From: Evan Hunt
Date: Wed, 17 Jan 2024 00:03:15 +0000 (-0800)
Subject: fix a message parsing regression
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=98ab8c81cc7739dc220aa3f50efa3061774de8ba;p=thirdparty%2Fbind9.git
fix a message parsing regression
the fix for CVE-2023-4408 introduced a regression in the message parser, which could cause a crash if duplicate rdatasets were found in the question section. this commit ensures that rdatasets are correctly disassociated and freed when this occurs.
(cherry picked from commit 4c19d35614f8cd80d8748156a5bad361e19abc28)
---
diff --git a/lib/dns/message.c b/lib/dns/message.c
index 258e83a29a4..e5ad60bc558 100644
--- a/lib/dns/message.c
+++ b/lib/dns/message.c
@@ -1206,8 +1206,7 @@ getquestions(isc_buffer_t *source, dns_message_t *msg, dns_decompress_t *dctx,
 rdatalist->rdclass = rdclass;
 result = dns_rdatalist_tordataset(rdatalist, rdataset);
- if (result != ISC_R_SUCCESS)
- goto cleanup;
+ RUNTIME_CHECK(result == ISC_R_SUCCESS);
 rdataset->attributes |= DNS_RDATASETATTR_QUESTION;
@@ -1254,6 +1253,9 @@ getquestions(isc_buffer_t *source, dns_message_t *msg, dns_decompress_t *dctx,
 cleanup:
 if (rdataset != NULL) {
+ if (dns_rdataset_isassociated(rdataset)) {
+ dns_rdataset_disassociate(rdataset);
+ }
 dns_message_puttemprdataset(msg, &rdataset);
 }
 #if 0
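Review bot: In the first hunk, `RUNTIME_CHECK(result == ISC_R_SUCCESS);` turns a failure of dns_rdatalist_tordataset() into a process abort inside getquestions(), which parses wire-format messages, and nothing next to the check says why that is acceptable. If the invariant is that the call cannot fail for the rdatalist built just above, state it at the check, for example `/* tordataset cannot fail here; a failure is a programming error, not bad input */`. If it can fail for input-dependent reasons, an error return through `cleanup` would be the safer choice, since the second hunk makes that path release an associated rdataset. The body of getquestions() starts and ends outside this hunk.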
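Review bot: In the `cleanup:` hunk, the new `dns_rdataset_isassociated()` guard has no comment saying which exits reach it with an associated rdataset, or why it must be disassociated before `dns_message_puttemprdataset()`. Going by the commit message this is the duplicate-question path, so a comment such as `/* a bail-out after dns_rdatalist_tordataset() leaves rdataset associated; release it before handing it back to msg */` would help keep a later edit from reintroducing the crash. No test accompanies the change in this patch; a parser test covering a message with a repeated question entry would pin the behaviour. The function body extends beyond the hunk on both sides.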