• Vladimír Čunát's avatar
    lib/cache: fix CVE-2019-10191 · bef03dcf
    Vladimír Čunát authored
    Don't stash a packet with mismatching QNAME+QTYPE.
    When receiving an NXDOMAIN or NODATA packet in an insecure zone,
    it would get cached with KR_RANK_INSECURE regardless of mismatch
    in QNAME.  If the 0x20 pattern was preserved in the fake QNAME,
    such packet would then be used to answer queries with matching QNAME,
    even if there's no proof that this QNAME is insecure.
rplan.h 8.81 KB