diff --git a/CHANGES b/CHANGES
index 5da4d02..c64cd8d 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,9 @@
+ --- 9.12.2-P1 released ---
+
+4997. [security] named could crash during recursive processing
+ of DNAME records when "deny-answer-aliases" was
+ in use. (CVE-2018-5740) [GL #387]
+
 --- 9.12.2 released ---
 
 --- 9.12.2rc2 released ---
diff --git a/lib/dns/resolver.c b/lib/dns/resolver.c
index a9d55d1c..796f2ba 100644
--- a/lib/dns/resolver.c
+++ b/lib/dns/resolver.c
@@ -6566,6 +6566,7 @@ is_answertarget_allowed(fetchctx_t *fctx, dns_name_t *qname, dns_name_t *rname,
 unsigned int nlabels;
 dns_fixedname_t fixed;
 dns_name_t prefix;
+ int order;
 
 REQUIRE(rdataset != NULL);
 REQUIRE(rdataset->type == dns_rdatatype_cname ||
@@ -6588,17 +6589,25 @@ is_answertarget_allowed(fetchctx_t *fctx, dns_name_t *qname, dns_name_t *rname,
 tname = &cname.cname;
 break;
 case dns_rdatatype_dname:
+ if (dns_name_fullcompare(qname, rname, &order, &nlabels) !=
+ dns_namereln_subdomain)
+ {
+ return (ISC_TRUE);
+ }
 result = dns_rdata_tostruct(&rdata, &dname, NULL);
 RUNTIME_CHECK(result == ISC_R_SUCCESS);
 dns_name_init(&prefix, NULL);
 tname = dns_fixedname_initname(&fixed);
- nlabels = dns_name_countlabels(qname) -
- dns_name_countlabels(rname);
+ nlabels = dns_name_countlabels(rname);
 dns_name_split(qname, nlabels, &prefix, NULL);
 result = dns_name_concatenate(&prefix, &dname.dname, tname,
 NULL);
- if (result == DNS_R_NAMETOOLONG)
+ if (result == DNS_R_NAMETOOLONG) {
+ if (chainingp != NULL) {
+ *chainingp = ISC_TRUE;
+ }
 return (ISC_TRUE);
+ }
 RUNTIME_CHECK(result == ISC_R_SUCCESS);
 break;
 default:
@@ -8126,6 +8135,8 @@ rctx_answer_match(respctx_t *rctx) {
 }
 if ((rctx->ardataset->type == dns_rdatatype_cname ||
 rctx->ardataset->type == dns_rdatatype_dname) &&
+ rctx->type != rctx->ardataset->type &&
+ rctx->type != dns_rdatatype_any &&
 !is_answertarget_allowed(fctx, &fctx->name, rctx->aname,
 rctx->ardataset, NULL))
 {
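Review bot: The new early `return (ISC_TRUE)` in the `dns_rdatatype_dname` case of `is_answertarget_allowed()` has no comment saying why a DNAME whose owner is equal to or unrelated to `qname` counts as allowed. `nlabels` is also written twice with different meanings: first as the common-label count from `dns_name_fullcompare()`, then as the label count of `rname`, while `order` is never read. Since this guard is what ensures `dns_name_split()` only ever receives a suffix length that fits inside `qname` for records taken from a response, I would state that above the `if`, e.g. `/* Owner is not a proper ancestor of qname: no name is synthesized, so there is no target to filter. */`, and note that `order` and the first `nlabels` value are unused outputs. The context line `RUNTIME_CHECK(result == ISC_R_SUCCESS)` after `dns_name_concatenate()` still aborts on any other result, so it is worth confirming that `DNS_R_NAMETOOLONG` is the only failure reachable with a fixed-name target. The function starts and ends outside the hunk, so the `chainingp` default on the early-return path cannot be checked from here.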
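Review bot: The two conditions added to the `if` in `rctx_answer_match()` stop the `deny-answer-aliases` check from running when the query type is ANY or matches the CNAME/DNAME type of the answer rdataset, and nothing in the hunk explains why skipping the filter is safe there. Presumably the record is returned as plain data in those cases and no alias is followed, but that is inferred from the condition rather than shown by the visible lines. If that is the reason, a comment above the `if` such as `/* Filter alias targets only when the alias will be followed; explicit CNAME/DNAME and ANY queries get the record as data. */` would stop a later reader from treating this as an accidental bypass. A regression test pinning that the filter still applies to ordinary address lookups would also help; none is visible in this diff. The body of the `if` continues outside the hunk.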