From 813a1d0f943f7b4ecf43c449a08762a8d8557a45 Mon Sep 17 00:00:00 2001
From: UNKNOWN <>
Date: Tue, 27 Apr 2021 12:02:53 +0800
Subject: [PATCH v2 1/2] Fix CVE-2021-25214

Conflict:NA
Reference:https://downloads.isc.org/isc/bind9/private/40732ca6e4fcc9d0/patches/CVE-2021-25214.patch


diff --git a/lib/dns/xfrin.c b/lib/dns/xfrin.c
index 558f40c..bae6d41 100644
--- a/lib/dns/xfrin.c
+++ b/lib/dns/xfrin.c
@@ -474,6 +474,20 @@ xfr_rr(dns_xfrin_ctx_t *xfr, dns_name_t *name, isc_uint32_t ttl,
 	    dns_rdatatype_ismeta(rdata->type))
 		FAIL(DNS_R_FORMERR);
 
+	/*
+	 * Immediately reject the entire transfer if the RR that is currently
+	 * being processed is an SOA record that is not placed at the zone
+	 * apex.
+	 */
+	if (rdata->type == dns_rdatatype_soa &&
+	    !dns_name_equal(&xfr->name, name)) {
+		char namebuf[DNS_NAME_FORMATSIZE];
+		dns_name_format(name, namebuf, sizeof(namebuf));
+		xfrin_log(xfr, ISC_LOG_DEBUG(3), "SOA name mismatch: '%s'",
+			  namebuf);
+		FAIL(DNS_R_NOTZONETOP);
+	}
+
  redo:
 	switch (xfr->state) {
 	case XFRST_SOAQUERY:
-- 
1.8.3.1