From: Evan Hunt Date: Thu, 23 Feb 2017 23:28:52 +0000 (-0800) Subject: [v9_11_0_patch] remove unnecessary INSIST and prep 9.11.1-P4 X-Git-Tag: v9.11.0-P5~10 X-Git-Url: http://git.ipfire.org/gitweb/?a=commitdiff_plain;h=667e214d9b53c17b2e2c372af3f1fdc0f0275d16;p=thirdparty%2Fbind9.git [v9_11_0_patch] remove unnecessary INSIST and prep 9.11.1-P4 4578. [security] Some chaining (CNAME or DNAME) responses to upstream queries could trigger assertion failures. (CVE-2017-3137) [RT #44734] (cherry picked from commit a1365a0042db8c1cd0ee4dbd0c91ce65ae09e098) (cherry picked from commit 559cbe04e73cf601784a371e09554c20407a6c7b) --- diff --git a/CHANGES b/CHANGES index 9b8d7e9225d..ed04e8543a0 100644 --- a/CHANGES +++ b/CHANGES @@ -1,5 +1,9 @@ --- 9.11.0-P4 released --- +4578. [security] Some chaining (CNAME or DNAME) responses to upstream + queries could trigger assertion failures. + (CVE-2017-3137) [RT #44734] + 4575. [security] DNS64 with "break-dnssec yes;" can result in an assertion failure. (CVE-2017-3136) [RT #44653] diff --git a/README b/README index f12f764611f..184ff02f9d5 100644 --- a/README +++ b/README @@ -53,8 +53,8 @@ BIND 9 BIND 9.11.0-P4 - This version contains a fix for CVE-2017-3136, and updates - the built in trusted keys for the root zone. + This version contains fixes for CVE-2017-3136 and CVE-2017-3137, + and updates the built in trusted keys for the root zone. BIND 9.11.0-P3 
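Review bot: the README hunk updates the "BIND 9.11.0-P4" entry and the CHANGES hunk files 4578 under "--- 9.11.0-P4 released ---", but the subject line says "prep 9.11.1-P4"; correct the subject to 9.11.0-P4 so the log matches the files (the tag v9.11.0-P5~10 also places this on the 9.11.0 patch line). The wording itself is fine: "fixes for CVE-2017-3136 and CVE-2017-3137" reads correctly once the second CVE is added.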
@@ -88,9 +88,9 @@ BIND 9.11.0 from an external database, developed by Red Hat for the FreeIPA project. - "fetchlimit" quotas are now compiled in by default. These - are for the use of recursive resolvers that are are under - high query load for domains whose authoritative servers are - nonresponsive or are experiencing a denial of service attack: + are for the use of recursive resolvers that are are under + high query load for domains whose authoritative servers are + nonresponsive or are experiencing a denial of service attack: + "fetches-per-server" limits the number of simultaneous queries that can be sent to any single authoritative server. The configured value is a starting point; it is automatically diff --git a/doc/arm/notes.xml b/doc/arm/notes.xml index de74dc3eeb4..4bf082ce9e9 100644 --- a/doc/arm/notes.xml +++ b/doc/arm/notes.xml @@ -77,11 +77,18 @@
Security Fixes + + + Some chaining (i.e., type CNAME or DNAME) responses to upstream + queries could trigger assertion failures. This flaw is disclosed + in CVE-2017-3137. [RT #44734] + + dns64 with break-dnssec yes; can result in an assertion failure. This flaw is disclosed in - CVE-2017-3136.[RT #44653] + CVE-2017-3136. [RT #44653] diff --git a/lib/dns/api b/lib/dns/api index dbeb6d15879..1fd2092f0da 100644 --- a/lib/dns/api +++ b/lib/dns/api @@ -7,5 +7,5 @@ # 9.10: 140-149 # 9.11: 160-169 LIBINTERFACE = 166 -LIBREVISION = 5 +LIBREVISION = 6 LIBAGE = 0 diff --git a/lib/dns/resolver.c b/lib/dns/resolver.c index 80cf5a7c76f..dc751e4f7b9 100644 --- a/lib/dns/resolver.c +++ b/lib/dns/resolver.c @@ -7000,15 +7000,15 @@ answer_response(fetchctx_t *fctx) { rdataset->attributes |= DNS_RDATASETATTR_CACHE; rdataset->trust = dns_trust_answer; - if (chaining == 0) { + if (external) { /* - * This data is "the" answer - * to our question only if - * we're not chaining (i.e. - * if we haven't followed - * a CNAME or DNAME). + * This data is outside of + * our query domain, and + * may not be cached. */ - INSIST(!external); + rdataset->attributes |= + DNS_RDATASETATTR_EXTERNAL; + } else if (chaining == 0) { /* * Don't use found_cname here * as we have just set it @@ -7030,14 +7030,6 @@ answer_response(fetchctx_t *fctx) { if (aa) rdataset->trust = dns_trust_authanswer; - } else if (external) { - /* - * This data is outside of - * our query domain, and - * may not be cached. - */ - rdataset->attributes |= - DNS_RDATASETATTR_EXTERNAL; } /* 
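Review bot: in the reordered branch at @@ -7000, an rdataset for which external is set now gets DNS_RDATASETATTR_EXTERNAL added on top of the DNS_RDATASETATTR_CACHE attribute and the dns_trust_answer value assigned in the unchanged lines immediately above it, while the branch's own comment says the data "may not be cached"; either clear the CACHE attribute inside the external branch or say in the comment that EXTERNAL is honoured ahead of CACHE when the rdataset is stored, so the next reader does not have to guess. The removed INSIST(!external) is the assertion the subject line calls unnecessary, and moving the external test ahead of the chaining == 0 test is the fix, but the explanatory comment that was deleted with it ("This data is "the" answer to our question only if we're not chaining") should be kept on the else-if (chaining == 0) branch, since that is still the reason the answer handling below it is limited to the non-chaining case.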
@@ -7212,15 +7204,12 @@ answer_response(fetchctx_t *fctx) { * If we are not chaining or the first CNAME * is a synthesised CNAME before the DNAME. */ - if ((chaining == 0) || - (chaining == 1U && synthcname)) + if (external) { + rdataset->attributes |= + DNS_RDATASETATTR_EXTERNAL; + } else if ((chaining == 0) || + (chaining == 1U && synthcname)) { - /* - * This data is "the" answer to - * our question only if we're - * not chaining. - */ - INSIST(!external); if (aflag == DNS_RDATASETATTR_ANSWER) { have_answer = ISC_TRUE; found_dname = ISC_TRUE; @@ -7237,9 +7226,6 @@ answer_response(fetchctx_t *fctx) { if (aa) rdataset->trust = dns_trust_authanswer; - } else if (external) { - rdataset->attributes |= - DNS_RDATASETATTR_EXTERNAL; } }
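Review bot: at @@ -7212 the comment "If we are not chaining or the first CNAME is a synthesised CNAME before the DNAME." now sits directly above if (external) {, but it describes the condition on the new else if ((chaining == 0) || (chaining == 1U && synthcname)) branch; move it down to that branch or extend it to say that data outside the query domain is flagged first. As in the earlier hunk, the external branch only ORs in DNS_RDATASETATTR_EXTERNAL and leaves the attributes and trust set before it untouched, so please confirm that is intended for the DNAME path as well. With INSIST(!external) gone and nothing put in its place, a response that reaches this path is now indistinguishable in the logs from an ordinary non-chaining answer; if that diagnostic is worth keeping, a debug-level log line in the external branch would preserve it without the assertion.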
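Review bot: the README hunk at @@ -88,9 is whitespace-only (the three removed lines are re-added with identical text) and it re-adds the doubled word in "that are are under"; since these lines are being rewritten anyway, change it to "that are under" so the whitespace cleanup does not carry the typo forward.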