From 390c5183af79861fcf07a44014912788744e85de Mon Sep 17 00:00:00 2001
From: Mark Andrews <marka@isc.org>
Date: Thu, 7 Jul 2016 12:52:47 +1000
Subject: [PATCH] 4406.   [bug]           getrrsetbyname with a non absolute
 name could                         trigger a infinite recursion bug in lwresd
                         and named with lwres configured if when combined     
                    with a search list entry the resulting name is            
             too long. [RT #42694]

(cherry picked from commit 38cc2d14e218e536e0102fa70deef99461354232)

Upstream-Status: Backport
CVE: CVE-2016-2775

Signed-off-by: Armin Kuster <akuster@mvista.com>

---
 CHANGES                          |  6 ++++++
 bin/named/lwdgrbn.c              | 16 ++++++++++------
 bin/tests/system/lwresd/lwtest.c |  8 ++++++++
 3 files changed, 24 insertions(+), 6 deletions(-)

Index: bind-9.10.2-P4/bin/named/lwdgrbn.c
===================================================================
--- bind-9.10.2-P4.orig/bin/named/lwdgrbn.c
+++ bind-9.10.2-P4/bin/named/lwdgrbn.c
@@ -403,14 +403,18 @@ start_lookup(ns_lwdclient_t *client) {
 	INSIST(client->lookup == NULL);
 
 	dns_fixedname_init(&absname);
-	result = ns_lwsearchctx_current(&client->searchctx,
-					dns_fixedname_name(&absname));
+
 	/*
-	 * This will return failure if relative name + suffix is too long.
-	 * In this case, just go on to the next entry in the search path.
+	 * Perform search across all search domains until success
+	 * is returned. Return in case of failure.
 	 */
-	if (result != ISC_R_SUCCESS)
-		start_lookup(client);
+	while (ns_lwsearchctx_current(&client->searchctx,
+			dns_fixedname_name(&absname)) != ISC_R_SUCCESS) {
+		if (ns_lwsearchctx_next(&client->searchctx) != ISC_R_SUCCESS) {
+			ns_lwdclient_errorpktsend(client, LWRES_R_FAILURE);
+			return;
+		}
+	}
 
 	result = dns_lookup_create(cm->mctx,
 				   dns_fixedname_name(&absname),
Index: bind-9.10.2-P4/bin/tests/system/lwresd/lwtest.c
===================================================================
--- bind-9.10.2-P4.orig/bin/tests/system/lwresd/lwtest.c
+++ bind-9.10.2-P4/bin/tests/system/lwresd/lwtest.c
@@ -768,6 +768,14 @@ main(void) {
 	test_getrrsetbyname("e.example1.", 1, 46, 2, 0, 1);
 	test_getrrsetbyname("", 1, 1, 0, 0, 0);
 
+	test_getrrsetbyname("123456789.123456789.123456789.123456789."
+			    "123456789.123456789.123456789.123456789."
+			    "123456789.123456789.123456789.123456789."
+			    "123456789.123456789.123456789.123456789."
+			    "123456789.123456789.123456789.123456789."
+			    "123456789.123456789.123456789.123456789."
+			    "123456789", 1, 1, 0, 0, 0);
+
 	if (fails == 0)
 		printf("I:ok\n");
 	return (fails);
Index: bind-9.10.2-P4/CHANGES
===================================================================
--- bind-9.10.2-P4.orig/CHANGES
+++ bind-9.10.2-P4/CHANGES
@@ -1,3 +1,9 @@
+4406.  [bug]           getrrsetbyname with a non absolute name could
+                       trigger a infinite recursion bug in lwresd
+                       and named with lwres configured if when combined
+                       with a search list entry the resulting name is
+                       too long. [RT #42694]
+
 4322.  [security]      Duplicate EDNS COOKIE options in a response could
                        trigger an assertion failure. (CVE-2016-2088)
                        [RT #41809]