From: Mark Andrews <marka@isc.org>
Date: Wed, 15 Feb 2017 01:18:51 +0000 (+1100)
Subject: 4575.   [security]      Dns64 with break-dnssec yes; can result in a
X-Git-Tag: v9.11.1rc2~20
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=b81977ae70138c9befd8fa4bb66b6145e1986561;p=thirdparty%2Fbind9.git

4575.   [security]      Dns64 with break-dnssec yes; can result in a
                        assertion failure. (CVE-2017-3136) [RT #44653]

(cherry picked from commit 3bce12e4b6d37f570ffc7747b499f8b90e8521ac)
---

diff --git a/CHANGES b/CHANGES
index 454b3041d68..d2d63c5940b 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,6 @@
+4575.	[security]	Dns64 with break-dnssec yes; can result in a
+			assertion failure. (CVE-2017-3136) [RT #44653]
+
 	--- 9.11.1rc1 released ---
 
 4571.	[bug]		Out-of-tree builds of backtrace_test failed.
diff --git a/bin/named/query.c b/bin/named/query.c
index dd46d50ee59..3b71df55d1e 100644
--- a/bin/named/query.c
+++ b/bin/named/query.c
@@ -8740,6 +8740,7 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype)
 			result = query_dns64(client, &fname, rdataset,
 					     sigrdataset, dbuf,
 					     DNS_SECTION_ANSWER);
+			noqname = NULL;
 			dns_rdataset_disassociate(rdataset);
 			dns_message_puttemprdataset(client->message, &rdataset);
 			if (result == ISC_R_NOMORE) {