Fix a crash on unexpected incoming DNS message during XoT xfer

This commit fixes a peculiar corner case in the client-side DoT code because of which a crash could occur during a zone transfer. A junk DNS message should be sent at the end of a zone transfer via TLS to trigger the crash (abort). This commit, hopefully, fixes that. Also, this commit adds similar changes to the TCP DNS code, as it shares the same origin and most of the logic.
2021-11-11 16:17:02 +02:00
parent ce728098ab
commit 6c8a97c78f
2 changed files with 31 additions and 2 deletions
--- a/lib/isc/netmgr/tcpdns.c
+++ b/lib/isc/netmgr/tcpdns.c
@@ -774,6 +774,23 @@ isc__nm_tcpdns_processbuffer(isc_nmsocket_t *sock) {
 		return (ISC_R_NOMORE);
 	}

+	if (sock->recv_cb == NULL) {
+		/*
+		 * recv_cb has been cleared - there is
+		 * nothing to do
+		 */
+		return (ISC_R_CANCELED);
+	} else if (sock->statichandle == NULL &&
+		   atomic_load(&sock->connected) &&
+		   !atomic_load(&sock->connecting))
+	{
+		/*
+		 * It seems that some unexpected data (a DNS message) has
+		 * arrived while we are wrapping up.
+		 */
+		return (ISC_R_CANCELED);
+	}
+
 	req = isc__nm_get_read_req(sock, NULL);
 	REQUIRE(VALID_UVREQ(req));

--- a/lib/isc/netmgr/tlsdns.c
+++ b/lib/isc/netmgr/tlsdns.c
@@ -937,8 +937,20 @@ isc__nm_tlsdns_processbuffer(isc_nmsocket_t *sock) {
 	}

 	if (sock->recv_cb == NULL) {
-		/* recv_cb has been cleared - there is
-		 * nothing to do */
+		/*
+		 * recv_cb has been cleared - there is
+		 * nothing to do
+		 */
+		return (ISC_R_CANCELED);
+	} else if (sock->statichandle == NULL &&
+		   sock->tls.state == TLS_STATE_IO &&
+		   atomic_load(&sock->connected) &&
+		   !atomic_load(&sock->connecting))
+	{
+		/*
+		 * It seems that some unexpected data (a DNS message) has
+		 * arrived while we are wrapping up.
+		 */
 		return (ISC_R_CANCELED);
 	}