fixed an exploitable hang bug v9.7.7
authorEvan Hunt <each@isc.org>
Thu, 27 Sep 2012 00:21:02 +0000 (17:21 -0700)
committerEvan Hunt <each@isc.org>
Thu, 27 Sep 2012 00:21:02 +0000 (17:21 -0700)
3383. [security] A certain combination of records in the RBT could
                        cause named to hang while populating the additional
                        section of a response. [RT #31090]

CHANGES
bin/named/query.c

diff --git a/CHANGES b/CHANGES
index 589422846cc8b67ef7eae8413164854395684c54..09e8f2eaaa45ab642bc361fbaf977916bc38e3fd 100644 (file)
--- a/CHANGES
+++ b/CHANGES
@@ -1,5 +1,9 @@
        --- 9.7.7 released ---
 
+3383.  [security]      A certain combination of records in the RBT could
+                        cause named to hang while populating the additional
+                        section of a response. [RT #31090]
+
 3373.  [bug]           win32: open raw files in binary mode. [RT #30944]
 
 3364.  [security]      Named could die on specially crafted record.
index 2333bc0df2ef8fcda78fa373d0c45e235bfc6882..0b9bb3475237d45f709ef4fec5ae0c233eb46651 100644 (file)
@@ -1026,13 +1026,6 @@ query_isduplicate(ns_client_t *client, dns_name_t *name,
                mname = NULL;
        }
 
-       /*
-        * If the dns_name_t we're looking up is already in the message,
-        * we don't want to trigger the caller's name replacement logic.
-        */
-       if (name == mname)
-               mname = NULL;
-
        if (mnamep != NULL)
                *mnamep = mname;
 
@@ -1231,6 +1224,7 @@ query_addadditional(void *arg, dns_name_t *name, dns_rdatatype_t qtype) {
        if (dns_rdataset_isassociated(rdataset) &&
            !query_isduplicate(client, fname, type, &mname)) {
                if (mname != NULL) {
+                       INSIST(mname != fname);
                        query_releasename(client, &fname);
                        fname = mname;
                } else
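Review bot: The added `INSIST(mname != fname)` in the `mname != NULL` branch handles the aliased-name case by aborting named, whereas the other three call sites changed in this commit handle it with an `if (mname != fname)` guard. Because the query_isduplicate() hunk removes the `name == mname` filter, this assertion is now the only check before `query_releasename(client, &fname)`; if the invariant could ever be broken by zone or cache contents, the result would be an assertion failure instead of a hang, which is still a loss of service. Either document above the INSIST why fname cannot already be in the message at this point, or use the same `if (mname != fname) { ... }` guard as the A/AAAA sites. The code that sets up fname and the rest of the `else` arm are outside the hunk, so the invariant cannot be confirmed from the visible lines.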
@@ -1300,11 +1294,13 @@ query_addadditional(void *arg, dns_name_t *name, dns_rdatatype_t qtype) {
 #endif
                        if (!query_isduplicate(client, fname,
                                               dns_rdatatype_a, &mname)) {
-                               if (mname != NULL) {
-                                       query_releasename(client, &fname);
-                                       fname = mname;
-                               } else
-                                       need_addname = ISC_TRUE;
+                               if (mname != fname) {
+                                       if (mname != NULL) {
+                                               query_releasename(client, &fname);
+                                               fname = mname;
+                                       } else
+                                               need_addname = ISC_TRUE;
+                               }
                                ISC_LIST_APPEND(fname->list, rdataset, link);
                                added_something = ISC_TRUE;
                                if (sigrdataset != NULL &&
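Review bot: The new `if (mname != fname)` guard in the A-record branch carries no comment explaining the equal case, and the only explanation of it (the comment in query_isduplicate()) is deleted by this same commit. A comment such as `/* mname == fname: fname is presumably already in the message, so neither replace it nor add it again */` would record why both the release and `need_addname` are skipped. The identical guard is repeated in the AAAA hunk and in the query_addadditional2() hunk, so the comment applies there as well, and the three copies could be folded into one small static helper so a later fix cannot miss a site. The inner `else` should also be braced to match its braced `if` arm: `} else { need_addname = ISC_TRUE; }`.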
@@ -1357,11 +1353,13 @@ query_addadditional(void *arg, dns_name_t *name, dns_rdatatype_t qtype) {
 #endif
                        if (!query_isduplicate(client, fname,
                                               dns_rdatatype_aaaa, &mname)) {
-                               if (mname != NULL) {
-                                       query_releasename(client, &fname);
-                                       fname = mname;
-                               } else
-                                       need_addname = ISC_TRUE;
+                               if (mname != fname) {
+                                       if (mname != NULL) {
+                                               query_releasename(client, &fname);
+                                               fname = mname;
+                                       } else
+                                               need_addname = ISC_TRUE;
+                               }
                                ISC_LIST_APPEND(fname->list, rdataset, link);
                                added_something = ISC_TRUE;
                                if (sigrdataset != NULL &&
@@ -1884,22 +1882,24 @@ query_addadditional2(void *arg, dns_name_t *name, dns_rdatatype_t qtype) {
                    crdataset->type == dns_rdatatype_aaaa) {
                        if (!query_isduplicate(client, fname, crdataset->type,
                                               &mname)) {
-                               if (mname != NULL) {
-                                       /*
-                                        * A different type of this name is
-                                        * already stored in the additional
-                                        * section.  We'll reuse the name.
-                                        * Note that this should happen at most
-                                        * once.  Otherwise, fname->link could
-                                        * leak below.
-                                        */
-                                       INSIST(mname0 == NULL);
-
-                                       query_releasename(client, &fname);
-                                       fname = mname;
-                                       mname0 = mname;
-                               } else
-                                       need_addname = ISC_TRUE;
+                               if (mname != fname) {
+                                       if (mname != NULL) {
+                                               /*
+                                                * A different type of this name is
+                                                * already stored in the additional
+                                                * section.  We'll reuse the name.
+                                                * Note that this should happen at most
+                                                * once.  Otherwise, fname->link could
+                                                * leak below.
+                                                */
+                                               INSIST(mname0 == NULL);
+
+                                               query_releasename(client, &fname);
+                                               fname = mname;
+                                               mname0 = mname;
+                                       } else
+                                               need_addname = ISC_TRUE;
+                               }
                                ISC_LIST_UNLINK(cfname.list, crdataset, link);
                                ISC_LIST_APPEND(fname->list, crdataset, link);
                                added_something = ISC_TRUE;