From a85805c74c35c9146e6235946095c651a196435b Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze@samba.org>
Date: Wed, 28 Nov 2018 15:21:56 +0100
Subject: [PATCH] CVE-2018-14629 dns: fix CNAME loop prevention using counter
 regression

The loop prevention should only be done for CNAME records!

Otherwise we truncate the answer records for A, AAAA or
SRV queries, which is a bad idea if you have more than 20 DCs.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13600

Signed-off-by: Stefan Metzmacher <metze@samba.org>
---
 source4/dns_server/dns_query.c | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/source4/dns_server/dns_query.c b/source4/dns_server/dns_query.c
index fafadb6ac6f2..0f2aa5c69f2b 100644
--- a/source4/dns_server/dns_query.c
+++ b/source4/dns_server/dns_query.c
@@ -471,11 +471,6 @@ static struct tevent_req *handle_dnsrpcrec_send(
 	state->answers = answers;
 	state->nsrecs = nsrecs;
 
-	if (talloc_array_length(*answers) >= MAX_Q_RECURSION_DEPTH) {
-		tevent_req_done(req);
-		return tevent_req_post(req, ev);
-	}
-
 	resolve_cname = ((rec->wType == DNS_TYPE_CNAME) &&
 			 ((question->question_type == DNS_QTYPE_A) ||
 			  (question->question_type == DNS_QTYPE_AAAA)));
@@ -497,6 +492,11 @@ static struct tevent_req *handle_dnsrpcrec_send(
 		return tevent_req_post(req, ev);
 	}
 
+	if (talloc_array_length(*answers) >= MAX_Q_RECURSION_DEPTH) {
+		tevent_req_done(req);
+		return tevent_req_post(req, ev);
+	}
+
 	werr = add_response_rr(question->name, rec, state->answers);
 	if (tevent_req_werror(req, werr)) {
 		return tevent_req_post(req, ev);
-- 
2.17.1