- Fix that dns64 cleans up the allocated message if the adjust

  routines fail, and checks if there is a reply before cache
  store, also unbound checks if A and AAAA are malformed
  for auth-zones. Thanks to Qifan Zhang, Palo Alto Networks,
  for the report.

diff --git a/dns64/dns64.c b/dns64/dns64.c
index fdcc1b41d0aba09f54c205566228cd2621ed6b26..4b1c20270c0f1525806ef456528e0dc10a905009 100644 (file)
--- a/dns64/dns64.c
+++ b/dns64/dns64.c
@@ -832,6 +832,7 @@ dns64_adjust_a(int id, struct module_qstate* super, struct module_qstate* qstate
        size_t i, s;
        struct packed_rrset_data* fd, *dd;
        struct ub_packed_rrset_key* fk, *dk;
        size_t i, s;
        struct packed_rrset_data* fd, *dd;
        struct ub_packed_rrset_key* fk, *dk;

+       int allocated_return_msg = 0;

 
        verbose(VERB_ALGO, "converting A answers to AAAA answers");
 
 
        verbose(VERB_ALGO, "converting A answers to AAAA answers");
 


@@ -847,6 +848,7 @@ dns64_adjust_a(int id, struct module_qstate* super, struct module_qstate* qstate
                        return;
                memset(super->return_msg, 0, sizeof(*super->return_msg));
                super->return_msg->qinfo = super->qinfo;
                        return;
                memset(super->return_msg, 0, sizeof(*super->return_msg));
                super->return_msg->qinfo = super->qinfo;

+               allocated_return_msg = 1;

        }
 
        rep = qstate->return_msg->rep;
        }
 
        rep = qstate->return_msg->rep;


@@ -859,11 +861,14 @@ dns64_adjust_a(int id, struct module_qstate* super, struct module_qstate* qstate
                rep->serve_expired_norec_ttl,
                rep->an_numrrsets, rep->ns_numrrsets, rep->ar_numrrsets,
                rep->rrset_count, rep->security, LDNS_EDE_NONE);
                rep->serve_expired_norec_ttl,
                rep->an_numrrsets, rep->ns_numrrsets, rep->ar_numrrsets,
                rep->rrset_count, rep->security, LDNS_EDE_NONE);

-       if(!cp)
+       if(!cp) {
+               if(allocated_return_msg) super->return_msg = NULL;

                return;
                return;

+       }

 
        /* allocate ub_key structures special or not */
        if(!reply_info_alloc_rrset_keys(cp, NULL, super->region)) {
 
        /* allocate ub_key structures special or not */
        if(!reply_info_alloc_rrset_keys(cp, NULL, super->region)) {

+               if(allocated_return_msg) super->return_msg = NULL;

                return;
        }
 
                return;
        }
 


@@ -878,8 +883,10 @@ dns64_adjust_a(int id, struct module_qstate* super, struct module_qstate* qstate
                if(i<rep->an_numrrsets && fk->rk.type == htons(LDNS_RR_TYPE_A)) {
                        /* also sets dk->entry.hash */
                        dns64_synth_aaaa_data(fk, fd, dk, &dd, super->region, dns64_env);
                if(i<rep->an_numrrsets && fk->rk.type == htons(LDNS_RR_TYPE_A)) {
                        /* also sets dk->entry.hash */
                        dns64_synth_aaaa_data(fk, fd, dk, &dd, super->region, dns64_env);

-                       if(!dd)
+                       if(!dd) {
+                               if(allocated_return_msg) super->return_msg = NULL;

                                return;
                                return;

+                       }

                        /* Delete negative AAAA record from cache stored by
                         * the iterator module */
                        rrset_cache_remove(super->env->rrset_cache, dk->rk.dname, 
                        /* Delete negative AAAA record from cache stored by
                         * the iterator module */
                        rrset_cache_remove(super->env->rrset_cache, dk->rk.dname, 


@@ -896,15 +903,19 @@ dns64_adjust_a(int id, struct module_qstate* super, struct module_qstate* qstate
                        dk->rk.dname = (uint8_t*)regional_alloc_init(super->region,
                                fk->rk.dname, fk->rk.dname_len);
 
                        dk->rk.dname = (uint8_t*)regional_alloc_init(super->region,
                                fk->rk.dname, fk->rk.dname_len);
 

-                       if(!dk->rk.dname)
+                       if(!dk->rk.dname) {
+                               if(allocated_return_msg) super->return_msg = NULL;

                                return;
                                return;

+                       }

 
                        s = packed_rrset_sizeof(fd);
                        dd = (struct packed_rrset_data*)regional_alloc_init(
                                super->region, fd, s);
 
 
                        s = packed_rrset_sizeof(fd);
                        dd = (struct packed_rrset_data*)regional_alloc_init(
                                super->region, fd, s);
 

-                       if(!dd)
+                       if(!dd) {
+                               if(allocated_return_msg) super->return_msg = NULL;

                                return;
                                return;

+                       }

                }
 
                packed_rrset_ptr_fixup(dd);
                }
 
                packed_rrset_ptr_fixup(dd);


@@ -1015,7 +1026,8 @@ dns64_inform_super(struct module_qstate* qstate, int id,
        }
 
        /* Store the generated response in cache. */
        }
 
        /* Store the generated response in cache. */

-       if ( (!super_dq || !super_dq->started_no_cache_store) &&
+       if ( super->return_msg && super->return_msg->rep &&
+               (!super_dq || !super_dq->started_no_cache_store) &&

                !super->is_subnet_answer &&
                !dns_cache_store(super->env, &super->qinfo, super->return_msg->rep,
                0, super->prefetch_leeway, 0, NULL, super->query_flags,
                !super->is_subnet_answer &&
                !dns_cache_store(super->env, &super->qinfo, super->return_msg->rep,
                0, super->prefetch_leeway, 0, NULL, super->query_flags,

diff --git a/doc/Changelog b/doc/Changelog
index d706448aeb618cfa95bb89560ef14c78a2e5cf96..7c62f538a42076580c2a32ef9a77f9d7319a4f53 100644 (file)
--- a/doc/Changelog
+++ b/doc/Changelog
@@ -33,6 +33,11 @@
          on the input, and changes verbosity on the log of failure in
          rrset to string.  Thanks to Qifan Zhang, Palo Alto Networks,
          for the report.
          on the input, and changes verbosity on the log of failure in
          rrset to string.  Thanks to Qifan Zhang, Palo Alto Networks,
          for the report.

+       - Fix that dns64 cleans up the allocated message if the adjust
+         routines fail, and checks if there is a reply before cache
+         store, also unbound checks if A and AAAA are malformed
+         for auth-zones. Thanks to Qifan Zhang, Palo Alto Networks,
+         for the report.

 
 3 June 2026: Yorgos
        - Fix const as reported by newest compiler warnings.
 
 3 June 2026: Yorgos
        - Fix const as reported by newest compiler warnings.

diff --git a/services/authzone.c b/services/authzone.c
index 1d4765841674c208ce60eaf1f6067dabb304ee39..998d422d4b29b49f471e336e814e57f149ecda33 100644 (file)
--- a/services/authzone.c
+++ b/services/authzone.c
@@ -1175,6 +1175,13 @@ az_insert_rr(struct auth_zone* z, uint8_t* rr, size_t rr_len,
                log_err("wrong class for RR");
                return 0;
        }
                log_err("wrong class for RR");
                return 0;
        }

+       if(rr_type == LDNS_RR_TYPE_A && rdatalen != 6 /* 2 + 4 */) {
+               log_err("malformed A record");
+               return 0;
+       } else if(rr_type == LDNS_RR_TYPE_AAAA && rdatalen != 18 /* 2 + 16 */) {
+               log_err("malformed AAAA record");
+               return 0;
+       }

        if(!(node=az_domain_find_or_create(z, dname, dname_len))) {
                log_err("cannot create domain");
                return 0;
        if(!(node=az_domain_find_or_create(z, dname, dname_len))) {
                log_err("cannot create domain");
                return 0;