7e32a4
From f05af77f32742b8e601d766e1f2fe6a480c7e735 Mon Sep 17 00:00:00 2001
7e32a4
From: rpm-build <rpm-build>
7e32a4
Date: Wed, 8 Feb 2017 12:23:20 +0100
7e32a4
Subject: [PATCH] 4557.   [security]      Combining dns64 and rpz can result in
7e32a4
 dereferencing                         a NULL pointer (read).  (CVE-2017-3135)
7e32a4
 [RT#44434]
7e32a4
7e32a4
---
7e32a4
 bin/named/query.c  | 59 +++++++++++++++++++++++++-----------------------------
7e32a4
 lib/dns/message.c  |  6 +++---
7e32a4
 lib/dns/rdataset.c |  1 +
7e32a4
 3 files changed, 31 insertions(+), 35 deletions(-)
7e32a4
7e32a4
diff --git a/bin/named/query.c b/bin/named/query.c
7e32a4
index 1975dfc..f60078b 100644
7e32a4
--- a/bin/named/query.c
7e32a4
+++ b/bin/named/query.c
7e32a4
@@ -5591,9 +5591,10 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype)
7e32a4
 	dns_rpz_st_t *rpz_st;
7e32a4
 	isc_boolean_t resuming;
7e32a4
 	int line = -1;
7e32a4
-	isc_boolean_t dns64_exclude, dns64;
7e32a4
+	isc_boolean_t dns64_exclude, dns64, rpz;
7e32a4
 	dns_clientinfomethods_t cm;
7e32a4
 	dns_clientinfo_t ci;
7e32a4
+	dns_name_t *rpzqname;
7e32a4
 
7e32a4
 	CTRACE("query_find");
7e32a4
 
7e32a4
@@ -5619,7 +5620,7 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype)
7e32a4
 	zone = NULL;
7e32a4
 	need_wildcardproof = ISC_FALSE;
7e32a4
 	empty_wild = ISC_FALSE;
7e32a4
-	dns64_exclude = dns64 = ISC_FALSE;
7e32a4
+	dns64_exclude = dns64 = rpz = ISC_FALSE;
7e32a4
 	options = 0;
7e32a4
 	resuming = ISC_FALSE;
7e32a4
 	is_zone = ISC_FALSE;
7e32a4
@@ -5736,6 +5737,7 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype)
7e32a4
 	authoritative = ISC_FALSE;
7e32a4
 	version = NULL;
7e32a4
 	need_wildcardproof = ISC_FALSE;
7e32a4
+	rpz = ISC_FALSE;
7e32a4
 
7e32a4
 	if (client->view->checknames &&
7e32a4
 	    !dns_rdata_checkowner(client->query.qname,
7e32a4
@@ -5860,11 +5862,29 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype)
7e32a4
 	}
7e32a4
 
7e32a4
 	/*
7e32a4
-	 * Now look for an answer in the database.
7e32a4
+	 * Now look for an answer in the database.  If this is a dns64
7e32a4
+	 * AAAA lookup on a rpz database adjust the qname.
7e32a4
 	 */
7e32a4
-	result = dns_db_findext(db, client->query.qname, version, type,
7e32a4
+	if (dns64 && rpz)
7e32a4
+		rpzqname = client->query.rpz_st->qname;
7e32a4
+	else
7e32a4
+		rpzqname = client->query.qname;
7e32a4
+
7e32a4
+	result = dns_db_findext(db, rpzqname, version, type,
7e32a4
 				client->query.dboptions, client->now,
7e32a4
 				&node, fname, &cm, &ci, rdataset, sigrdataset);
7e32a4
+	/*
7e32a4
+	 * Fixup fname and sigrdataset.
7e32a4
+	 */
7e32a4
+	if (dns64 && rpz) {
7e32a4
+		isc_result_t rresult;
7e32a4
+
7e32a4
+		rresult = dns_name_copy(client->query.qname, fname, NULL);
7e32a4
+		RUNTIME_CHECK(rresult == ISC_R_SUCCESS);
7e32a4
+		if (sigrdataset != NULL &&
7e32a4
+		    dns_rdataset_isassociated(sigrdataset))
7e32a4
+			dns_rdataset_disassociate(sigrdataset);
7e32a4
+	}
7e32a4
 
7e32a4
  resume:
7e32a4
 	CTRACE("query_find: resume");
7e32a4
@@ -6067,9 +6087,11 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype)
7e32a4
 			switch (rpz_st->m.policy) {
7e32a4
 			case DNS_RPZ_POLICY_NXDOMAIN:
7e32a4
 				result = DNS_R_NXDOMAIN;
7e32a4
+				rpz = ISC_TRUE;
7e32a4
 				break;
7e32a4
 			case DNS_RPZ_POLICY_NODATA:
7e32a4
 				result = DNS_R_NXRRSET;
7e32a4
+				rpz = ISC_TRUE;
7e32a4
 				break;
7e32a4
 			case DNS_RPZ_POLICY_RECORD:
7e32a4
 				result = rpz_st->m.result;
7e32a4
@@ -6089,6 +6111,7 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype)
7e32a4
 					rdataset->ttl = ISC_MIN(rdataset->ttl,
7e32a4
 							    rpz_st->m.ttl);
7e32a4
 				}
7e32a4
+				rpz = ISC_TRUE;
7e32a4
 				break;
7e32a4
 			case DNS_RPZ_POLICY_WILDCNAME:
7e32a4
 				result = dns_rdataset_first(rdataset);
7e32a4
@@ -6130,7 +6153,6 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype)
7e32a4
 			client->attributes &= ~(NS_CLIENTATTR_WANTDNSSEC |
7e32a4
 						DNS_MESSAGEFLAG_AD);
7e32a4
 			query_putrdataset(client, &sigrdataset);
7e32a4
-			rpz_st->q.is_zone = is_zone;
7e32a4
 			is_zone = ISC_TRUE;
7e32a4
 			rpz_log_rewrite(client, ISC_FALSE, rpz_st->m.policy,
7e32a4
 					rpz_st->m.type, zone, rpz_st->qname);
7e32a4
@@ -6509,15 +6531,6 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype)
7e32a4
 			rdataset = NULL;
7e32a4
 			sigrdataset = NULL;
7e32a4
 			type = qtype = dns_rdatatype_a;
7e32a4
-			rpz_st = client->query.rpz_st;
7e32a4
-			if (rpz_st != NULL) {
7e32a4
-				/*
7e32a4
-				 * Arrange for RPZ rewriting of any A records.
7e32a4
-				 */
7e32a4
-				if ((rpz_st->state & DNS_RPZ_REWRITTEN) != 0)
7e32a4
-					is_zone = rpz_st->q.is_zone;
7e32a4
-				rpz_st_clear(client);
7e32a4
-			}
7e32a4
 			dns64 = ISC_TRUE;
7e32a4
 			goto db_find;
7e32a4
 		}
7e32a4
@@ -6786,15 +6799,6 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype)
7e32a4
 			sigrdataset = NULL;
7e32a4
 			fname = NULL;
7e32a4
 			type = qtype = dns_rdatatype_a;
7e32a4
-			rpz_st = client->query.rpz_st;
7e32a4
-			if (rpz_st != NULL) {
7e32a4
-				/*
7e32a4
-				 * Arrange for RPZ rewriting of any A records.
7e32a4
-				 */
7e32a4
-				if ((rpz_st->state & DNS_RPZ_REWRITTEN) != 0)
7e32a4
-					is_zone = rpz_st->q.is_zone;
7e32a4
-				rpz_st_clear(client);
7e32a4
-			}
7e32a4
 			dns64 = ISC_TRUE;
7e32a4
 			goto db_find;
7e32a4
 		}
7e32a4
@@ -7296,15 +7300,6 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype)
7e32a4
 			rdataset = NULL;
7e32a4
 			sigrdataset = NULL;
7e32a4
 			type = qtype = dns_rdatatype_a;
7e32a4
-			rpz_st = client->query.rpz_st;
7e32a4
-			if (rpz_st != NULL) {
7e32a4
-				/*
7e32a4
-				 * Arrange for RPZ rewriting of any A records.
7e32a4
-				 */
7e32a4
-				if ((rpz_st->state & DNS_RPZ_REWRITTEN) != 0)
7e32a4
-					is_zone = rpz_st->q.is_zone;
7e32a4
-				rpz_st_clear(client);
7e32a4
-			}
7e32a4
 			dns64_exclude = dns64 = ISC_TRUE;
7e32a4
 			goto db_find;
7e32a4
 		}
7e32a4
diff --git a/lib/dns/message.c b/lib/dns/message.c
7e32a4
index 884107e..1417067 100644
7e32a4
--- a/lib/dns/message.c
7e32a4
+++ b/lib/dns/message.c
7e32a4
@@ -1234,8 +1234,8 @@ getsection(isc_buffer_t *source, dns_message_t *msg, dns_decompress_t *dctx,
7e32a4
 {
7e32a4
 	isc_region_t r;
7e32a4
 	unsigned int count, rdatalen;
7e32a4
-	dns_name_t *name;
7e32a4
-	dns_name_t *name2;
7e32a4
+	dns_name_t *name = NULL;
7e32a4
+	dns_name_t *name2 = NULL;
7e32a4
 	dns_offsets_t *offsets;
7e32a4
 	dns_rdataset_t *rdataset;
7e32a4
 	dns_rdatalist_t *rdatalist;
7e32a4
@@ -1245,7 +1245,7 @@ getsection(isc_buffer_t *source, dns_message_t *msg, dns_decompress_t *dctx,
7e32a4
 	dns_rdata_t *rdata;
7e32a4
 	dns_ttl_t ttl;
7e32a4
 	dns_namelist_t *section;
7e32a4
-	isc_boolean_t free_name, free_rdataset;
7e32a4
+	isc_boolean_t free_name = ISC_FALSE, free_rdataset = ISC_FALSE;
7e32a4
 	isc_boolean_t preserve_order, best_effort, seen_problem;
7e32a4
 	isc_boolean_t issigzero;
7e32a4
 
7e32a4
diff --git a/lib/dns/rdataset.c b/lib/dns/rdataset.c
7e32a4
index 026d771..483ddfb 100644
7e32a4
--- a/lib/dns/rdataset.c
7e32a4
+++ b/lib/dns/rdataset.c
7e32a4
@@ -336,6 +336,7 @@ towiresorted(dns_rdataset_t *rdataset, const dns_name_t *owner_name,
7e32a4
 	 */
7e32a4
 
7e32a4
 	REQUIRE(DNS_RDATASET_VALID(rdataset));
7e32a4
+	REQUIRE(rdataset->methods != NULL);
7e32a4
 	REQUIRE(countp != NULL);
7e32a4
 	REQUIRE((order == NULL) == (order_arg == NULL));
7e32a4
 	REQUIRE(cctx != NULL && cctx->mctx != NULL);
7e32a4
-- 
7e32a4
2.9.3
7e32a4