Upgrade to 9.8.3-P4:

Prevents a lockup when queried a deliberately constructed combination
of records. [CVE-2012-5166]

For more information: https://kb.isc.org/article/AA-00801

contrib/bind9/CHANGES

@@ -1,3 +1,9 @@
+	--- 9.8.3-P4 released ---
+
+3383.	[security]	A certain combination of records in the RBT could
+                        cause named to hang while populating the additional
+                        section of a response. [RT #31090]
+
 	--- 9.8.3-P3 released ---
 
 3364.	[security]	Named could die on specially crafted record.

contrib/bind9/bin/named/query.c

@@ -1119,13 +1119,6 @@ query_isduplicate(ns_client_t *client, dns_name_t *name,
 		mname = NULL;
 	}
 
-	/*
-	 * If the dns_name_t we're looking up is already in the message,
-	 * we don't want to trigger the caller's name replacement logic.
-	 */
-	if (name == mname)
-		mname = NULL;
-
 	if (mnamep != NULL)
 		*mnamep = mname;
 
@@ -1324,6 +1317,7 @@ query_addadditional(void *arg, dns_name_t *name, dns_rdatatype_t qtype) {
 	if (dns_rdataset_isassociated(rdataset) &&
 	    !query_isduplicate(client, fname, type, &mname)) {
 		if (mname != NULL) {
+			INSIST(mname != fname);
 			query_releasename(client, &fname);
 			fname = mname;
 		} else
@@ -1393,11 +1387,13 @@ query_addadditional(void *arg, dns_name_t *name, dns_rdatatype_t qtype) {
 #endif
 			if (!query_isduplicate(client, fname,
 					       dns_rdatatype_a, &mname)) {
-				if (mname != NULL) {
+				if (mname != fname) {
-					query_releasename(client, &fname);
+					if (mname != NULL) {
-					fname = mname;
+						query_releasename(client, &fname);
-				} else
+						fname = mname;
-					need_addname = ISC_TRUE;
+					} else
+						need_addname = ISC_TRUE;
+				}
 				ISC_LIST_APPEND(fname->list, rdataset, link);
 				added_something = ISC_TRUE;
 				if (sigrdataset != NULL &&
@@ -1450,11 +1446,13 @@ query_addadditional(void *arg, dns_name_t *name, dns_rdatatype_t qtype) {
 #endif
 			if (!query_isduplicate(client, fname,
 					       dns_rdatatype_aaaa, &mname)) {
-				if (mname != NULL) {
+				if (mname != fname) {
-					query_releasename(client, &fname);
+					if (mname != NULL) {
-					fname = mname;
+						query_releasename(client, &fname);
-				} else
+						fname = mname;
-					need_addname = ISC_TRUE;
+					} else
+						need_addname = ISC_TRUE;
+				}
 				ISC_LIST_APPEND(fname->list, rdataset, link);
 				added_something = ISC_TRUE;
 				if (sigrdataset != NULL &&
@@ -1977,22 +1975,24 @@ query_addadditional2(void *arg, dns_name_t *name, dns_rdatatype_t qtype) {
 		    crdataset->type == dns_rdatatype_aaaa) {
 			if (!query_isduplicate(client, fname, crdataset->type,
 					       &mname)) {
-				if (mname != NULL) {
+				if (mname != fname) {
-					/*
+					if (mname != NULL) {
-					 * A different type of this name is
+						/*
-					 * already stored in the additional
+						 * A different type of this name is
-					 * section.  We'll reuse the name.
+						 * already stored in the additional
-					 * Note that this should happen at most
+						 * section.  We'll reuse the name.
-					 * once.  Otherwise, fname->link could
+						 * Note that this should happen at most
-					 * leak below.
+						 * once.  Otherwise, fname->link could
-					 */
+						 * leak below.
-					INSIST(mname0 == NULL);
+						 */
+						INSIST(mname0 == NULL);
 
-					query_releasename(client, &fname);
+						query_releasename(client, &fname);
-					fname = mname;
+						fname = mname;
-					mname0 = mname;
+						mname0 = mname;
-				} else
+					} else
-					need_addname = ISC_TRUE;
+						need_addname = ISC_TRUE;
+				}
 				ISC_LIST_UNLINK(cfname.list, crdataset, link);
 				ISC_LIST_APPEND(fname->list, crdataset, link);
 				added_something = ISC_TRUE;

contrib/bind9/version

@@ -7,4 +7,4 @@ MAJORVER=9
 MINORVER=8
 PATCHVER=3
 RELEASETYPE=-P
-RELEASEVER=3
+RELEASEVER=4