If named attempts to respond over UDP with a response that is larger than the current effective interface maximum transmission unit (MTU), and if response-rate limiting (RRL) is active, an assertion failure is triggered (resulting in termination of the named server process). Reference: https://kb.isc.org/docs/cve-2021-25218
Created bind tracking bugs for this issue: Affects: fedora-all [bug 1995313]
oss-security email: https://seclists.org/oss-sec/2021/q3/112
Upstream patches: https://github.com/isc-projects/bind9/commit/513e58d53aff2ade611e56c9ce8c2664ad2488ac https://downloads.isc.org/isc/bind9/9.17.17/patches/CVE-2021-25218.patch https://downloads.isc.org/isc/bind9/9.16.20/patches/CVE-2021-25218.patch
Upstream issue: https://gitlab.isc.org/isc-projects/bind9/-/issues/2839
According to the upstream patch and the linked issue, the reachable assertion seems to be in lib/ns/client.c:ns_client_error():

```
void
ns_client_error(ns_client_t *client, isc_result_t result) {
	[...]
	/*
	 * Try to rate limit error responses.
	 */
	if (client->view != NULL && client->view->rrl != NULL) {
		bool wouldlog;
		char log_buf[DNS_RRL_LOG_BUF_LEN];
		dns_rrl_result_t rrl_result;
		int loglevel;

		INSIST(rcode != dns_rcode_noerror &&
		       rcode != dns_rcode_nxdomain); // REACHABLE ASSERTION
		[...]
	}
	[...]
}
```
libns was exported as a separate library from bin/named in https://gitlab.isc.org/bshastry/bind9/-/commit/8eb88aafee951859264e36c315b1289cd8c2088b . The same INSIST assertion can be found in previous versions in bin/named/client.c:ns_client_error(). The code in the ns_client_error() function was first introduced with https://gitlab.isc.org/isc-projects/bind9/-/commit/55e5c51e661e23e24573db84114a3837817745c9 , which adds support for DNS Response Rate Limiting (DNS RRL).
FTR libns is meant only for BIND-internal use.
As explained in https://gitlab.isc.org/isc-projects/bind9/commit/15996f0cb15631b95a801e3e88928494a69ad6ee , ns_client_error() was supposed to be called with a failure rcode and never with dns_rcode_noerror (nor dns_rcode_nxdomain). However, due to https://gitlab.isc.org/isc-projects/bind9/commit/82a81287f9d5845450d692398a6c24e0f9c0a19c#3601b983e9bdb916e8f6d2263823c5ea9826bc38_286_298 some code paths were overriding the rcode value to be dns_rcode_noerror. For this reason, versions of bind without commit 82a81287f9d5845450d692398a6c24e0f9c0a19c or the `rcode_override` field cannot trigger the assertion in ns_client_error(), even if the function and the assertion are still in the code base.
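To make the interplay between the rcode override and the RRL INSIST concrete, here is a small, hypothetical C model of the error path described in the comments above. It is added here for illustration and is not BIND code: the structures, the `result_torcode()` mapping (NOSPACE to SERVFAIL), the MTU check and the outcome enum are all assumptions of the model, INSIST is reported as an outcome instead of aborting so every branch can be exercised, and the `hardened` variant is an illustrative mitigation (refusing an override that turns an error response into NOERROR/NXDOMAIN), not the upstream patch.

```c
/*
 * Hypothetical, simplified model of the rcode handling in ns_client_error().
 * Not BIND code; it does not reproduce BIND's real data structures.
 * INSIST is modelled as a reported outcome instead of an abort so that
 * every path can be exercised from a test.
 */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

typedef enum { R_SUCCESS, R_NOSPACE } result_t; /* stand-in for isc_result_t */
typedef enum {
	RC_NOERROR = 0,
	RC_SERVFAIL = 2,
	RC_NXDOMAIN = 3,
	RC_REFUSED = 5
} rcode_t; /* DNS RCODE values */

typedef struct {
	bool rrl_enabled;    /* models client->view->rrl != NULL */
	int rcode_override;  /* models client->rcode_override, -1 if unset */
	bool udp;
	size_t response_len; /* bytes the rendered response would occupy */
	size_t mtu;          /* effective interface MTU */
} client_t;

typedef enum {
	OUT_SENT,         /* normal response sent */
	OUT_ERROR_SENT,   /* error response sent (after the RRL check) */
	OUT_INSIST_FAILED /* assertion would fire: named terminates */
} outcome_t;

/* Models dns_result_torcode(): success maps to NOERROR, anything else to
 * SERVFAIL (assumption of this model). */
static rcode_t result_torcode(result_t result) {
	return result == R_SUCCESS ? RC_NOERROR : RC_SERVFAIL;
}

/* Model of ns_client_error(). With hardened == false it follows the
 * vulnerable order: apply rcode_override, then INSIST on a failure rcode. */
static outcome_t client_error(const client_t *c, result_t result, bool hardened) {
	rcode_t rcode = result_torcode(result);

	/* The override added by commit 82a81287 can install a non-error rcode. */
	if (c->rcode_override != -1) {
		rcode = (rcode_t)c->rcode_override;
	}

	/* Illustrative hardening (not the upstream fix): an error response
	 * must carry a failure rcode, so discard an override that would
	 * turn it into NOERROR or NXDOMAIN. */
	if (hardened && (rcode == RC_NOERROR || rcode == RC_NXDOMAIN)) {
		rcode = result_torcode(result);
	}

	/* Try to rate limit error responses. */
	if (c->rrl_enabled) {
		/* INSIST(rcode != dns_rcode_noerror && rcode != dns_rcode_nxdomain) */
		if (!(rcode != RC_NOERROR && rcode != RC_NXDOMAIN)) {
			return OUT_INSIST_FAILED;
		}
		/* dns_rrl() would be consulted here; omitted in the model. */
	}
	return OUT_ERROR_SENT;
}

/* Model of the send path: a UDP response larger than the MTU fails to
 * render (ISC_R_NOSPACE in the model) and is routed to the error path. */
static outcome_t client_send(const client_t *c, bool hardened) {
	if (c->udp && c->response_len > c->mtu) {
		return client_error(c, R_NOSPACE, hardened);
	}
	return OUT_SENT;
}

int main(void) {
	/* Constructed scenario: RRL on, override forced to NOERROR,
	 * 4000-byte UDP answer against a 1500-byte MTU. */
	client_t c = { .rrl_enabled = true, .rcode_override = RC_NOERROR,
	               .udp = true, .response_len = 4000, .mtu = 1500 };
	printf("vulnerable: %d (2 = INSIST failed)\n", (int)client_send(&c, false));
	printf("hardened:   %d (1 = error sent)\n", (int)client_send(&c, true));
	return 0;
}
```

Running the model shows the three conditions that must coincide, matching the description: the response must exceed the MTU over UDP (so the error path is entered), RRL must be enabled (so the INSIST is evaluated), and the override must have installed NOERROR or NXDOMAIN; removing any one of them leaves the assertion intact.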