e51b6b2b70
Enabling both DNS64 and serve-stale may cause an assertion failure during recursive resolution. 6317. [security] Restore DNS64 state when handling a serve-stale timeout. (CVE-2023-5679) [GL #4334] Resolves: RHEL-25364 ; Resolves: CVE-2023-5679
From 61112d1ce39848e08ec133f280cf8f729cb70d16 Mon Sep 17 00:00:00 2001
From: Petr Mensik <pemensik@redhat.com>
Date: Mon, 12 Feb 2024 20:41:43 +0100
Subject: [PATCH] Prevent assertion failure if DNS64 and serve-stale is used
Enabling both DNS64 and serve-stale may cause an assertion failure
during recursive resolution.
6317. [security] Restore DNS64 state when handling a serve-stale timeout.
(CVE-2023-5679) [GL #4334]
Resolves: CVE-2023-5679
---
lib/ns/query.c | 7 +++++++
1 file changed, 7 insertions(+)
diff --git a/lib/ns/query.c b/lib/ns/query.c
index cc1d179..1993800 100644
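--- a/lib/ns/query.c
+++ b/lib/ns/query.c
@@ -5983,6 +5983,13 @@ query_lookup_stale(ns_client_t *client) {
 query_ctx_t qctx;
 
 qctx_init(client, NULL, client->query.qtype, &qctx);
+ if (DNS64(client)) {
+ qctx.qtype = qctx.type = dns_rdatatype_a;
+ qctx.dns64 = true;
+ }
+ if (DNS64EXCLUDE(client)) {
+ qctx.dns64_exclude = true;
+ }
 dns_db_attach(client->view->cachedb, &qctx.db);
 client->query.attributes &= ~NS_QUERYATTR_RECURSIONOK;
 client->query.dboptions |= DNS_DBFIND_STALETIMEOUT;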
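Review bot: The DNS64 state restored right after `qctx_init()` has no comment saying why it is needed, so a later cleanup could drop it and bring back the assertion failure the commit message ties to CVE-2023-5679. I would add above the first `if`: `/* qctx_init() starts from a fresh context; carry the client's DNS64 flags over so the stale lookup runs with the state the original lookup had. */` — what `qctx_init()` resets is not visible in this hunk, so confirm the wording against it. The diffstat shows only `lib/ns/query.c` changing, so the backport carries no regression test; a system test that enables both DNS64 and serve-stale and drives a stale-answer timeout would guard against a regression. If other paths that rebuild a `query_ctx_t` need the same two blocks (not visible here), a small `static` helper would keep them from drifting apart. `query_lookup_stale` continues past the end of the hunk.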
--
2.43.0