From fa7a6ef7ced01ce7d1050cc70824f2672e25fe02 Mon Sep 17 00:00:00 2001
From: Petr Mensik <pemensik@redhat.com>
Date: Tue, 10 Jun 2025 18:52:35 +0200
Subject: [PATCH] Add extra protections to places needing absolute names

Insert just potential protection in case Patch32 does not cover all
possible cases.

Resolves: RHEL-92084
---
 bind-9.18-query-fname-relative.patch | 90 ++++++++++++++++++++++++++++
 bind.spec                            |  3 +
 2 files changed, 93 insertions(+)
 create mode 100644 bind-9.18-query-fname-relative.patch

diff --git a/bind-9.18-query-fname-relative.patch b/bind-9.18-query-fname-relative.patch
new file mode 100644
index 0000000..219721a
--- /dev/null
+++ b/bind-9.18-query-fname-relative.patch
@@ -0,0 +1,90 @@
+From 5bc7cd7a7b9c37e5c70ccf74c5485a02411aaef5 Mon Sep 17 00:00:00 2001
+From: Petr Mensik <pemensik@redhat.com>
+Date: Fri, 25 Apr 2025 02:00:00 +0200
+Subject: [PATCH] Insert additional checks ensuring name is not relative
+
+Mitigation for crashes put in various places, where obviously relative
+uninitialized name must not appear. This seems unnecessary once true
+cause were identified, but may prevent similar places.
+---
+ lib/ns/query.c | 35 +++++++++++++++++++++++++++++++++++
+ 1 file changed, 35 insertions(+)
+
+diff --git a/lib/ns/query.c b/lib/ns/query.c
+index 11d2520..7e8a4d2 100644
+--- a/lib/ns/query.c
++++ b/lib/ns/query.c
+@@ -2203,6 +2203,20 @@ regular:
+ 	CTRACE(ISC_LOG_DEBUG(3), "query_additional: done");
+ }
+ 
++static void
++log_query_relative(query_ctx_t *qctx, const char *func, const dns_name_t *name) {
++	if (isc_log_wouldlog(ns_lctx, ISC_LOG_DEBUG(1))) {
++		char namebuf[DNS_NAME_FORMATSIZE] = "!";
++		dns_name_format(name, namebuf, sizeof(namebuf));
++		ns_client_log(
++			qctx->client, NS_LOGCATEGORY_CLIENT, NS_LOGMODULE_QUERY,
++			ISC_LOG_DEBUG(1),
++			"%s: fname=%s leading to relative name, aborting query.",
++			func, namebuf
++		);
++	}
++}
++
+ static void
+ query_addrrset(query_ctx_t *qctx, dns_name_t **namep,
+ 	       dns_rdataset_t **rdatasetp, dns_rdataset_t **sigrdatasetp,
+@@ -2275,6 +2289,11 @@ query_addrrset(query_ctx_t *qctx, dns_name_t **namep,
+ 		client->query.attributes &= ~NS_QUERYATTR_SECURE;
+ 	}
+ 
++	if (!qctx->is_zone && mname && !dns_name_isabsolute(mname)) {
++		log_query_relative(qctx, "query_addrrset", mname);
++		QUERY_ERROR(qctx, DNS_R_SERVFAIL);
++		return;
++	}
+ 	/*
+ 	 * Update message name, set rdataset order, and do additional
+ 	 * section processing if needed.
+@@ -8074,6 +8093,11 @@ query_respond_any(query_ctx_t *qctx) {
+ 							     : qctx->tname;
+ 				query_prefetch(qctx->client, name,
+ 					       qctx->rdataset);
++				if (name && !dns_name_isabsolute(name)) {
++					log_query_relative(qctx, "query_respond_any", name);
++					result = DNS_R_DROP;
++					break;
++				}
+ 			}
+ 
+ 			/*
+@@ -10696,6 +10720,11 @@ query_cname(query_ctx_t *qctx) {
+ 
+ 	if (!qctx->is_zone && RECURSIONOK(qctx->client)) {
+ 		query_prefetch(qctx->client, qctx->fname, qctx->rdataset);
++		if (qctx->fname && !dns_name_isabsolute(qctx->fname)) {
++			log_query_relative(qctx, "query_cname", qctx->fname);
++			QUERY_ERROR(qctx, DNS_R_SERVFAIL);
++			return (ns_query_done(qctx));
++		}
+ 	}
+ 
+ 	query_addrrset(qctx, &qctx->fname, &qctx->rdataset, sigrdatasetp,
+@@ -10801,7 +10830,13 @@ query_dname(query_ctx_t *qctx) {
+ 
+ 	if (!qctx->is_zone && RECURSIONOK(qctx->client)) {
+ 		query_prefetch(qctx->client, qctx->fname, qctx->rdataset);
++		if (qctx->fname && !dns_name_isabsolute(qctx->fname)) {
++			log_query_relative(qctx, "query_dname", qctx->fname);
++			QUERY_ERROR(qctx, DNS_R_SERVFAIL);
++			return (ns_query_done(qctx));
++		}
+ 	}
++
+ 	query_addrrset(qctx, &qctx->fname, &qctx->rdataset, sigrdatasetp,
+ 		       qctx->dbuf, DNS_SECTION_ANSWER);
+ 
+-- 
+2.49.0
+
diff --git a/bind.spec b/bind.spec
index 1e328ed..98bd9f7 100644
--- a/bind.spec
+++ b/bind.spec
@@ -131,6 +131,8 @@ Patch30: bind-9.20-nsupdate-tls-test.patch
 # https://gitlab.isc.org/isc-projects/bind9/-/issues/5357
 # downstream patch fixing bind-dyndb-ldap causing issue
 Patch32: bind-9.21-resume-qmin-cname.patch
+# downstream only, extra check for above change, RHEL-30407
+Patch33: bind-9.18-query-fname-relative.patch
 
 %{?systemd_ordering}
 # https://fedoraproject.org/wiki/Changes/RPMSuportForSystemdSysusers
@@ -918,6 +920,7 @@ fi;
 %changelog
 * Tue Jun 10 2025 Petr Mensik <pemensik@redhat.com> - 32:9.18.33-4
 - Prevent name.c:670 attributes assertion failed (RHEL-30407)
+- Add extra checks for relative names
 
 * Thu Feb 13 2025 Thomas Woerner <twoerner@redhat.com> - 32:9.18.33-3
 - Fix upgrade of doc sub package to remove links replaced by directories