|
1 This patch was derived from a source code patch provided by ISC to |
|
2 resolve ISC ticket RT #43522. [9.6-ESV-R11-S10] |
|
3 |
|
4 --- old/./CHANGES Wed Jan 11 23:20:20 2017 |
|
5 +++ new/./CHANGES Wed Jan 11 23:20:20 2017 |
|
6 @@ -1,3 +1,9 @@ |
|
7 + --- 9.6-ESV-R11-S10 released --- |
|
8 + |
|
9 +4508. [security] Named incorrectly tried to cache TKEY records which |
|
10 + could trigger a assertion failure when there was |
|
11 + a class mismatch. (CVE-2016-9131) [RT #43522] |
|
12 + |
|
13 --- 9.6-ESV-R11-S9 released --- |
|
14 |
|
15 4489. [security] It was possible to trigger assertions when processing |
|
16 --- old/lib/dns/resolver.c Wed Jan 11 23:20:20 2017 |
|
17 +++ new/lib/dns/resolver.c Wed Jan 11 23:20:20 2017 |
|
18 @@ -1,5 +1,5 @@ |
|
19 /* |
|
20 - * Copyright (C) 2004-2014 Internet Systems Consortium, Inc. ("ISC") |
|
21 + * Copyright (C) 2004-2016 Internet Systems Consortium, Inc. ("ISC") |
|
22 * Copyright (C) 1999-2003 Internet Software Consortium. |
|
23 * |
|
24 * Permission to use, copy, modify, and/or distribute this software for any |
|
25 @@ -5848,6 +5848,25 @@ |
|
26 ISC_LOG_NOTICE, "NSEC3 in answer"); |
|
27 return (DNS_R_FORMERR); |
|
28 } |
|
29 + if (rdataset->type == dns_rdatatype_tkey) { |
|
30 + /* |
|
31 + * TKEY is not a valid record in a |
|
32 + * response to any query we can make. |
|
33 + */ |
|
34 + isc_log_write(dns_lctx, |
|
35 + DNS_LOGCATEGORY_RESOLVER, |
|
36 + DNS_LOGMODULE_RESOLVER, |
|
37 + ISC_LOG_NOTICE, "TKEY in answer"); |
|
38 + return (DNS_R_FORMERR); |
|
39 + } |
|
40 + if (rdataset->rdclass != fctx->res->rdclass) { |
|
41 + isc_log_write(dns_lctx, |
|
42 + DNS_LOGCATEGORY_RESOLVER, |
|
43 + DNS_LOGMODULE_RESOLVER, |
|
44 + ISC_LOG_NOTICE, "Mismatched class " |
|
45 + "in answer"); |
|
46 + return (DNS_R_FORMERR); |
|
47 + } |
|
48 if (rdataset->type == type && !found_cname) { |
|
49 /* |
|
50 * We've found an ordinary answer. |
|
51 @@ -6017,6 +6036,15 @@ |
|
52 rdataset != NULL; |
|
53 rdataset = ISC_LIST_NEXT(rdataset, link)) |
|
54 { |
|
55 + if (rdataset->rdclass != fctx->res->rdclass) { |
|
56 + isc_log_write(dns_lctx, |
|
57 + DNS_LOGCATEGORY_RESOLVER, |
|
58 + DNS_LOGMODULE_RESOLVER, |
|
59 + ISC_LOG_NOTICE, "Mismatched class " |
|
60 + "in answer"); |
|
61 + return (DNS_R_FORMERR); |
|
62 + } |
|
63 + |
|
64 /* |
|
65 * Only pass DNAME or RRSIG(DNAME). |
|
66 */ |