File bind-CVE-2019-6465.patch of Package bind.20673

Overview Repositories Revisions Requests Users Attributes Meta

File bind-CVE-2019-6465.patch of Package bind.20673

--- bin/named/xfrout.c.orig
+++ bin/named/xfrout.c
@@ -805,10 +805,11 @@ ns_xfr_start(ns_client_t *client, dns_rd
 	result = dns_zt_find(client->view->zonetable, question_name, 0, NULL,
 			     &zone);
 
-	if (result != ISC_R_SUCCESS) {
+	if (result != ISC_R_SUCCESS || dns_zone_gettype(zone) == dns_zone_dlz) {
 		/*
-		 * Normal zone table does not have a match.
-		 * Try the DLZ database
+		 * The normal zone table does not have a match, or this is
+		 * marked in the zone table as a DLZ zone. Check the DLZ
+		 * databases for a match.
 		 */
 		if (client->view->dlzdatabase != NULL) {
 			result = dns_dlzallowzonexfr(client->view,
--- bin/tests/system/dlzexternal/driver.c.orig
+++ bin/tests/system/dlzexternal/driver.c
@@ -403,10 +403,23 @@ dlz_lookup(const char *zone, const char
  */
 isc_result_t
 dlz_allowzonexfr(void *dbdata, const char *name, const char *client) {
-	UNUSED(client);
+	isc_result_t result;
 
 	/* Just say yes for all our zones */
-	return (dlz_findzonedb(dbdata, name));
+	result - dlz_findzonedb(dbdata, name);
+	if (result != ISC_R_SUCCESS) {
+		return (result);
+	}
+
+	/*
+	 * Exception for 10.53.0.5 so we can test that allow-transfer
+	 * is effective.
+	 */
+	if (strcmp(client, "10.53.0.5") == 0) {
+		return (ISC_R_NOPERM);
+	}
+	
+	return (ISC_R_SUCCESS);
 }
 
 /*

Places

File bind-CVE-2019-6465.patch of Package bind.20673

Places