File bind-CVE-2019-6465.patch of Package bind.11363

Overview Repositories Revisions Requests Users Attributes Meta

File bind-CVE-2019-6465.patch of Package bind.11363

--- bin/named/xfrout.c.orig
+++ bin/named/xfrout.c
@@ -798,12 +798,12 @@ ns_xfr_start(ns_client_t *client, dns_rd
 	result = dns_zt_find(client->view->zonetable, question_name, 0, NULL,
 			     &zone);
 
-	if (result != ISC_R_SUCCESS) {
+	if (result != ISC_R_SUCCESS || dns_zone_gettype(zone) == dns_zone_dlz) {
 		/*
-		 * Normal zone table does not have a match.
-		 * Try the DLZ database
+		 * The normal zone table does not have a match, or this is
+		 * marked in the zone table as a DLZ zone. Check the DLZ
+		 * databases for a match.
 		 */
-		// Temporary: only searching the first DLZ database
 		if (! ISC_LIST_EMPTY(client->view->dlz_searched)) {
 			result = dns_dlzallowzonexfr(client->view,
 						     question_name,
--- bin/tests/system/dlzexternal/driver.c.orig
+++ bin/tests/system/dlzexternal/driver.c
@@ -528,10 +528,22 @@ dlz_lookup(const char *zone, const char
  */
 isc_result_t
 dlz_allowzonexfr(void *dbdata, const char *name, const char *client) {
-	UNUSED(client);
+	isc_result_t result;
 
-	/* Just say yes for all our zones */
-	return (dlz_findzonedb(dbdata, name, NULL, NULL));
+	result = dlz_findzonedb(dbdata, name, NULL, NULL);
+	if (result != ISC_R_SUCCESS) {
+		return (result);
+	}
+
+	/*
+	 * Exception for 10.53.0.5 so we can test that allow-transfer
+	 * is effective.
+	 */
+	if (strcmp(client, "10.53.0.5") == 0) {
+		return (ISC_R_NOPERM);
+	}
+
+	return (ISC_R_SUCCESS);
 }
 
 /*

Places

File bind-CVE-2019-6465.patch of Package bind.11363

Places