From 61112d1ce39848e08ec133f280cf8f729cb70d16 Mon Sep 17 00:00:00 2001
From: Petr Mensik
Date: Mon, 12 Feb 2024 20:41:43 +0100
Subject: [PATCH] Prevent assertion failure if DNS64 and serve-stale is used

Enabling both DNS64 and serve-stale may cause an assertion failure during recursive resolution.

6317. [security] Restore DNS64 state when handling a serve-stale timeout. (CVE-2023-5679) [GL #4334]

Resolves: CVE-2023-5679
---
 lib/ns/query.c | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/lib/ns/query.c b/lib/ns/query.c
index cc1d179..1993800 100644
--- a/lib/ns/query.c
+++ b/lib/ns/query.c
@@ -5983,6 +5983,13 @@ query_lookup_stale(ns_client_t *client) {
 	query_ctx_t qctx;
 	qctx_init(client, NULL, client->query.qtype, &qctx);
+	if (DNS64(client)) {
+		qctx.qtype = qctx.type = dns_rdatatype_a;
+		qctx.dns64 = true;
+	}
+	if (DNS64EXCLUDE(client)) {
+		qctx.dns64_exclude = true;
+	}
 	dns_db_attach(client->view->cachedb, &qctx.db);
 	client->query.attributes &= ~NS_QUERYATTR_RECURSIONOK;
 	client->query.dboptions |= DNS_DBFIND_STALETIMEOUT;
-- 
2.43.0
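Review bot: The two added `if` blocks after `qctx_init()` carry no comment saying why the freshly initialised context must be patched up, which is exactly the knowledge a later maintainer needs to avoid dropping them again. `qctx_init()` is seeded from `client->query.qtype`, whereas a client in DNS64 mode is presumably partway through the synthesised A lookup, so the stale-timeout path would otherwise continue with the wrong type and flags (the assertion the commit message describes). I would add, above the first `if`: `/* qctx_init() starts from the client's original qtype; a DNS64 client is mid-way through the A lookup, so restore the DNS64 state before the stale lookup runs. */`. If the same four-field restore already exists where the original fetch is resumed, a small shared helper would keep the two copies from diverging. The body of query_lookup_stale continues past the end of this hunk.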