From: PowerDNS Team
Date: Fri Jan 13 09:12:00 CET 2017
Subject: Address CVE-2016-7068

Origin: upstream, https://downloads.powerdns.com/patches/2016-02/pdns-3.3.3-spuriousrrs-167732.patch

Additionally to the upstream patch, qtypes OPT and SIG had to be backported.

---
 pdns/common_startup.cc     |    4 ++--
 pdns/dnsbulktest.cc        |    2 +-
 pdns/dnsdemog.cc           |    2 +-
 pdns/dnsgram.cc            |    2 +-
 pdns/dnspacket.cc          |   11 +++++++----
 pdns/dnspacket.hh          |    3 ++-
 pdns/dnsparser.cc          |   15 ++++++++++++---
 pdns/dnsparser.hh          |   10 +++++-----
 pdns/dnsproxy.cc           |    2 +-
 pdns/dnsreplay.cc          |    4 ++--
 pdns/dnsscan.cc            |    2 +-
 pdns/dnsscope.cc           |    2 +-
 pdns/lwres.cc              |    2 +-
 pdns/mastercommunicator.cc |    2 +-
 pdns/nameserver.hh         |    2 +-
 pdns/notify.cc             |    2 +-
 pdns/nproxy.cc             |    4 ++--
 pdns/pdns_recursor.cc      |    2 +-
 pdns/qtype.cc              |    1 +
 pdns/qtype.hh              |    2 +-
 pdns/resolver.cc           |    6 +++---
 pdns/sdig.cc               |    2 +-
 pdns/speedtest.cc          |    4 ++--
 pdns/tcpreceiver.cc        |    4 ++--
 pdns/toysdig.cc            |    2 +-
 pdns/tsig-tests.cc         |    2 +-
 26 files changed, 55 insertions(+), 41 deletions(-)

--- a/pdns/common_startup.cc
+++ b/pdns/common_startup.cc
@@ -224,8 +224,8 @@ void *qthread(void *number)
 {
   DNSPacket *P;
 
-  DNSPacket question;
-  DNSPacket cached;
+  DNSPacket question(true);
+  DNSPacket cached(false);
 
   unsigned int &numreceived=*S.getPointer("udp-queries");
   unsigned int &numanswered=*S.getPointer("udp-answers");
--- a/pdns/dnsbulktest.cc
+++ b/pdns/dnsbulktest.cc
@@ -113,7 +113,7 @@ struct SendReceive
       }
       // parse packet, set 'id', fill out 'ip' 
       
-      MOADNSParser mdp(string(buf, len));
+      MOADNSParser mdp(false, string(buf, len));
       if(!g_quiet) {
         cout<<"Reply to question for qname='"<<mdp.d_qname<<"', qtype="<<DNSRecordContent::NumberToType(mdp.d_qtype)<<endl;
         cout<<"Rcode: "<<mdp.d_header.rcode<<", RD: "<<mdp.d_header.rd<<", QR: "<<mdp.d_header.qr;
--- a/pdns/dnsdemog.cc
+++ b/pdns/dnsdemog.cc
@@ -47,7 +47,7 @@ try
           if(dh->rd || dh->qr)
             continue;
 
-          MOADNSParser mdp((const char*)pr.d_payload, pr.d_len);
+	  MOADNSParser mdp(false, (const char*)pr.d_payload, pr.d_len);
 
           memcpy(&entry.ip, &pr.d_ip->ip_src, 4);
           entry.port = pr.d_udp->uh_sport;
--- a/pdns/dnsgram.cc
+++ b/pdns/dnsgram.cc
@@ -111,7 +111,7 @@ try
           ntohs(pr.d_udp->uh_dport)==53   || ntohs(pr.d_udp->uh_sport)==53) &&
          pr.d_len > 12) {
         try {
-          MOADNSParser mdp((const char*)pr.d_payload, pr.d_len);
+          MOADNSParser mdp(false, (const char*)pr.d_payload, pr.d_len);
           if(mdp.d_header.id==htons(4575)) {
 //            cerr << ntohl(*(uint32_t*)&pr.d_ip->ip_src)<<endl;
             g_skipped++;
--- a/pdns/dnspacket.cc
+++ b/pdns/dnspacket.cc
@@ -46,7 +46,7 @@
 
 bool DNSPacket::s_doEDNSSubnetProcessing;
 
-DNSPacket::DNSPacket() 
+DNSPacket::DNSPacket(bool isQuery)
 {
   d_wrapped=false;
   d_compress=true;
@@ -54,6 +54,7 @@ DNSPacket::DNSPacket()
   d_wantsnsid=false;
   d_haveednssubnet = false;
   d_dnssecOk=false;
+  d_isQuery = isQuery;
 }
 
 const string& DNSPacket::getString()
@@ -107,6 +108,8 @@ DNSPacket::DNSPacket(const DNSPacket &or
 
   d_rawpacket=orig.d_rawpacket;
   d=orig.d;
+
+  d_isQuery = orig.d_isQuery;
 }
 
 void DNSPacket::setRcode(int v)
@@ -353,7 +356,7 @@ void DNSPacket::setQuestion(int op, cons
 /** convenience function for creating a reply packet from a question packet. Do not forget to delete it after use! */
 DNSPacket *DNSPacket::replyPacket() const
 {
-  DNSPacket *r=new DNSPacket;
+  DNSPacket *r=new DNSPacket(false);
   r->setSocket(d_socket);
 
   r->setRemote(&d_remote);
@@ -428,7 +431,7 @@ void DNSPacket::setTSIGDetails(const TSI
 
 bool DNSPacket::getTSIGDetails(TSIGRecordContent* trc, string* keyname, string* message) const
 {
-  MOADNSParser mdp(d_rawpacket);
+  MOADNSParser mdp(d_isQuery, d_rawpacket);
 
   if(!mdp.getTSIGPos()) 
     return false;
@@ -467,7 +470,7 @@ try
     return -1;
   }
 
-  MOADNSParser mdp(d_rawpacket);
+  MOADNSParser mdp(d_isQuery, d_rawpacket);
   EDNSOpts edo;
 
   // ANY OPTION WHICH *MIGHT* BE SET DOWN BELOW SHOULD BE CLEARED FIRST!
--- a/pdns/dnspacket.hh
+++ b/pdns/dnspacket.hh
@@ -73,7 +73,7 @@ class DNSSECKeeper;
 class DNSPacket
 {
 public:
-  DNSPacket();
+  DNSPacket(bool isQuery);
   DNSPacket(const DNSPacket &orig);
 
   int noparse(const char *mesg, int len); //!< just suck the data inward
@@ -174,6 +174,7 @@ private:
   string d_tsigkeyname;
   string d_tsigprevious;
   bool d_tsigtimersonly;
+  bool d_isQuery;
 
   vector<DNSResourceRecord> d_rrs; // 4
 };
--- a/pdns/dnsparser.cc
+++ b/pdns/dnsparser.cc
@@ -137,7 +137,7 @@ shared_ptr<DNSRecordContent> DNSRecordCo
   memcpy(&packet[pos], &drh, sizeof(drh)); pos+=sizeof(drh);
   memcpy(&packet[pos], serialized.c_str(), serialized.size()); pos+=(uint16_t)serialized.size();
 
-  MOADNSParser mdp((char*)&*packet.begin(), (unsigned int)packet.size());
+  MOADNSParser mdp(false, (char*)&*packet.begin(), (unsigned int)packet.size());
   shared_ptr<DNSRecordContent> ret= mdp.d_answers.begin()->first.d_content;
   ret->header.d_type=ret->d_qtype;
   ret->label=mdp.d_answers.begin()->first.d_label;
@@ -194,7 +194,7 @@ DNSRecordContent::zmakermap_t& DNSRecord
   return zmakermap;
 }
 
-void MOADNSParser::init(const char *packet, unsigned int len)
+void MOADNSParser::init(bool query, const char *packet, unsigned int len)
 {
   if(len < sizeof(dnsheader))
     throw MOADNSException("Packet shorter than minimal header");
@@ -208,6 +208,9 @@ void MOADNSParser::init(const char *pack
   d_header.ancount=ntohs(d_header.ancount);
   d_header.nscount=ntohs(d_header.nscount);
   d_header.arcount=ntohs(d_header.arcount);
+
+  if (query && (d_header.qdcount > 1))
+    throw MOADNSException("Query with QD > 1 ("+lexical_cast<string>(d_header.qdcount)+")");
   
   uint16_t contentlen=len-sizeof(dnsheader);
 
@@ -252,7 +255,13 @@ void MOADNSParser::init(const char *pack
       dr.d_label=label;
       dr.d_clen=ah.d_clen;
 
-      dr.d_content=boost::shared_ptr<DNSRecordContent>(DNSRecordContent::mastermake(dr, pr));
+      if (query && (dr.d_place == DNSRecord::Answer || dr.d_place == DNSRecord::Nameserver || (dr.d_type != QType::OPT && dr.d_type != QType::TSIG && dr.d_type != QType::SIG) || ((dr.d_type == QType::TSIG || dr.d_type == QType::SIG) && dr.d_class != 0xff))) {
+        dr.d_content=boost::shared_ptr<DNSRecordContent>(new UnknownRecordContent(dr, pr));
+      }
+      else {
+        dr.d_content=boost::shared_ptr<DNSRecordContent>(DNSRecordContent::mastermake(dr, pr));
+      }
+
       d_answers.push_back(make_pair(dr, pr.d_pos));
 
       if(dr.d_type == QType::TSIG && dr.d_class == 0xff) 
--- a/pdns/dnsparser.hh
+++ b/pdns/dnsparser.hh
@@ -295,15 +295,15 @@ class MOADNSParser : public boost::nonco
 {
 public:
   //! Parse from a string
-  MOADNSParser(const string& buffer)  : d_tsigPos(0)
+  MOADNSParser(bool query, const string& buffer)  : d_tsigPos(0)
   {
-    init(buffer.c_str(), (unsigned int)buffer.size());
+    init(query, buffer.c_str(), (unsigned int)buffer.size());
   }
 
   //! Parse from a pointer and length
-  MOADNSParser(const char *packet, unsigned int len) : d_tsigPos(0)
+  MOADNSParser(bool query, const char *packet, unsigned int len) : d_tsigPos(0)
   {
-    init(packet, len);
+    init(query, packet, len);
   }
 
   dnsheader d_header;
@@ -329,7 +329,7 @@ public:
   }
 private:
   void getDnsrecordheader(struct dnsrecordheader &ah);
-  void init(const char *packet, unsigned int len);
+  void init(bool query, const char *packet, unsigned int len);
   vector<uint8_t> d_content;
   uint16_t d_tsigPos;
 };
--- a/pdns/dnsproxy.cc
+++ b/pdns/dnsproxy.cc
@@ -181,7 +181,7 @@ void DNSProxy::mainloop(void)
         d.id=i->second.id;
         memcpy(buffer,&d,sizeof(d));  // commit spoofed id
 
-        DNSPacket p,q;
+        DNSPacket p(false),q(false);
         p.parse(buffer,len);
         q.parse(buffer,len);
 
--- a/pdns/dnsreplay.cc
+++ b/pdns/dnsreplay.cc
@@ -340,7 +340,7 @@ try
   while(s_socket->recvFromAsync(packet, remote)) {
     try {
       s_weanswers++;
-      MOADNSParser mdp(packet.c_str(), packet.length());
+      MOADNSParser mdp(false, packet.c_str(), packet.length());
       if(!mdp.d_header.qr) {
         cout<<"Received a question from our reference nameserver!"<<endl;
         continue;
@@ -498,7 +498,7 @@ bool sendPacketFromPR(PcapPacketReader&
       sent=true;
       dh->id=tmp;
     }
-    MOADNSParser mdp((const char*)pr.d_payload, pr.d_len);
+    MOADNSParser mdp(false, (const char*)pr.d_payload, pr.d_len);
     QuestionIdentifier qi=QuestionIdentifier::create(pr.d_ip, pr.d_udp, mdp);
     
     if(!mdp.d_header.qr) {
--- a/pdns/dnsscan.cc
+++ b/pdns/dnsscan.cc
@@ -47,7 +47,7 @@ try
     
     while(pr.getUDPPacket()) {
       try {
-        MOADNSParser mdp((const char*)pr.d_payload, pr.d_len);
+        MOADNSParser mdp(false, (const char*)pr.d_payload, pr.d_len);
         if(mdp.d_qtype < 256)
           counts[mdp.d_qtype]++;
 
--- a/pdns/dnsscope.cc
+++ b/pdns/dnsscope.cc
@@ -61,7 +61,7 @@ try
         ntohs(pr.d_udp->uh_dport)==53   || ntohs(pr.d_udp->uh_sport)==53) &&
         pr.d_len > 12) {
       try {
-        MOADNSParser mdp((const char*)pr.d_payload, pr.d_len);
+        MOADNSParser mdp(false, (const char*)pr.d_payload, pr.d_len);
 
         lowestTime=min((time_t)lowestTime,  (time_t)pr.d_pheader.ts.tv_sec);
         highestTime=max((time_t)highestTime, (time_t)pr.d_pheader.ts.tv_sec);
--- a/pdns/lwres.cc
+++ b/pdns/lwres.cc
@@ -165,7 +165,7 @@ int asyncresolve(const ComboAddress& ip,
   lwr->d_result.clear();
   try {
     lwr->d_tcbit=0;
-    MOADNSParser mdp((const char*)buf.get(), len);
+    MOADNSParser mdp(false, (const char*)buf.get(), len);
     lwr->d_aabit=mdp.d_header.aa;
     lwr->d_tcbit=mdp.d_header.tc;
     lwr->d_rcode=mdp.d_header.rcode;
--- a/pdns/mastercommunicator.cc
+++ b/pdns/mastercommunicator.cc
@@ -137,7 +137,7 @@ time_t CommunicatorClass::doNotification
     size=recvfrom(sock,buffer,sizeof(buffer),0,(struct sockaddr *)&from,&fromlen);
     if(size < 0)
       break;
-    DNSPacket p;
+    DNSPacket p(true);
 
     p.setRemote(&from);
 
--- a/pdns/notify.cc
+++ b/pdns/notify.cc
@@ -59,7 +59,7 @@ try
     throw runtime_error("Unable to receive notification response from PowerDNS: "+stringerror());
 
   string packet(buffer, len);
-  MOADNSParser mdp(packet);
+  MOADNSParser mdp(false, packet);
 
   cerr<<"Received notification response with code: "<<mdp.d_header.rcode<<endl;
   cerr<<"For: '"<<mdp.d_qname<<"'"<<endl;
--- a/pdns/nproxy.cc
+++ b/pdns/nproxy.cc
@@ -66,7 +66,7 @@ try
     throw runtime_error("reading packet from remote: "+stringerror());
     
   string packet(buffer, res);
-  MOADNSParser mdp(packet);
+  MOADNSParser mdp(true, packet);
   nif.domain = mdp.d_qname;
   nif.origID = mdp.d_header.id;
 
@@ -136,7 +136,7 @@ try
     throw runtime_error("reading packet from remote: "+stringerror());
     
   string packet(buffer, len);
-  MOADNSParser mdp(packet);
+  MOADNSParser mdp(false, packet);
 
   //  cerr<<"Inside notification response for: "<<mdp.d_qname<<endl;
 
--- a/pdns/pdns_recursor.cc
+++ b/pdns/pdns_recursor.cc
@@ -124,7 +124,7 @@ unsigned int g_numThreads;
 
 //! used to send information to a newborn mthread
 struct DNSComboWriter {
-  DNSComboWriter(const char* data, uint16_t len, const struct timeval& now) : d_mdp(data, len), d_now(now), 
+  DNSComboWriter(const char* data, uint16_t len, const struct timeval& now) : d_mdp(true, data, len), d_now(now), 
         											        d_tcp(false), d_socket(-1)
   {}
   MOADNSParser d_mdp;
--- a/pdns/resolver.cc
+++ b/pdns/resolver.cc
@@ -222,7 +222,7 @@ bool Resolver::tryGetSOASerial(string* d
     throw ResolverException("recvfrom error waiting for answer: "+stringerror());
   }
   
-  MOADNSParser mdp((char*)buf, err);
+  MOADNSParser mdp(false, (char*)buf, err);
   *id=mdp.d_header.id;
   *domain = stripDot(mdp.d_qname);
   
@@ -276,7 +276,7 @@ int Resolver::resolve(const string &ippo
     if((len=recvfrom(sock, buffer, sizeof(buffer), 0,(struct sockaddr*)(&from), &addrlen)) < 0) 
       throw ResolverException("recvfrom error waiting for answer: "+stringerror());
   
-    MOADNSParser mdp(buffer, len);
+    MOADNSParser mdp(false, buffer, len);
     return parseResult(mdp, domain, type, id, res);
   }
   catch(ResolverException &re) {
@@ -390,7 +390,7 @@ int AXFRRetriever::getChunk(Resolver::re
 
   d_receivedBytes += (uint16_t) len;
 
-  MOADNSParser mdp(d_buf.get(), len);
+  MOADNSParser mdp(false, d_buf.get(), len);
 
   int err = parseResult(mdp, "", 0, 0, &res);
   if(err) 
--- a/pdns/sdig.cc
+++ b/pdns/sdig.cc
@@ -60,7 +60,7 @@ try
   string reply;
   sock.recvFrom(reply, dest);
 
-  MOADNSParser mdp(reply);
+  MOADNSParser mdp(false, reply);
   cout<<"Reply to question for qname='"<<mdp.d_qname<<"', qtype="<<DNSRecordContent::NumberToType(mdp.d_qtype)<<endl;
   cout<<"Rcode: "<<mdp.d_header.rcode<<", RD: "<<mdp.d_header.rd<<", QR: "<<mdp.d_header.qr;
   cout<<", TC: "<<mdp.d_header.tc<<", AA: "<<mdp.d_header.aa<<", opcode: "<<mdp.d_header.opcode<<endl;
--- a/pdns/speedtest.cc
+++ b/pdns/speedtest.cc
@@ -485,7 +485,7 @@ struct ParsePacketTest
 
   void operator()() const
   {
-    MOADNSParser mdp((const char*)&*d_packet.begin(), d_packet.size());
+    MOADNSParser mdp(false, (const char*)&*d_packet.begin(), d_packet.size());
     typedef map<pair<string, QType>, set<DNSResourceRecord>, TCacheComp > tcache_t;
     tcache_t tcache;
     
@@ -651,7 +651,7 @@ struct ParsePacketBareTest
 
   void operator()() const
   {
-    MOADNSParser mdp((const char*)&*d_packet.begin(), d_packet.size());
+    MOADNSParser mdp(false, (const char*)&*d_packet.begin(), d_packet.size());
   }
   const vector<uint8_t>& d_packet;
   std::string d_name;
--- a/pdns/tcpreceiver.cc
+++ b/pdns/tcpreceiver.cc
@@ -268,7 +268,7 @@ void *TCPNameserver::doConnection(void *
       getQuestion(fd, mesg, pktlen, remote);
       S.inc("tcp-queries");      
 
-      packet=shared_ptr<DNSPacket>(new DNSPacket);
+      packet=shared_ptr<DNSPacket>(new DNSPacket(true));
       packet->setRemote(&remote);
       packet->d_tcp=true;
       packet->setSocket(fd);
@@ -282,7 +282,7 @@ void *TCPNameserver::doConnection(void *
       }
 
       shared_ptr<DNSPacket> reply; 
-      shared_ptr<DNSPacket> cached= shared_ptr<DNSPacket>(new DNSPacket);
+      shared_ptr<DNSPacket> cached= shared_ptr<DNSPacket>(new DNSPacket(false));
       if(logDNSQueries)  {
         string remote;
         if(packet->hasEDNSSubnet()) 
--- a/pdns/tsig-tests.cc
+++ b/pdns/tsig-tests.cc
@@ -62,7 +62,7 @@ try
   string reply;
   sock.recvFrom(reply, dest);
 
-  MOADNSParser mdp(reply);
+  MOADNSParser mdp(false, reply);
   cout<<"Reply to question for qname='"<<mdp.d_qname<<"', qtype="<<DNSRecordContent::NumberToType(mdp.d_qtype)<<endl;
   cout<<"Rcode: "<<mdp.d_header.rcode<<", RD: "<<mdp.d_header.rd<<", QR: "<<mdp.d_header.qr;
   cout<<", TC: "<<mdp.d_header.tc<<", AA: "<<mdp.d_header.aa<<", opcode: "<<mdp.d_header.opcode<<endl;
--- a/pdns/toysdig.cc
+++ b/pdns/toysdig.cc
@@ -42,7 +42,7 @@ try
   string reply;
   sock.recvFrom(reply, dest);
 
-  MOADNSParser mdp(reply);
+  MOADNSParser mdp(false, reply);
   cout<<"Reply to question for qname='"<<mdp.d_qname<<"', qtype="<<DNSRecordContent::NumberToType(mdp.d_qtype)<<endl;
   cout<<"Rcode: "<<mdp.d_header.rcode<<", RD: "<<mdp.d_header.rd<<", QR: "<<mdp.d_header.qr;
   cout<<", TC: "<<mdp.d_header.tc<<", AA: "<<mdp.d_header.aa<<", opcode: "<<mdp.d_header.opcode<<endl;
--- a/pdns/qtype.cc
+++ b/pdns/qtype.cc
@@ -63,6 +63,7 @@ QType::QType()
       insert("CERT", 37);
       insert("A6",38);
       insert("NAPTR",35);
+      insert("OPT", 41);
       insert("DS", 43);
       insert("SSHFP", 44);
       insert("RRSIG", 46);
--- a/pdns/qtype.hh
+++ b/pdns/qtype.hh
@@ -77,7 +77,7 @@ public:
   static int chartocode(const char *p); //!< convert a character string to a code
 // more solaris fun
 #undef DS   
-  enum typeenum {A=1,NS=2,CNAME=5,SOA=6, MR=9, PTR=12,HINFO=13,MX=15,TXT=16,RP=17,AFSDB=18,KEY=25,AAAA=28,LOC=29,SRV=33,NAPTR=35, KX=36, 
+  enum typeenum {A=1,NS=2,CNAME=5,SOA=6, MR=9, PTR=12,HINFO=13,MX=15,TXT=16,RP=17,AFSDB=18,SIG=24,KEY=25,AAAA=28,LOC=29,SRV=33,NAPTR=35, KX=36, 
 		 CERT=37,OPT=41, DS=43, SSHFP=44, IPSECKEY=45, RRSIG=46, NSEC=47, DNSKEY=48, DHCID=49, NSEC3=50, NSEC3PARAM=51,
 		 TLSA=52, SPF=99, TSIG=250, AXFR=252, IXFR=251, ANY=255, URL=256, MBOXFW=257, CURL=258, ADDR=259, DLV=32769} types;
   typedef pair<string,uint16_t> namenum; 
--- a/pdns/nameserver.hh
+++ b/pdns/nameserver.hh
@@ -137,7 +137,7 @@ inline DNSPacket *UDPNameserver::receive
   if(prefilled)  // they gave us a preallocated packet
     packet=prefilled;
   else
-    packet=new DNSPacket; // don't forget to free it!
+    packet=new DNSPacket(true); // don't forget to free it!
   packet->d_dt.set(); // timing
   packet->setSocket(sock);
   packet->setRemote(&remote);
