This file contains the source code patch to BIND v8.1.1 for the problem described in CA-98.05, "Multiple Vulnerabilities in BIND", Topic 3.
*** ns_req.c 1997/06/09 17:46:59 8.39
--- ns_req.c 1998/03/25 03:02:08
***************
*** 607,619 ****
  if (query_acl != NULL &&
  !ip_address_allowed(query_acl, from.sin_addr)) {
  ns_notice(ns_log_security,
! "unapproved query from %s for %s",
  sin_ntoa(from), *dname ? dname : ".");
  return (Refuse);
  }
  } else {
  ip_match_list transfer_acl;

  if (zp->z_transfer_acl != NULL)
  transfer_acl = zp->z_transfer_acl;
  else
--- 607,621 ----
  if (query_acl != NULL &&
  !ip_address_allowed(query_acl, from.sin_addr)) {
  ns_notice(ns_log_security,
! "unapproved query from %s for \"%s\"",
  sin_ntoa(from), *dname ? dname : ".");
  return (Refuse);
  }
  } else {
  ip_match_list transfer_acl;

+ /* Do they have permission to do a zone transfer? */
+
  if (zp->z_transfer_acl != NULL)
  transfer_acl = zp->z_transfer_acl;
  else
***************
*** 622,631 ****
  if (transfer_acl != NULL &&
  !ip_address_allowed(transfer_acl, from.sin_addr)) {
  ns_notice(ns_log_security,
! "unapproved AXFR from %s for %s",
  sin_ntoa(from), *dname ? dname : ".");
  return (Refuse);
  }
  ns_info(ns_log_security, "approved AXFR from %s for \"%s\"",
  sin_ntoa(from), *dname ? dname : ".");
  }
--- 624,652 ----
  if (transfer_acl != NULL &&
  !ip_address_allowed(transfer_acl, from.sin_addr)) {
  ns_notice(ns_log_security,
! "unapproved AXFR from %s for \"%s\" (acl)",
! sin_ntoa(from), *dname ? dname : ".");
! return (Refuse);
! }
!
! /* Are we authoritative? */
!
! if ((zp->z_flags & Z_AUTH) == 0) {
! ns_notice(ns_log_security,
! "unapproved AXFR from %s for \"%s\" (not auth)",
  sin_ntoa(from), *dname ? dname : ".");
  return (Refuse);
  }
+
+ /* Is the name at a zone cut? */
+
+ if (strcasecmp(zp->z_origin, dname) != 0) {
+ ns_notice(ns_log_security,
+ "unapproved AXFR from %s for \"%s\" (not zone top)",
+ sin_ntoa(from), *dname ? dname : ".");
+ return (Refuse);
+ }
+
  ns_info(ns_log_security, "approved AXFR from %s for \"%s\"",
  sin_ntoa(from), *dname ? dname : ".");
  }
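Review bot: The zone-apex check `if (strcasecmp(zp->z_origin, dname) != 0)` in the second hunk compares the two names as-is, so it is only correct if `z_origin` and the queried `dname` follow the same canonical form (same trailing-dot convention, same escaping); nothing in the hunk establishes that, and a form mismatch would refuse every legitimate AXFR for the zone under the `(not zone top)` tag. The comment should carry that assumption: `/* Is the name at a zone cut?  z_origin and dname are compared verbatim (case-insensitively), so both must be in the same canonical form. */`. Separately, as a point of style, the three refusal branches repeat the same ns_notice/return shape with only the parenthesised reason differing; choosing the reason once and logging it through a single `%s` keeps the checks aligned and makes it harder for a later check to be added without its log line, which matters because those reason tags are what an operator filters on. The enclosing function begins outside the hunk, and the declaration the rewrite needs sits at the top of the else block in the preceding hunk.
```c
		ip_match_list transfer_acl;
		const char *why = NULL;	/* refusal reason, NULL when the AXFR is approved */
		/* … unchanged: transfer_acl selection … */
		if (transfer_acl != NULL &&
		    !ip_address_allowed(transfer_acl, from.sin_addr))
			why = "acl";
		else if ((zp->z_flags & Z_AUTH) == 0)
			why = "not auth";
		else if (strcasecmp(zp->z_origin, dname) != 0)
			why = "not zone top";
		if (why != NULL) {
			ns_notice(ns_log_security,
				  "unapproved AXFR from %s for \"%s\" (%s)",
				  sin_ntoa(from), *dname ? dname : ".", why);
			return (Refuse);
		}
		/* … unchanged: approved-AXFR ns_info … */
```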