULL) {
|
|
|
7e32a4 |
- /*
|
|
|
7e32a4 |
- * Arrange for RPZ rewriting of any A records.
|
|
|
7e32a4 |
- */
|
|
|
7e32a4 |
- if ((rpz_st->state & DNS_RPZ_REWRITTEN) != 0)
|
|
|
7e32a4 |
- is_zone = rpz_st->q.is_zone;
|
|
|
7e32a4 |
- rpz_st_clear(client);
|
|
|
7e32a4 |
- }
|
|
|
7e32a4 |
dns64 = ISC_TRUE;
|
|
|
7e32a4 |
goto db_find;
|
|
|
7e32a4 |
}
|
|
|
7e32a4 |
@@ -7296,15 +7300,6 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype)
|
|
|
7e32a4 |
rdataset = NULL;
|
|
|
7e32a4 |
sigrdataset = NULL;
|
|
|
7e32a4 |
type = qtype = dns_rdatatype_a;
|
|
|
7e32a4 |
- rpz_st = client->query.rpz_st;
|
|
|
7e32a4 |
- if (rpz_st != NULL) {
|
|
|
7e32a4 |
- /*
|
|
|
7e32a4 |
- * Arrange for RPZ rewriting of any A records.
|
|
|
7e32a4 |
- */
|
|
|
7e32a4 |
- if ((rpz_st->state & DNS_RPZ_REWRITTEN) != 0)
|
|
|
7e32a4 |
- is_zone = rpz_st->q.is_zone;
|
|
|
7e32a4 |
- rpz_st_clear(client);
|
|
|
7e32a4 |
- }
|
|
|
7e32a4 |
dns64_exclude = dns64 = ISC_TRUE;
|
|
|
7e32a4 |
goto db_find;
|
|
|
7e32a4 |
}
|
|
|
7e32a4 |
diff --git a/lib/dns/message.c b/lib/dns/message.c
|
|
|
7e32a4 |
index 884107e..1417067 100644
|
|
|
7e32a4 |
--- a/lib/dns/message.c
|
|
|
7e32a4 |
+++ b/lib/dns/message.c
|
|
|
7e32a4 |
@@ -1234,8 +1234,8 @@ getsection(isc_buffer_t *source, dns_message_t *msg, dns_decompress_t *dctx,
|
|
|
7e32a4 |
{
|
|
|
7e32a4 |
isc_region_t r;
|
|
|
7e32a4 |
unsigned int count, rdatalen;
|
|
|
7e32a4 |
- dns_name_t *name;
|
|
|
7e32a4 |
- dns_name_t *name2;
|
|
|
7e32a4 |
+ dns_name_t *name = NULL;
|
|
|
7e32a4 |
+ dns_name_t *name2 = NULL;
|
|
|
7e32a4 |
dns_offsets_t *offsets;
|
|
|
7e32a4 |
dns_rdataset_t *rdataset;
|
|
|
7e32a4 |
dns_rdatalist_t *rdatalist;
|
|
|
7e32a4 |
@@ -1245,7 +1245,7 @@ getsection(isc_buffer_t *source, dns_message_t *msg, dns_decompress_t *dctx,
|
|
|
7e32a4 |
dns_rdata_t *rdata;
|
|
|
7e32a4 |
dns_ttl_t ttl;
|
|
|
7e32a4 |
dns_namelist_t *section;
|
|
|
7e32a4 |
- isc_boolean_t free_name, free_rdataset;
|
|
|
7e32a4 |
+ isc_boolean_t free_name = ISC_FALSE, free_rdataset = ISC_FALSE;
|
|
|
7e32a4 |
isc_boolean_t preserve_order, best_effort, seen_problem;
|
|
|
7e32a4 |
isc_boolean_t issigzero;
|
|
|
7e32a4 |
|
|
|
7e32a4 |
diff --git a/lib/dns/rdataset.c b/lib/dns/rdataset.c
|
|
|
7e32a4 |
index 026d771..483ddfb 100644
|
|
|
7e32a4 |
--- a/lib/dns/rdataset.c
|
|
|
7e32a4 |
+++ b/lib/dns/rdataset.c
|
|
|
7e32a4 |
@@ -336,6 +336,7 @@ towiresorted(dns_rdataset_t *rdataset, const dns_name_t *owner_name,
|
|
|
7e32a4 |
*/
|
|
|
7e32a4 |
|
|
|
7e32a4 |
REQUIRE(DNS_RDATASET_VALID(rdataset));
|
|
|
7e32a4 |
+ REQUIRE(rdataset->methods != NULL);
|
|
|
7e32a4 |
REQUIRE(countp != NULL);
|
|
|
7e32a4 |
REQUIRE((order == NULL) == (order_arg == NULL));
|
|
|
7e32a4 |
REQUIRE(cctx != NULL && cctx->mctx != NULL);
|
|
|
7e32a4 |
--
|
|
|
7e32a4 |
2.9.3
|
|
|
7e32a4 |
|