3218. [security] Cache lookup could return RRSIG data associated with v9.4-ESV-R5-P1
authorEvan Hunt <each@isc.org>
Wed, 16 Nov 2011 09:33:41 +0000 (09:33 +0000)
committerEvan Hunt <each@isc.org>
Wed, 16 Nov 2011 09:33:41 +0000 (09:33 +0000)
nonexistent records, leading to an assertion
failure. [RT #26590]

CHANGES
bin/named/query.c
lib/dns/rbtdb.c
version

diff --git a/CHANGES b/CHANGES
index 86d88abf874eaf15999989daf3ad815b415429b9..a4306d2b137cccb4290eda4bdaa2ad2c28a90447 100644 (file)
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,9 @@
+       --- 9.4-ESV-R5-P1 released ---
+
+3218.  [security]      Cache lookup could return RRSIG data associated with
+                       nonexistent records, leading to an assertion
+                       failure. [RT #26590]
+
        --- 9.4-ESV-R5 released ---
 
 3135.  [port]          FreeBSD: workaround broken IPV6_USE_MIN_MTU processing.
index 5104558fdb8a8de5a3f3439aebf8e5816679384b..aca2e34cada35d86f5ed056144fa19ae47f526d1 100644 (file)
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: query.c,v 1.257.18.56 2010/11/17 10:21:01 marka Exp $ */
+/* $Id: query.c,v 1.257.18.56.12.1 2011/11/16 09:33:40 each Exp $ */
 
 /*! \file */
 
@@ -1251,11 +1251,9 @@ query_addadditional(void *arg, dns_name_t *name, dns_rdatatype_t qtype) {
                        goto addname;
                if (result == DNS_R_NCACHENXRRSET) {
                        dns_rdataset_disassociate(rdataset);
-                       /*
-                        * Negative cache entries don't have sigrdatasets.
-                        */
-                       INSIST(sigrdataset == NULL ||
-                              ! dns_rdataset_isassociated(sigrdataset));
+                       if (sigrdataset != NULL &&
+                           dns_rdataset_isassociated(sigrdataset))
+                               dns_rdataset_disassociate(sigrdataset);
                }
                if (result == ISC_R_SUCCESS) {
                        mname = NULL;
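Review bot: The replacement for the removed `INSIST` discards an associated `sigrdataset` on `DNS_R_NCACHENXRRSET` with no comment, and the explanatory comment that used to sit here was deleted with the assertion. A reader can no longer tell that a signature on a negative cache answer is an unexpected state, tolerated so that a cache inconsistency does not abort named. I would add above the new `if` something like `/* Negative cache entries should not carry signatures; discard any that appear instead of asserting. */`. The same lines recur in the second query_addadditional hunk and, without the NULL test, in query_addadditional2. That last site presumably relies on `sigrdataset` always being non-NULL, as the old `INSIST` did, which is worth stating in the comment; all three function bodies extend outside the hunks shown.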
@@ -1296,8 +1294,9 @@ query_addadditional(void *arg, dns_name_t *name, dns_rdatatype_t qtype) {
                        goto addname;
                if (result == DNS_R_NCACHENXRRSET) {
                        dns_rdataset_disassociate(rdataset);
-                       INSIST(sigrdataset == NULL ||
-                              ! dns_rdataset_isassociated(sigrdataset));
+                       if (sigrdataset != NULL &&
+                           dns_rdataset_isassociated(sigrdataset))
+                               dns_rdataset_disassociate(sigrdataset);
                }
                if (result == ISC_R_SUCCESS) {
                        mname = NULL;
@@ -1746,10 +1745,8 @@ query_addadditional2(void *arg, dns_name_t *name, dns_rdatatype_t qtype) {
                goto setcache;
        if (result == DNS_R_NCACHENXRRSET) {
                dns_rdataset_disassociate(rdataset);
-               /*
-                * Negative cache entries don't have sigrdatasets.
-                */
-               INSIST(! dns_rdataset_isassociated(sigrdataset));
+               if (dns_rdataset_isassociated(sigrdataset))
+                       dns_rdataset_disassociate(sigrdataset);
        }
        if (result == ISC_R_SUCCESS) {
                /* Remember the result as a cache */
index a1ad2a4045a1dd747b5cfc43cf94e433a985f7cf..df7162d3fb2b6af68fb0d1b550d8babe6e2ddd14 100644 (file)
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: rbtdb.c,v 1.196.18.67 2011/06/09 00:42:47 each Exp $ */
+/* $Id: rbtdb.c,v 1.196.18.67.2.1 2011/11/16 09:33:41 each Exp $ */
 
 /*! \file */
 
@@ -3672,7 +3672,7 @@ cache_find(dns_db_t *db, dns_name_t *name, dns_dbversion_t *version,
            result == DNS_R_NCACHENXRRSET) {
                bind_rdataset(search.rbtdb, node, found, search.now,
                              rdataset);
-               if (foundsig != NULL)
+               if (!NEGATIVE(found) && foundsig != NULL)
                        bind_rdataset(search.rbtdb, node, foundsig, search.now,
                                      sigrdataset);
        }
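Review bot: The new `!NEGATIVE(found)` guard in cache_find suppresses `foundsig` only at bind time, and nothing in the hunk explains why a signature header can sit next to a negative entry. The loop that selects `found` and `foundsig` is outside the hunk, so this cannot be confirmed here, but it looks as if the RRSIG header stays in the node and is merely not returned. A short comment such as `/* A negative entry has no covering RRSIG; never bind foundsig with it. */` would record the invariant, and the identical guard in the cache_findrdataset hunk deserves the same. The commit's file list shows no test change, so a regression case for a negative entry coexisting with an RRSIG in the cache would help keep both guards in place.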
@@ -4258,7 +4258,7 @@ cache_findrdataset(dns_db_t *db, dns_dbnode_t *node, dns_dbversion_t *version,
        }
        if (found != NULL) {
                bind_rdataset(rbtdb, rbtnode, found, now, rdataset);
-               if (foundsig != NULL)
+               if (!NEGATIVE(found) && foundsig != NULL)
                        bind_rdataset(rbtdb, rbtnode, foundsig, now,
                                      sigrdataset);
        }
diff --git a/version b/version
index 4c470646dad59b2de7be7d4d2af74bd9886e2e8b..e445b1bdcb217f5db4ed5ab53624230dc1073b12 100644 (file)
--- a/version
+++ b/version
@@ -1,4 +1,4 @@
-# $Id: version,v 1.29.134.35 2011/07/21 02:11:00 marka Exp $
+# $Id: version,v 1.29.134.35.2.1 2011/11/16 09:33:40 each Exp $
 #
 # This file must follow /bin/sh rules.  It is imported directly via
 # configure.
@@ -7,4 +7,4 @@ MAJORVER=9
 MINORVER=4
 PATCHVER=
 RELEASETYPE=-ESV
-RELEASEVER=-R5
+RELEASEVER=-R5-P1