fix a message parsing regression
authorEvan Hunt <each@isc.org>
Wed, 17 Jan 2024 00:03:15 +0000 (16:03 -0800)
committerMichał Kępień <michal@isc.org>
Thu, 22 Feb 2024 11:00:47 +0000 (12:00 +0100)
the fix for CVE-2023-4408 introduced a regression in the message
parser, which could cause a crash if duplicate rdatasets were found
in the question section. this commit ensures that rdatasets are
correctly disassociated and freed when this occurs.

(cherry picked from commit 4c19d35614f8cd80d8748156a5bad361e19abc28)

lib/dns/message.c

index 258e83a29a48b7aadbaaccd2d9a28f6e8ff2ce43..e5ad60bc5585a66a42e400e115d4f4ba232c7d8e 100644 (file)
@@ -1206,8 +1206,7 @@ getquestions(isc_buffer_t *source, dns_message_t *msg, dns_decompress_t *dctx,
                rdatalist->rdclass = rdclass;
 
                result = dns_rdatalist_tordataset(rdatalist, rdataset);
-               if (result != ISC_R_SUCCESS)
-                       goto cleanup;
+               RUNTIME_CHECK(result == ISC_R_SUCCESS);
 
                rdataset->attributes |= DNS_RDATASETATTR_QUESTION;
 
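Review bot: The new `RUNTIME_CHECK(result == ISC_R_SUCCESS)` in getquestions() turns any failure of dns_rdatalist_tordataset() into a process abort inside a parser that handles wire-format input, and nothing in the hunk says why that is safe. If the callee cannot return anything other than ISC_R_SUCCESS here (which the change appears to assume), state that in a comment above the check, e.g. `/* dns_rdatalist_tordataset() cannot fail for a freshly initialised rdataset */`. If it can fail, keep the `goto cleanup` path, which the second hunk now makes safe for an associated rdataset. The function body starts and ends outside this hunk.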
@@ -1254,6 +1253,9 @@ getquestions(isc_buffer_t *source, dns_message_t *msg, dns_decompress_t *dctx,
 
  cleanup:
        if (rdataset != NULL) {
+               if (dns_rdataset_isassociated(rdataset)) {
+                       dns_rdataset_disassociate(rdataset);
+               }
                dns_message_puttemprdataset(msg, &rdataset);
        }
 #if 0
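Review bot: The added `dns_rdataset_isassociated()` guard in the `cleanup:` path has no comment tying it to the precondition it protects, so a later refactor could drop it and reintroduce the crash described in the commit message. I would add something like `/* error paths after dns_rdatalist_tordataset() arrive here with rdataset still associated; disassociate it before returning it to the message */` above the new `if`. The page shows only lib/dns/message.c changing, so a regression test that parses a message with duplicate entries in the question section would be worth adding alongside this fix. The cleanup path continues past the `#if 0` outside this hunk.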