From: Mark Andrews Date: Tue, 14 Mar 2017 04:07:00 +0000 (+1100) Subject: 4580. [bug] 4578 introduced a regression when handling CNAME to X-Git-Tag: v9.10.4-P8~4 X-Git-Url: http://git.ipfire.org/gitweb/?a=commitdiff_plain;h=7849594a6fe3a2f5bec642d1f4930726db84ebca;p=thirdparty%2Fbind9.git 4580. [bug] 4578 introduced a regression when handling CNAME to referral below the current domain. [RT #44850] (cherry picked from commit 638c7c635ddab0b717a675f49b1180dbf8ef803e)
---
diff --git a/CHANGES b/CHANGES
index 5a18254593b..fd13d9e84b0 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,8 @@
+ --- 9.10.4-P8 released ---
+
+4580. [bug] 4578 introduced a regression when handling CNAME to
+ referral below the current domain. [RT #44850]
+
 --- 9.10.4-P7 released ---
 
 4578. [security] Some chaining (CNAME or DNAME) responses to upstream
diff --git a/lib/dns/api b/lib/dns/api
index 8fa2c191077..263a3eceec1 100644
--- a/lib/dns/api
+++ b/lib/dns/api
@@ -6,5 +6,5 @@
 # 9.9-sub: 130-139, 150-159
 # 9.10: 140-149, 160-169
 LIBINTERFACE = 165
-LIBREVISION = 6
+LIBREVISION = 7
 LIBAGE = 0
diff --git a/lib/dns/resolver.c b/lib/dns/resolver.c
index 4704ef0c553..1ba7aae1dd6 100644
--- a/lib/dns/resolver.c
+++ b/lib/dns/resolver.c
@@ -6156,7 +6156,7 @@ is_answeraddress_allowed(dns_view_t *view, dns_name_t *name,
 
 static isc_boolean_t
 is_answertarget_allowed(fetchctx_t *fctx, dns_name_t *qname, dns_name_t *rname,
- dns_rdataset_t *rdataset)
+ dns_rdataset_t *rdataset, isc_boolean_t *chainingp)
 {
 isc_result_t result;
 dns_rbtnode_t *node = NULL;
@@ -6177,8 +6177,11 @@ is_answertarget_allowed(fetchctx_t *fctx, dns_name_t *qname, dns_name_t *rname,
 REQUIRE(rdataset->type == dns_rdatatype_cname ||
 rdataset->type == dns_rdatatype_dname);
 
- /* By default, we allow any target name. */
- if (view->denyanswernames == NULL)
+ /*
+ * By default, we allow any target name.
+ * If newqname != NULL we also need to extract the newqname.
+ */
+ if (chainingp == NULL && view->denyanswernames == NULL)
 return (ISC_TRUE);
 
 result = dns_rdataset_first(rdataset);
@@ -6201,7 +6204,7 @@ is_answertarget_allowed(fetchctx_t *fctx, dns_name_t *qname, dns_name_t *rname,
 dns_name_split(qname, nlabels, &prefix, NULL);
 result = dns_name_concatenate(&prefix, &dname.dname, tname, NULL);
- if (result == ISC_R_NOSPACE)
+ if (result == DNS_R_NAMETOOLONG)
 return (ISC_TRUE);
 RUNTIME_CHECK(result == ISC_R_SUCCESS);
 break;
@@ -6209,6 +6212,12 @@ is_answertarget_allowed(fetchctx_t *fctx, dns_name_t *qname, dns_name_t *rname,
 INSIST(0);
 }
 
+ if (chainingp != NULL)
+ *chainingp = ISC_TRUE;
+
+ if (view->denyanswernames == NULL)
+ return (ISC_TRUE);
+
 /*
 * If the owner name matches one in the exclusion list, either exactly
 * or partially, allow it.
@@ -6902,7 +6911,7 @@ answer_response(fetchctx_t *fctx) {
 if ((rdataset->type == dns_rdatatype_cname ||
 rdataset->type == dns_rdatatype_dname) &&
 !is_answertarget_allowed(fctx, qname, aname,
- rdataset))
+ rdataset, NULL))
 {
 return (DNS_R_SERVFAIL);
 }
@@ -6925,7 +6934,9 @@ answer_response(fetchctx_t *fctx) {
 }
 if ((ardataset->type == dns_rdatatype_cname ||
 ardataset->type == dns_rdatatype_dname) &&
- !is_answertarget_allowed(fctx, qname, aname, ardataset)) {
+ !is_answertarget_allowed(fctx, qname, aname, ardataset,
+ NULL))
+ {
 return (DNS_R_SERVFAIL);
 }
 aname->attributes |= DNS_NAMEATTR_CACHE;
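Review bot: The comment added above the early return refers to `newqname`, which is not a parameter of is_answertarget_allowed; the new out-parameter is `chainingp`, so the comment documents something that does not exist, and this is also the only place the parameter's contract is described. I would reword the second line to `* If chainingp != NULL we must still walk the rdataset so the caller learns that the answer chains on.` and leave the denyanswernames sentence as it is. The function's remaining body and the switch that sets the flag lie outside this hunk.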
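Review bot: The `DNS_R_NAMETOOLONG` branch returns ISC_TRUE before reaching the `*chainingp = ISC_TRUE` assignment the following hunk adds after the switch, so a DNAME whose synthesized target is too long is reported as allowed but not as chaining. With the unconditional `chaining = ISC_TRUE;` removed in the @@ -7019 hunk, answer_response would then presumably skip its `if (chaining)` early return and handle the reply as if it were complete, which differs from what the previous code did for this case. Setting the flag before returning keeps the old behaviour: `if (result == DNS_R_NAMETOOLONG) { if (chainingp != NULL) *chainingp = ISC_TRUE; return (ISC_TRUE); }`. The enclosing switch case starts outside the hunk.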
@@ -6960,7 +6971,9 @@ answer_response(fetchctx_t *fctx) {
 log_formerr(fctx, "CNAME response for %s RR", buf);
 return (DNS_R_FORMERR);
 }
- if (!is_answertarget_allowed(fctx, qname, cname, crdataset)) {
+ if (!is_answertarget_allowed(fctx, qname, cname, crdataset,
+ NULL))
+ {
 return (DNS_R_SERVFAIL);
 }
 cname->attributes |= DNS_NAMEATTR_CACHE;
@@ -6992,7 +7005,8 @@ answer_response(fetchctx_t *fctx) {
 if (!validinanswer(drdataset, fctx)) {
 return (DNS_R_FORMERR);
 }
- if (!is_answertarget_allowed(fctx, qname, dname, drdataset)) {
+ if (!is_answertarget_allowed(fctx, qname, dname, drdataset,
+ &chaining)) {
 return (DNS_R_SERVFAIL);
 }
 dname->attributes |= DNS_NAMEATTR_CACHE;
@@ -7019,7 +7033,6 @@ answer_response(fetchctx_t *fctx) {
 sigrdataset->trust = trust;
 break;
 }
- chaining = ISC_TRUE;
 } else {
 log_formerr(fctx, "reply has no answer");
 return (DNS_R_FORMERR);
@@ -7034,13 +7047,7 @@ answer_response(fetchctx_t *fctx) {
 * Did chaining end before we got the final answer?
 */
 if (chaining) {
- /*
- * Yes. This may be a negative reply, so hand off
- * authority section processing to the noanswer code.
- * If it isn't a noanswer response, no harm will be
- * done.
- */
- return (noanswer_response(fctx, qname, 0));
+ return (ISC_R_SUCCESS);
 }
 
 /*
diff --git a/version b/version
index e394b22aed0..1964d308efd 100644
--- a/version
+++ b/version
@@ -7,5 +7,5 @@ MAJORVER=9
 MINORVER=10
 PATCHVER=4
 RELEASETYPE=-P
-RELEASEVER=7
+RELEASEVER=8
 EXTENSIONS=
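Review bot: The bare `return (ISC_R_SUCCESS);` in the @@ -7034 hunk replaces a six-line comment that explained why an unfinished chain was handed to noanswer_response, and the new code gives no reason why ending the chain early is now reported as success. A one-line comment would preserve that reasoning, for example `/* Yes: report success and let the caller continue from the new qname (RT #44850). */`. Whether the caller actually re-queries from the new name cannot be seen from this hunk, so adjust the wording to match the real follow-up path; answer_response continues past the end of the hunk.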