3693. [security] memcpy was incorrectly called with overlapping

                        ranges resulting in malformed names being generated
                        on some platforms.  This could cause INSIST failures
                        when serving NSEC3 signed zones.  [RT #35120]

(cherry picked from commit fa467e60c590072fd6848522456eb2cc41582c59)

diff --git a/CHANGES b/CHANGES
index e93da38023672d1c4a55ca3da9f0fb0e9cde4d46..d3443c62c498404aec5c54be4dd7a75eeb4acd9d 100644 (file)
--- a/CHANGES
+++ b/CHANGES
@@ -1,10 +1,9 @@
        --- 9.6-ESV-R10-P2 released ---
 
 3693.  [security]      memcpy was incorrectly called with overlapping
-                       ranges resulting a malformed names being generated
-                       on some platforms.  This was subsequently detected
-                       resulting in INSIST failures when serving NSEC3
-                       signed zones.  [RT #35120]
+                       ranges resulting in malformed names being generated
+                       on some platforms.  This could cause INSIST failures
+                       when serving NSEC3 signed zones.  [RT #35120]
 
        --- 9.6-ESV-R10-P1 released ---
 

diff --git a/bin/named/query.c b/bin/named/query.c
index de1907530635040d8bf5d59e928af9a1059e4a36..5b5b9a89ee0d3749382e9a5f996dd96f2ecab455 100644 (file)
--- a/bin/named/query.c
+++ b/bin/named/query.c
@@ -3679,8 +3679,7 @@ query_findclosestnsec3(dns_name_t *qname, dns_db_t *db,
        dns_fixedname_t fixed;
        dns_hash_t hash;
        dns_name_t name;
-       int order;
-       unsigned int count;
+       unsigned int skip = 0, labels;
        dns_rdata_nsec3_t nsec3;
        dns_rdata_t rdata = DNS_RDATA_INIT;
        isc_boolean_t optout;
@@ -3693,6 +3692,7 @@ query_findclosestnsec3(dns_name_t *qname, dns_db_t *db,
 
        dns_name_init(&name, NULL);
        dns_name_clone(qname, &name);
+       labels = dns_name_countlabels(&name);
 
        /*
         * Map unknown algorithm to known value.
@@ -3724,13 +3724,14 @@ query_findclosestnsec3(dns_name_t *qname, dns_db_t *db,
                dns_rdata_reset(&rdata);
                optout = ISC_TF((nsec3.flags & DNS_NSEC3FLAG_OPTOUT) != 0);
                if (found != NULL && optout &&
-                   dns_name_fullcompare(&name, dns_db_origin(db), &order,
-                                        &count) == dns_namereln_subdomain) {
+                   dns_name_issubdomain(&name, dns_db_origin(db)))
+               {
                        dns_rdataset_disassociate(rdataset);
                        if (dns_rdataset_isassociated(sigrdataset))
                                dns_rdataset_disassociate(sigrdataset);
-                       count = dns_name_countlabels(&name) - 1;
-                       dns_name_getlabelsequence(&name, 1, count, &name);
+                       skip++;
+                       dns_name_getlabelsequence(qname, skip, labels - skip,
+                                                 &name);
                        ns_client_log(client, DNS_LOGCATEGORY_DNSSEC,
                                      NS_LOGMODULE_QUERY, ISC_LOG_DEBUG(3),
                                      "looking for closest provable encloser");
@@ -3748,7 +3749,11 @@ query_findclosestnsec3(dns_name_t *qname, dns_db_t *db,
                ns_client_log(client, DNS_LOGCATEGORY_DNSSEC,
                              NS_LOGMODULE_QUERY, ISC_LOG_WARNING,
                              "expected covering NSEC3, got an exact match");
-       if (found != NULL)
+       if (found == qname) {
+               if (skip != 0U)
+                       dns_name_getlabelsequence(qname, skip, labels - skip,
+                                                 found);
+       } else if (found != NULL)
                dns_name_copy(&name, found, NULL);
        return;
 }