From ff99987c9d79ca15c1502da6f74bd7ed70335267 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze@samba.org>
Date: Wed, 28 Nov 2018 15:21:56 +0100
Subject: [PATCH] CVE-2018-14629 dns: fix CNAME loop prevention using counter
 regression

The loop prevention should only be done for CNAME records!

Otherwise we truncate the answer records for A, AAAA or
SRV queries, which is a bad idea if you have more than 20 DCs.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13600

Signed-off-by: Stefan Metzmacher <metze@samba.org>
---
 source4/dns_server/dns_query.c | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/source4/dns_server/dns_query.c b/source4/dns_server/dns_query.c
index 65faeac3b6a4..0e632b8db4e6 100644
--- a/source4/dns_server/dns_query.c
+++ b/source4/dns_server/dns_query.c
@@ -420,11 +420,6 @@ static struct tevent_req *handle_dnsrpcrec_send(
 	state->answers = answers;
 	state->nsrecs = nsrecs;
 
-	if (talloc_array_length(*answers) >= MAX_Q_RECURSION_DEPTH) {
-		tevent_req_done(req);
-		return tevent_req_post(req, ev);
-	}
-
 	resolve_cname = ((rec->wType == DNS_TYPE_CNAME) &&
 			 ((question->question_type == DNS_QTYPE_A) ||
 			  (question->question_type == DNS_QTYPE_AAAA)));
@@ -446,6 +441,11 @@ static struct tevent_req *handle_dnsrpcrec_send(
 		return tevent_req_post(req, ev);
 	}
 
+	if (talloc_array_length(*answers) >= MAX_Q_RECURSION_DEPTH) {
+		tevent_req_done(req);
+		return tevent_req_post(req, ev);
+	}
+
 	werr = add_response_rr(question->name, rec, state->answers);
 	if (tevent_req_werror(req, werr)) {
 		return tevent_req_post(req, ev);
-- 
2.17.1