From c82f06a42e49e5d2f131baeb68b4fd5c3a201ead Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher
Date: Wed, 28 Nov 2018 15:21:56 +0100
Subject: [PATCH] CVE-2018-14629 dns: fix CNAME loop prevention using counter regression

The loop prevention should only be done for CNAME records! Otherwise we truncate the answer records for A, AAAA or SRV queries, which is a bad idea if you have more than 20 DCs.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13600
Signed-off-by: Stefan Metzmacher
---
 source4/dns_server/dns_query.c | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/source4/dns_server/dns_query.c b/source4/dns_server/dns_query.c
index 07cde80a258b..76136333e052 100644
--- a/source4/dns_server/dns_query.c
+++ b/source4/dns_server/dns_query.c
@@ -420,11 +420,6 @@ static struct tevent_req *handle_dnsrpcrec_send(
 state->answers = answers;
 state->nsrecs = nsrecs;
- if (talloc_array_length(*answers) >= MAX_Q_RECURSION_DEPTH) {
- tevent_req_done(req);
- return tevent_req_post(req, ev);
- }
-
 resolve_cname = ((rec->wType == DNS_TYPE_CNAME) && ((question->question_type == DNS_QTYPE_A) || (question->question_type == DNS_QTYPE_AAAA)));
@@ -446,6 +441,11 @@ static struct tevent_req *handle_dnsrpcrec_send(
 return tevent_req_post(req, ev);
 }
+ if (talloc_array_length(*answers) >= MAX_Q_RECURSION_DEPTH) {
+ tevent_req_done(req);
+ return tevent_req_post(req, ev);
+ }
+
 werr = add_response_rr(question->name, rec, state->answers);
 if (tevent_req_werror(req, werr)) {
 return tevent_req_post(req, ev);
--
2.17.1
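Review bot: The relocated `talloc_array_length(*answers) >= MAX_Q_RECURSION_DEPTH` guard in the second hunk is only correct because of where it sits, and nothing in the code says so; the regression this patch fixes came from the same check sitting a few lines too early. I would add a comment above it along the lines of `/* CNAME chasing only: cap the chain by answer count; keep this below the non-CNAME return, or large A/AAAA/SRV answer sets get truncated */`. The guard also still uses the total number of answers as a stand-in for CNAME hop count and finishes through `tevent_req_done(req)` without a log line, so a looping chain that hits the cap looks like an ordinary short answer in the server logs; a debug message at that point would let operators see the CVE-2018-14629 condition being exercised. The diffstat shows only dns_query.c changing, so a regression test that queries a name with more than 20 A records would be worth adding with it. handle_dnsrpcrec_send starts and ends outside the hunk, so the reading that the preceding `return`/`}` closes the non-CNAME branch should be confirmed against the full function.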