From 77409aab0be43071b365760213894d6388c3df30 Mon Sep 17 00:00:00 2001
From: Otto Moerbeek <otto.moerbeek@open-xchange.com>
Date: Mon, 12 Oct 2020 10:08:08 +0200
Subject: [PATCH] Backport of CVE-2020-25829 (any-cache-update) to 4.1.x

---
 pdns/recursor_cache.cc | 10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)

diff --git a/pdns/recursor_cache.cc b/pdns/recursor_cache.cc
index 9ccecf8c59..216245ca43 100644
--- a/pdns/recursor_cache.cc
+++ b/pdns/recursor_cache.cc
@@ -413,9 +413,14 @@ bool MemRecursorCache::doAgeCache(time_t now, const DNSName& name, uint16_t qtyp
 
 bool MemRecursorCache::updateValidationStatus(time_t now, const DNSName &qname, const QType& qt, const ComboAddress& who, bool requireAuth, vState newState)
 {
+  if (qt == QType::ANY || qt == QType::ADDR) {
+    // not doing that
+    return false;
+  }
+
   bool updated = false;
   uint16_t qtype = qt.getCode();
-  if (qtype != QType::ANY && qtype != QType::ADDR && !d_ecsIndex.empty()) {
+  if (!d_ecsIndex.empty()) {
     auto entry = getEntryUsingECSIndex(now, qname, qtype, requireAuth, who);
     if (entry == d_cache.end()) {
       return false;
@@ -434,8 +439,7 @@ bool MemRecursorCache::updateValidationStatus(time_t now, const DNSName &qname,
     i->d_state = newState;
     updated = true;
 
-    if(qtype != QType::ANY && qtype != QType::ADDR) // normally if we have a hit, we are done
-      break;
+    break;
   }
 
   return updated;
-- 
2.47.2