[v9_6_ESV_R9_patch] [v9_6_ESV_R9_patch] [v9_6_ESV_R9_patch] assertion failure in... v9.6-ESV-R9-P1
authorEvan Hunt <each@isc.org>
Tue, 4 Jun 2013 18:26:38 +0000 (11:26 -0700)
committerEvan Hunt <each@isc.org>
Tue, 4 Jun 2013 18:30:48 +0000 (11:30 -0700)
3584. [security] Caching data from an incompletely signed zone could
trigger an assertion failure in resolver.c [RT #33690]
(cherry picked from commit 276457f7a38f56a5f762238ab89bb45e27948af6)

CHANGES
lib/dns/resolver.c
version

diff --git a/CHANGES b/CHANGES
index 40f9500339f861d02084560986c57426c095c0f7..6edd4a9869547db96e00900681c38cfa37f5e9ad 100644 (file)
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,8 @@
+       --- 9.6-ESV-R9-P1 released ---
+
+3584.  [security]      Caching data from an incompletely signed zone could
+                       trigger an assertion failure in resolver.c [RT #33690]
+
        --- 9.6-ESV-R9 released ---
 
 3568.  [cleanup]       Add a product description line to the version file,
index d46091189c8eb3e4b8d148276cf235b3871cd3a7..3d395f44eb203403658baebedfed81bd091b9ffa 100644 (file)
@@ -4372,7 +4372,7 @@ fctx_log(void *arg, int level, const char *fmt, ...) {
 
 static inline isc_result_t
 findnoqname(fetchctx_t *fctx, dns_name_t *name, dns_rdatatype_t type,
-           dns_name_t **noqname)
+           dns_name_t **noqnamep)
 {
        dns_rdataset_t *nrdataset, *next, *sigrdataset;
        dns_rdata_rrsig_t rrsig;
@@ -4385,10 +4385,12 @@ findnoqname(fetchctx_t *fctx, dns_name_t *name, dns_rdatatype_t type,
        dns_fixedname_t fclosest;
        dns_name_t *nearest;
        dns_fixedname_t fnearest;
+       dns_rdatatype_t found = dns_rdatatype_none;
+       dns_name_t *noqname = NULL;
 
        FCTXTRACE("findnoqname");
 
-       REQUIRE(noqname != NULL && *noqname == NULL);
+       REQUIRE(noqnamep != NULL && *noqnamep == NULL);
 
        /*
         * Find the SIG for this rdataset, if we have it.
@@ -4457,8 +4459,10 @@ findnoqname(fetchctx_t *fctx, dns_name_t *name, dns_rdatatype_t type,
                                                        &data, NULL, fctx_log,
                                                        fctx)))
                        {
-                               if (!exists)
-                                       *noqname = nsec;
+                               if (!exists) {
+                                       noqname = nsec;
+                                       found = dns_rdatatype_nsec;
+                               }
                        }
 
                        if (nrdataset->type == dns_rdatatype_nsec3 &&
@@ -4471,13 +4475,26 @@ findnoqname(fetchctx_t *fctx, dns_name_t *name, dns_rdatatype_t type,
                                                         closest, nearest,
                                                         fctx_log, fctx)))
                        {
-                               if (!exists && setnearest)
-                                       *noqname = nsec;
+                               if (!exists && setnearest) {
+                                       noqname = nsec;
+                                       found = dns_rdatatype_nsec3;
+                               }
                        }
                }
        }
        if (result == ISC_R_NOMORE)
                result = ISC_R_SUCCESS;
+       if (noqname != NULL) {
+               for (sigrdataset = ISC_LIST_HEAD(noqname->list);
+                    sigrdataset != NULL;
+                    sigrdataset = ISC_LIST_NEXT(sigrdataset, link)) {
+                       if (sigrdataset->type == dns_rdatatype_rrsig &&
+                           sigrdataset->covers == found)
+                               break;
+               }
+               if (sigrdataset != NULL)
+                       *noqnamep = noqname;
+       }
        return (result);
 }
 
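Review bot: The post-loop block that walks `noqname->list` carries no comment explaining why a candidate is dropped when no matching RRSIG is attached, although that check is the security fix itself. I would add above `if (noqname != NULL)` a comment such as `/* Report noqname only if it has an RRSIG covering the NSEC/NSEC3 type we matched; an unsigned proof from an incompletely signed zone must not reach the caller. */`. The check runs once, on whichever candidate the loop assigned last, because the assignments in this hunk and the preceding one overwrite `noqname` and `found`. A signed earlier candidate followed by an unsigned later one therefore yields no result, which fails safe but is worth stating in the same comment. The loop also reuses `sigrdataset` rather than a dedicated local, and the enclosing loops start outside this hunk, so whether that variable is read again afterwards cannot be confirmed from here.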
diff --git a/version b/version
index c552aaffbc75eec4d7876beadb5a1f82ddb054e0..25e5b99d238f1731ff9829ef973f721d200b118b 100644 (file)
--- a/version
+++ b/version
@@ -9,4 +9,4 @@ MAJORVER=9
 MINORVER=6
 PATCHVER=
 RELEASETYPE=-ESV
-RELEASEVER=-R9
+RELEASEVER=-R9-P1