From 701aa95d9605fd6ad25b60dfd38d05a1942ee147 Mon Sep 17 00:00:00 2001 From: Mark Andrews Date: Thu, 29 Dec 2016 11:47:19 +1100 Subject: [PATCH] 4510. [security] Named mishandled some responses where covering RRSIG records are returned without the requested data resulting in a assertion failure. (CVE-2016-9147) [RT #43548] (cherry picked from commit 6adf421e7eb7cac80bc91e1e600346517e980850) --- CHANGES | 5 +++++ lib/dns/resolver.c | 18 +++++++++++------- 2 files changed, 16 insertions(+), 7 deletions(-) diff --git a/CHANGES b/CHANGES index 99da558010..2e136761a7 100644 --- a/CHANGES +++ b/CHANGES @@ -97,6 +97,11 @@ 4511. [bug] win32: mdig.exe-BNFT was missing Configure. [RT #43554] +4510. [security] Named mishandled some responses where covering RRSIG + records are returned without the requested data + resulting in a assertion failure. (CVE-2016-9147) + [RT #43548] + 4509. [test] Make the rrl system test more reliable on slower machines by using mdig instead of dig. [RT #43280] diff --git a/lib/dns/resolver.c b/lib/dns/resolver.c index 83da471833..699c805d0f 100644 --- a/lib/dns/resolver.c +++ b/lib/dns/resolver.c @@ -6984,15 +6984,19 @@ answer_response(fetchctx_t *fctx) { * a CNAME or DNAME). */ INSIST(!external); - if ((rdataset->type != - dns_rdatatype_cname) || - !found_dname || - (aflag == - DNS_RDATASETATTR_ANSWER)) + /* + * Don't use found_cname here + * as we have just set it + * above. + */ + if (cname == NULL && + !found_dname && + aflag == + DNS_RDATASETATTR_ANSWER) { have_answer = ISC_TRUE; - if (rdataset->type == - dns_rdatatype_cname) + if (found_cname && + cname == NULL) cname = name; name->attributes |= DNS_NAMEATTR_ANSWER;
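Review bot: the new 4510 entry in the CHANGES hunk reads "resulting in a assertion failure"; this should be "an assertion failure". The Subject line carries the same wording, so both can be corrected together.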
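Review bot: in the answer_response() hunk of lib/dns/resolver.c, the inner test `if (found_cname && cname == NULL)` repeats `cname == NULL`, which the new outer condition already requires and which nothing between the two tests changes, so it can be reduced to `if (found_cname)`. The added comment explains why found_cname is not used in the outer condition but not why `cname == NULL` is the right substitute, nor which case the old `||` condition wrongly accepted; one sentence tying it to the "covering RRSIG records are returned without the requested data" case from the CHANGES entry would help the next reader. The diffstat lists only CHANGES and lib/dns/resolver.c, so this security fix ships without a regression test; consider adding one to the system tests that exercises the path guarded by the new condition.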