From: Artem Boldariev Date: Thu, 11 Nov 2021 14:17:02 +0000 (+0200) Subject: Fix a crash on unexpected incoming DNS message during XoT xfer X-Git-Tag: v9.17.21~21^2~1 X-Git-Url: http://git.ipfire.org/gitweb/index.cgi?a=commitdiff_plain;h=6c8a97c78f2e602bfda0f224f3dce685e2300001;p=thirdparty%2Fbind9.git Fix a crash on unexpected incoming DNS message during XoT xfer This commit fixes a peculiar corner case in the client-side DoT code because of which a crash could occur during a zone transfer. A junk DNS message should be sent at the end of a zone transfer via TLS to trigger the crash (abort). This commit, hopefully, fixes that. Also, this commit adds similar changes to the TCP DNS code, as it shares the same origin and most of the logic. --- diff --git a/lib/isc/netmgr/tcpdns.c b/lib/isc/netmgr/tcpdns.c index fb8308d6db4..5fed46018f1 100644 --- a/lib/isc/netmgr/tcpdns.c +++ b/lib/isc/netmgr/tcpdns.c @@ -774,6 +774,23 @@ isc__nm_tcpdns_processbuffer(isc_nmsocket_t *sock) { return (ISC_R_NOMORE); } + if (sock->recv_cb == NULL) { + /* + * recv_cb has been cleared - there is + * nothing to do + */ + return (ISC_R_CANCELED); + } else if (sock->statichandle == NULL && + atomic_load(&sock->connected) && + !atomic_load(&sock->connecting)) + { + /* + * It seems that some unexpected data (a DNS message) has + * arrived while we are wrapping up. + */ + return (ISC_R_CANCELED); + } + req = isc__nm_get_read_req(sock, NULL); REQUIRE(VALID_UVREQ(req)); diff --git a/lib/isc/netmgr/tlsdns.c b/lib/isc/netmgr/tlsdns.c index 27895aa7164..700874d28e9 100644 --- a/lib/isc/netmgr/tlsdns.c +++ b/lib/isc/netmgr/tlsdns.c 
@@ -937,8 +937,20 @@ isc__nm_tlsdns_processbuffer(isc_nmsocket_t *sock) { } if (sock->recv_cb == NULL) { - /* recv_cb has been cleared - there is - * nothing to do */ + /* + * recv_cb has been cleared - there is + * nothing to do + */ + return (ISC_R_CANCELED); + } else if (sock->statichandle == NULL && + sock->tls.state == TLS_STATE_IO && + atomic_load(&sock->connected) && + !atomic_load(&sock->connecting)) + { + /* + * It seems that some unexpected data (a DNS message) has + * arrived while we are wrapping up. + */ return (ISC_R_CANCELED); }
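Review bot: In the lib/isc/netmgr/tcpdns.c hunk, the new `else if` branch infers "we are wrapping up" from `sock->statichandle == NULL` together with `connected` set and `connecting` clear, but the comment only says "It seems that", so the invariant being relied on is not written down. Please state in the comment why a connected client socket with no static handle can no longer accept a message. Also note that `atomic_load(&sock->connected)` and `atomic_load(&sock->connecting)` are two independent loads, not one consistent snapshot, so say whether this function can only run on the socket's own thread. Both branches return `ISC_R_CANCELED` before `isc__nm_get_read_req()` is reached, which leaves the unexpected message unprocessed in the socket buffer. It would help to confirm in the comment or the commit message that the caller stops reading and discards that data on this result, since the visible lines do not show it.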
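Review bot: In the lib/isc/netmgr/tlsdns.c hunk, the added `else if` condition is the same as the one added to tcpdns.c except for `sock->tls.state == TLS_STATE_IO`, so the same teardown check now lives in two files and can drift apart. Consider a shared helper or macro for the common part (`statichandle == NULL`, `connected`, `!connecting`), with the TLS state test kept local. The comment reflow of the existing `recv_cb == NULL` branch is mixed into the functional change. It is harmless, but a separate style commit would make the fix easier to backport and audit. The patch as shown touches only these two files and the commit message says it "hopefully" fixes the abort, so a regression test that sends an extra DNS message at the end of a transfer over TLS, and the equivalent over TCP, would turn that into something verifiable.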