diff --git a/CHANGES b/CHANGES
index 408f76a..6af3921 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,9 @@
+ --- 9.10.8-P1 released ---
+
+4997. [security] named could crash during recursive processing
+ of DNAME records when "deny-answer-aliases" was
+ in use. (CVE-2018-5740) [GL #387]
+
 --- 9.10.8 released ---
 --- 9.10.8rc2 released ---
diff --git a/lib/dns/resolver.c b/lib/dns/resolver.c
index dacf783..884e2a6 100644
--- a/lib/dns/resolver.c
+++ b/lib/dns/resolver.c
@@ -6251,6 +6251,7 @@ is_answertarget_allowed(fetchctx_t *fctx, dns_name_t *qname, dns_name_t *rname,
 unsigned int nlabels;
 dns_fixedname_t fixed;
 dns_name_t prefix;
+ int order;
 REQUIRE(rdataset != NULL);
 REQUIRE(rdataset->type == dns_rdatatype_cname ||
@@ -6273,18 +6274,26 @@ is_answertarget_allowed(fetchctx_t *fctx, dns_name_t *qname, dns_name_t *rname,
 tname = &cname.cname;
 break;
 case dns_rdatatype_dname:
+ if (dns_name_fullcompare(qname, rname, &order, &nlabels) !=
+ dns_namereln_subdomain)
+ {
+ return (ISC_TRUE);
+ }
 result = dns_rdata_tostruct(&rdata, &dname, NULL);
 RUNTIME_CHECK(result == ISC_R_SUCCESS);
 dns_name_init(&prefix, NULL);
 dns_fixedname_init(&fixed);
 tname = dns_fixedname_name(&fixed);
- nlabels = dns_name_countlabels(qname) -
- dns_name_countlabels(rname);
+ nlabels = dns_name_countlabels(rname);
 dns_name_split(qname, nlabels, &prefix, NULL);
 result = dns_name_concatenate(&prefix, &dname.dname, tname,
 NULL);
- if (result == DNS_R_NAMETOOLONG)
+ if (result == DNS_R_NAMETOOLONG) {
+ if (chainingp != NULL) {
+ *chainingp = ISC_TRUE;
+ }
 return (ISC_TRUE);
+ }
 RUNTIME_CHECK(result == ISC_R_SUCCESS);
 break;
 default:
@@ -7013,7 +7022,9 @@ answer_response(fetchctx_t *fctx) {
 }
 if ((ardataset->type == dns_rdatatype_cname ||
 ardataset->type == dns_rdatatype_dname) &&
- !is_answertarget_allowed(fctx, qname, aname, ardataset,
+ type != ardataset->type &&
+ type != dns_rdatatype_any &&
+ !is_answertarget_allowed(fctx, qname, aname, ardataset,
 NULL))
 {
 return (DNS_R_SERVFAIL);
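Review bot: The new early `return (ISC_TRUE);` in the `dns_rdatatype_dname` case fails open: a DNAME whose owner is not a proper ancestor of `qname` is reported as allowed, so the deny-answer-aliases filter is never applied to it. That is only safe if the caller ignores such a DNAME rather than following it, which this hunk does not show. A comment above the check would pin the assumption, e.g. `/* DNAME owner does not cover qname, so it cannot rewrite this query and there is no target to filter; bailing out here also keeps the unsigned label arithmetic below from wrapping. */`. Separately, `nlabels` is written by `dns_name_fullcompare()` and then immediately reassigned from `dns_name_countlabels(rname)`; on the subdomain path the two values should be the same, so either drop the reassignment or say why it is kept. The function begins and ends outside the hunk, and no regression test for a non-covering DNAME is visible in this patch.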
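Review bot: The added `type != ardataset->type && type != dns_rdatatype_any` conditions in `answer_response()` skip the deny-answer-aliases check whenever the query itself asked for CNAME, DNAME or ANY, so an alias pointing into a filtered namespace is returned unfiltered for those query types. That looks intentional, since nothing is chained in that case, but it narrows a security policy without saying so. A comment above the `if` would record it, e.g. `/* Only filter alias targets when the alias will be followed; explicit CNAME/DNAME and ANY queries are answered as-is. */`. `type` is assigned outside this hunk, so this assumes it holds the query type; the enclosing block also starts and ends outside the hunk.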