]> git.ipfire.org Git - thirdparty/bind9.git/commitdiff
3945. [bug] Invalid wildcard expansions could be incorrectly
authorMark Andrews <marka@isc.org>
Fri, 5 Sep 2014 02:10:55 +0000 (12:10 +1000)
committerMark Andrews <marka@isc.org>
Fri, 5 Sep 2014 02:10:55 +0000 (12:10 +1000)
                        accepted by the validator. [RT #37093]

CHANGES
lib/dns/nsec.c
lib/dns/resolver.c
lib/dns/validator.c

diff --git a/CHANGES b/CHANGES
index 5b39789c15dd912f0a45b2cf58a644cefb5139b9..45e15e9f920de529e652ffecb77685a3e51ba22a 100644 (file)
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,6 @@
+3945.  [bug]           Invalid wildcard expansions could be incorrectly
+                       accepted by the validator. [RT #37093]
+
 3944.  [test]          Added a regression test for "server-id". [RT #37057]
 
 3943.  [func]          SERVFAIL responses can now be cached for a
index 5d1197d093b09b4584aff14b9b37794dcb85cc12..6183ef281c02ef938530d43166d3a3792ac27928 100644 (file)
@@ -436,7 +436,7 @@ dns_nsec_noexistnodata(dns_rdatatype_t type, dns_name_t *name,
                                                  nlabels, &common);
                }
                result = dns_name_concatenate(dns_wildcardname, &common,
-                                              wild, NULL);
+                                             wild, NULL);
                if (result != ISC_R_SUCCESS) {
                        dns_rdata_freestruct(&nsec);
                        (*logit)(arg, ISC_LOG_DEBUG(3),
index ed8ba80652c3914acbb8147715619c8fda7161c1..96f758696aa5832ee698a1a4c62511139283b21b 100644 (file)
@@ -5271,10 +5271,17 @@ cache_name(fetchctx_t *fctx, dns_name_t *name, dns_adbaddrinfo_t *addrinfo,
                }
        }
 
-       if (valrdataset != NULL)
-               result = valcreate(fctx, addrinfo, name, fctx->type,
-                                  valrdataset, valsigrdataset, valoptions,
-                                  task);
+       if (valrdataset != NULL) {
+               dns_rdatatype_t vtype = fctx->type;
+               if (CHAINING(valrdataset)) {
+                       if (valrdataset->type == dns_rdatatype_cname)
+                               vtype = dns_rdatatype_cname;
+                       else
+                               vtype = dns_rdatatype_dname;
+               }
+               result = valcreate(fctx, addrinfo, name, vtype, valrdataset,
+                                  valsigrdataset, valoptions, task);
+       }
 
        if (result == ISC_R_SUCCESS && have_answer) {
                fctx->attributes |= FCTX_ATTR_HAVEANSWER;
index 11e1197bdbb0a38a5cfe7cf559e423d85f88eead..8b93e49babdd9b50062505eab9737fb93d0500d6 100644 (file)
@@ -909,12 +909,26 @@ authvalidated(isc_task_t *task, isc_event_t *event) {
                                                devent->name;
                        }
                        if (!exists) {
+                               dns_name_t *closest;
+                               unsigned int clabels;
+
                                val->attributes |= VALATTR_FOUNDNOQNAME;
-                               val->attributes |= VALATTR_FOUNDCLOSEST;
+
+                               closest = dns_fixedname_name(&val->closest);
+                               clabels = dns_name_countlabels(closest);
+                               /*
+                                * If we are validating a wildcard response
+                                * clabels will not be zero.  We then need
+                                * to check if the generated wilcard from
+                                * dns_nsec_noexistnodata is consistent with
+                                * the wildcard used to generate the response.
+                                */
+                               if (clabels == 0 ||
+                                   dns_name_countlabels(wild) == clabels + 1)
+                                       val->attributes |= VALATTR_FOUNDCLOSEST;
                                /*
                                 * The NSEC noqname proof also contains
                                 * the closest encloser.
-
                                 */
                                if (NEEDNOQNAME(val))
                                        proofs[DNS_VALIDATOR_NOQNAMEPROOF] =
@@ -2805,7 +2819,8 @@ nsecvalidate(dns_validator_t *val, isc_boolean_t resume) {
        if (!NEEDNODATA(val) && !NEEDNOWILDCARD(val) && NEEDNOQNAME(val)) {
                if (!FOUNDNOQNAME(val))
                        findnsec3proofs(val);
-               if (FOUNDNOQNAME(val) && FOUNDCLOSEST(val) && !FOUNDOPTOUT(val)) {
+               if (FOUNDNOQNAME(val) && FOUNDCLOSEST(val) &&
+                   !FOUNDOPTOUT(val)) {
                        validator_log(val, ISC_LOG_DEBUG(3),
                                      "marking as secure, noqname proof found");
                        marksecure(val->event);