37 lines
1.3 KiB
Diff
37 lines
1.3 KiB
Diff
|
From c42cc79ef9a23d8273b273bb86a1c8c9995b28a0 Mon Sep 17 00:00:00 2001
|
||
|
|
From: UNKNOWN <>
|
||
|
|
Date: Tue, 27 Apr 2021 12:12:24 +0800
|
||
|
|
Subject: [PATCH v2 2/2] Fix CVE-2021-25215
|
||
|
|
|
||
|
|
Conflict:NA
|
||
|
|
Reference:https://downloads.isc.org/isc/bind9/private/40732ca6e4fcc9d0/patches/CVE-2021-25215.patch
|
||
|
|
|
||
|
|
|
||
|
|
diff --git a/bin/named/query.c b/bin/named/query.c
|
||
|
|
index 6e988f5..2e7700a 100644
|
||
|
|
--- a/bin/named/query.c
|
||
|
|
+++ b/bin/named/query.c
|
||
|
|
@@ -9092,10 +9092,17 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype)
|
||
|
|
if (noqname != NULL)
|
||
|
|
query_addnoqnameproof(client, noqname);
|
||
|
|
/*
|
||
|
|
- * We shouldn't ever fail to add 'rdataset'
|
||
|
|
- * because it's already in the answer.
|
||
|
|
+ * 'rdataset' will only be non-NULL here if the ANSWER section
|
||
|
|
+ * of the message to be sent to the client already contains an
|
||
|
|
+ * RRset with the same owner name and the same type as
|
||
|
|
+ * 'rdataset'. This should never happen, with one exception:
|
||
|
|
+ * when chasing DNAME records, one of the DNAME records placed
|
||
|
|
+ * in the ANSWER section may turn out to be the final answer to
|
||
|
|
+ * the client's query, but we have no way of knowing that until
|
||
|
|
+ * now. In such a case, 'rdataset' will be freed later, so we
|
||
|
|
+ * do not need to free it here.
|
||
|
|
*/
|
||
|
|
- INSIST(rdataset == NULL);
|
||
|
|
+ INSIST(rdataset == NULL || qtype == dns_rdatatype_dname);
|
||
|
|
}
|
||
|
|
|
||
|
|
addauth:
|
||
|
|
--
|
||
|
|
1.8.3.1
|