From: Mark Andrews
Date: Fri, 5 Sep 2014 02:10:55 +0000 (+1000)
Subject: 3945. [bug] Invalid wildcard expansions could be incorrectly
X-Git-Tag: v9.9.6rc2~9
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=0ef83e5b5d25b0dd03002734ef214f1d70c3278f;p=thirdparty%2Fbind9.git
3945. [bug] Invalid wildcard expansions could be incorrectly accepted by the validator. [RT #37093]
(cherry picked from commit 2fa1fc53324c0fca978c902e883c7cc011210536)
---
diff --git a/CHANGES b/CHANGES
index 214c4d9323c..e3714b8ada1 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,6 @@
+3945. [bug] Invalid wildcard expansions could be incorrectly
+ accepted by the validator. [RT #37093]
+
 3942. [bug] Wildcard responses from a optout range should be marked as insecure. [RT #37072]
diff --git a/lib/dns/nsec.c b/lib/dns/nsec.c
index 5d1197d093b..6183ef281c0 100644
--- a/lib/dns/nsec.c
+++ b/lib/dns/nsec.c
@@ -436,7 +436,7 @@ dns_nsec_noexistnodata(dns_rdatatype_t type, dns_name_t *name,
 nlabels, &common);
 }
 result = dns_name_concatenate(dns_wildcardname, &common,
- wild, NULL);
+ wild, NULL);
 if (result != ISC_R_SUCCESS) {
 dns_rdata_freestruct(&nsec);
 (*logit)(arg, ISC_LOG_DEBUG(3),
diff --git a/lib/dns/resolver.c b/lib/dns/resolver.c
index ee9db11fb70..0f4ef6f4ccd 100644
--- a/lib/dns/resolver.c
+++ b/lib/dns/resolver.c
@@ -4922,10 +4922,17 @@ cache_name(fetchctx_t *fctx, dns_name_t *name, dns_adbaddrinfo_t *addrinfo,
 }
 }
- if (valrdataset != NULL)
- result = valcreate(fctx, addrinfo, name, fctx->type,
- valrdataset, valsigrdataset, valoptions,
- task);
+ if (valrdataset != NULL) {
+ dns_rdatatype_t vtype = fctx->type;
+ if (CHAINING(valrdataset)) {
+ if (valrdataset->type == dns_rdatatype_cname)
+ vtype = dns_rdatatype_cname;
+ else
+ vtype = dns_rdatatype_dname;
+ }
+ result = valcreate(fctx, addrinfo, name, vtype, valrdataset,
+ valsigrdataset, valoptions, task);
+ }
 if (result == ISC_R_SUCCESS && have_answer) {
 fctx->attributes |= FCTX_ATTR_HAVEANSWER;
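Review bot: The new `vtype` selection in cache_name carries no explanation of why a chaining rdataset is handed to valcreate as its own type rather than `fctx->type`, so a later reader cannot tell how this relates to the wildcard-validation bug named in the subject. A short why-comment above `dns_rdatatype_t vtype = fctx->type;` would fix that, e.g. `/* Validate a CNAME/DNAME chain element as its own type so the proofs are checked against the record actually present, not the original query type. */` — the intent is inferred from the surrounding change, so confirm the wording against the bug report. The inner if/else could also be a single conditional assignment. cache_name begins and ends outside the hunk.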
diff --git a/lib/dns/validator.c b/lib/dns/validator.c
index 5b74e6e55e7..0b203d88292 100644
--- a/lib/dns/validator.c
+++ b/lib/dns/validator.c
@@ -918,12 +918,26 @@ authvalidated(isc_task_t *task, isc_event_t *event) {
 devent->name;
 }
 if (!exists) {
+ dns_name_t *closest;
+ unsigned int clabels;
+ val->attributes |= VALATTR_FOUNDNOQNAME;
- val->attributes |= VALATTR_FOUNDCLOSEST;
+
+ closest = dns_fixedname_name(&val->closest);
+ clabels = dns_name_countlabels(closest);
+ /*
+ * If we are validating a wildcard response
+ * clabels will not be zero. We then need
+ * to check if the generated wilcard from
+ * dns_nsec_noexistnodata is consistent with
+ * the wildcard used to generate the response.
+ */
+ if (clabels == 0 ||
+ dns_name_countlabels(wild) == clabels + 1)
+ val->attributes |= VALATTR_FOUNDCLOSEST;
 /*
 * The NSEC noqname proof also contains
 * the closest encloser.
- */
 if (NEEDNOQNAME(val))
 proofs[DNS_VALIDATOR_NOQNAMEPROOF] =
@@ -2803,7 +2817,8 @@ nsecvalidate(dns_validator_t *val, isc_boolean_t resume) {
 if (!NEEDNODATA(val) && !NEEDNOWILDCARD(val) && NEEDNOQNAME(val)) {
 if (!FOUNDNOQNAME(val))
 findnsec3proofs(val);
- if (FOUNDNOQNAME(val) && FOUNDCLOSEST(val) && !FOUNDOPTOUT(val)) {
+ if (FOUNDNOQNAME(val) && FOUNDCLOSEST(val) &&
+ !FOUNDOPTOUT(val)) {
 validator_log(val, ISC_LOG_DEBUG(3),
 "marking as secure, noqname proof found");
 marksecure(val->event);
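Review bot: As rendered in this hunk, the line closing the "The NSEC noqname proof also contains the closest encloser" comment appears as removed (`- */`) with no replacement, which would leave the following `if (NEEDNOQNAME(val))` inside the comment; if that is not a collapse artifact of this page, the `*/` must stay. The new consistency check compares only label counts, `dns_name_countlabels(wild) == clabels + 1`, and the added comment does not say why a count comparison is enough — presumably because both `wild` and `closest` are derived from the same query name, so equal depth implies the same name; that reasoning should be stated and confirmed, e.g. `* Both names are suffixes of the query name, so matching label counts means the same closest encloser.` The added comment's "wilcard" should read "wildcard". `wild` is set before this hunk and authvalidated continues past it.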