--- /dev/null
+From 390c5183af79861fcf07a44014912788744e85de Mon Sep 17 00:00:00 2001
+From: Mark Andrews <marka@isc.org>
+Date: Thu, 7 Jul 2016 12:52:47 +1000
+Subject: [PATCH] 4406. [bug] getrrsetbyname with a non absolute
+ name could trigger a infinite recursion bug in lwresd
+ and named with lwres configured if when combined
+ with a search list entry the resulting name is
+ too long. [RT #42694]
+
+(cherry picked from commit 38cc2d14e218e536e0102fa70deef99461354232)
+
+Upstream-Status: Backport
+CVE: CVE-2016-2775
+
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+---
+ CHANGES | 6 ++++++
+ bin/named/lwdgrbn.c | 16 ++++++++++------
+ bin/tests/system/lwresd/lwtest.c | 8 ++++++++
+ 3 files changed, 24 insertions(+), 6 deletions(-)
+
+Index: bind-9.10.2-P4/bin/named/lwdgrbn.c
+===================================================================
+--- bind-9.10.2-P4.orig/bin/named/lwdgrbn.c
++++ bind-9.10.2-P4/bin/named/lwdgrbn.c
+@@ -403,14 +403,18 @@ start_lookup(ns_lwdclient_t *client) {
+ INSIST(client->lookup == NULL);
+
+ dns_fixedname_init(&absname);
+- result = ns_lwsearchctx_current(&client->searchctx,
+- dns_fixedname_name(&absname));
++
+ /*
+- * This will return failure if relative name + suffix is too long.
+- * In this case, just go on to the next entry in the search path.
++ * Perform search across all search domains until success
++ * is returned. Return in case of failure.
+ */
+- if (result != ISC_R_SUCCESS)
+- start_lookup(client);
++ while (ns_lwsearchctx_current(&client->searchctx,
++ dns_fixedname_name(&absname)) != ISC_R_SUCCESS) {
++ if (ns_lwsearchctx_next(&client->searchctx) != ISC_R_SUCCESS) {
++ ns_lwdclient_errorpktsend(client, LWRES_R_FAILURE);
++ return;
++ }
++ }
+
+ result = dns_lookup_create(cm->mctx,
+ dns_fixedname_name(&absname),
+Index: bind-9.10.2-P4/bin/tests/system/lwresd/lwtest.c
+===================================================================
+--- bind-9.10.2-P4.orig/bin/tests/system/lwresd/lwtest.c
++++ bind-9.10.2-P4/bin/tests/system/lwresd/lwtest.c
+@@ -768,6 +768,14 @@ main(void) {
+ test_getrrsetbyname("e.example1.", 1, 46, 2, 0, 1);
+ test_getrrsetbyname("", 1, 1, 0, 0, 0);
+
++ test_getrrsetbyname("123456789.123456789.123456789.123456789."
++ "123456789.123456789.123456789.123456789."
++ "123456789.123456789.123456789.123456789."
++ "123456789.123456789.123456789.123456789."
++ "123456789.123456789.123456789.123456789."
++ "123456789.123456789.123456789.123456789."
++ "123456789", 1, 1, 0, 0, 0);
++
+ if (fails == 0)
+ printf("I:ok\n");
+ return (fails);
+Index: bind-9.10.2-P4/CHANGES
+===================================================================
+--- bind-9.10.2-P4.orig/CHANGES
++++ bind-9.10.2-P4/CHANGES
+@@ -1,3 +1,9 @@
++4406. [bug] getrrsetbyname with a non absolute name could
++ trigger a infinite recursion bug in lwresd
++ and named with lwres configured if when combined
++ with a search list entry the resulting name is
++ too long. [RT #42694]
++
+ 4322. [security] Duplicate EDNS COOKIE options in a response could
+ trigger an assertion failure. (CVE-2016-2088)
+ [RT #41809]
