master

分支 (26)

标签 (19)

管理

管理

master

openEuler-24.03-LTS-Next

openEuler-24.09

openEuler-20.03-LTS-SP4

openEuler-22.03-LTS-SP3

openEuler-22.03-LTS-SP4

openEuler-22.03-LTS-SP1

openEuler-24.03-LTS

openEuler-22.03-LTS

openEuler-22.03-LTS-SP2

openEuler-22.03-LTS-Next

openEuler-20.03-LTS-SP3

openEuler-20.03-LTS-SP1

openEuler-23.03

openEuler-23.09

openEuler-22.09

openEuler-20.03-LTS-SP2

openEuler-21.03

openEuler-21.09

openEuler-20.03-LTS-Next

openEuler-22.03-LTS-SP4-release

openEuler-24.03-LTS-release

openEuler-22.03-LTS-SP3-release

openEuler-23.09-rc5

openEuler-22.03-LTS-SP1-release

openEuler-22.09-release

openEuler-22.09-rc5

openEuler-22.09-20220829

openEuler-22.03-LTS-20220331

openEuler-22.03-LTS-round5

openEuler-22.03-LTS-round3

openEuler-22.03-LTS-round2

openEuler-22.03-LTS-round1

openEuler-20.03-LTS-SP3-release

openEuler-20.03-LTS-SP2-20210624

openEuler-21.03-20210330

openEuler-20.09-20200929

openEuler-20.03-LTS-20200606

openEuler-20.03-LTS-tag

bind
/
backport-CVE-2023-5517.patch

From c73262493658cb8623927ef6cc2f023501f7e809 Mon Sep 17 00:00:00 2001
From: Mark Andrews <marka@isc.org>
Date: Tue, 10 Oct 2023 10:58:18 +1100
Subject: [PATCH] Save the correct result value to resume with
 nxdomain-redirect

The wrong result value was being saved for resumption with
nxdomain-redirect when performing the fetch.  This lead to an assert
when checking that RFC 1918 reverse queries where not leaking to
the global internet.

Conflict:NA
Reference:https://downloads.isc.org/isc/bind/9.18.24/patches/0002-CVE-2023-5517.patch

(cherry picked from commit 9d0fa07c5e7a39db89862a4f843d2190059afb4b)
---
 lib/ns/query.c | 22 ++++++++++------------
 1 file changed, 10 insertions(+), 12 deletions(-)

diff --git a/lib/ns/query.c b/lib/ns/query.c
index c1e9148..61749c8 100644
--- a/lib/ns/query.c
+++ b/lib/ns/query.c
@@ -465,10 +465,10 @@ static void
 query_addnxrrsetnsec(query_ctx_t *qctx);

 static isc_result_t
-query_nxdomain(query_ctx_t *qctx, isc_result_t res);
+query_nxdomain(query_ctx_t *qctx, isc_result_t result);

 static isc_result_t
-query_redirect(query_ctx_t *qctx);
+query_redirect(query_ctx_t *qctx, isc_result_t result);

 static isc_result_t
 query_ncache(query_ctx_t *qctx, isc_result_t result);
@@ -7718,8 +7718,7 @@ query_usestale(query_ctx_t *qctx, isc_result_t result) {
  * result from the search.
  */
 static isc_result_t
-query_gotanswer(query_ctx_t *qctx, isc_result_t res) {
-	isc_result_t result = res;
+query_gotanswer(query_ctx_t *qctx, isc_result_t result) {
 	char errmsg[256];

 	CCTRACE(ISC_LOG_DEBUG(3), "query_gotanswer");
@@ -7795,7 +7794,7 @@ root_key_sentinel:
 		return (query_coveringnsec(qctx));

 	case DNS_R_NCACHENXDOMAIN:
-		result = query_redirect(qctx);
+		result = query_redirect(qctx, result);
 		if (result != ISC_R_COMPLETE) {
 			return (result);
 		}
@@ -9612,11 +9611,10 @@ query_addnxrrsetnsec(query_ctx_t *qctx) {
  * Handle NXDOMAIN and empty wildcard responses.
  */
 static isc_result_t
-query_nxdomain(query_ctx_t *qctx, isc_result_t res) {
+query_nxdomain(query_ctx_t *qctx, isc_result_t result) {
 	dns_section_t section;
 	uint32_t ttl;
-	isc_result_t result = res;
-	bool empty_wild = (res == DNS_R_EMPTYWILD);
+	bool empty_wild = (result == DNS_R_EMPTYWILD);

 	CCTRACE(ISC_LOG_DEBUG(3), "query_nxdomain");

@@ -9625,7 +9623,7 @@ query_nxdomain(query_ctx_t *qctx, isc_result_t res) {
 	INSIST(qctx->is_zone || REDIRECT(qctx->client));

 	if (!empty_wild) {
-		result = query_redirect(qctx);
+		result = query_redirect(qctx, result);
 		if (result != ISC_R_COMPLETE) {
 			return (result);
 		}
@@ -9713,7 +9711,7 @@ cleanup:
  * redirecting, so query processing should continue past it.
  */
 static isc_result_t
-query_redirect(query_ctx_t *qctx) {
+query_redirect(query_ctx_t *qctx, isc_result_t saved_result) {
 	isc_result_t result;

 	CCTRACE(ISC_LOG_DEBUG(3), "query_redirect");
@@ -9754,7 +9752,7 @@ query_redirect(query_ctx_t *qctx) {
 		SAVE(qctx->client->query.redirect.rdataset, qctx->rdataset);
 		SAVE(qctx->client->query.redirect.sigrdataset,
 		     qctx->sigrdataset);
-		qctx->client->query.redirect.result = DNS_R_NCACHENXDOMAIN;
+		qctx->client->query.redirect.result = saved_result;
 		dns_name_copy(qctx->fname, qctx->client->query.redirect.fname);
 		qctx->client->query.redirect.authoritative =
 			qctx->authoritative;
@@ -10415,7 +10413,7 @@ query_coveringnsec(query_ctx_t *qctx) {
 	 * We now have the proof that we have an NXDOMAIN.  Apply
 	 * NXDOMAIN redirection if configured.
 	 */
-	result = query_redirect(qctx);
+	result = query_redirect(qctx, DNS_R_COVERINGNSEC);
 	if (result != ISC_R_COMPLETE) {
 		redirected = true;
 		goto cleanup;
--
2.33.0