+4508. [security] Named incorrectly tried to cache TKEY records which
+ could trigger a assertion failure when there was
+ a class mismatch. (CVE-2016-9131) [RT #43522]
+
--- 9.10.4-P4 released ---
4489. [security] It was possible to trigger assertions when processing
log_formerr(fctx, "NSEC3 in answer");
return (DNS_R_FORMERR);
}
+ if (rdataset->type == dns_rdatatype_tkey) {
+ /*
+ * TKEY is not a valid record in a
+ * response to any query we can make.
+ */
+ log_formerr(fctx, "TKEY in answer");
+ return (DNS_R_FORMERR);
+ }
+ if (rdataset->rdclass != fctx->res->rdclass) {
+ log_formerr(fctx, "Mismatched class "
+ "in answer");
+ return (DNS_R_FORMERR);
+ }
/*
* Apply filters, if given, on answers to reject
rdataset != NULL;
rdataset = ISC_LIST_NEXT(rdataset, link))
{
+ if (rdataset->rdclass != fctx->res->rdclass) {
+ log_formerr(fctx, "Mismatched class "
+ "in answer");
+ return (DNS_R_FORMERR);
+ }
+
/*
* Only pass DNAME or RRSIG(DNAME).
*/
projects / thirdparty / bind9.git / commitdiff
