openeuler-ci-bot
8093df8993
!240 fix CVE-2024-1737
From: @chengyechun 
Reviewed-by: @robertxw 
Signed-off-by: @robertxw
2025-04-24 01:32:48 +00:00
chengyechun
7b2c3e6851 fix CVE-2024-1737 2025-04-23 15:37:46 +08:00
openeuler-ci-bot
cd3e0d6cba
!236 fix CVE-2024-11187
From: @chengyechun 
Reviewed-by: @jiangheng12 
Signed-off-by: @jiangheng12
2025-02-19 09:31:21 +00:00
pojunxing
1a0f154983 fix CVE-2024-11187 2025-02-19 16:41:23 +08:00
openeuler-ci-bot
9c3b1c9994
!225 [sync] PR-222: fix some CVEs
From: @openeuler-sync-bot 
Reviewed-by: @jiangheng12 
Signed-off-by: @jiangheng12
2024-08-05 02:15:11 +00:00
chengyechun
168c39f12d fix CVE
(cherry picked from commit d58175a4f1b6a4f42572a4b485c203c0c1bdcb62)
2024-08-03 16:57:16 +08:00
openeuler-ci-bot
1e01fbe31e
!213 [sync] PR-211: update release version
From: @openeuler-sync-bot 
Reviewed-by: @sunsuwan 
Signed-off-by: @sunsuwan
2024-03-21 08:42:49 +00:00
chengyechun
0f536f4f51 update release version
(cherry picked from commit 2793b74a660a74e667063c5efbabd5256ec17c17)
2024-03-21 15:45:31 +08:00
openeuler-ci-bot
9fdfa669b1
!206 [sync] PR-203: fix CVE and sync some patches from upstream
From: @openeuler-sync-bot 
Reviewed-by: @sunsuwan 
Signed-off-by: @sunsuwan
2024-03-19 02:55:31 +00:00
chengyechun
2da48fade6 fix CVE and sync some patches from upstream
(cherry picked from commit 024c1c3a13843410cfc171309152f326fed846cf)
2024-03-15 17:30:36 +08:00
40 changed files with 17623 additions and 55 deletions


@ -0,0 +1,94 @@
From fdabf4b9570a60688f9f7d1e88d885f7a3718bca Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Ond=C5=99ej=20Sur=C3=BD?= <ondrej@isc.org>
Date: Fri, 1 Mar 2024 08:26:07 +0100
Subject: [PATCH 1/3] Add a limit to the number of RRs in RRSets
Previously, the number of RRs in the RRSets were internally unlimited.
As the data structure that holds the RRs is just a linked list, and
there are places where we just walk through all of the RRs, adding an
RRSet with huge number of RRs inside would slow down processing of said
RRSets.
The fix for end-of-life branches make the limit compile-time only for
simplicity and the limit can be changed at the compile time by adding
following define to CFLAGS:
-DDNS_RDATASET_MAX_RECORDS=<limit>
(cherry picked from commit c5c4d00c38530390c9e1ae4c98b65fbbadfe9e5e)
Conflict:NA
Reference:https://gitlab.isc.org/isc-projects/bind9/-/commit/5360c90612abf51deb4a80b30e1da84fd61212a5
---
configure | 2 +-
configure.ac | 2 +-
lib/dns/rdataslab.c | 12 ++++++++++++
3 files changed, 14 insertions(+), 2 deletions(-)
diff --git a/configure b/configure
index ed2d486..bdfd59f 100755
--- a/configure
+++ b/configure
@@ -12295,7 +12295,7 @@ fi
XTARGETS=
if test "$enable_developer" = "yes"; then :
- STD_CDEFINES="$STD_CDEFINES -DISC_MEM_DEFAULTFILL=1 -DISC_LIST_CHECKINIT=1"
+ STD_CDEFINES="$STD_CDEFINES -DISC_MEM_DEFAULTFILL=1 -DISC_LIST_CHECKINIT=1 -DDNS_RDATASET_MAX_RECORDS=5000"
test "${enable_fixed_rrset+set}" = set || enable_fixed_rrset=yes
test "${enable_querytrace+set}" = set || enable_querytrace=yes
test "${with_cmocka+set}" = set || with_cmocka=yes
diff --git a/configure.ac b/configure.ac
index cb8e841..5be8c76 100644
--- a/configure.ac
+++ b/configure.ac
@@ -94,7 +94,7 @@ AC_ARG_ENABLE([developer],
XTARGETS=
AS_IF([test "$enable_developer" = "yes"],
- [STD_CDEFINES="$STD_CDEFINES -DISC_MEM_DEFAULTFILL=1 -DISC_LIST_CHECKINIT=1"
+ [STD_CDEFINES="$STD_CDEFINES -DISC_MEM_DEFAULTFILL=1 -DISC_LIST_CHECKINIT=1 -DDNS_RDATASET_MAX_RECORDS=5000"
test "${enable_fixed_rrset+set}" = set || enable_fixed_rrset=yes
test "${enable_querytrace+set}" = set || enable_querytrace=yes
test "${with_cmocka+set}" = set || with_cmocka=yes
diff --git a/lib/dns/rdataslab.c b/lib/dns/rdataslab.c
index 1d5e88f..dda9038 100644
--- a/lib/dns/rdataslab.c
+++ b/lib/dns/rdataslab.c
@@ -110,6 +110,10 @@ fillin_offsets(unsigned char *offsetbase, unsigned int *offsettable,
}
#endif /* if DNS_RDATASET_FIXED */
+#ifndef DNS_RDATASET_MAX_RECORDS
+#define DNS_RDATASET_MAX_RECORDS 100
+#endif /* DNS_RDATASET_MAX_RECORDS */
+
isc_result_t
dns_rdataslab_fromrdataset(dns_rdataset_t *rdataset, isc_mem_t *mctx,
isc_region_t *region, unsigned int reservelen) {
@@ -154,6 +158,10 @@ dns_rdataslab_fromrdataset(dns_rdataset_t *rdataset, isc_mem_t *mctx,
return (ISC_R_SUCCESS);
}
+ if (nitems > DNS_RDATASET_MAX_RECORDS) {
+ return (DNS_R_TOOMANYRECORDS);
+ }
+
if (nitems > 0xffff) {
return (ISC_R_NOSPACE);
}
@@ -520,6 +528,10 @@ dns_rdataslab_merge(unsigned char *oslab, unsigned char *nslab,
#endif /* if DNS_RDATASET_FIXED */
INSIST(ocount > 0 && ncount > 0);
+ if (ocount + ncount > DNS_RDATASET_MAX_RECORDS) {
+ return (DNS_R_TOOMANYRECORDS);
+ }
+
#if DNS_RDATASET_FIXED
oncount = ncount;
#endif /* if DNS_RDATASET_FIXED */
--
2.33.0
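Review bot: `DNS_R_TOOMANYRECORDS` is returned by both new guards, `if (nitems > DNS_RDATASET_MAX_RECORDS)` in dns_rdataslab_fromrdataset and `if (ocount + ncount > DNS_RDATASET_MAX_RECORDS)` in dns_rdataslab_merge, yet the diffstat lists only configure, configure.ac and rdataslab.c, so this patch defines neither the result code nor its text; confirm it already exists in this branch's result tables, otherwise the tree will not build. Both functions continue outside the hunks. Separately, the developer build raises the cap to 5000 while the shipped fallback is 100, so CI exercises a different limit than production; a comment at the fallback, `/* default cap per RRset; override with -DDNS_RDATASET_MAX_RECORDS (developer builds use 5000) */`, would make that visible to readers of rdataslab.c.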


@ -0,0 +1,123 @@
From dfcadc2085c8844b5836aff2b5ea51fb60c34868 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Ond=C5=99ej=20Sur=C3=BD?= <ondrej@isc.org>
Date: Wed, 29 May 2024 08:43:39 +0200
Subject: [PATCH 2/3] Add a limit to the number of RR types for single name
Previously, the number of RR types for a single owner name was limited
only by the maximum number of the types (64k). As the data structure
that holds the RR types for the database node is just a linked list, and
there are places where we just walk through the whole list (again and
again), adding a large number of RR types for a single owner named with
would slow down processing of such name (database node).
Add a hard-coded limit (100) to cap the number of the RR types for a single
owner. The limit can be changed at the compile time by adding following
define to CFLAGS:
-DDNS_RBTDB_MAX_RTYPES=<limit>
Conflict:Context Adaptation
Reference:https://gitlab.isc.org/isc-projects/bind9/-/commit/5360c90612abf51deb4a80b30e1da84fd61212a5
---
configure | 2 +-
configure.ac | 2 +-
lib/dns/rbtdb.c | 17 +++++++++++++++++
3 files changed, 19 insertions(+), 2 deletions(-)
diff --git a/configure b/configure
index bdfd59f..be0f60e 100755
--- a/configure
+++ b/configure
@@ -12295,7 +12295,7 @@ fi
XTARGETS=
if test "$enable_developer" = "yes"; then :
- STD_CDEFINES="$STD_CDEFINES -DISC_MEM_DEFAULTFILL=1 -DISC_LIST_CHECKINIT=1 -DDNS_RDATASET_MAX_RECORDS=5000"
+ STD_CDEFINES="$STD_CDEFINES -DISC_MEM_DEFAULTFILL=1 -DISC_LIST_CHECKINIT=1 -DDNS_RDATASET_MAX_RECORDS=5000 -DDNS_RBTDB_MAX_RTYPES=5000"
test "${enable_fixed_rrset+set}" = set || enable_fixed_rrset=yes
test "${enable_querytrace+set}" = set || enable_querytrace=yes
test "${with_cmocka+set}" = set || with_cmocka=yes
diff --git a/configure.ac b/configure.ac
index 5be8c76..92b0234 100644
--- a/configure.ac
+++ b/configure.ac
@@ -94,7 +94,7 @@ AC_ARG_ENABLE([developer],
XTARGETS=
AS_IF([test "$enable_developer" = "yes"],
- [STD_CDEFINES="$STD_CDEFINES -DISC_MEM_DEFAULTFILL=1 -DISC_LIST_CHECKINIT=1 -DDNS_RDATASET_MAX_RECORDS=5000"
+ [STD_CDEFINES="$STD_CDEFINES -DISC_MEM_DEFAULTFILL=1 -DISC_LIST_CHECKINIT=1 -DDNS_RDATASET_MAX_RECORDS=5000 -DDNS_RBTDB_MAX_RTYPES=5000"
test "${enable_fixed_rrset+set}" = set || enable_fixed_rrset=yes
test "${enable_querytrace+set}" = set || enable_querytrace=yes
test "${with_cmocka+set}" = set || with_cmocka=yes
diff --git a/lib/dns/rbtdb.c b/lib/dns/rbtdb.c
index d86ed64..be77250 100644
--- a/lib/dns/rbtdb.c
+++ b/lib/dns/rbtdb.c
@@ -6196,6 +6196,10 @@ update_recordsandxfrsize(bool add, rbtdb_version_t *rbtversion,
RWUNLOCK(&rbtversion->rwlock, isc_rwlocktype_write);
}
+#ifndef DNS_RBTDB_MAX_RTYPES
+#define DNS_RBTDB_MAX_RTYPES 100
+#endif /* DNS_RBTDB_MAX_RTYPES */
+
/*
* write lock on rbtnode must be held.
*/
@@ -6217,6 +6221,7 @@ add32(dns_rbtdb_t *rbtdb, dns_rbtnode_t *rbtnode, const dns_name_t *nodename,
rbtdb_rdatatype_t negtype, sigtype;
dns_trust_t trust;
int idx;
+ uint32_t ntypes;
/*
* Add an rdatasetheader_t to a node.
@@ -6280,6 +6285,7 @@ add32(dns_rbtdb_t *rbtdb, dns_rbtnode_t *rbtnode, const dns_name_t *nodename,
set_ttl(rbtdb, topheader, 0);
mark_header_ancient(rbtdb, topheader);
}
+ ntypes = 0;
goto find_header;
}
/*
@@ -6302,8 +6308,10 @@ add32(dns_rbtdb_t *rbtdb, dns_rbtnode_t *rbtnode, const dns_name_t *nodename,
* check for an extant non-ancient NODATA ncache
* entry which covers the same type as the RRSIG.
*/
+ ntypes = 0;
for (topheader = rbtnode->data; topheader != NULL;
topheader = topheader->next) {
+ ntypes++;
if ((topheader->type ==
RBTDB_RDATATYPE_NCACHEANY) ||
(newheader->type == sigtype &&
@@ -6347,8 +6355,10 @@ add32(dns_rbtdb_t *rbtdb, dns_rbtnode_t *rbtnode, const dns_name_t *nodename,
}
}
+ ntypes = 0;
for (topheader = rbtnode->data; topheader != NULL;
topheader = topheader->next) {
+ ntypes++;
if (prio_type(topheader->type)) {
prioheader = topheader;
}
@@ -6733,6 +6743,13 @@ find_header:
/*
* No rdatasets of the given type exist at the node.
*/
+
+ if (ntypes > DNS_RBTDB_MAX_RTYPES) {
+ free_rdataset(rbtdb, rbtdb->common.mctx,
+ newheader);
+ return (ISC_R_QUOTA);
+ }
+
newheader->down = NULL;
if (prio_type(newheader->type)) {
--
2.33.0


@ -0,0 +1,56 @@
From b27c6bcce894786a8e082eafd59eccbf6f2731cb Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Ond=C5=99ej=20Sur=C3=BD?= <ondrej@isc.org>
Date: Mon, 17 Jun 2024 11:40:40 +0200
Subject: [PATCH] Expand the list of the priority types and move it to db_p.h
Add HTTPS, SVCB, SRV, PTR, NAPTR, DNSKEY and TXT records to the list of
the priority types that are put at the beginning of the slabheader list
for faster access and to avoid eviction when there are more types than
the max-types-per-name limit.
Conflict:NA
Reference:https://gitlab.isc.org/isc-projects/bind9/-/commit/b27c6bcce894786a8e082eafd59eccbf6f2731cb
---
lib/dns/rbtdb.c | 18 ++++++++++++++++++
1 file changed, 18 insertions(+)
diff --git a/lib/dns/rbtdb.c b/lib/dns/rbtdb.c
index be77250..ca654e6 100644
--- a/lib/dns/rbtdb.c
+++ b/lib/dns/rbtdb.c
@@ -974,6 +974,8 @@ prio_type(rbtdb_rdatatype_t type) {
case RBTDB_RDATATYPE_VALUE(dns_rdatatype_rrsig, dns_rdatatype_soa):
case dns_rdatatype_a:
case RBTDB_RDATATYPE_VALUE(dns_rdatatype_rrsig, dns_rdatatype_a):
+ case dns_rdatatype_mx:
+ case RBTDB_RDATATYPE_VALUE(dns_rdatatype_rrsig, dns_rdatatype_mx):
case dns_rdatatype_aaaa:
case RBTDB_RDATATYPE_VALUE(dns_rdatatype_rrsig, dns_rdatatype_aaaa):
case dns_rdatatype_nsec:
@@ -986,6 +988,22 @@ prio_type(rbtdb_rdatatype_t type) {
case RBTDB_RDATATYPE_VALUE(dns_rdatatype_rrsig, dns_rdatatype_ds):
case dns_rdatatype_cname:
case RBTDB_RDATATYPE_VALUE(dns_rdatatype_rrsig, dns_rdatatype_cname):
+ case dns_rdatatype_dname:
+ case RBTDB_RDATATYPE_VALUE(dns_rdatatype_rrsig, dns_rdatatype_dname):
+ case dns_rdatatype_svcb:
+ case RBTDB_RDATATYPE_VALUE(dns_rdatatype_rrsig, dns_rdatatype_svcb):
+ case dns_rdatatype_https:
+ case RBTDB_RDATATYPE_VALUE(dns_rdatatype_rrsig, dns_rdatatype_https):
+ case dns_rdatatype_dnskey:
+ case RBTDB_RDATATYPE_VALUE(dns_rdatatype_rrsig, dns_rdatatype_dnskey):
+ case dns_rdatatype_srv:
+ case RBTDB_RDATATYPE_VALUE(dns_rdatatype_rrsig, dns_rdatatype_srv):
+ case dns_rdatatype_txt:
+ case RBTDB_RDATATYPE_VALUE(dns_rdatatype_rrsig, dns_rdatatype_txt):
+ case dns_rdatatype_ptr:
+ case RBTDB_RDATATYPE_VALUE(dns_rdatatype_rrsig, dns_rdatatype_ptr):
+ case dns_rdatatype_naptr:
+ case RBTDB_RDATATYPE_VALUE(dns_rdatatype_rrsig, dns_rdatatype_naptr):
return (true);
}
return (false);
--
2.33.0
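Review bot: The subject line `Expand the list of the priority types and move it to db_p.h` does not describe this backport, whose diffstat touches only `lib/dns/rbtdb.c` and leaves `prio_type()` where it is; the `Conflict:NA` line should say that the db_p.h move was dropped for this branch so a later rebase does not look for a header that was never added. The new cases reference `dns_rdatatype_svcb` and `dns_rdatatype_https`, which exist only if this branch already carries SVCB/HTTPS rdata support; the page does not show that, so it should be checked before merge. `prio_type()` starts outside the hunk.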


@ -0,0 +1,179 @@
From 57cd34441a1b4ecc9874a4a106c2c95b8d7a3120 Mon Sep 17 00:00:00 2001
From: =?utf-8?b?T25kxZllaiBTdXLDvQ==?= <ondrej@isc.org>
Date: Mon, 17 Jun 2024 11:40:40 +0200
Subject: Be smarter about refusing to add many RR types to the database
Instead of outright refusing to add new RR types to the cache, be a bit
smarter:
1. If the new header type is in our priority list, we always add either
positive or negative entry at the beginning of the list.
2. If the new header type is negative entry, and we are over the limit,
we mark it as ancient immediately, so it gets evicted from the cache
as soon as possible.
3. Otherwise add the new header after the priority headers (or at the
head of the list).
4. If we are over the limit, evict the last entry on the normal header
list.
(cherry picked from commit 57cd34441a1b4ecc9874a4a106c2c95b8d7a3120)
Conflict:NA
Reference:https://gitlab.isc.org/isc-projects/bind9/-/commit/57cd34441a1b4ecc9874a4a106c2c95b8d7a3120
---
lib/dns/rbtdb.c | 68 +++++++++++++++++++++++++++++++++++++++++--------
1 file changed, 57 insertions(+), 11 deletions(-)
diff --git a/lib/dns/rbtdb.c b/lib/dns/rbtdb.c
index ca654e6..a6da874 100644
--- a/lib/dns/rbtdb.c
+++ b/lib/dns/rbtdb.c
@@ -6218,6 +6218,26 @@ update_recordsandxfrsize(bool add, rbtdb_version_t *rbtversion,
#define DNS_RBTDB_MAX_RTYPES 100
#endif /* DNS_RBTDB_MAX_RTYPES */
+static bool
+overmaxtype(dns_rbtdb_t *rbtdb, uint32_t ntypes) {
+ UNUSED(rbtdb);
+
+ if (DNS_RBTDB_MAX_RTYPES == 0) {
+ return (false);
+ }
+
+ return (ntypes >= DNS_RBTDB_MAX_RTYPES);
+}
+
+static bool
+prio_header(rdatasetheader_t *header) {
+ if (NEGATIVE(header) && prio_type(RBTDB_RDATATYPE_EXT(header->type))) {
+ return (true);
+ }
+
+ return (prio_type(header->type));
+}
+
/*
* write lock on rbtnode must be held.
*/
@@ -6229,7 +6249,7 @@ add32(dns_rbtdb_t *rbtdb, dns_rbtnode_t *rbtnode, const dns_name_t *nodename,
rbtdb_changed_t *changed = NULL;
rdatasetheader_t *topheader = NULL, *topheader_prev = NULL;
rdatasetheader_t *header = NULL, *sigheader = NULL;
- rdatasetheader_t *prioheader = NULL;
+ rdatasetheader_t *prioheader = NULL, *expireheader = NULL;
unsigned char *merged = NULL;
isc_result_t result;
bool header_nx;
@@ -6239,7 +6259,7 @@ add32(dns_rbtdb_t *rbtdb, dns_rbtnode_t *rbtnode, const dns_name_t *nodename,
rbtdb_rdatatype_t negtype, sigtype;
dns_trust_t trust;
int idx;
- uint32_t ntypes;
+ uint32_t ntypes = 0;
/*
* Add an rdatasetheader_t to a node.
@@ -6303,7 +6323,6 @@ add32(dns_rbtdb_t *rbtdb, dns_rbtnode_t *rbtnode, const dns_name_t *nodename,
set_ttl(rbtdb, topheader, 0);
mark_header_ancient(rbtdb, topheader);
}
- ntypes = 0;
goto find_header;
}
/*
@@ -6314,6 +6333,7 @@ add32(dns_rbtdb_t *rbtdb, dns_rbtnode_t *rbtnode, const dns_name_t *nodename,
topheader = topheader->next) {
if (topheader->type == sigtype) {
sigheader = topheader;
+ break;
}
}
negtype = RBTDB_RDATATYPE_VALUE(covers, 0);
@@ -6326,10 +6346,8 @@ add32(dns_rbtdb_t *rbtdb, dns_rbtnode_t *rbtnode, const dns_name_t *nodename,
* check for an extant non-ancient NODATA ncache
* entry which covers the same type as the RRSIG.
*/
- ntypes = 0;
for (topheader = rbtnode->data; topheader != NULL;
topheader = topheader->next) {
- ntypes++;
if ((topheader->type ==
RBTDB_RDATATYPE_NCACHEANY) ||
(newheader->type == sigtype &&
@@ -6373,11 +6391,15 @@ add32(dns_rbtdb_t *rbtdb, dns_rbtnode_t *rbtnode, const dns_name_t *nodename,
}
}
- ntypes = 0;
for (topheader = rbtnode->data; topheader != NULL;
topheader = topheader->next) {
- ntypes++;
- if (prio_type(topheader->type)) {
+ if (IS_CACHE(rbtdb) && ACTIVE(topheader, now)) {
+ ++ntypes;
+ expireheader = topheader;
+ } else if (!IS_CACHE(rbtdb)) {
+ ++ntypes;
+ }
+ if (prio_header(topheader)) {
prioheader = topheader;
}
if (topheader->type == newheader->type ||
@@ -6761,8 +6783,7 @@ find_header:
/*
* No rdatasets of the given type exist at the node.
*/
-
- if (ntypes > DNS_RBTDB_MAX_RTYPES) {
+ if (!IS_CACHE(rbtdb) && overmaxtype(rbtdb, ntypes)) {
free_rdataset(rbtdb, rbtdb->common.mctx,
newheader);
return (ISC_R_QUOTA);
@@ -6770,7 +6791,7 @@ find_header:
newheader->down = NULL;
- if (prio_type(newheader->type)) {
+ if (prio_header(newheader)) {
/* This is a priority type, prepend it */
newheader->next = rbtnode->data;
rbtnode->data = newheader;
@@ -6783,6 +6804,31 @@ find_header:
newheader->next = rbtnode->data;
rbtnode->data = newheader;
}
+
+ if (IS_CACHE(rbtdb) && overmaxtype(rbtdb, ntypes)) {
+ if (expireheader == NULL) {
+ expireheader = newheader;
+ }
+ if (NEGATIVE(newheader) &&
+ !prio_header(newheader))
+ {
+ /*
+ * Add the new non-priority negative
+ * header to the database only
+ * temporarily.
+ */
+ expireheader = newheader;
+ }
+
+ set_ttl(rbtdb, expireheader, 0);
+ mark_header_ancient(rbtdb, expireheader);
+ /*
+ * FIXME: In theory, we should mark the RRSIG
+ * and the header at the same time, but there is
+ * no direct link between those two header, so
+ * we would have to check the whole list again.
+ */
+ }
}
}
--
2.33.0
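Review bot: The eviction candidate set in the counting loop, `expireheader = topheader;`, is taken from every ACTIVE header including priority ones, while item 4 of the commit message says the last entry on the normal (non-priority) list is evicted; since priority headers are prepended this usually coincides, but a node holding only priority types would evict a priority header. If that is intended, a comment on the assignment would help, e.g. `/* last active header; non-priority unless the node holds only priority types */`. The `DNS_RBTDB_MAX_RTYPES == 0` branch in `overmaxtype()` makes zero mean "unlimited", but the fallback `#define DNS_RBTDB_MAX_RTYPES 100` shown in the context lines carries no comment saying so; `/* 0 disables the limit, see overmaxtype() */` beside it would document that. `add32()` starts and ends outside the hunks.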


@ -0,0 +1,41 @@
yum 32779aba8a0a5f852c611f44ecbeab5aab633e34 Mon Sep 17 00:00:00 2001
From: Aram Sargsyan <aram@isc.org>
Date: Wed, 31 Aug 2022 12:30:38 +0000
Subject: [PATCH] Add mctx attach/detach when creating/destroying a memory pool
This should make sure that the memory context is not destroyed
before the memory pool, which is using the context.
Conflict: Context adaptation in the original patch+ mpctx->lock = NULL;
Reference: https://gitlab.isc.org/isc-projects/bind9/-/commit/32779aba8a0a5f852c611f44ecbeab5aab633e34
(cherry picked from commit e97c3eea954e055634b72c21325d2611e960ee94)
---
lib/isc/mem.c | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/lib/isc/mem.c b/lib/isc/mem.c
index f84d300..33ece7a 100644
--- a/lib/isc/mem.c
+++ b/lib/isc/mem.c
@@ -1656,7 +1656,8 @@ isc_mempool_create(isc_mem_t *mctx0, size_t size, isc_mempool_t **mpctxp) {
mpctx->common.impmagic = MEMPOOL_MAGIC;
mpctx->common.magic = ISCAPI_MPOOL_MAGIC;
mpctx->lock = NULL;
- mpctx->mctx = mctx;
+ mpctx->mctx = NULL;
+ isc_mem_attach((isc_mem_t *)mctx, (isc_mem_t **)&mpctx->mctx);
/*
* Mempools are stored as a linked list of element.
*/
@@ -1765,7 +1766,8 @@ isc_mempool_destroy(isc_mempool_t **mpctxp) {
mpctx->common.impmagic = 0;
mpctx->common.magic = 0;
- isc_mem_put((isc_mem_t *)mpctx->mctx, mpctx, sizeof(isc__mempool_t));
+ isc_mem_putanddetach((isc_mem_t **)&mpctx->mctx, mpctx,
+ sizeof(isc__mempool_t));
if (lock != NULL) {
UNLOCK(lock);
--
2.33.0
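Review bot: The first line of this patch file reads `yum 32779aba8a0a5f852c611f44ecbeab5aab633e34 Mon Sep 17 00:00:00 2001` where a git format-patch header is `From 32779aba8a0a5f852c611f44ecbeab5aab633e34 Mon Sep 17 00:00:00 2001`; the mbox separator is mangled, which `patch -p1` ignores but `git am` and other mbox-aware tooling may not treat as a commit. Restoring `From ` on that line is a one-word change. The hunks themselves are consistent: the pool now attaches to the mctx on create and `isc_mem_putanddetach()` drops that reference on destroy; `isc_mempool_create` and `isc_mempool_destroy` both continue outside the hunks.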


@ -150,7 +150,7 @@ index a970a28..540bc2e 100644
isc_quota_destroy(&sctx->tcpquota);
isc_quota_destroy(&sctx->xfroutquota);
diff --git a/lib/ns/update.c b/lib/ns/update.c
index 582d4ff..a1650de 100644
index ddda25a..a69b6e5 100644
--- a/lib/ns/update.c
+++ b/lib/ns/update.c
@@ -1544,6 +1544,19 @@ send_update_event(ns_client_t *client, dns_zone_t *zone) {
@ -173,7 +173,7 @@ index 582d4ff..a1650de 100644
event = (update_event_t *)isc_event_allocate(
client->mctx, client, DNS_EVENT_UPDATE, update_action, NULL,
sizeof(*event));
@@ -1685,12 +1698,19 @@ failure:
@@ -1682,12 +1695,19 @@ failure:
dns_zone_gettype(zone) == dns_zone_mirror);
inc_stats(client, zone, ns_statscounter_updaterej);
}
@ -194,7 +194,7 @@ index 582d4ff..a1650de 100644
if (zone != NULL) {
dns_zone_detach(&zone);
}
@@ -3498,6 +3518,7 @@ updatedone_action(isc_task_t *task, isc_event_t *event) {
@@ -3494,6 +3514,7 @@ updatedone_action(isc_task_t *task, isc_event_t *event) {
respond(client, uev->result);
@ -202,7 +202,7 @@ index 582d4ff..a1650de 100644
isc_event_free(&event);
isc_nmhandle_detach(&client->updatehandle);
}
@@ -3514,6 +3535,8 @@ forward_fail(isc_task_t *task, isc_event_t *event) {
@@ -3510,6 +3531,8 @@ forward_fail(isc_task_t *task, isc_event_t *event) {
INSIST(client->nupdates > 0);
client->nupdates--;
respond(client, DNS_R_SERVFAIL);
@ -211,16 +211,16 @@ index 582d4ff..a1650de 100644
isc_event_free(&event);
isc_nmhandle_detach(&client->updatehandle);
}
@@ -3551,6 +3574,8 @@ forward_done(isc_task_t *task, isc_event_t *event) {
@@ -3547,6 +3570,8 @@ forward_done(isc_task_t *task, isc_event_t *event) {
client->nupdates--;
ns_client_sendraw(client, uev->answer);
dns_message_detach(&uev->answer);
+
+ isc_quota_detach(&(isc_quota_t *){ &client->manager->sctx->updquota });
isc_event_free(&event);
isc_nmhandle_detach(&client->reqhandle);
isc_nmhandle_detach(&client->updatehandle);
}
@@ -3585,6 +3610,17 @@ send_forward_event(ns_client_t *client, dns_zone_t *zone) {
@@ -3582,6 +3607,17 @@ send_forward_event(ns_client_t *client, dns_zone_t *zone) {
update_event_t *event = NULL;
isc_task_t *zonetask = NULL;
@ -239,4 +239,5 @@ index 582d4ff..a1650de 100644
client->mctx, client, DNS_EVENT_UPDATE, forward_action, NULL,
sizeof(*event));
--
GitLab
2.33.0

1645
backport-CVE-2023-4408.patch Normal file



@ -0,0 +1,498 @@
From c12608ca934c0433d280e65fe6c631013e200cfe Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Ond=C5=99ej=20Sur=C3=BD?= <ondrej@isc.org>
Date: Thu, 11 Jan 2024 12:03:24 +0100
Subject: [PATCH] Split fast and slow task queues
Change the taskmgr (and thus netmgr) in a way that it supports fast and
slow task queues. The fast queue is used for incoming DNS traffic and
it will pass the processing to the slow queue for sending outgoing DNS
messages and processing resolver messages.
In the future, more tasks might get moved to the slow queues, so the
cached and authoritative DNS traffic can be handled without being slowed
down by operations that take longer time to process.
Conflict:Since the optimization patch 32a3970b has not been incorporated, the patch test modification part needs to be incorporated.
Reference:https://downloads.isc.org/isc/bind/9.16.48/patches/0005-CVE-2023-50387-CVE-2023-50868.patch
(cherry picked from commit 1b3b0cef224e7a9e8279c5cfe2f7e188e3777cc7)
---
lib/dns/dst_api.c | 27 +++++++++----
lib/dns/include/dns/validator.h | 1 +
lib/dns/include/dst/dst.h | 4 ++
lib/dns/resolver.c | 4 +-
lib/dns/validator.c | 67 +++++++++++++++------------------
lib/isc/include/isc/netmgr.h | 3 ++
lib/isc/netmgr/netmgr-int.h | 1 +
lib/isc/netmgr/netmgr.c | 36 +++++++++++-------
lib/isc/netmgr/tcp.c | 6 +--
lib/isc/netmgr/tcpdns.c | 4 +-
lib/isc/netmgr/udp.c | 6 +--
lib/isc/tests/netmgr_test.c | 2 -
12 files changed, 91 insertions(+), 70 deletions(-)
diff --git a/lib/dns/dst_api.c b/lib/dns/dst_api.c
index c2977e0..0bf84b9 100644
--- a/lib/dns/dst_api.c
+++ b/lib/dns/dst_api.c
@@ -160,7 +160,8 @@ computeid(dst_key_t *key);
static isc_result_t
frombuffer(const dns_name_t *name, unsigned int alg, unsigned int flags,
unsigned int protocol, dns_rdataclass_t rdclass,
- isc_buffer_t *source, isc_mem_t *mctx, dst_key_t **keyp);
+ isc_buffer_t *source, isc_mem_t *mctx, bool no_rdata,
+ dst_key_t **keyp);
static isc_result_t
algorithm_status(unsigned int alg);
@@ -776,6 +777,13 @@ dst_key_todns(const dst_key_t *key, isc_buffer_t *target) {
isc_result_t
dst_key_fromdns(const dns_name_t *name, dns_rdataclass_t rdclass,
isc_buffer_t *source, isc_mem_t *mctx, dst_key_t **keyp) {
+ return (dst_key_fromdns_ex(name, rdclass, source, mctx, false, keyp));
+}
+
+isc_result_t
+dst_key_fromdns_ex(const dns_name_t *name, dns_rdataclass_t rdclass,
+ isc_buffer_t *source, isc_mem_t *mctx, bool no_rdata,
+ dst_key_t **keyp) {
uint8_t alg, proto;
uint32_t flags, extflags;
dst_key_t *key = NULL;
@@ -806,7 +814,7 @@ dst_key_fromdns(const dns_name_t *name, dns_rdataclass_t rdclass,
}
result = frombuffer(name, alg, flags, proto, rdclass, source, mctx,
- &key);
+ no_rdata, &key);
if (result != ISC_R_SUCCESS) {
return (result);
}
@@ -827,7 +835,7 @@ dst_key_frombuffer(const dns_name_t *name, unsigned int alg, unsigned int flags,
REQUIRE(dst_initialized);
result = frombuffer(name, alg, flags, protocol, rdclass, source, mctx,
- &key);
+ false, &key);
if (result != ISC_R_SUCCESS) {
return (result);
}
@@ -2331,7 +2339,8 @@ computeid(dst_key_t *key) {
static isc_result_t
frombuffer(const dns_name_t *name, unsigned int alg, unsigned int flags,
unsigned int protocol, dns_rdataclass_t rdclass,
- isc_buffer_t *source, isc_mem_t *mctx, dst_key_t **keyp) {
+ isc_buffer_t *source, isc_mem_t *mctx, bool no_rdata,
+ dst_key_t **keyp) {
dst_key_t *key;
isc_result_t ret;
@@ -2356,10 +2365,12 @@ frombuffer(const dns_name_t *name, unsigned int alg, unsigned int flags,
return (DST_R_UNSUPPORTEDALG);
}
- ret = key->func->fromdns(key, source);
- if (ret != ISC_R_SUCCESS) {
- dst_key_free(&key);
- return (ret);
+ if (!no_rdata) {
+ ret = key->func->fromdns(key, source);
+ if (ret != ISC_R_SUCCESS) {
+ dst_key_free(&key);
+ return (ret);
+ }
}
}
diff --git a/lib/dns/include/dns/validator.h b/lib/dns/include/dns/validator.h
index 4744014..73ac1cd 100644
--- a/lib/dns/include/dns/validator.h
+++ b/lib/dns/include/dns/validator.h
@@ -147,6 +147,7 @@ struct dns_validator {
unsigned int depth;
unsigned int authcount;
unsigned int authfail;
+ bool failed;
isc_stdtime_t start;
};
diff --git a/lib/dns/include/dst/dst.h b/lib/dns/include/dst/dst.h
index df48d8e..46fb193 100644
--- a/lib/dns/include/dst/dst.h
+++ b/lib/dns/include/dst/dst.h
@@ -469,6 +469,10 @@ dst_key_tofile(const dst_key_t *key, int type, const char *directory);
*/
isc_result_t
+dst_key_fromdns_ex(const dns_name_t *name, dns_rdataclass_t rdclass,
+ isc_buffer_t *source, isc_mem_t *mctx, bool no_rdata,
+ dst_key_t **keyp);
+isc_result_t
dst_key_fromdns(const dns_name_t *name, dns_rdataclass_t rdclass,
isc_buffer_t *source, isc_mem_t *mctx, dst_key_t **keyp);
/*%<
diff --git a/lib/dns/resolver.c b/lib/dns/resolver.c
index 5f31d5b..cc8c9ab 100644
--- a/lib/dns/resolver.c
+++ b/lib/dns/resolver.c
@@ -10559,8 +10559,8 @@ dns_resolver_create(dns_view_t *view, isc_taskmgr_t *taskmgr,
* Since we have a pool of tasks we bind them to task queues
* to spread the load evenly
*/
- result = isc_task_create_bound(taskmgr, 0,
- &res->buckets[i].task, i);
+ result = isc_task_create_bound(
+ taskmgr, 0, &res->buckets[i].task, ISC_NM_TASK_SLOW(i));
if (result != ISC_R_SUCCESS) {
isc_mutex_destroy(&res->buckets[i].lock);
goto cleanup_buckets;
diff --git a/lib/dns/validator.c b/lib/dns/validator.c
index e54fc70..e416cc9 100644
--- a/lib/dns/validator.c
+++ b/lib/dns/validator.c
@@ -1098,8 +1098,8 @@ create_validator(dns_validator_t *val, dns_name_t *name, dns_rdatatype_t type,
* 'rdataset'. If found, build a dst_key_t for it and point val->key at
* it.
*
- * If val->key is already non-NULL, locate it in the rdataset and then
- * search past it for the *next* key that could have signed 'siginfo', then
+ * If val->key is already non-NULL, start searching from the next position in
+ * 'rdataset' to find the *next* key that could have signed 'siginfo', then
* set val->key to that.
*
* Returns ISC_R_SUCCESS if a possible matching key has been found,
@@ -1112,59 +1112,59 @@ select_signing_key(dns_validator_t *val, dns_rdataset_t *rdataset) {
isc_buffer_t b;
dns_rdata_t rdata = DNS_RDATA_INIT;
dst_key_t *oldkey = val->key;
- bool foundold;
+ bool no_rdata = false;
if (oldkey == NULL) {
- foundold = true;
+ result = dns_rdataset_first(rdataset);
} else {
- foundold = false;
+ dst_key_free(&oldkey);
val->key = NULL;
+ result = dns_rdataset_next(rdataset);
}
-
- result = dns_rdataset_first(rdataset);
if (result != ISC_R_SUCCESS) {
- goto failure;
+ goto done;
}
+
do {
dns_rdataset_current(rdataset, &rdata);
isc_buffer_init(&b, rdata.data, rdata.length);
isc_buffer_add(&b, rdata.length);
INSIST(val->key == NULL);
- result = dst_key_fromdns(&siginfo->signer, rdata.rdclass, &b,
- val->view->mctx, &val->key);
+ result = dst_key_fromdns_ex(&siginfo->signer, rdata.rdclass, &b,
+ val->view->mctx, no_rdata,
+ &val->key);
if (result == ISC_R_SUCCESS) {
if (siginfo->algorithm ==
(dns_secalg_t)dst_key_alg(val->key) &&
siginfo->keyid ==
(dns_keytag_t)dst_key_id(val->key) &&
+ (dst_key_flags(val->key) & DNS_KEYFLAG_REVOKE) ==
+ 0 &&
dst_key_iszonekey(val->key))
{
- if (foundold) {
- /*
- * This is the key we're looking for.
- */
- return (ISC_R_SUCCESS);
- } else if (dst_key_compare(oldkey, val->key)) {
- foundold = true;
- dst_key_free(&oldkey);
+ if (no_rdata) {
+ /* Retry with full key */
+ dns_rdata_reset(&rdata);
+ dst_key_free(&val->key);
+ no_rdata = false;
+ continue;
}
+ /* This is the key we're looking for. */
+ goto done;
}
dst_key_free(&val->key);
}
dns_rdata_reset(&rdata);
result = dns_rdataset_next(rdataset);
+ no_rdata = true;
} while (result == ISC_R_SUCCESS);
+done:
if (result == ISC_R_NOMORE) {
result = ISC_R_NOTFOUND;
}
-failure:
- if (oldkey != NULL) {
- dst_key_free(&oldkey);
- }
-
return (result);
}
@@ -1557,20 +1557,9 @@ validate_answer(dns_validator_t *val, bool resume) {
continue;
}
- do {
- isc_result_t tresult;
- vresult = verify(val, val->key, &rdata,
- val->siginfo->keyid);
- if (vresult == ISC_R_SUCCESS) {
- break;
- }
-
- tresult = select_signing_key(val, val->keyset);
- if (tresult != ISC_R_SUCCESS) {
- break;
- }
- } while (1);
+ vresult = verify(val, val->key, &rdata, val->siginfo->keyid);
if (vresult != ISC_R_SUCCESS) {
+ val->failed = true;
validator_log(val, ISC_LOG_DEBUG(3),
"failed to verify rdataset");
} else {
@@ -1607,9 +1596,13 @@ validate_answer(dns_validator_t *val, bool resume) {
} else {
validator_log(val, ISC_LOG_DEBUG(3),
"verify failure: %s",
- isc_result_totext(result));
+ isc_result_totext(vresult));
resume = false;
}
+ if (val->failed) {
+ result = ISC_R_NOMORE;
+ break;
+ }
}
if (result != ISC_R_NOMORE) {
validator_log(val, ISC_LOG_DEBUG(3),
diff --git a/lib/isc/include/isc/netmgr.h b/lib/isc/include/isc/netmgr.h
index dc44ef2..1b88832 100644
--- a/lib/isc/include/isc/netmgr.h
+++ b/lib/isc/include/isc/netmgr.h
@@ -455,6 +455,9 @@ isc_nm_tcpdnsconnect(isc_nm_t *mgr, isc_sockaddr_t *local, isc_sockaddr_t *peer,
* 'cb'.
*/
+#define ISC_NM_TASK_SLOW_OFFSET -2
+#define ISC_NM_TASK_SLOW(i) (ISC_NM_TASK_SLOW_OFFSET - 1 - i)
+
void
isc_nm_task_enqueue(isc_nm_t *mgr, isc_task_t *task, int threadid);
/*%<
diff --git a/lib/isc/netmgr/netmgr-int.h b/lib/isc/netmgr/netmgr-int.h
index 23bc2a2..80de758 100644
--- a/lib/isc/netmgr/netmgr-int.h
+++ b/lib/isc/netmgr/netmgr-int.h
@@ -630,6 +630,7 @@ struct isc_nm {
isc_refcount_t references;
isc_mem_t *mctx;
int nworkers;
+ int nlisteners;
isc_mutex_t lock;
isc_condition_t wkstatecond;
isc_condition_t wkpausecond;
diff --git a/lib/isc/netmgr/netmgr.c b/lib/isc/netmgr/netmgr.c
index 71c6d62..1aa249e 100644
--- a/lib/isc/netmgr/netmgr.c
+++ b/lib/isc/netmgr/netmgr.c
@@ -272,31 +272,34 @@ isc__nm_winsock_destroy(void) {
#endif /* WIN32 */
static void
-isc__nm_threadpool_initialize(uint32_t workers) {
+isc__nm_threadpool_initialize(uint32_t nworkers) {
char buf[11];
int r = uv_os_getenv("UV_THREADPOOL_SIZE", buf,
&(size_t){ sizeof(buf) });
if (r == UV_ENOENT) {
- snprintf(buf, sizeof(buf), "%" PRIu32, workers);
+ snprintf(buf, sizeof(buf), "%" PRIu32, nworkers);
uv_os_setenv("UV_THREADPOOL_SIZE", buf);
}
}
void
-isc__netmgr_create(isc_mem_t *mctx, uint32_t workers, isc_nm_t **netmgrp) {
+isc__netmgr_create(isc_mem_t *mctx, uint32_t nworkers, isc_nm_t **netmgrp) {
isc_nm_t *mgr = NULL;
char name[32];
- REQUIRE(workers > 0);
+ REQUIRE(nworkers > 0);
#ifdef WIN32
isc__nm_winsock_initialize();
#endif /* WIN32 */
- isc__nm_threadpool_initialize(workers);
+ isc__nm_threadpool_initialize(nworkers);
mgr = isc_mem_get(mctx, sizeof(*mgr));
- *mgr = (isc_nm_t){ .nworkers = workers };
+ *mgr = (isc_nm_t){
+ .nworkers = nworkers * 2,
+ .nlisteners = nworkers,
+ };
isc_mem_attach(mctx, &mgr->mctx);
isc_mutex_init(&mgr->lock);
@@ -337,11 +340,12 @@ isc__netmgr_create(isc_mem_t *mctx, uint32_t workers, isc_nm_t **netmgrp) {
isc_mempool_associatelock(mgr->evpool, &mgr->evlock);
isc_mempool_setfillcount(mgr->evpool, 32);
- isc_barrier_init(&mgr->pausing, workers);
- isc_barrier_init(&mgr->resuming, workers);
+ isc_barrier_init(&mgr->pausing, mgr->nworkers);
+ isc_barrier_init(&mgr->resuming, mgr->nworkers);
- mgr->workers = isc_mem_get(mctx, workers * sizeof(isc__networker_t));
- for (size_t i = 0; i < workers; i++) {
+ mgr->workers = isc_mem_get(mctx,
+ mgr->nworkers * sizeof(isc__networker_t));
+ for (int i = 0; i < mgr->nworkers; i++) {
int r;
isc__networker_t *worker = &mgr->workers[i];
*worker = (isc__networker_t){
@@ -376,7 +380,7 @@ isc__netmgr_create(isc_mem_t *mctx, uint32_t workers, isc_nm_t **netmgrp) {
mgr->workers_running++;
isc_thread_create(nm_thread, &mgr->workers[i], &worker->thread);
- snprintf(name, sizeof(name), "isc-net-%04zu", i);
+ snprintf(name, sizeof(name), "isc-net-%04d", i);
isc_thread_setname(worker->thread, name);
}
@@ -860,9 +864,15 @@ isc_nm_task_enqueue(isc_nm_t *nm, isc_task_t *task, int threadid) {
isc__networker_t *worker = NULL;
if (threadid == -1) {
- tid = (int)isc_random_uniform(nm->nworkers);
+ tid = (int)isc_random_uniform(nm->nlisteners);
+ } else if (threadid == ISC_NM_TASK_SLOW_OFFSET) {
+ tid = nm->nlisteners +
+ (int)isc_random_uniform(nm->nworkers - nm->nlisteners);
+ } else if (threadid < ISC_NM_TASK_SLOW_OFFSET) {
+ tid = nm->nlisteners + (ISC_NM_TASK_SLOW(threadid) %
+ (nm->nworkers - nm->nlisteners));
} else {
- tid = threadid % nm->nworkers;
+ tid = threadid % nm->nlisteners;
}
worker = &nm->workers[tid];
diff --git a/lib/isc/netmgr/tcp.c b/lib/isc/netmgr/tcp.c
index dde592d..c2e059a 100644
--- a/lib/isc/netmgr/tcp.c
+++ b/lib/isc/netmgr/tcp.c
@@ -321,7 +321,7 @@ isc_nm_tcpconnect(isc_nm_t *mgr, isc_sockaddr_t *local, isc_sockaddr_t *peer,
isc__nm_connectcb(sock, req, result, false);
} else {
isc__nmsocket_clearcb(sock);
- sock->tid = isc_random_uniform(mgr->nworkers);
+ sock->tid = isc_random_uniform(mgr->nlisteners);
isc__nm_connectcb(sock, req, result, true);
}
atomic_store(&sock->closed, true);
@@ -339,7 +339,7 @@ isc_nm_tcpconnect(isc_nm_t *mgr, isc_sockaddr_t *local, isc_sockaddr_t *peer,
isc__nm_put_netievent_tcpconnect(mgr, ievent);
} else {
atomic_init(&sock->active, false);
- sock->tid = isc_random_uniform(mgr->nworkers);
+ sock->tid = isc_random_uniform(mgr->nlisteners);
isc__nm_enqueue_ievent(&mgr->workers[sock->tid],
(isc__netievent_t *)ievent);
}
@@ -435,7 +435,7 @@ isc_nm_listentcp(isc_nm_t *mgr, isc_sockaddr_t *iface,
#if defined(WIN32)
sock->nchildren = 1;
#else
- sock->nchildren = mgr->nworkers;
+ sock->nchildren = mgr->nlisteners;
#endif
children_size = sock->nchildren * sizeof(sock->children[0]);
sock->children = isc_mem_get(mgr->mctx, children_size);
diff --git a/lib/isc/netmgr/tcpdns.c b/lib/isc/netmgr/tcpdns.c
index f66944e..8f79a7f 100644
--- a/lib/isc/netmgr/tcpdns.c
+++ b/lib/isc/netmgr/tcpdns.c
@@ -301,7 +301,7 @@ isc_nm_tcpdnsconnect(isc_nm_t *mgr, isc_sockaddr_t *local, isc_sockaddr_t *peer,
isc__nm_put_netievent_tcpdnsconnect(mgr, ievent);
} else {
atomic_init(&sock->active, false);
- sock->tid = isc_random_uniform(mgr->nworkers);
+ sock->tid = isc_random_uniform(mgr->nlisteners);
isc__nm_enqueue_ievent(&mgr->workers[sock->tid],
(isc__netievent_t *)ievent);
}
@@ -400,7 +400,7 @@ isc_nm_listentcpdns(isc_nm_t *mgr, isc_sockaddr_t *iface,
#if defined(WIN32)
sock->nchildren = 1;
#else
- sock->nchildren = mgr->nworkers;
+ sock->nchildren = mgr->nlisteners;
#endif
children_size = sock->nchildren * sizeof(sock->children[0]);
sock->children = isc_mem_get(mgr->mctx, children_size);
diff --git a/lib/isc/netmgr/udp.c b/lib/isc/netmgr/udp.c
index 1af63af..668edca 100644
--- a/lib/isc/netmgr/udp.c
+++ b/lib/isc/netmgr/udp.c
@@ -126,7 +126,7 @@ isc_nm_listenudp(isc_nm_t *mgr, isc_sockaddr_t *iface, isc_nm_recv_cb_t cb,
uv_os_sock_t fd = -1;
/*
- * We are creating mgr->nworkers duplicated sockets, one
+ * We are creating mgr->nlisteners duplicated sockets, one
* socket for each worker thread.
*/
sock = isc_mem_get(mgr->mctx, sizeof(isc_nmsocket_t));
@@ -136,7 +136,7 @@ isc_nm_listenudp(isc_nm_t *mgr, isc_sockaddr_t *iface, isc_nm_recv_cb_t cb,
#if defined(WIN32)
sock->nchildren = 1;
#else
- sock->nchildren = mgr->nworkers;
+ sock->nchildren = mgr->nlisteners;
#endif
children_size = sock->nchildren * sizeof(sock->children[0]);
@@ -795,7 +795,7 @@ isc_nm_udpconnect(isc_nm_t *mgr, isc_sockaddr_t *local, isc_sockaddr_t *peer,
isc__nm_put_netievent_udpconnect(mgr, event);
} else {
atomic_init(&sock->active, false);
- sock->tid = isc_random_uniform(mgr->nworkers);
+ sock->tid = isc_random_uniform(mgr->nlisteners);
isc__nm_enqueue_ievent(&mgr->workers[sock->tid],
(isc__netievent_t *)event);
}
diff --git a/lib/isc/tests/netmgr_test.c b/lib/isc/tests/netmgr_test.c
index e44909e..d2c19e8 100644
--- a/lib/isc/tests/netmgr_test.c
+++ b/lib/isc/tests/netmgr_test.c
@@ -204,8 +204,6 @@ _setup(void **state __attribute__((unused))) {
return (-1);
}
- isc_hp_init(4 * workers);
-
signal(SIGPIPE, SIG_IGN);
if (getenv("CI") == NULL || getenv("CI_ENABLE_ALL_TESTS") != NULL) {
--
2.33.0


@ -0,0 +1,117 @@
From c73262493658cb8623927ef6cc2f023501f7e809 Mon Sep 17 00:00:00 2001
From: Mark Andrews <marka@isc.org>
Date: Tue, 10 Oct 2023 10:58:18 +1100
Subject: [PATCH] Save the correct result value to resume with
nxdomain-redirect
The wrong result value was being saved for resumption with
nxdomain-redirect when performing the fetch. This lead to an assert
when checking that RFC 1918 reverse queries where not leaking to
the global internet.
Conflict:NA
Reference:https://downloads.isc.org/isc/bind/9.16.48/patches/0002-CVE-2023-5517.patch
(cherry picked from commit 9d0fa07c5e7a39db89862a4f843d2190059afb4b)
---
lib/ns/query.c | 25 ++++++++++++-------------
1 file changed, 12 insertions(+), 13 deletions(-)
diff --git a/lib/ns/query.c b/lib/ns/query.c
index 62b5ea8463..55d815e6c0 100644
--- a/lib/ns/query.c
+++ b/lib/ns/query.c
@@ -455,10 +455,10 @@ static void
query_addnxrrsetnsec(query_ctx_t *qctx);
static isc_result_t
-query_nxdomain(query_ctx_t *qctx, bool empty_wild);
+query_nxdomain(query_ctx_t *qctx, isc_result_t result);
static isc_result_t
-query_redirect(query_ctx_t *qctx);
+query_redirect(query_ctx_t *qctx, isc_result_t result);
static isc_result_t
query_ncache(query_ctx_t *qctx, isc_result_t result);
@@ -7345,8 +7345,7 @@ query_usestale(query_ctx_t *qctx, isc_result_t result) {
* result from the search.
*/
static isc_result_t
-query_gotanswer(query_ctx_t *qctx, isc_result_t res) {
- isc_result_t result = res;
+query_gotanswer(query_ctx_t *qctx, isc_result_t result) {
char errmsg[256];
CCTRACE(ISC_LOG_DEBUG(3), "query_gotanswer");
@@ -7416,16 +7415,16 @@ query_gotanswer(query_ctx_t *qctx, isc_result_t res) {
return (query_nodata(qctx, DNS_R_NXRRSET));
case DNS_R_EMPTYWILD:
- return (query_nxdomain(qctx, true));
+ return (query_nxdomain(qctx, DNS_R_EMPTYWILD));
case DNS_R_NXDOMAIN:
- return (query_nxdomain(qctx, false));
+ return (query_nxdomain(qctx, DNS_R_NXDOMAIN));
case DNS_R_COVERINGNSEC:
return (query_coveringnsec(qctx));
case DNS_R_NCACHENXDOMAIN:
- result = query_redirect(qctx);
+ result = query_redirect(qctx, result);
if (result != ISC_R_COMPLETE) {
return (result);
}
@@ -9243,10 +9242,10 @@ query_addnxrrsetnsec(query_ctx_t *qctx) {
* Handle NXDOMAIN and empty wildcard responses.
*/
static isc_result_t
-query_nxdomain(query_ctx_t *qctx, bool empty_wild) {
+query_nxdomain(query_ctx_t *qctx, isc_result_t result) {
dns_section_t section;
uint32_t ttl;
- isc_result_t result;
+ bool empty_wild = (result == DNS_R_EMPTYWILD);
CCTRACE(ISC_LOG_DEBUG(3), "query_nxdomain");
@@ -9255,7 +9254,7 @@ query_nxdomain(query_ctx_t *qctx, bool empty_wild) {
INSIST(qctx->is_zone || REDIRECT(qctx->client));
if (!empty_wild) {
- result = query_redirect(qctx);
+ result = query_redirect(qctx, result);
if (result != ISC_R_COMPLETE) {
return (result);
}
@@ -9343,7 +9342,7 @@ query_nxdomain(query_ctx_t *qctx, bool empty_wild) {
* redirecting, so query processing should continue past it.
*/
static isc_result_t
-query_redirect(query_ctx_t *qctx) {
+query_redirect(query_ctx_t *qctx, isc_result_t saved_result) {
isc_result_t result;
CCTRACE(ISC_LOG_DEBUG(3), "query_redirect");
@@ -9384,7 +9383,7 @@ query_redirect(query_ctx_t *qctx) {
SAVE(qctx->client->query.redirect.rdataset, qctx->rdataset);
SAVE(qctx->client->query.redirect.sigrdataset,
qctx->sigrdataset);
- qctx->client->query.redirect.result = DNS_R_NCACHENXDOMAIN;
+ qctx->client->query.redirect.result = saved_result;
dns_name_copynf(qctx->fname,
qctx->client->query.redirect.fname);
qctx->client->query.redirect.authoritative =
@@ -10005,7 +10004,7 @@ query_coveringnsec(query_ctx_t *qctx) {
* We now have the proof that we have an NXDOMAIN. Apply
* NXDOMAIN redirection if configured.
*/
- result = query_redirect(qctx);
+ result = query_redirect(qctx, DNS_R_COVERINGNSEC);
if (result != ISC_R_COMPLETE) {
redirected = true;
goto cleanup;
--
GitLab
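Review bot: The new `saved_result` parameter of query_redirect() is stored into `qctx->client->query.redirect.result` without any comment on which result codes a caller may pass; in this patch those are `DNS_R_NXDOMAIN` and `DNS_R_NCACHENXDOMAIN` (via query_nxdomain and query_gotanswer) and, new with this change, `DNS_R_COVERINGNSEC` from query_coveringnsec. Suggest a one-line comment on the signature in the `@@ -9343` hunk: `/* 'saved_result' is recorded in redirect.result and presumably replayed when the redirect fetch resumes; callers pass the NXDOMAIN-class result that triggered the redirect. */`. The code that consumes `redirect.result` on resumption is outside this patch, so whether it copes with `DNS_R_COVERINGNSEC`, a value never stored before, cannot be checked here and deserves a look. query_redirect()'s body continues outside the hunk.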


@ -0,0 +1,38 @@
From 7db2796507127b40e2f091dafb842c6a7e86b9a8 Mon Sep 17 00:00:00 2001
From: Mark Andrews <marka@isc.org>
Date: Thu, 12 Oct 2023 12:01:46 +1100
Subject: [PATCH] Restore dns64 state during serve-stale processing
If we are in the process of looking for the A records as part of
dns64 processing and the server-stale timeout triggers, redo the
dns64 changes that had been made to the orignal qctx.
Conflict:NA
Reference:https://downloads.isc.org/isc/bind/9.16.48/patches/0003-CVE-2023-5679.patch
(cherry picked from commit 1fcc483df13e049b96f620e515f0d4d45f3680b7)
---
lib/ns/query.c | 7 +++++++
1 file changed, 7 insertions(+)
diff --git a/lib/ns/query.c b/lib/ns/query.c
index 55d815e6c0..1290c308af 100644
--- a/lib/ns/query.c
+++ b/lib/ns/query.c
@@ -6095,6 +6095,13 @@ query_lookup_stale(ns_client_t *client) {
query_ctx_t qctx;
qctx_init(client, NULL, client->query.qtype, &qctx);
+ if (DNS64(client)) {
+ qctx.qtype = qctx.type = dns_rdatatype_a;
+ qctx.dns64 = true;
+ }
+ if (DNS64EXCLUDE(client)) {
+ qctx.dns64_exclude = true;
+ }
dns_db_attach(client->view->cachedb, &qctx.db);
client->query.attributes &= ~NS_QUERYATTR_RECURSIONOK;
client->query.dboptions |= DNS_DBFIND_STALETIMEOUT;
--
GitLab
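Review bot: The added block re-applies the dns64 rewrite to the freshly initialised `qctx` with no comment saying why, even though that is the whole point of the fix; suggest prefixing it with `/* qctx_init() yields a fresh context; restore the dns64 rewrite (AAAA handled as an A lookup) and the exclude flag the original query carried so the stale lookup matches it. */`. Only `qtype`, `type`, `dns64` and `dns64_exclude` are restored; whether other dns64-derived state of the original context also needs to be carried over cannot be judged from this hunk, since query_lookup_stale() starts outside it and the original context is not visible.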


@ -0,0 +1,294 @@
From c3377cbfaa44dcb033f5abfb2db031612c8f47d1 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Micha=C5=82=20K=C4=99pie=C5=84?= <michal@isc.org>
Date: Thu, 4 Jan 2024 13:39:27 +0100
Subject: [PATCH] Limit isc_task_send() overhead for tree pruning
Instead of issuing a separate isc_task_send() call for every RBTDB node
that triggers tree pruning, maintain a list of nodes from which tree
pruning can be started from and only issue an isc_task_send() call if
pruning has not yet been triggered by another RBTDB node.
The extra queuing overhead eliminated by this change could be remotely
exploited to cause excessive memory use.
As this change modifies struct dns_rbtnode by adding a new 'prunelink'
member to it, bump MAPAPI to prevent any attempts of loading map-format
zone files created using older BIND 9 versions.
Conflict:NA
Reference:https://downloads.isc.org/isc/bind/9.16.48/patches/0004-CVE-2023-6516.patch
(cherry picked from commit 24381cc36d8528f5a4046fb2614451aeac4cdfc1)
---
lib/dns/include/dns/rbt.h | 6 ++
lib/dns/mapapi | 2 +-
lib/dns/rbt.c | 1 +
lib/dns/rbtdb.c | 150 +++++++++++++++++++++++++-------------
4 files changed, 108 insertions(+), 51 deletions(-)
diff --git a/lib/dns/include/dns/rbt.h b/lib/dns/include/dns/rbt.h
index b67e602..0e48e1d 100644
--- a/lib/dns/include/dns/rbt.h
+++ b/lib/dns/include/dns/rbt.h
@@ -138,6 +138,12 @@ struct dns_rbtnode {
*/
ISC_LINK(dns_rbtnode_t) deadlink;
+ /*%
+ * This linked list is used to store nodes from which tree pruning can
+ * be started.
+ */
+ ISC_LINK(dns_rbtnode_t) prunelink;
+
/*@{*/
/*!
* These values are used in the RBT DB implementation. The appropriate
diff --git a/lib/dns/mapapi b/lib/dns/mapapi
index 1b502d3..a46e190 100644
--- a/lib/dns/mapapi
+++ b/lib/dns/mapapi
@@ -13,4 +13,4 @@
# Whenever releasing a new major release of BIND9, set this value
# back to 1.0 when releasing the first alpha. Map files are *never*
# compatible across major releases.
-MAPAPI=3.0
+MAPAPI=4.0
diff --git a/lib/dns/rbt.c b/lib/dns/rbt.c
index 3fa2999..d453622 100644
--- a/lib/dns/rbt.c
+++ b/lib/dns/rbt.c
@@ -2292,6 +2292,7 @@ create_node(isc_mem_t *mctx, const dns_name_t *name, dns_rbtnode_t **nodep) {
HASHVAL(node) = 0;
ISC_LINK_INIT(node, deadlink);
+ ISC_LINK_INIT(node, prunelink);
LOCKNUM(node) = 0;
WILD(node) = 0;
diff --git a/lib/dns/rbtdb.c b/lib/dns/rbtdb.c
index c25023c..ab4caae 100644
--- a/lib/dns/rbtdb.c
+++ b/lib/dns/rbtdb.c
@@ -515,6 +515,10 @@ struct dns_rbtdb {
*/
rbtnodelist_t *deadnodes;
+ /* List of nodes from which recursive tree pruning can be started from.
+ * Locked by tree_lock. */
+ rbtnodelist_t prunenodes;
+
/*
* Heaps. These are used for TTL based expiry in a cache,
* or for zone resigning in a zone DB. hmctx is the memory
@@ -1060,6 +1064,7 @@ free_rbtdb(dns_rbtdb_t *rbtdb, bool log, isc_event_t *event) {
unsigned int i;
isc_result_t result;
char buf[DNS_NAME_FORMATSIZE];
+ dns_rbtnode_t *node = NULL;
dns_rbt_t **treep;
isc_time_t start;
@@ -1085,8 +1090,6 @@ free_rbtdb(dns_rbtdb_t *rbtdb, bool log, isc_event_t *event) {
* the overhead of unlinking all nodes here should be negligible.
*/
for (i = 0; i < rbtdb->node_lock_count; i++) {
- dns_rbtnode_t *node;
-
node = ISC_LIST_HEAD(rbtdb->deadnodes[i]);
while (node != NULL) {
ISC_LIST_UNLINK(rbtdb->deadnodes[i], node, deadlink);
@@ -1094,6 +1097,12 @@ free_rbtdb(dns_rbtdb_t *rbtdb, bool log, isc_event_t *event) {
}
}
+ node = ISC_LIST_HEAD(rbtdb->prunenodes);
+ while (node != NULL) {
+ ISC_LIST_UNLINK(rbtdb->prunenodes, node, prunelink);
+ node = ISC_LIST_HEAD(rbtdb->prunenodes);
+ }
+
if (event == NULL) {
rbtdb->quantum = (rbtdb->task != NULL) ? 100 : 0;
}
@@ -1926,19 +1935,33 @@ is_leaf(dns_rbtnode_t *node) {
node->left == NULL && node->right == NULL);
}
+/*%
+ * The tree lock must be held when this function is called as it reads and
+ * updates rbtdb->prunenodes.
+ */
static inline void
send_to_prune_tree(dns_rbtdb_t *rbtdb, dns_rbtnode_t *node,
isc_rwlocktype_t locktype) {
- isc_event_t *ev;
- dns_db_t *db;
+ bool pruning_queued = (ISC_LIST_HEAD(rbtdb->prunenodes) != NULL);
+
+ INSIST(locktype == isc_rwlocktype_write);
- ev = isc_event_allocate(rbtdb->common.mctx, NULL, DNS_EVENT_RBTPRUNE,
- prune_tree, node, sizeof(isc_event_t));
new_reference(rbtdb, node, locktype);
- db = NULL;
- attach((dns_db_t *)rbtdb, &db);
- ev->ev_sender = db;
- isc_task_send(rbtdb->task, &ev);
+ INSIST(!ISC_LINK_LINKED(node, prunelink));
+ ISC_LIST_APPEND(rbtdb->prunenodes, node, prunelink);
+
+ if (!pruning_queued) {
+ isc_event_t *ev = NULL;
+ dns_db_t *db = NULL;
+
+ attach((dns_db_t *)rbtdb, &db);
+
+ ev = isc_event_allocate(rbtdb->common.mctx, NULL,
+ DNS_EVENT_RBTPRUNE, prune_tree, db,
+ sizeof(isc_event_t));
+ isc_task_send(rbtdb->task, &ev);
+ }
+
}
/*%
@@ -2212,17 +2235,26 @@ restore_locks:
}
/*
- * Prune the tree by recursively cleaning-up single leaves. In the worst
- * case, the number of iteration is the number of tree levels, which is at
- * most the maximum number of domain name labels, i.e, 127. In practice, this
- * should be much smaller (only a few times), and even the worst case would be
- * acceptable for a single event.
+ * Prune the tree by recursively cleaning up single leaves. Go through all
+ * nodes stored in the rbtdb->prunenodes list; for each of them, in the worst
+ * case, it will be necessary to traverse a number of tree levels equal to the
+ * maximum legal number of domain name labels (127); in practice, the number of
+ * tree levels to traverse will virtually always be much smaller (a few levels
+ * at most). While holding the tree lock throughout this entire operation is
+ * less than ideal, so is splitting the latter up by queueing a separate
+ * prune_tree() run for each node to start pruning from (as queueing requires
+ * allocating memory and can therefore potentially be exploited to exhaust
+ * available memory). Also note that actually freeing up the memory used by
+ * RBTDB nodes (which is what this function does) is essential to keeping cache
+ * memory use in check, so since the tree lock needs to be acquired anyway,
+ * freeing as many nodes as possible before the tree lock gets released is
+ * prudent.
*/
static void
prune_tree(isc_task_t *task, isc_event_t *event) {
- dns_rbtdb_t *rbtdb = event->ev_sender;
- dns_rbtnode_t *node = event->ev_arg;
- dns_rbtnode_t *parent;
+ dns_rbtdb_t *rbtdb = (dns_rbtdb_t *)event->ev_arg;
+ dns_rbtnode_t *node = NULL;
+ dns_rbtnode_t *parent = NULL;
unsigned int locknum;
UNUSED(task);
@@ -2230,44 +2262,60 @@ prune_tree(isc_task_t *task, isc_event_t *event) {
isc_event_free(&event);
RWLOCK(&rbtdb->tree_lock, isc_rwlocktype_write);
- locknum = node->locknum;
- NODE_LOCK(&rbtdb->node_locks[locknum].lock, isc_rwlocktype_write);
- do {
- parent = node->parent;
- decrement_reference(rbtdb, node, 0, isc_rwlocktype_write,
- isc_rwlocktype_write, true);
- if (parent != NULL && parent->down == NULL) {
- /*
- * node was the only down child of the parent and has
- * just been removed. We'll then need to examine the
- * parent. Keep the lock if possible; otherwise,
- * release the old lock and acquire one for the parent.
- */
- if (parent->locknum != locknum) {
- NODE_UNLOCK(&rbtdb->node_locks[locknum].lock,
- isc_rwlocktype_write);
- locknum = parent->locknum;
- NODE_LOCK(&rbtdb->node_locks[locknum].lock,
- isc_rwlocktype_write);
+ while ((node = ISC_LIST_HEAD(rbtdb->prunenodes)) != NULL) {
+ locknum = node->locknum;
+ NODE_LOCK(&rbtdb->node_locks[locknum].lock,
+ isc_rwlocktype_write);
+ do {
+ if (ISC_LINK_LINKED(node, prunelink)) {
+ ISC_LIST_UNLINK(rbtdb->prunenodes, node,
+ prunelink);
}
- /*
- * We need to gain a reference to the node before
- * decrementing it in the next iteration.
- */
- if (ISC_LINK_LINKED(parent, deadlink)) {
- ISC_LIST_UNLINK(rbtdb->deadnodes[locknum],
+ parent = node->parent;
+ decrement_reference(rbtdb, node, 0,
+ isc_rwlocktype_write,
+ isc_rwlocktype_write, true);
+
+ if (parent != NULL && parent->down == NULL) {
+ /*
+ * node was the only down child of the parent
+ * and has just been removed. We'll then need
+ * to examine the parent. Keep the lock if
+ * possible; otherwise, release the old lock and
+ * acquire one for the parent.
+ */
+ if (parent->locknum != locknum) {
+ NODE_UNLOCK(
+ &rbtdb->node_locks[locknum].lock,
+ isc_rwlocktype_write);
+ locknum = parent->locknum;
+ NODE_LOCK(
+ &rbtdb->node_locks[locknum].lock,
+ isc_rwlocktype_write);
+ }
+
+ /*
+ * We need to gain a reference to the node
+ * before decrementing it in the next iteration.
+ */
+ if (ISC_LINK_LINKED(parent, deadlink)) {
+ ISC_LIST_UNLINK(
+ rbtdb->deadnodes[locknum],
parent, deadlink);
+ }
+ new_reference(rbtdb, parent,
+ isc_rwlocktype_write);
+ } else {
+ parent = NULL;
}
- new_reference(rbtdb, parent, isc_rwlocktype_write);
- } else {
- parent = NULL;
- }
- node = parent;
- } while (node != NULL);
- NODE_UNLOCK(&rbtdb->node_locks[locknum].lock, isc_rwlocktype_write);
+ node = parent;
+ } while (node != NULL);
+ NODE_UNLOCK(&rbtdb->node_locks[locknum].lock,
+ isc_rwlocktype_write);
+ }
RWUNLOCK(&rbtdb->tree_lock, isc_rwlocktype_write);
detach((dns_db_t **)&rbtdb);
@@ -8718,6 +8766,8 @@ dns_rbtdb_create(isc_mem_t *mctx, const dns_name_t *origin, dns_dbtype_t type,
ISC_LIST_INIT(rbtdb->deadnodes[i]);
}
+ ISC_LIST_INIT(rbtdb->prunenodes);
+
rbtdb->active = rbtdb->node_lock_count;
for (i = 0; i < (int)(rbtdb->node_lock_count); i++) {
--
2.33.0
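Review bot: In prune_tree(), when the walk climbs to a parent that was itself queued earlier, the `if (ISC_LINK_LINKED(node, prunelink))` branch unlinks it from `prunenodes`, but only one decrement_reference() follows, while that node then holds both the reference send_to_prune_tree() took when queueing it and the one taken by `new_reference(rbtdb, parent, ...)` in the previous iteration. Unless decrement_reference() compensates for this (not visible here), such a node keeps an extra reference after the walk and is never freed; the old per-node events did not have this case because the queued event would later decrement the node itself, so this is worth confirming. Separately, the blank line left before the closing brace of send_to_prune_tree() is a style nit. prune_tree()'s tail is outside the hunk.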


@ -0,0 +1,310 @@
From fa7b7973e36056440dd688c7f312c89600d4f8cf Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Ond=C5=99ej=20Sur=C3=BD?= <ondrej@isc.org>
Date: Thu, 14 Nov 2024 10:37:29 +0100
Subject: [PATCH] Limit the additional processing for large RDATA sets
When answering queries, don't add data to the additional section if
the answer has more than 13 names in the RDATA. This limits the
number of lookups into the database(s) during a single client query,
reducing query processing load.
Also, don't append any additional data to type=ANY queries. The
answer to ANY is already big enough.
(cherry picked from commit a1982cf1bb95c818aa7b58988b5611dec80f2408)
Conflict:Context adaptation
Reference:https://downloads.isc.org/isc/bind9/9.18.33/patches/0001-CVE-2024-11187.patch
---
bin/tests/system/additional/tests.sh | 2 +-
bin/tests/system/resolver/ns4/named.noaa | 5 -----
bin/tests/system/resolver/tests.sh | 8 ++++++++
lib/dns/include/dns/rdataset.h | 10 +++++++++-
lib/dns/rbtdb.c | 2 +-
lib/dns/rdataset.c | 7 ++++++-
lib/dns/resolver.c | 16 ++++++++++------
lib/isc/include/isc/result.h | 3 ++-
lib/isc/result.c | 6 ++++--
lib/ns/query.c | 13 +++++++++----
10 files changed, 50 insertions(+), 22 deletions(-)
delete mode 100644 bin/tests/system/resolver/ns4/named.noaa
diff --git a/bin/tests/system/additional/tests.sh b/bin/tests/system/additional/tests.sh
index 025f11f..539484c 100644
--- a/bin/tests/system/additional/tests.sh
+++ b/bin/tests/system/additional/tests.sh
@@ -260,7 +260,7 @@ n=`expr $n + 1`
echo_i "testing with 'minimal-any no;' ($n)"
ret=0
$DIG $DIGOPTS -t ANY www.rt.example @10.53.0.1 > dig.out.$n || ret=1
-grep "ANSWER: 3, AUTHORITY: 2, ADDITIONAL: 2" dig.out.$n > /dev/null || ret=1
+grep "ANSWER: 3, AUTHORITY: 2, ADDITIONAL: 1" dig.out.$n >/dev/null || ret=1
if [ $ret -eq 1 ] ; then
echo_i "failed"; status=$((status+1))
fi
diff --git a/bin/tests/system/resolver/ns4/named.noaa b/bin/tests/system/resolver/ns4/named.noaa
deleted file mode 100644
index 3b121ad..0000000
--- a/bin/tests/system/resolver/ns4/named.noaa
+++ /dev/null
@@ -1,5 +0,0 @@
-Copyright (C) Internet Systems Consortium, Inc. ("ISC")
-
-See COPYRIGHT in the source root or https://isc.org/copyright.html for terms.
-
-Add -T noaa.
diff --git a/bin/tests/system/resolver/tests.sh b/bin/tests/system/resolver/tests.sh
index 6c69c11..87b444d 100755
--- a/bin/tests/system/resolver/tests.sh
+++ b/bin/tests/system/resolver/tests.sh
@@ -289,6 +289,10 @@ done
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`
+stop_server ns4
+touch ns4/named.noaa
+start_server --noclean --restart --port ${PORT} ns4 || ret=1
+
n=`expr $n + 1`
echo_i "RT21594 regression test check setup ($n)"
ret=0
@@ -316,6 +320,10 @@ grep "status: NOERROR" dig.ns5.out.${n} > /dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`
+stop_server ns4
+rm ns4/named.noaa
+start_server --noclean --restart --port ${PORT} ns4 || ret=1
+
n=`expr $n + 1`
echo_i "RT21594 regression test NXDOMAIN answers ($n)"
ret=0
diff --git a/lib/dns/include/dns/rdataset.h b/lib/dns/include/dns/rdataset.h
index f2585ef..cba2234 100644
--- a/lib/dns/include/dns/rdataset.h
+++ b/lib/dns/include/dns/rdataset.h
@@ -53,6 +53,8 @@
#include <dns/rdatastruct.h>
#include <dns/types.h>
+#define DNS_RDATASET_MAXADDITIONAL 13
+
ISC_LANG_BEGINDECLS
typedef enum {
@@ -439,7 +441,8 @@ dns_rdataset_towirepartial(dns_rdataset_t *rdataset,
isc_result_t
dns_rdataset_additionaldata(dns_rdataset_t *rdataset,
- dns_additionaldatafunc_t add, void *arg);
+ dns_additionaldatafunc_t add, void *arg,
+ size_t limit);
/*%<
* For each rdata in rdataset, call 'add' for each name and type in the
* rdata which is subject to additional section processing.
@@ -458,10 +461,15 @@ dns_rdataset_additionaldata(dns_rdataset_t *rdataset,
*\li If a call to dns_rdata_additionaldata() is not successful, the
* result returned will be the result of dns_rdataset_additionaldata().
*
+ *\li If 'limit' is non-zero and the number of the rdatasets is larger
+ * than 'limit', no additional data will be processed.
+ *
* Returns:
*
*\li #ISC_R_SUCCESS
*
+ *\li #DNS_R_TOOMANYRECORDS in case rdataset count is larger than 'limit'
+ *
*\li Any error that dns_rdata_additionaldata() can return.
*/
diff --git a/lib/dns/rbtdb.c b/lib/dns/rbtdb.c
index a6da874..e20aef7 100644
--- a/lib/dns/rbtdb.c
+++ b/lib/dns/rbtdb.c
@@ -10568,7 +10568,7 @@ no_glue:
maybe_rehash_gluetable(rbtversion);
idx = hash_32(hash, rbtversion->glue_table_bits);
- (void)dns_rdataset_additionaldata(rdataset, glue_nsdname_cb, &ctx);
+ (void)dns_rdataset_additionaldata(rdataset, glue_nsdname_cb, &ctx, 0);
cur = isc_mem_get(rbtdb->common.mctx, sizeof(*cur));
diff --git a/lib/dns/rdataset.c b/lib/dns/rdataset.c
index bf9e7af..19a0051 100644
--- a/lib/dns/rdataset.c
+++ b/lib/dns/rdataset.c
@@ -576,7 +576,8 @@ dns_rdataset_towire(dns_rdataset_t *rdataset, const dns_name_t *owner_name,
isc_result_t
dns_rdataset_additionaldata(dns_rdataset_t *rdataset,
- dns_additionaldatafunc_t add, void *arg) {
+ dns_additionaldatafunc_t add, void *arg,
+ size_t limit) {
dns_rdata_t rdata = DNS_RDATA_INIT;
isc_result_t result;
@@ -588,6 +589,10 @@ dns_rdataset_additionaldata(dns_rdataset_t *rdataset,
REQUIRE(DNS_RDATASET_VALID(rdataset));
REQUIRE((rdataset->attributes & DNS_RDATASETATTR_QUESTION) == 0);
+ if (limit != 0 && dns_rdataset_count(rdataset) > limit) {
+ return DNS_R_TOOMANYRECORDS;
+ }
+
result = dns_rdataset_first(rdataset);
if (result != ISC_R_SUCCESS) {
return (result);
diff --git a/lib/dns/resolver.c b/lib/dns/resolver.c
index cc8c9ab..2f932be 100644
--- a/lib/dns/resolver.c
+++ b/lib/dns/resolver.c
@@ -8944,7 +8944,7 @@ rctx_answer_any(respctx_t *rctx) {
rdataset->trust = rctx->trust;
(void)dns_rdataset_additionaldata(rdataset, check_related,
- rctx);
+ rctx, 0);
}
return (ISC_R_SUCCESS);
@@ -8991,7 +8991,7 @@ rctx_answer_match(respctx_t *rctx) {
rctx->ardataset->attributes |= DNS_RDATASETATTR_ANSWER;
rctx->ardataset->attributes |= DNS_RDATASETATTR_CACHE;
rctx->ardataset->trust = rctx->trust;
- (void)dns_rdataset_additionaldata(rctx->ardataset, check_related, rctx);
+ (void)dns_rdataset_additionaldata(rctx->ardataset, check_related, rctx, 0);
for (sigrdataset = ISC_LIST_HEAD(rctx->aname->list);
sigrdataset != NULL;
@@ -9197,7 +9197,7 @@ rctx_authority_positive(respctx_t *rctx) {
* to this rdataset.
*/
(void)dns_rdataset_additionaldata(
- rdataset, check_related, rctx);
+ rdataset, check_related, rctx, 0);
done = true;
}
}
@@ -9701,8 +9701,12 @@ rctx_referral(respctx_t *rctx) {
*/
INSIST(rctx->ns_rdataset != NULL);
FCTX_ATTR_SET(fctx, FCTX_ATTR_GLUING);
+
+ /*
+ * Mark the glue records in the additional section to be cached.
+ */
(void)dns_rdataset_additionaldata(rctx->ns_rdataset, check_related,
- rctx);
+ rctx, 0);
#if CHECK_FOR_GLUE_IN_ANSWER
/*
* Look in the answer section for "glue" that is incorrectly
@@ -9715,7 +9719,7 @@ rctx_referral(respctx_t *rctx) {
(fctx->type == dns_rdatatype_aaaa || fctx->type == dns_rdatatype_a))
{
(void)dns_rdataset_additionaldata(rctx->ns_rdataset,
- check_answer, fctx);
+ check_answer, fctx, 0);
}
#endif /* if CHECK_FOR_GLUE_IN_ANSWER */
FCTX_ATTR_CLR(fctx, FCTX_ATTR_GLUING);
@@ -9825,7 +9829,7 @@ again:
if (CHASE(rdataset)) {
rdataset->attributes &= ~DNS_RDATASETATTR_CHASE;
(void)dns_rdataset_additionaldata(
- rdataset, check_related, rctx);
+ rdataset, check_related, rctx, 0);
rescan = true;
}
}
diff --git a/lib/isc/include/isc/result.h b/lib/isc/include/isc/result.h
index 21071c7..2b14d66 100644
--- a/lib/isc/include/isc/result.h
+++ b/lib/isc/include/isc/result.h
@@ -90,9 +90,10 @@
#define ISC_R_IPV4PREFIX 69 /*%< IPv4 prefix */
#define ISC_R_TLSERROR 70 /*%< TLS error */
#define ISC_R_HTTP2ALPNERROR 71 /*%< ALPN for HTTP/2 failed */
+#define DNS_R_TOOMANYRECORDS 72 /*%< too many records */
/*% Not a result code: the number of results. */
-#define ISC_R_NRESULTS 72
+#define ISC_R_NRESULTS 73
ISC_LANG_BEGINDECLS
diff --git a/lib/isc/result.c b/lib/isc/result.c
index 72e7a3c..a038b6e 100644
--- a/lib/isc/result.c
+++ b/lib/isc/result.c
@@ -102,7 +102,8 @@ static const char *description[ISC_R_NRESULTS] = {
"default", /*%< 68 */
"IPv4 prefix", /*%< 69 */
"TLS error", /*%< 70 */
- "ALPN for HTTP/2 failed" /*%< 71 */
+ "ALPN for HTTP/2 failed", /*%< 71 */
+ "too many records" /*%< 72 */
};
static const char *identifier[ISC_R_NRESULTS] = { "ISC_R_SUCCESS",
@@ -176,7 +177,8 @@ static const char *identifier[ISC_R_NRESULTS] = { "ISC_R_SUCCESS",
"ISC_R_DEFAULT",
"ISC_R_IPV4PREFIX",
"ISC_R_TLSERROR",
- "ISC_R_HTTP2ALPNERROR" };
+ "ISC_R_HTTP2ALPNERROR",
+ "DNS_R_TOOMANYRECODES" };
#define ISC_RESULT_RESULTSET 2
#define ISC_RESULT_UNAVAILABLESET 3
diff --git a/lib/ns/query.c b/lib/ns/query.c
index 520203f..15e321f 100644
--- a/lib/ns/query.c
+++ b/lib/ns/query.c
@@ -2031,7 +2031,8 @@ addname:
*/
if (trdataset != NULL && dns_rdatatype_followadditional(type)) {
eresult = dns_rdataset_additionaldata(
- trdataset, query_additional_cb, qctx);
+ trdataset, query_additional_cb, qctx,
+ DNS_RDATASET_MAXADDITIONAL);
}
cleanup:
@@ -2122,7 +2123,8 @@ regular:
* Add other additional data if needed.
* We don't care if dns_rdataset_additionaldata() fails.
*/
- (void)dns_rdataset_additionaldata(rdataset, query_additional_cb, qctx);
+ (void)dns_rdataset_additionaldata(rdataset, query_additional_cb, qctx,
+ DNS_RDATASET_MAXADDITIONAL);
CTRACE(ISC_LOG_DEBUG(3), "query_additional: done");
}
@@ -2148,7 +2150,8 @@ query_addrrset(query_ctx_t *qctx, dns_name_t **namep,
* To the current response for 'client', add the answer RRset
* '*rdatasetp' and an optional signature set '*sigrdatasetp', with
* owner name '*namep', to section 'section', unless they are
- * already there. Also add any pertinent additional data.
+ * already there. Also add any pertinent additional data, unless
+ * the query was for type ANY.
*
* If 'dbuf' is not NULL, then '*namep' is the name whose data is
* stored in 'dbuf'. In this case, query_addrrset() guarantees that
@@ -2203,7 +2206,9 @@ query_addrrset(query_ctx_t *qctx, dns_name_t **namep,
*/
query_addtoname(mname, rdataset);
query_setorder(qctx, mname, rdataset);
- query_additional(qctx, rdataset);
+ if (qctx->qtype != dns_rdatatype_any) {
+ query_additional(qctx, rdataset);
+ }
/*
* Note: we only add SIGs if we've added the type they cover, so
--
2.33.0
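Review bot: The identifier table entry added in lib/isc/result.c reads `"DNS_R_TOOMANYRECODES"`, which does not match the macro `DNS_R_TOOMANYRECORDS` added to result.h, so whatever reports result identifiers from `identifier[]` (presumably isc_result_toid()) prints a misspelled name for code 72; change the line to `"DNS_R_TOOMANYRECORDS" };`. Also, the new paragraph in rdataset.h says "the number of the rdatasets is larger than 'limit'" while the check in rdataset.c compares dns_rdataset_count(), i.e. the number of rdata in the one set; `*\li If 'limit' is non-zero and the rdataset holds more than 'limit' rdata, no additional data will be processed.` would describe the code.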



@ -0,0 +1,27 @@
From 7bc5e5abf5a3cd66f11cc649b6ecf4c39c92bd9e Mon Sep 17 00:00:00 2001
From: Petr Mensik <pemensik@redhat.com>
Date: Fri, 9 Aug 2024 12:32:20 +0200
Subject: [PATCH] fixup! Add test for not-loading and not-transfering huge
RRSets
---
bin/tests/system/conf.sh.common | 3 +++
1 file changed, 3 insertions(+)
diff --git a/bin/tests/system/conf.sh.common b/bin/tests/system/conf.sh.common
index 9fab00f..e617595 100644
--- a/bin/tests/system/conf.sh.common
+++ b/bin/tests/system/conf.sh.common
@@ -301,6 +301,9 @@ DISABLED_ALGORITHM=ECDSAP384SHA384
DISABLED_ALGORITHM_NUMBER=14
DISABLED_BITS=384
+# Default HMAC algorithm.
+export DEFAULT_HMAC=hmac-sha256
+
#
# Useful functions in test scripts
#
--
2.45.2




@ -0,0 +1,587 @@
From a1c95d5fa479ac722f0cf758c494a37ffe1508c0 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Ond=C5=99ej=20Sur=C3=BD?= <ondrej@isc.org>
Date: Sat, 25 May 2024 11:46:56 +0200
Subject: [PATCH] Add a limit to the number of RR types for single name
Previously, the number of RR types for a single owner name was limited
only by the maximum number of the types (64k). As the data structure
that holds the RR types for the database node is just a linked list, and
there are places where we just walk through the whole list (again and
again), adding a large number of RR types for a single owner named with
would slow down processing of such name (database node).
Add a configurable limit to cap the number of the RR types for a single
owner. This is enforced at the database (rbtdb, qpzone, qpcache) level
and configured with new max-types-per-name configuration option that
can be configured globally, per-view and per-zone.
(cherry picked from commit 00d16211d6368b99f070c1182d8c76b3798ca1db)
(cherry picked from commit 89f1779bc28b27adbd00325b974ede7a683f8632)
fix a memory leak that could occur when signing
when signatures were not added because of too many types already
existing at a node, the diff was not being cleaned up; this led to
a memory leak being reported at shutdown.
(cherry picked from commit 2825bdb1ae5be801e7ed603ba2455ed9a308f1f7)
(cherry picked from commit a080317de0efb7f6ffa12415a863729d416007d5)
Be smarter about refusing to add many RR types to the database
Instead of outright refusing to add new RR types to the cache, be a bit
smarter:
1. If the new header type is in our priority list, we always add either
positive or negative entry at the beginning of the list.
2. If the new header type is negative entry, and we are over the limit,
we mark it as ancient immediately, so it gets evicted from the cache
as soon as possible.
3. Otherwise add the new header after the priority headers (or at the
head of the list).
4. If we are over the limit, evict the last entry on the normal header
list.
(cherry picked from commit 57cd34441a1b4ecc9874a4a106c2c95b8d7a3120)
(cherry picked from commit 92a680a3ef708281267e4fd7b1e62b57c929447b)
Log error when update fails
The new "too many records" error can make an update fail without the
error being logged. This commit fixes that.
(cherry picked from commit 558923e5405894cf976d102f0d246a28bdbb400c)
(cherry picked from commit d72adf4b927d83a2a0ff8e431b911ec1df7aeb88)
Conflict:The default value of max-types-per-name is 100, which adapted
to 5000
Reference:https://downloads.isc.org/isc/bind9/9.18.28/patches/0002-CVE-2024-1737.patch
---
bin/named/config.c | 1 +
bin/named/server.c | 9 +++++++++
bin/named/zoneconf.c | 8 ++++++++
bin/tests/system/dyndb/driver/db.c | 3 ++-
doc/arm/reference.rst | 12 ++++++++++++
lib/dns/cache.c | 12 ++++++++++++
lib/dns/db.c | 9 +++++++++
lib/dns/dnsrps.c | 3 ++-
lib/dns/ecdb.c | 3 ++-
lib/dns/include/dns/cache.h | 6 ++++++
lib/dns/include/dns/db.h | 11 +++++++++++
lib/dns/include/dns/view.h | 7 +++++++
lib/dns/include/dns/zone.h | 13 +++++++++++++
lib/dns/rbtdb.c | 28 +++++++++++++++++-----------
lib/dns/sdb.c | 3 ++-
lib/dns/sdlz.c | 3 ++-
lib/dns/view.c | 10 ++++++++++
lib/dns/zone.c | 16 ++++++++++++++++
lib/isccfg/namedconf.c | 3 +++
lib/ns/update.c | 15 ++++++++++++---
20 files changed, 156 insertions(+), 19 deletions(-)
diff --git a/bin/named/config.c b/bin/named/config.c
index a749995..b0373b4 100644
--- a/bin/named/config.c
+++ b/bin/named/config.c
@@ -218,6 +218,7 @@ options {\n\
max-records-per-type 5000;\n\
max-refresh-time 2419200; /* 4 weeks */\n\
max-retry-time 1209600; /* 2 weeks */\n\
+ max-types-per-name 5000;\n\
max-transfer-idle-in 60;\n\
max-transfer-idle-out 60;\n\
max-transfer-time-in 120;\n\
diff --git a/bin/named/server.c b/bin/named/server.c
index e65dab9..fdb94f5 100644
--- a/bin/named/server.c
+++ b/bin/named/server.c
@@ -5445,6 +5445,15 @@ configure_view(dns_view_t *view, dns_viewlist_t *viewlist, cfg_obj_t *config,
INSIST(result == ISC_R_SUCCESS);
dns_view_setmaxrrperset(view, cfg_obj_asuint32(obj));
+ /*
+ * This is used for the cache and also as a default value
+ * for zone databases.
+ */
+ obj = NULL;
+ result = named_config_get(maps, "max-types-per-name", &obj);
+ INSIST(result == ISC_R_SUCCESS);
+ dns_view_setmaxtypepername(view, cfg_obj_asuint32(obj));
+
obj = NULL;
result = named_config_get(maps, "max-recursion-depth", &obj);
INSIST(result == ISC_R_SUCCESS);
diff --git a/bin/named/zoneconf.c b/bin/named/zoneconf.c
index f4ac298..b8edc24 100644
--- a/bin/named/zoneconf.c
+++ b/bin/named/zoneconf.c
@@ -1080,6 +1080,14 @@ named_zone_configure(const cfg_obj_t *config, const cfg_obj_t *vconfig,
dns_zone_setmaxrrperset(zone, 0);
}
+ obj = NULL;
+ result = named_config_get(maps, "max-types-per-name", &obj);
+ INSIST(result == ISC_R_SUCCESS && obj != NULL);
+ dns_zone_setmaxtypepername(mayberaw, cfg_obj_asuint32(obj));
+ if (zone != mayberaw) {
+ dns_zone_setmaxtypepername(zone, 0);
+ }
+
if (raw != NULL && filename != NULL) {
#define SIGNED ".signed"
size_t signedlen = strlen(filename) + sizeof(SIGNED);
diff --git a/bin/tests/system/dyndb/driver/db.c b/bin/tests/system/dyndb/driver/db.c
index 6725a3b..c95fc82 100644
--- a/bin/tests/system/dyndb/driver/db.c
+++ b/bin/tests/system/dyndb/driver/db.c
@@ -593,7 +593,8 @@ static dns_dbmethods_t sampledb_methods = {
NULL, /* getservestalerefresh */
NULL, /* setgluecachestats */
NULL, /* adjusthashsize */
- NULL /* setmaxrrperset */
+ NULL, /* setmaxrrperset */
+ NULL /* setmaxtypepername */
};
/* Auxiliary driver functions. */
diff --git a/doc/arm/reference.rst b/doc/arm/reference.rst
index bf2fea7..b284350 100644
--- a/doc/arm/reference.rst
+++ b/doc/arm/reference.rst
@@ -2902,6 +2902,18 @@ system.
a failure. If set to 0, there is no cap on RRset size. The default is
100.
+``max-types-per-name``
+ This sets the maximum number of resource record types that can be stored
+ for a single owner name in a database. When configured in ``options``
+ or ``view``, it controls the cache database, and also sets
+ the default value for zone databases, which can be overridden by setting
+ it at the ``zone`` level
+
+ If set to a positive value, any attempt to cache or to add to a zone an owner
+ name with more than the specified number of resource record types will result
+ in a failure. If set to 0, there is no cap on RR types number. The default is
+ 100.
+
``recursive-clients``
This sets the maximum number (a "hard quota") of simultaneous recursive lookups
the server performs on behalf of clients. The default is
diff --git a/lib/dns/cache.c b/lib/dns/cache.c
index 9f0412d..0b474fc 100644
--- a/lib/dns/cache.c
+++ b/lib/dns/cache.c
@@ -150,6 +150,7 @@ struct dns_cache {
/* Access to the on-disk cache file is also locked by 'filelock'. */
uint32_t maxrrperset;
+ uint32_t maxtypepername;
};
/***
@@ -178,6 +179,7 @@ cache_create_db(dns_cache_t *cache, dns_db_t **db) {
if (result == ISC_R_SUCCESS) {
dns_db_setservestalettl(*db, cache->serve_stale_ttl);
dns_db_setmaxrrperset(*db, cache->maxrrperset);
+ dns_db_setmaxtypepername(*db, cache->maxtypepername);
}
return (result);
}
@@ -1290,6 +1292,16 @@ dns_cache_setmaxrrperset(dns_cache_t *cache, uint32_t value) {
}
}
+void
+dns_cache_setmaxtypepername(dns_cache_t *cache, uint32_t value) {
+ REQUIRE(VALID_CACHE(cache));
+
+ cache->maxtypepername = value;
+ if (cache->db != NULL) {
+ dns_db_setmaxtypepername(cache->db, value);
+ }
+}
+
/*
* XXX: Much of the following code has been copied in from statschannel.c.
* We should refactor this into a generic function in stats.c that can be
diff --git a/lib/dns/db.c b/lib/dns/db.c
index 0b3503a..a4f63a1 100644
--- a/lib/dns/db.c
+++ b/lib/dns/db.c
@@ -1141,3 +1141,12 @@ dns_db_setmaxrrperset(dns_db_t *db, uint32_t value) {
(db->methods->setmaxrrperset)(db, value);
}
}
+
+void
+dns_db_setmaxtypepername(dns_db_t *db, uint32_t value) {
+ REQUIRE(DNS_DB_VALID(db));
+
+ if (db->methods->setmaxtypepername != NULL) {
+ (db->methods->setmaxtypepername)(db, value);
+ }
+}
diff --git a/lib/dns/dnsrps.c b/lib/dns/dnsrps.c
index 539090d..e1a1b21 100644
--- a/lib/dns/dnsrps.c
+++ b/lib/dns/dnsrps.c
@@ -971,7 +971,8 @@ static dns_dbmethods_t rpsdb_db_methods = {
NULL, /* getservestalerefresh */
NULL, /* setgluecachestats */
NULL, /* adjusthashsize */
- NULL /* setmaxrrperset */
+ NULL, /* setmaxrrperset */
+ NULL /* setmaxtypepername */
};
static dns_rdatasetmethods_t rpsdb_rdataset_methods = {
diff --git a/lib/dns/ecdb.c b/lib/dns/ecdb.c
index bab5da5..27d03b4 100644
--- a/lib/dns/ecdb.c
+++ b/lib/dns/ecdb.c
@@ -560,7 +560,8 @@ static dns_dbmethods_t ecdb_methods = {
NULL, /* getservestalerefresh */
NULL, /* setgluecachestats */
NULL, /* adjusthashsize */
- NULL /* setmaxrrperset */
+ NULL, /* setmaxrrperset */
+ NULL /* setmaxtypepername */
};
static isc_result_t
diff --git a/lib/dns/include/dns/cache.h b/lib/dns/include/dns/cache.h
index 3fa2a89..72de216 100644
--- a/lib/dns/include/dns/cache.h
+++ b/lib/dns/include/dns/cache.h
@@ -343,6 +343,12 @@ dns_cache_setmaxrrperset(dns_cache_t *cache, uint32_t value);
* Set the maximum resource records per RRSet that can be cached.
*/
+void
+dns_cache_setmaxtypepername(dns_cache_t *cache, uint32_t value);
+/*%<
+ * Set the maximum resource record types per owner name that can be cached.
+ */
+
#ifdef HAVE_LIBXML2
int
dns_cache_renderxml(dns_cache_t *cache, void *writer0);
diff --git a/lib/dns/include/dns/db.h b/lib/dns/include/dns/db.h
index 881d4cf..8695c16 100644
--- a/lib/dns/include/dns/db.h
+++ b/lib/dns/include/dns/db.h
@@ -183,6 +183,7 @@ typedef struct dns_dbmethods {
isc_result_t (*setgluecachestats)(dns_db_t *db, isc_stats_t *stats);
isc_result_t (*adjusthashsize)(dns_db_t *db, size_t size);
void (*setmaxrrperset)(dns_db_t *db, uint32_t value);
+ void (*setmaxtypepername)(dns_db_t *db, uint32_t value);
} dns_dbmethods_t;
typedef isc_result_t (*dns_dbcreatefunc_t)(isc_mem_t *mctx,
@@ -1791,6 +1792,16 @@ dns_db_setmaxrrperset(dns_db_t *db, uint32_t value);
* is nonzero, then any subsequent attempt to add an rdataset with
* more than 'value' RRs will return ISC_R_NOSPACE.
*/
+
+void
+dns_db_setmaxtypepername(dns_db_t *db, uint32_t value);
+/*%<
+ * Set the maximum permissible number of RR types per owner name.
+ *
+ * If 'value' is nonzero, then any subsequent attempt to add an rdataset with a
+ * RR type that would exceed the number of already stored RR types will return
+ * ISC_R_NOSPACE.
+ */
ISC_LANG_ENDDECLS
#endif /* DNS_DB_H */
diff --git a/lib/dns/include/dns/view.h b/lib/dns/include/dns/view.h
index 0d502f4..0a72f58 100644
--- a/lib/dns/include/dns/view.h
+++ b/lib/dns/include/dns/view.h
@@ -187,6 +187,7 @@ struct dns_view {
uint32_t fail_ttl;
dns_badcache_t *failcache;
uint32_t maxrrperset;
+ uint32_t maxtypepername;
/*
* Configurable data for server use only,
@@ -1346,6 +1347,12 @@ dns_view_setmaxrrperset(dns_view_t *view, uint32_t value);
* Set the maximum resource records per RRSet that can be cached.
*/
+void
+dns_view_setmaxtypepername(dns_view_t *view, uint32_t value);
+/*%<
+ * Set the maximum resource record types per owner name that can be cached.
+ */
+
ISC_LANG_ENDDECLS
#endif /* DNS_VIEW_H */
diff --git a/lib/dns/include/dns/zone.h b/lib/dns/include/dns/zone.h
index c4b7577..db5a002 100644
--- a/lib/dns/include/dns/zone.h
+++ b/lib/dns/include/dns/zone.h
@@ -356,6 +356,19 @@ dns_zone_setmaxrrperset(dns_zone_t *zone, uint32_t maxrrperset);
*\li void
*/
+void
+dns_zone_setmaxtypepername(dns_zone_t *zone, uint32_t maxtypepername);
+/*%<
+ * Sets the maximum number of resource record types per owner name
+ * permitted in a zone. 0 implies unlimited.
+ *
+ * Requires:
+ *\li 'zone' to be valid initialised zone.
+ *
+ * Returns:
+ *\li void
+ */
+
void
dns_zone_setmaxttl(dns_zone_t *zone, uint32_t maxttl);
/*%<
diff --git a/lib/dns/rbtdb.c b/lib/dns/rbtdb.c
index f27f970..5f6e7a0 100644
--- a/lib/dns/rbtdb.c
+++ b/lib/dns/rbtdb.c
@@ -483,6 +483,7 @@ struct dns_rbtdb {
rbtdb_serial_t least_serial;
rbtdb_serial_t next_serial;
uint32_t maxrrperset;
+ uint32_t maxtypepername;
rbtdb_version_t *current_version;
rbtdb_version_t *future_version;
rbtdb_versionlist_t open_versions;
@@ -6215,19 +6216,13 @@ update_recordsandxfrsize(bool add, rbtdb_version_t *rbtversion,
RWUNLOCK(&rbtversion->rwlock, isc_rwlocktype_write);
}
-#ifndef DNS_RBTDB_MAX_RTYPES
-#define DNS_RBTDB_MAX_RTYPES 100
-#endif /* DNS_RBTDB_MAX_RTYPES */
-
static bool
overmaxtype(dns_rbtdb_t *rbtdb, uint32_t ntypes) {
- UNUSED(rbtdb);
-
- if (DNS_RBTDB_MAX_RTYPES == 0) {
+ if (rbtdb->maxtypepername == 0) {
return (false);
}
- return (ntypes >= DNS_RBTDB_MAX_RTYPES);
+ return (ntypes >= rbtdb->maxtypepername);
}
static bool
@@ -6787,7 +6782,7 @@ find_header:
if (!IS_CACHE(rbtdb) && overmaxtype(rbtdb, ntypes)) {
free_rdataset(rbtdb, rbtdb->common.mctx,
newheader);
- return (ISC_R_QUOTA);
+ return (DNS_R_TOOMANYRECORDS);
}
newheader->down = NULL;
@@ -8616,6 +8611,15 @@ setmaxrrperset(dns_db_t *db, uint32_t maxrrperset) {
rbtdb->maxrrperset = maxrrperset;
}
+static void
+setmaxtypepername(dns_db_t *db, uint32_t maxtypepername) {
+ dns_rbtdb_t *rbtdb = (dns_rbtdb_t *)db;
+
+ REQUIRE(VALID_RBTDB(rbtdb));
+
+ rbtdb->maxtypepername = maxtypepername;
+}
+
static dns_stats_t *
getrrsetstats(dns_db_t *db) {
dns_rbtdb_t *rbtdb = (dns_rbtdb_t *)db;
@@ -8740,7 +8744,8 @@ static dns_dbmethods_t zone_methods = { attach,
NULL, /* getservestalerefresh */
setgluecachestats,
adjusthashsize,
- setmaxrrperset };
+ setmaxrrperset,
+ setmaxtypepername };
static dns_dbmethods_t cache_methods = { attach,
detach,
@@ -8793,7 +8798,8 @@ static dns_dbmethods_t cache_methods = { attach,
getservestalerefresh,
NULL,
adjusthashsize,
- setmaxrrperset };
+ setmaxrrperset,
+ setmaxtypepername };
isc_result_t
dns_rbtdb_create(isc_mem_t *mctx, const dns_name_t *origin, dns_dbtype_t type,
diff --git a/lib/dns/sdb.c b/lib/dns/sdb.c
index 84cd324..77a5834 100644
--- a/lib/dns/sdb.c
+++ b/lib/dns/sdb.c
@@ -1313,7 +1313,8 @@ static dns_dbmethods_t sdb_methods = {
NULL, /* getservestalerefresh */
NULL, /* setgluecachestats */
NULL, /* adjusthashsize */
- NULL /* setmaxrrperset */
+ NULL, /* setmaxrrperset */
+ NULL /* setmaxtypepername */
};
static isc_result_t
diff --git a/lib/dns/sdlz.c b/lib/dns/sdlz.c
index f478913..736224c 100644
--- a/lib/dns/sdlz.c
+++ b/lib/dns/sdlz.c
@@ -1285,7 +1285,8 @@ static dns_dbmethods_t sdlzdb_methods = {
NULL, /* getservestalerefresh */
NULL, /* setgluecachestats */
NULL, /* adjusthashsize */
- NULL /* setmaxrrperset */
+ NULL, /* setmaxrrperset */
+ NULL /* setmaxtypepername */
};
/*
diff --git a/lib/dns/view.c b/lib/dns/view.c
index 90c2ac7..53829ec 100644
--- a/lib/dns/view.c
+++ b/lib/dns/view.c
@@ -870,6 +870,7 @@ dns_view_setcache(dns_view_t *view, dns_cache_t *cache, bool shared) {
INSIST(DNS_DB_VALID(view->cachedb));
dns_cache_setmaxrrperset(view->cache, view->maxrrperset);
+ dns_cache_setmaxtypepername(view->cache, view->maxtypepername);
}
bool
@@ -2554,3 +2555,12 @@ dns_view_setmaxrrperset(dns_view_t *view, uint32_t value) {
dns_cache_setmaxrrperset(view->cache, value);
}
}
+
+void
+dns_view_setmaxtypepername(dns_view_t *view, uint32_t value) {
+ REQUIRE(DNS_VIEW_VALID(view));
+ view->maxtypepername = value;
+ if (view->cache != NULL) {
+ dns_cache_setmaxtypepername(view->cache, value);
+ }
+}
diff --git a/lib/dns/zone.c b/lib/dns/zone.c
index 350f80f..19d7a72 100644
--- a/lib/dns/zone.c
+++ b/lib/dns/zone.c
@@ -277,6 +277,7 @@ struct dns_zone {
uint32_t maxrecords;
uint32_t maxrrperset;
+ uint32_t maxtypepername;
isc_sockaddr_t *masters;
isc_dscp_t *masterdscps;
@@ -9995,6 +9996,7 @@ cleanup:
}
dns_diff_clear(&_sig_diff);
+ dns_diff_clear(&post_diff);
for (i = 0; i < nkeys; i++) {
dst_key_free(&zone_keys[i]);
@@ -12204,6 +12206,16 @@ dns_zone_setmaxrrperset(dns_zone_t *zone, uint32_t val) {
}
}
+void
+dns_zone_setmaxtypepername(dns_zone_t *zone, uint32_t val) {
+ REQUIRE(DNS_ZONE_VALID(zone));
+
+ zone->maxtypepername = val;
+ if (zone->db != NULL) {
+ dns_db_setmaxtypepername(zone->db, val);
+ }
+}
+
static bool
notify_isqueued(dns_zone_t *zone, unsigned int flags, dns_name_t *name,
isc_sockaddr_t *addr, dns_tsigkey_t *key) {
@@ -14609,6 +14621,8 @@ ns_query(dns_zone_t *zone, dns_rdataset_t *soardataset, dns_stub_t *stub) {
}
dns_db_settask(stub->db, zone->task);
dns_db_setmaxrrperset(stub->db, zone->maxrrperset);
+ dns_db_setmaxtypepername(stub->db,
+ zone->maxtypepername);
}
result = dns_db_newversion(stub->db, &stub->version);
@@ -17346,6 +17360,7 @@ zone_replacedb(dns_zone_t *zone, dns_db_t *db, bool dump) {
zone_attachdb(zone, db);
dns_db_settask(zone->db, zone->task);
dns_db_setmaxrrperset(zone->db, zone->maxrrperset);
+ dns_db_setmaxtypepername(zone->db, zone->maxtypepername);
DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_LOADED | DNS_ZONEFLG_NEEDNOTIFY);
return (ISC_R_SUCCESS);
@@ -23544,6 +23559,7 @@ dns_zone_makedb(dns_zone_t *zone, dns_db_t **dbp) {
dns_db_settask(db, zone->task);
dns_db_setmaxrrperset(db, zone->maxrrperset);
+ dns_db_setmaxtypepername(db, zone->maxtypepername);
*dbp = db;
diff --git a/lib/isccfg/namedconf.c b/lib/isccfg/namedconf.c
index dce3053..ac9fc2a 100644
--- a/lib/isccfg/namedconf.c
+++ b/lib/isccfg/namedconf.c
@@ -2239,6 +2239,9 @@ static cfg_clausedef_t zone_clauses[] = {
{ "max-records-per-type", &cfg_type_uint32,
CFG_ZONE_PRIMARY | CFG_ZONE_SECONDARY | CFG_ZONE_MIRROR |
CFG_ZONE_STUB | CFG_ZONE_STATICSTUB | CFG_ZONE_REDIRECT },
+ { "max-types-per-name", &cfg_type_uint32,
+ CFG_ZONE_PRIMARY | CFG_ZONE_SECONDARY | CFG_ZONE_MIRROR |
+ CFG_ZONE_STUB | CFG_ZONE_STATICSTUB | CFG_ZONE_REDIRECT },
{ "max-refresh-time", &cfg_type_uint32,
CFG_ZONE_SECONDARY | CFG_ZONE_MIRROR | CFG_ZONE_STUB },
{ "max-retry-time", &cfg_type_uint32,
diff --git a/lib/ns/update.c b/lib/ns/update.c
index 071de25..c926e6f 100644
--- a/lib/ns/update.c
+++ b/lib/ns/update.c
@@ -3119,9 +3119,18 @@ update_action(isc_task_t *task, isc_event_t *event) {
dns_diff_clear(&ctx.add_diff);
goto failure;
}
- CHECK(update_one_rr(db, ver, &diff,
- DNS_DIFFOP_ADD,
- name, ttl, &rdata));
+ result = update_one_rr(
+ db, ver, &diff, DNS_DIFFOP_ADD,
+ name, ttl, &rdata);
+ if (result != ISC_R_SUCCESS) {
+ update_log(client, zone,
+ LOGLEVEL_PROTOCOL,
+ "adding an RR "
+ "failed: %s",
+ isc_result_totext(
+ result));
+ goto failure;
+ }
}
}
} else if (update_class == dns_rdataclass_any) {
--
2.43.0


@ -0,0 +1,268 @@
From bef3d2cca3552100bbe44790c8c1a4f5bef06798 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Petr=20=C5=A0pa=C4=8Dek?= <pspacek@isc.org>
Date: Thu, 16 May 2024 12:10:41 +0200
Subject: [PATCH] Remove support for SIG(0) message verification
Conflict:Case adaptation and some documents are not incorporated.
Reference:https://downloads.isc.org/isc/bind9/9.18.28/patches/0003-CVE-2024-1975.patch
---
bin/tests/system/tsiggss/authsock.pl | 5 ++
bin/tests/system/tsiggss/tests.sh | 12 ++--
bin/tests/system/upforwd/tests.sh | 9 ++-
doc/arm/general.rst | 6 +-
lib/dns/message.c | 99 ++--------------------------
lib/ns/client.c | 7 ++
6 files changed, 33 insertions(+), 105 deletions(-)
diff --git a/bin/tests/system/tsiggss/authsock.pl b/bin/tests/system/tsiggss/authsock.pl
index ab3833d..0b231ee 100644
--- a/bin/tests/system/tsiggss/authsock.pl
+++ b/bin/tests/system/tsiggss/authsock.pl
@@ -31,6 +31,10 @@ if (!defined($path)) {
exit(1);
}
+# Enable output autoflush so that it's not lost when the parent sends TERM.
+select STDOUT;
+$| = 1;
+
unlink($path);
my $server = IO::Socket::UNIX->new(Local => $path, Type => SOCK_STREAM, Listen => 8) or
die "unable to create socket $path";
@@ -53,6 +57,7 @@ if ($timeout != 0) {
}
while (my $client = $server->accept()) {
+ printf("accept()\n");
$client->recv(my $buf, 8, 0);
my ($version, $req_len) = unpack('N N', $buf);
diff --git a/bin/tests/system/tsiggss/tests.sh b/bin/tests/system/tsiggss/tests.sh
index 632bb87..4b8a903 100644
--- a/bin/tests/system/tsiggss/tests.sh
+++ b/bin/tests/system/tsiggss/tests.sh
@@ -116,7 +116,7 @@ status=$((status+ret))
echo_i "testing external update policy (CNAME) with auth sock ($n)"
ret=0
-$PERL ./authsock.pl --type=CNAME --path=ns1/auth.sock --pidfile=authsock.pid --timeout=120 > /dev/null 2>&1 &
+$PERL ./authsock.pl --type=CNAME --path=ns1/auth.sock --pidfile=authsock.pid --timeout=120 > authsock.log 2>&1 &
sleep 1
test_update $n testcname.example.nil. CNAME "86400 CNAME testdenied.example.nil" "testdenied" || ret=1
n=$((n+1))
@@ -130,17 +130,19 @@ n=$((n+1))
if [ "$ret" -ne 0 ]; then echo_i "failed"; fi
status=$((status+ret))
-echo_i "testing external policy with SIG(0) key ($n)"
+echo_i "testing external policy with unsupported SIG(0) key ($n)"
ret=0
-$NSUPDATE -k ns1/Kkey.example.nil.*.private <<END > /dev/null 2>&1 || ret=1
+$NSUPDATE -d -k ns1/Kkey.example.nil.*.private <<END >nsupdate.out${n} 2>&1 || true
+debug
server 10.53.0.1 ${PORT}
zone example.nil
update add fred.example.nil 120 cname foo.bar.
send
END
output=`$DIG $DIGOPTS +short cname fred.example.nil.`
-[ -n "$output" ] || ret=1
-[ $ret -eq 0 ] || echo_i "failed"
+# update must have failed - SIG(0) signer is not supported
+[ -n "$output" ] && ret=1
+grep -F "signer=key.example.nil" authsock.log >/dev/null && ret=1
n=$((n+1))
if [ "$ret" -ne 0 ]; then echo_i "failed"; fi
status=$((status+ret))
diff --git a/bin/tests/system/upforwd/tests.sh b/bin/tests/system/upforwd/tests.sh
index 8062d68..fa64d22 100644
--- a/bin/tests/system/upforwd/tests.sh
+++ b/bin/tests/system/upforwd/tests.sh
@@ -221,18 +221,21 @@ fi
if test -f keyname
then
- echo_i "checking update forwarding to with sig0 ($n)"
+ echo_i "checking update forwarding to with sig0 (expected to fail) ($n)"
ret=0
keyname=`cat keyname`
- $NSUPDATE -k $keyname.private -- - <<EOF
+ # SIG(0) is removed, update is expected to fail.
+ {
+ $NSUPDATE -k $keyname.private -- - <<EOF
server 10.53.0.3 ${PORT}
zone example2
update add unsigned.example2. 600 A 10.10.10.1
update add unsigned.example2. 600 TXT Foo
send
EOF
+ } >nsupdate.out.$n 2>&1 && ret=1
$DIG -p ${PORT} unsigned.example2 A @10.53.0.1 > dig.out.ns1.test$n
- grep "status: NOERROR" dig.out.ns1.test$n > /dev/null || ret=1
+ grep "status: NOERROR" dig.out.ns1.test$n > /dev/null && ret=1
if [ $ret != 0 ] ; then echo_i "failed"; fi
status=`expr $status + $ret`
n=`expr $n + 1`
diff --git a/doc/arm/general.rst b/doc/arm/general.rst
index 225576b..794767d 100644
--- a/doc/arm/general.rst
+++ b/doc/arm/general.rst
@@ -534,10 +534,8 @@ than a non-authoritative response. This is considered a feature.
[2] CLASS ANY queries are not supported. This is considered a
feature.
-[3] When receiving a query signed with a SIG(0), the server is
-only able to verify the signature if it has the key in its local
-authoritative data; it cannot do recursion or validation to
-retrieve unknown keys.
+[3] [#rfc2931] Support for SIG(0) message verification was removed
+ as part of the mitigation of CVE-2024-1975.
[4] Compliance is with loading and serving of A6 records only. A6 records were moved
to the experimental category by :rfc:`3363`.
diff --git a/lib/dns/message.c b/lib/dns/message.c
index 500705e..339574a 100644
--- a/lib/dns/message.c
+++ b/lib/dns/message.c
@@ -3331,113 +3331,26 @@ dns_message_dumpsig(dns_message_t *msg, char *txt1) {
isc_result_t
dns_message_checksig(dns_message_t *msg, dns_view_t *view) {
- isc_buffer_t b, msgb;
+ isc_buffer_t msgb;
REQUIRE(DNS_MESSAGE_VALID(msg));
- if (msg->tsigkey == NULL && msg->tsig == NULL && msg->sig0 == NULL) {
+ if (msg->tsigkey == NULL && msg->tsig == NULL) {
return (ISC_R_SUCCESS);
}
INSIST(msg->saved.base != NULL);
isc_buffer_init(&msgb, msg->saved.base, msg->saved.length);
isc_buffer_add(&msgb, msg->saved.length);
- if (msg->tsigkey != NULL || msg->tsig != NULL) {
#ifdef SKAN_MSG_DEBUG
- dns_message_dumpsig(msg, "dns_message_checksig#1");
+ dns_message_dumpsig(msg, "dns_message_checksig#1");
#endif /* ifdef SKAN_MSG_DEBUG */
- if (view != NULL) {
- return (dns_view_checksig(view, &msgb, msg));
- } else {
- return (dns_tsig_verify(&msgb, msg, NULL, NULL));
- }
+ if (view != NULL) {
+ return (dns_view_checksig(view, &msgb, msg));
} else {
- dns_rdata_t rdata = DNS_RDATA_INIT;
- dns_rdata_sig_t sig;
- dns_rdataset_t keyset;
- isc_result_t result;
-
- result = dns_rdataset_first(msg->sig0);
- INSIST(result == ISC_R_SUCCESS);
- dns_rdataset_current(msg->sig0, &rdata);
-
- /*
- * This can occur when the message is a dynamic update, since
- * the rdata length checking is relaxed. This should not
- * happen in a well-formed message, since the SIG(0) is only
- * looked for in the additional section, and the dynamic update
- * meta-records are in the prerequisite and update sections.
- */
- if (rdata.length == 0) {
- return (ISC_R_UNEXPECTEDEND);
- }
-
- result = dns_rdata_tostruct(&rdata, &sig, msg->mctx);
- if (result != ISC_R_SUCCESS) {
- return (result);
- }
-
- dns_rdataset_init(&keyset);
- if (view == NULL) {
- result = DNS_R_KEYUNAUTHORIZED;
- goto freesig;
- }
- result = dns_view_simplefind(view, &sig.signer,
- dns_rdatatype_key /* SIG(0) */, 0,
- 0, false, &keyset, NULL);
-
- if (result != ISC_R_SUCCESS) {
- /* XXXBEW Should possibly create a fetch here */
- result = DNS_R_KEYUNAUTHORIZED;
- goto freesig;
- } else if (keyset.trust < dns_trust_secure) {
- /* XXXBEW Should call a validator here */
- result = DNS_R_KEYUNAUTHORIZED;
- goto freesig;
- }
- result = dns_rdataset_first(&keyset);
- INSIST(result == ISC_R_SUCCESS);
- for (; result == ISC_R_SUCCESS;
- result = dns_rdataset_next(&keyset)) {
- dst_key_t *key = NULL;
-
- dns_rdata_reset(&rdata);
- dns_rdataset_current(&keyset, &rdata);
- isc_buffer_init(&b, rdata.data, rdata.length);
- isc_buffer_add(&b, rdata.length);
-
- result = dst_key_fromdns(&sig.signer, rdata.rdclass, &b,
- view->mctx, &key);
- if (result != ISC_R_SUCCESS) {
- continue;
- }
- if (dst_key_alg(key) != sig.algorithm ||
- dst_key_id(key) != sig.keyid ||
- !(dst_key_proto(key) == DNS_KEYPROTO_DNSSEC ||
- dst_key_proto(key) == DNS_KEYPROTO_ANY))
- {
- dst_key_free(&key);
- continue;
- }
- result = dns_dnssec_verifymessage(&msgb, msg, key);
- dst_key_free(&key);
- if (result == ISC_R_SUCCESS) {
- break;
- }
- }
- if (result == ISC_R_NOMORE) {
- result = DNS_R_KEYUNAUTHORIZED;
- }
-
- freesig:
- if (dns_rdataset_isassociated(&keyset)) {
- dns_rdataset_disassociate(&keyset);
- }
- dns_rdata_freestruct(&sig);
- return (result);
+ return (dns_tsig_verify(&msgb, msg, NULL, NULL));
}
}
-
#define INDENT(sp) \
do { \
unsigned int __i; \
diff --git a/lib/ns/client.c b/lib/ns/client.c
index 264d11d..0f8eb94 100644
--- a/lib/ns/client.c
+++ b/lib/ns/client.c
@@ -2063,6 +2063,13 @@ ns__client_request(isc_nmhandle_t *handle, isc_result_t eresult,
ns_client_log(client, DNS_LOGCATEGORY_SECURITY,
NS_LOGMODULE_CLIENT, ISC_LOG_DEBUG(3),
"request is signed by a nonauthoritative key");
+ } else if (result == DNS_R_NOTVERIFIEDYET &&
+ client->message->sig0 != NULL)
+ {
+ ns_client_log(client, DNS_LOGCATEGORY_SECURITY,
+ NS_LOGMODULE_CLIENT, ISC_LOG_DEBUG(3),
+ "request has a SIG(0) signature but its support "
+ "was removed (CVE-2024-1975)");
} else {
char tsigrcode[64];
isc_buffer_t b;
--
2.33.0
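Review bot: The early return added in `dns_message_checksig` now yields ISC_R_SUCCESS for a message that carries only a SIG(0) record, and nothing at that point records that the signature was never checked; presumably the caller only notices through the later `dns_message_signer` result, which is what the new DNS_R_NOTVERIFIEDYET branch in ns__client_request logs. A comment at the return would make that contract explicit: `/* SIG(0) is no longer verified (CVE-2024-1975); a message signed only with SIG(0) is treated as unsigned and its signer is never established. */`, and the header comment on dns_message_checksig in the public header, which this patch does not touch, should say the same. Separately, the new client.c message is logged at ISC_LOG_DEBUG(3) like its siblings, so an operator will not normally see that SIG(0)-signed requests are being handled as unsigned; consider whether DNS_LOGCATEGORY_SECURITY warrants a non-debug level for this one. The client.c hunk sits inside ns__client_request, which starts and ends outside the hunk.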


@ -0,0 +1,27 @@
From bef3d2cca3552100bbe44790c8c1a4f5bef06798 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Petr=20=C5=A0pa=C4=8Dek?= <pspacek@isc.org>
Date: Thu, 16 May 2024 12:10:41 +0200
Subject: [PATCH] Remove support for SIG(0) message verification
Conflict:NA
Reference:https://downloads.isc.org/isc/bind9/9.18.28/patches/0004-CVE-2024-4076.patch
---
lib/ns/query.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/lib/ns/query.c b/lib/ns/query.c
index 6f41178..520203f 100644
--- a/lib/ns/query.c
+++ b/lib/ns/query.c
@@ -5237,6 +5237,7 @@ qctx_freedata(query_ctx_t *qctx) {
ns_client_releasename(qctx->client, &qctx->zfname);
dns_db_detachnode(qctx->zdb, &qctx->znode);
dns_db_detach(&qctx->zdb);
+ qctx->zversion = NULL;
}
if (qctx->event != NULL && !qctx->client->nodetach) {
--
2.33.0
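Review bot: The added `qctx->zversion = NULL;` clears a pointer associated with the database detached on the line above but carries no explanation, and the visible lines do not show the version being closed, so a reader cannot tell whether this fixes a dangling pointer or hides a leaked version. A one-line comment would settle it: `/* zversion belonged to zdb, detached above; clear it so a later lookup on this qctx cannot reuse a stale version (CVE-2024-4076). */`. If `zversion` was obtained with dns_db_currentversion rather than aliasing a version closed elsewhere, it would also need dns_db_closeversion before the detach — worth confirming against the code above the hunk, since qctx_freedata starts and ends outside it.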


@ -0,0 +1,41 @@
From 12f902796d4adde1dfdbda9b23578049a2e530ee Mon Sep 17 00:00:00 2001
From: Mark Andrews <marka@isc.org>
Date: Mon, 26 Sep 2022 12:06:44 +1000
Subject: [PATCH] Check BN_dup results in rsa_check
Conflict: NA
Reference: https://gitlab.isc.org/isc-projects/bind9/-/commit/12f902796d4adde1dfdbda9b23578049a2e530ee
(cherry picked from commit a47235f4f5af0286aadd43eeccf946a8f35a5dc8)
---
lib/dns/opensslrsa_link.c | 9 +++++++++
1 file changed, 9 insertions(+)
diff --git a/lib/dns/opensslrsa_link.c b/lib/dns/opensslrsa_link.c
index 9bee2f0449..45570dac98 100644
--- a/lib/dns/opensslrsa_link.c
+++ b/lib/dns/opensslrsa_link.c
@@ -849,6 +849,9 @@ rsa_check(RSA *rsa, RSA *pub) {
}
} else {
n = BN_dup(n2);
+ if (n == NULL) {
+ return (ISC_R_NOMEMORY);
+ }
}
if (e1 != NULL) {
if (BN_cmp(e1, e2) != 0) {
@@ -859,6 +862,12 @@ rsa_check(RSA *rsa, RSA *pub) {
}
} else {
e = BN_dup(e2);
+ if (e == NULL) {
+ if (n != NULL) {
+ BN_free(n);
+ }
+ return (ISC_R_NOMEMORY);
+ }
}
if (RSA_set0_key(rsa, n, e, NULL) == 0) {
if (n != NULL) {
--
2.23.0
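Review bot: The new NULL checks after `BN_dup(n2)` and `BN_dup(e2)` report ISC_R_NOMEMORY, but BN_dup also returns NULL when its argument is NULL, so if `n2` or `e2` can be unset here (nothing in the hunk shows they were validated) a missing public parameter is misreported as an allocation failure. If that case is reachable, test the source operand first, e.g. `if (n2 == NULL) { return (...); }` ahead of the dup using the same key-validity result the BN_cmp mismatch branch above returns, and keep ISC_R_NOMEMORY for the genuine allocation failure. Minor style point: BN_free accepts NULL, so the `if (n != NULL)` guard around it is redundant, though it mirrors the existing guards below. rsa_check begins before this hunk and ends after it.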


@ -0,0 +1,30 @@
From 03c5db001e79e40011c3478e14593cdad72c5c1d Mon Sep 17 00:00:00 2001
From: Mark Andrews <marka@isc.org>
Date: Mon, 26 Sep 2022 11:57:17 +1000
Subject: [PATCH] Check that 'e' and 'n' are allocated in opensslrsa_fromdns
Conflict: NA
Reference: https://gitlab.isc.org/isc-projects/bind9/-/commit/03c5db001e79e40011c3478e14593cdad72c5c1d
(cherry picked from commit db70c302138f02b6e1fca6e89cf2da35b2ca0ae4)
---
lib/dns/opensslrsa_link.c | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/lib/dns/opensslrsa_link.c b/lib/dns/opensslrsa_link.c
index b23b6323fa..b744a62df9 100644
--- a/lib/dns/opensslrsa_link.c
+++ b/lib/dns/opensslrsa_link.c
@@ -671,6 +671,11 @@ opensslrsa_fromdns(dst_key_t *key, isc_buffer_t *data) {
e = BN_bin2bn(r.base, e_bytes, NULL);
isc_region_consume(&r, e_bytes);
n = BN_bin2bn(r.base, r.length, NULL);
+ if (e == NULL || n == NULL) {
+ RSA_free(rsa);
+ return (ISC_R_NOMEMORY);
+ }
+
if (RSA_set0_key(rsa, n, e, NULL) == 0) {
if (n != NULL) {
BN_free(n);
--
2.23.0
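Review bot: The new check leaks one BIGNUM when exactly one of the two `BN_bin2bn` calls fails: `e` and `n` are not yet owned by `rsa` because RSA_set0_key runs only after the check, so `RSA_free(rsa)` does not release the one that succeeded. Free both before returning — BN_free tolerates NULL — `BN_free(e); BN_free(n); RSA_free(rsa);`. The rest of opensslrsa_fromdns is outside the hunk.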


@ -0,0 +1,37 @@
From 0b0718fba3fb81507b7e82e6bca38007a94c475a Mon Sep 17 00:00:00 2001
From: Mark Andrews <marka@isc.org>
Date: Mon, 26 Sep 2022 11:52:55 +1000
Subject: [PATCH] Check that 'e' and 'n' are non-NULL in opensslrsa_todns
Conflict: NA
Reference: https://gitlab.isc.org/isc-projects/bind9/-/commit/0b0718fba3fb81507b7e82e6bca38007a94c475a
(cherry picked from commit 5603cd69d170f49916bec3ca78ab3e4830170950)
---
lib/dns/opensslrsa_link.c | 8 +++++---
1 file changed, 5 insertions(+), 3 deletions(-)
diff --git a/lib/dns/opensslrsa_link.c b/lib/dns/opensslrsa_link.c
index 7aa743394b..b23b6323fa 100644
--- a/lib/dns/opensslrsa_link.c
+++ b/lib/dns/opensslrsa_link.c
@@ -585,13 +585,15 @@ opensslrsa_todns(const dst_key_t *key, isc_buffer_t *data) {
if (rsa == NULL) {
return (dst__openssl_toresult(DST_R_OPENSSLFAILURE));
}
-
- isc_buffer_availableregion(data, &r);
-
RSA_get0_key(rsa, &n, &e, NULL);
+ if (e == NULL || n == NULL) {
+ DST_RET(dst__openssl_toresult(DST_R_OPENSSLFAILURE));
+ }
mod_bytes = BN_num_bytes(n);
e_bytes = BN_num_bytes(e);
+ isc_buffer_availableregion(data, &r);
+
if (e_bytes < 256) { /*%< key exponent is <= 2040 bits */
if (r.length < 1) {
DST_RET(ISC_R_NOSPACE);
--
2.23.0


@ -0,0 +1,52 @@
From 9524c493c9534654adb5c363972adcc521c1907b Mon Sep 17 00:00:00 2001
From: Mark Andrews <marka@isc.org>
Date: Fri, 23 Sep 2022 16:52:44 +1000
Subject: [PATCH] Check that primary key names have not changed
When looking for changes in a catalog zone member zone we need to
also check if the TSIG key name associated with a primary server
has be added, removed or changed.
Conflict: NA
Reference: https://gitlab.isc.org/isc-projects/bind9/-/commit/9524c493c9534654adb5c363972adcc521c1907b
(cherry picked from commit 9172bd9b5a0b039cea187b6c7cc2c1314210c5d6)
---
lib/dns/catz.c | 16 +++++++++++++++-
1 file changed, 15 insertions(+), 1 deletion(-)
diff --git a/lib/dns/catz.c b/lib/dns/catz.c
index e46549be5e..702b081940 100644
--- a/lib/dns/catz.c
+++ b/lib/dns/catz.c
@@ -322,6 +322,20 @@ dns_catz_entry_cmp(const dns_catz_entry_t *ea, const dns_catz_entry_t *eb) {
return (false);
}
+ for (size_t i = 0; i < eb->opts.masters.count; i++) {
+ if ((ea->opts.masters.keys[i] == NULL) !=
+ (eb->opts.masters.keys[i] == NULL)) {
+ return (false);
+ }
+ if (ea->opts.masters.keys[i] == NULL) {
+ continue;
+ }
+ if (!dns_name_equal(ea->opts.masters.keys[i],
+ eb->opts.masters.keys[i])) {
+ return (false);
+ }
+ }
+
/* If one is NULL and the other isn't, the entries don't match */
if ((ea->opts.allow_query == NULL) != (eb->opts.allow_query == NULL)) {
return (false);
@@ -350,7 +364,7 @@ dns_catz_entry_cmp(const dns_catz_entry_t *ea, const dns_catz_entry_t *eb) {
}
}
- /* xxxwpk TODO compare dscps/keys! */
+ /* xxxwpk TODO compare dscps! */
return (true);
}
--
2.23.0
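Review bot: The new loop is bounded by `eb->opts.masters.count` but indexes both `ea->opts.masters.keys[i]` and `eb->opts.masters.keys[i]`, so it reads past ea's array unless the two counts were already compared equal above the hunk (the `return (false)` at its top suggests such a check, but it is not visible). Making the hunk self-contained costs one guard, `if (ea->opts.masters.count != eb->opts.masters.count) { return (false); }` placed before the loop. It also assumes both `keys` arrays are allocated whenever count is nonzero; if an ipkeylist can carry addresses with `keys == NULL`, the arrays themselves need a NULL test as well. dns_catz_entry_cmp starts before this hunk.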


@ -1,10 +1,10 @@
From 1f7d2d53f0e5b86e22e1dd116868bb69eeacb1a0 Mon Sep 17 00:00:00 2001
From: Ondrej Sur <oerdnj@isc-projects>
Date: Wed, 15 Dec 2021 08:25:29 PM GMT+0800
Subject: [PATCH] Disable the internale memory allocator by default
From: Ondřej Sur <oerdnj@isc-projects>
Date: Wed, 15 Dec 2021 08:25:42 PM GMT+0800
Subject: [PATCH] Disable the internal memory allocator by default
Conflict:NA
Reference:https://githun.com/isc-projects/bind9/commit/1f7d2d53f0e5b86e22e1dd116868bb69eeacb1a0
Reference:https://github.com/isc-projects/bind9/commit/1f7d2d53f0e5b86e22e1dd116868bb69eeacb1a0
---
bin/named/main.c | 1 +
@ -12,14 +12,14 @@ Reference:https://githun.com/isc-projects/bind9/commit/1f7d2d53f0e5b86e22e1dd116
2 files changed, 2 insertions(+), 1 deletion(-)
diff --git a/bin/named/main.c b/bin/named/main.c
index f62f82c..b3d2498 100644
index f62f82c..c7c35ce 100644
--- a/bin/named/main.c
+++ b/bin/named/main.c
@@ -456,6 +456,7 @@ static struct flag_def {
{ "mctx", ISC_MEM_DEBUGCTX, false },
{ NULL, 0, false } },
mem_context_flags[] = { { "external", ISC_MEMFLAG_INTERNAL, true },
+ { "internal", ISC_MEMFLAG_INTERNAL, false },
+ { "internal", ISC_MEMFLAG_INTERNAL, false },
{ "fill", ISC_MEMFLAG_FILL, false },
{ "nofill", ISC_MEMFLAG_FILL, true },
{ NULL, 0, false } };
@ -37,5 +37,5 @@ index 58e1d0e..b9f58fa 100644
/*
--
2.23.0
2.33.0


@ -0,0 +1,146 @@
From dff843199f3ed60090eb6e9ae60e9278c82bec5f Mon Sep 17 00:00:00 2001
From: Tony Finch <fanf@isc.org>
Date: Fri, 9 Sep 2022 08:21:10 +0100
Subject: [PATCH] Ensure that named_server_t is properly initialized
Conflict: NA
Reference: https://gitlab.isc.org/isc-projects/bind9/-/commit/dff843199f3ed60090eb6e9ae60e9278c82bec5f
There was a ubsan error reporting an invalid value for interface_auto
(a boolean value cannot be 190) because it was not initialized. To
avoid this problem happening again, ensure the whole of the server
structure is initialized to zero before setting the (relatively few)
non-zero elements.
---
bin/named/server.c | 72 ++++++----------------------------------------
1 files changed, 9 insertions(+), 63 deletions(-)
diff --git a/bin/named/server.c b/bin/named/server.c
index 54b13f8f54..b4cbd953a9 100644
--- a/bin/named/server.c
+++ b/bin/named/server.c
@@ -9971,13 +9971,14 @@ named_server_create(isc_mem_t *mctx, named_server_t **serverp) {
isc_result_t result;
named_server_t *server = isc_mem_get(mctx, sizeof(*server));
- if (server == NULL) {
- fatal(server, "allocating server object", ISC_R_NOMEMORY);
- }
-
- server->mctx = mctx;
- server->task = NULL;
- server->zonemgr = NULL;
+ *server = (named_server_t){
+ .mctx = mctx,
+ .statsfile = isc_mem_strdup(mctx, "named.stats"),
+ .bindkeysfile = isc_mem_strdup(mctx, named_g_defaultbindkeys),
+ .dumpfile = isc_mem_strdup(mctx, "named_dump.db"),
+ .secrootsfile = isc_mem_strdup(mctx, "named.secroots"),
+ .recfile = isc_mem_strdup(mctx, "named.recursing"),
+ };
#ifdef USE_DNSRPS
CHECKFATAL(dns_dnsrps_server_create(), "initializing RPZ service "
@@ -9985,10 +9986,8 @@ named_server_create(isc_mem_t *mctx, named_server_t **serverp) {
#endif /* ifdef USE_DNSRPS */
/* Initialize server data structures. */
- server->interfacemgr = NULL;
ISC_LIST_INIT(server->kasplist);
ISC_LIST_INIT(server->viewlist);
- server->in_roothints = NULL;
/* Must be first. */
CHECKFATAL(dst_lib_init(named_g_mctx, named_g_engine), "initializing "
@@ -10018,7 +10017,6 @@ named_server_create(isc_mem_t *mctx, named_server_t **serverp) {
isc_task_setname(server->task, "server", server);
isc_taskmgr_setexcltask(named_g_taskmgr, server->task);
- server->sctx = NULL;
CHECKFATAL(ns_server_create(mctx, get_matching_view, &server->sctx),
"creating server context");
@@ -10042,14 +10040,6 @@ named_server_create(isc_mem_t *mctx, named_server_t **serverp) {
isc_app_onrun(named_g_mctx, server->task, run_server, server),
"isc_app_onrun");
- server->interface_timer = NULL;
- server->heartbeat_timer = NULL;
- server->pps_timer = NULL;
- server->tat_timer = NULL;
-
- server->interface_interval = 0;
- server->heartbeat_interval = 0;
-
CHECKFATAL(dns_zonemgr_create(named_g_mctx, named_g_taskmgr,
named_g_timermgr, named_g_socketmgr,
&server->zonemgr),
@@ -10057,37 +10047,6 @@ named_server_create(isc_mem_t *mctx, named_server_t **serverp) {
CHECKFATAL(dns_zonemgr_setsize(server->zonemgr, 1000), "dns_zonemgr_"
"setsize");
- server->statsfile = isc_mem_strdup(server->mctx, "named.stats");
- CHECKFATAL(server->statsfile == NULL ? ISC_R_NOMEMORY : ISC_R_SUCCESS,
- "isc_mem_strdup");
-
- server->bindkeysfile = isc_mem_strdup(server->mctx,
- named_g_defaultbindkeys);
- CHECKFATAL(server->bindkeysfile == NULL ? ISC_R_NOMEMORY
- : ISC_R_SUCCESS,
- "isc_mem_strdup");
-
- server->dumpfile = isc_mem_strdup(server->mctx, "named_dump.db");
- CHECKFATAL(server->dumpfile == NULL ? ISC_R_NOMEMORY : ISC_R_SUCCESS,
- "isc_mem_strdup");
-
- server->secrootsfile = isc_mem_strdup(server->mctx, "named.secroots");
- CHECKFATAL(server->secrootsfile == NULL ? ISC_R_NOMEMORY
- : ISC_R_SUCCESS,
- "isc_mem_strdup");
-
- server->recfile = isc_mem_strdup(server->mctx, "named.recursing");
- CHECKFATAL(server->recfile == NULL ? ISC_R_NOMEMORY : ISC_R_SUCCESS,
- "isc_mem_strdup");
-
- server->hostname_set = false;
- server->hostname = NULL;
- server->version_set = false;
- server->version = NULL;
-
- server->zonestats = NULL;
- server->resolverstats = NULL;
- server->sockstats = NULL;
CHECKFATAL(isc_stats_create(server->mctx, &server->sockstats,
isc_sockstatscounter_max),
"isc_stats_create");
@@ -10102,28 +10061,15 @@ named_server_create(isc_mem_t *mctx, named_server_t **serverp) {
dns_resstatscounter_max),
"dns_stats_create (resolver)");
- server->flushonshutdown = false;
-
- server->controls = NULL;
CHECKFATAL(named_controls_create(server, &server->controls),
"named_controls_create");
- server->dispatchgen = 0;
+
ISC_LIST_INIT(server->dispatches);
ISC_LIST_INIT(server->statschannels);
ISC_LIST_INIT(server->cachelist);
- server->sessionkey = NULL;
- server->session_keyfile = NULL;
- server->session_keyname = NULL;
- server->session_keyalg = DST_ALG_UNKNOWN;
- server->session_keybits = 0;
-
- server->lockfile = NULL;
-
- server->dtenv = NULL;
-
server->magic = NAMED_SERVER_MAGIC;
*serverp = server;
}
--
2.23.0
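Review bot: The five `isc_mem_strdup()` results placed into the compound literal in the first hunk are no longer checked for NULL, whereas the removed lines guarded each one with CHECKFATAL; this is only safe if this tree's `isc_mem_strdup()` and `isc_mem_get()` abort on allocation failure instead of returning NULL, which the backport should confirm, since the removed `if (server == NULL)` check suggests that contract was not previously taken for granted here. The zero-initialization itself is the right fix: every field not named in the initializer, including the `interface_auto` flag from the ubsan report, now starts as zero rather than heap garbage. A short comment above the literal, `/* Zero the whole struct; only non-zero defaults are listed. Fields omitted here start as NULL/0/false. */`, would make that intent explicit for later additions. named_server_create() begins before the first hunk and the body between hunks is not visible here.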


@ -0,0 +1,30 @@
From 3e77d6bf87f4a8c8793c9dd2a506432a24a4366c Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Petr=20=C5=A0pa=C4=8Dek?= <pspacek@isc.org>
Date: Mon, 19 Sep 2022 09:07:51 +0200
Subject: [PATCH] Fix memory leak in dns_message_checksig() - SIG(0) sigs
Impact should be visible only in tests or tools because named never
uses view == NULL, which is a necessary condition to trigger this leak.
Conflict: NA
Reference: https://gitlab.isc.org/isc-projects/bind9/-/commit/3e77d6bf87f4a8c8793c9dd2a506432a24a4366c
(cherry picked from commit 69256b3553d3b8b73b6fa4de9b030b39f1b96d34)
---
lib/dns/message.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/lib/dns/message.c b/lib/dns/message.c
index 0b5d9355e5..7b3d72abd9 100644
--- a/lib/dns/message.c
+++ b/lib/dns/message.c
@@ -3227,7 +3227,8 @@ dns_message_checksig(dns_message_t *msg, dns_view_t *view) {
dns_rdataset_init(&keyset);
if (view == NULL) {
- return (DNS_R_KEYUNAUTHORIZED);
+ result = DNS_R_KEYUNAUTHORIZED;
+ goto freesig;
}
result = dns_view_simplefind(view, &sig.signer,
dns_rdatatype_key /* SIG(0) */, 0,
--
2.23.0
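Review bot: The new `goto freesig` relies on a cleanup label outside the hunk, so it is worth checking that `freesig` tolerates the state at this point: `keyset` has only been initialized by `dns_rdataset_init()` on the line above and never associated, so the cleanup must test `dns_rdataset_isassociated()` before disassociating it, as I believe the existing label does. The change itself correctly ensures the SIG(0) rdata populated earlier in dns_message_checksig() is released on the `view == NULL` path instead of being leaked by the early return. dns_message_checksig() starts and ends outside the hunk.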


@ -0,0 +1,39 @@
From b6aeccf697729c4c721fc71da7063bb18a89c751 Mon Sep 17 00:00:00 2001
From: Aram Sargsyan <aram@isc.org>
Date: Tue, 18 Oct 2022 08:54:04 +0000
Subject: [PATCH] Fix ns_statscounter_recursclients counting bug
The incrementing and decrementing of 'ns_statscounter_recursclients'
were not properly balanced: for example, it would be incremented for
a prefetch query but not decremented if the query failed.
This commit ensures that the recursion quota and the recursive clients
counter are always in sync with each other.
Conflict: NA
Reference: https://gitlab.isc.org/isc-projects/bind9/-/commit/b6aeccf697729c4c721fc71da7063bb18a89c751
(cherry picked from commit 82991451b41793af201d070aba654c4ea89819cb)
---
lib/ns/client.c | 6 ++----
1 file changed, 2 insertions(+), 4 deletions(-)
diff --git a/lib/ns/client.c b/lib/ns/client.c
index 41d3fa0..dc8a10a 100644
--- a/lib/ns/client.c
+++ b/lib/ns/client.c
@@ -242,10 +242,8 @@ ns_client_endrequest(ns_client_t *client) {
*/
if (client->recursionquota != NULL) {
isc_quota_detach(&client->recursionquota);
- if (client->query.prefetch == NULL) {
- ns_stats_decrement(client->sctx->nsstats,
- ns_statscounter_recursclients);
- }
+ ns_stats_decrement(client->sctx->nsstats,
+ ns_statscounter_recursclients);
}
/*
--
2.33.0
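Review bot: The decrement is now unconditional whenever `client->recursionquota` is detached, so the invariant the commit message relies on — quota attached if and only if the counter was incremented — has to hold at every quota attach site, none of which are in this hunk; if any site attaches the quota without incrementing `ns_statscounter_recursclients`, or increments without attaching, the counter will now drift in the other direction. A comment tying the two together would help future edits stay balanced: `/* The recursion quota and recursclients counter are attached/incremented together; keep them in sync. */`. ns_client_endrequest() begins and continues outside the hunk.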


@ -0,0 +1,28 @@
From 2c8e38f359bb90bcec67419ce95d2eee81bfd7a2 Mon Sep 17 00:00:00 2001
From: Mark Andrews <marka@isc.org>
Date: Mon, 26 Sep 2022 12:05:33 +1000
Subject: [PATCH] Free 'n' on error path in rsa_check
Conflict: NA
Reference: https://gitlab.isc.org/isc-projects/bind9/-/commit/2c8e38f359bb90bcec67419ce95d2eee81bfd7a2
(cherry picked from commit 483c5a19781b0930c6e72bb2b498130c3f83d13f)
---
lib/dns/opensslrsa_link.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/lib/dns/opensslrsa_link.c b/lib/dns/opensslrsa_link.c
index b744a62df9..9bee2f0449 100644
--- a/lib/dns/opensslrsa_link.c
+++ b/lib/dns/opensslrsa_link.c
@@ -852,6 +852,9 @@ rsa_check(RSA *rsa, RSA *pub) {
}
if (e1 != NULL) {
if (BN_cmp(e1, e2) != 0) {
+ if (n != NULL) {
+ BN_free(n);
+ }
return (DST_R_INVALIDPRIVATEKEY);
}
} else {
--
2.23.0
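Review bot: `BN_free()` already accepts NULL, so the `if (n != NULL)` guard around the added call is redundant; a plain `BN_free(n);` before the return is enough and matches OpenSSL convention. rsa_check() has other early returns before and after this hunk that are not visible here; if they were written in the same style they may leak `n` as well and deserve the same treatment.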


@ -0,0 +1,29 @@
From 6f1e04409a24b275d756fdddc1ed8fffc2d48254 Mon Sep 17 00:00:00 2001
From: Mark Andrews <marka@isc.org>
Date: Mon, 26 Sep 2022 11:51:05 +1000
Subject: [PATCH] Free 'rsa' if 'e' is NULL in opensslrsa_verify2
Conflict: NA
Reference: https://gitlab.isc.org/isc-projects/bind9/-/commit/6f1e04409a24b275d756fdddc1ed8fffc2d48254
(cherry picked from commit a2b51ca6acae9e1c819e0d2e4aa1584b675c4cb7)
---
lib/dns/opensslrsa_link.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/lib/dns/opensslrsa_link.c b/lib/dns/opensslrsa_link.c
index b0d8dd85b9..7aa743394b 100644
--- a/lib/dns/opensslrsa_link.c
+++ b/lib/dns/opensslrsa_link.c
@@ -333,6 +333,10 @@ opensslrsa_verify2(dst_context_t *dctx, int maxbits, const isc_region_t *sig) {
return (dst__openssl_toresult(DST_R_OPENSSLFAILURE));
}
RSA_get0_key(rsa, NULL, &e, NULL);
+ if (e == NULL) {
+ RSA_free(rsa);
+ return (dst__openssl_toresult(DST_R_VERIFYFAILURE));
+ }
bits = BN_num_bits(e);
RSA_free(rsa);
if (bits > maxbits && maxbits != 0) {
--
2.23.0
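Review bot: The new NULL check is placed correctly, but the ordering constraint it sits next to is undocumented: `e` is owned by `rsa` (`RSA_get0_key()` does not transfer ownership), so `BN_num_bits(e)` must run before the existing `RSA_free(rsa)` on the following line, and a later refactor that hoists the free would read freed memory. Suggest a comment on the `RSA_get0_key` line: `/* 'e' is owned by 'rsa'; read it before RSA_free() below. */`. opensslrsa_verify2() begins and continues outside the hunk.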


@ -0,0 +1,408 @@
From ba89da052a025928823055614e3f43fe8f8e3ef8 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Ond=C5=99ej=20Sur=C3=BD?= <ondrej@isc.org>
Date: Tue, 8 Mar 2022 11:22:55 +0100
Subject: [PATCH] Make isc_ht_init() and isc_ht_iter_create() return void
Previously, the function(s) in the commit subject could fail for various
reasons - mostly allocation failures, or other functions returning
different return code than ISC_R_SUCCESS. Now, the aforementioned
function(s) cannot ever fail and they would always return ISC_R_SUCCESS.
Change the function(s) to return void and remove the extra checks in
the code that uses them.
Conflict:NA
Reference:https://gitlab.isc.org/isc-projects/bind9/-/commit/ba89da052a025928823055614e3f43fe8f8e3ef8.patch
(cherry picked from commit 8fa27365ec8ea47b498ea64a9b72553c0b662b6b)
---
bin/plugins/filter-aaaa.c | 4 +-
lib/dns/catz.c | 82 ++++++++++-----------------------------
lib/dns/rpz.c | 29 ++------------
lib/isc/ht.c | 7 +---
lib/isc/include/isc/ht.h | 13 +++----
lib/isc/tests/ht_test.c | 9 ++---
6 files changed, 35 insertions(+), 109 deletions(-)
diff --git a/bin/plugins/filter-aaaa.c b/bin/plugins/filter-aaaa.c
index 1db3ca2..c390b45 100644
--- a/bin/plugins/filter-aaaa.c
+++ b/bin/plugins/filter-aaaa.c
@@ -337,7 +337,7 @@ plugin_register(const char *parameters, const void *cfg, const char *cfg_file,
unsigned long cfg_line, isc_mem_t *mctx, isc_log_t *lctx,
void *actx, ns_hooktable_t *hooktable, void **instp) {
filter_instance_t *inst = NULL;
- isc_result_t result;
+ isc_result_t result = ISC_R_SUCCESS;
isc_log_write(lctx, NS_LOGCATEGORY_GENERAL, NS_LOGMODULE_HOOKS,
ISC_LOG_INFO,
@@ -355,7 +355,7 @@ plugin_register(const char *parameters, const void *cfg, const char *cfg_file,
}
isc_mempool_create(mctx, sizeof(filter_data_t), &inst->datapool);
- CHECK(isc_ht_init(&inst->ht, mctx, 16));
+ isc_ht_init(&inst->ht, mctx, 16);
isc_mutex_init(&inst->hlock);
/*
diff --git a/lib/dns/catz.c b/lib/dns/catz.c
index 77b7a24..fbe13f4 100644
--- a/lib/dns/catz.c
+++ b/lib/dns/catz.c
@@ -418,39 +418,21 @@ dns_catz_zones_merge(dns_catz_zone_t *target, dns_catz_zone_t *newzone) {
dns_name_format(&target->name, czname, DNS_NAME_FORMATSIZE);
- result = isc_ht_init(&toadd, target->catzs->mctx, 16);
- if (result != ISC_R_SUCCESS) {
- goto cleanup;
- }
+ isc_ht_init(&toadd, target->catzs->mctx, 16);
- result = isc_ht_init(&tomod, target->catzs->mctx, 16);
- if (result != ISC_R_SUCCESS) {
- goto cleanup;
- }
+ isc_ht_init(&tomod, target->catzs->mctx, 16);
- result = isc_ht_iter_create(newzone->entries, &iter1);
- if (result != ISC_R_SUCCESS) {
- goto cleanup;
- }
+ isc_ht_iter_create(newzone->entries, &iter1);
- result = isc_ht_iter_create(target->entries, &iter2);
- if (result != ISC_R_SUCCESS) {
- goto cleanup;
- }
+ isc_ht_iter_create(target->entries, &iter2);
/*
* We can create those iterators now, even though toadd and tomod are
* empty
*/
- result = isc_ht_iter_create(toadd, &iteradd);
- if (result != ISC_R_SUCCESS) {
- goto cleanup;
- }
+ isc_ht_iter_create(toadd, &iteradd);
- result = isc_ht_iter_create(tomod, &itermod);
- if (result != ISC_R_SUCCESS) {
- goto cleanup;
- }
+ isc_ht_iter_create(tomod, &itermod);
/*
* First - walk the new zone and find all nodes that are not in the
@@ -598,25 +580,11 @@ dns_catz_zones_merge(dns_catz_zone_t *target, dns_catz_zone_t *newzone) {
result = ISC_R_SUCCESS;
-cleanup:
- if (iter1 != NULL) {
- isc_ht_iter_destroy(&iter1);
- }
- if (iter2 != NULL) {
- isc_ht_iter_destroy(&iter2);
- }
- if (iteradd != NULL) {
- isc_ht_iter_destroy(&iteradd);
- }
- if (itermod != NULL) {
- isc_ht_iter_destroy(&itermod);
- }
- if (toadd != NULL) {
- isc_ht_destroy(&toadd);
- }
- if (tomod != NULL) {
- isc_ht_destroy(&tomod);
- }
+ isc_ht_iter_destroy(&iteradd);
+ isc_ht_iter_destroy(&itermod);
+ isc_ht_destroy(&toadd);
+ isc_ht_destroy(&tomod);
+
return (result);
}
@@ -637,10 +605,7 @@ dns_catz_new_zones(dns_catz_zones_t **catzsp, dns_catz_zonemodmethods_t *zmm,
isc_refcount_init(&new_zones->refs, 1);
- result = isc_ht_init(&new_zones->zones, mctx, 4);
- if (result != ISC_R_SUCCESS) {
- goto cleanup_refcount;
- }
+ isc_ht_init(&new_zones->zones, mctx, 4);
isc_mem_attach(mctx, &new_zones->mctx);
new_zones->zmm = zmm;
@@ -658,7 +623,6 @@ dns_catz_new_zones(dns_catz_zones_t **catzsp, dns_catz_zonemodmethods_t *zmm,
cleanup_ht:
isc_ht_destroy(&new_zones->zones);
-cleanup_refcount:
isc_refcount_destroy(&new_zones->refs);
isc_mutex_destroy(&new_zones->lock);
isc_mem_putanddetach(&new_zones->mctx, new_zones, sizeof(*new_zones));
@@ -693,10 +657,7 @@ dns_catz_new_zone(dns_catz_zones_t *catzs, dns_catz_zone_t **zonep,
dns_name_init(&new_zone->name, NULL);
dns_name_dup(name, catzs->mctx, &new_zone->name);
- result = isc_ht_init(&new_zone->entries, catzs->mctx, 4);
- if (result != ISC_R_SUCCESS) {
- goto cleanup_name;
- }
+ isc_ht_init(&new_zone->entries, catzs->mctx, 4);
new_zone->updatetimer = NULL;
result = isc_timer_create(catzs->timermgr, isc_timertype_inactive, NULL,
@@ -726,7 +687,6 @@ dns_catz_new_zone(dns_catz_zones_t *catzs, dns_catz_zone_t **zonep,
cleanup_ht:
isc_ht_destroy(&new_zone->entries);
-cleanup_name:
dns_name_free(&new_zone->name, catzs->mctx);
isc_mem_put(catzs->mctx, new_zone, sizeof(*new_zone));
@@ -827,8 +787,7 @@ dns_catz_zone_detach(dns_catz_zone_t **zonep) {
if (zone->entries != NULL) {
isc_ht_iter_t *iter = NULL;
isc_result_t result;
- result = isc_ht_iter_create(zone->entries, &iter);
- INSIST(result == ISC_R_SUCCESS);
+ isc_ht_iter_create(zone->entries, &iter);
for (result = isc_ht_iter_first(iter);
result == ISC_R_SUCCESS;
result = isc_ht_iter_delcurrent_next(iter))
@@ -884,8 +843,7 @@ dns_catz_catzs_detach(dns_catz_zones_t **catzsp) {
if (catzs->zones != NULL) {
isc_ht_iter_t *iter = NULL;
isc_result_t result;
- result = isc_ht_iter_create(catzs->zones, &iter);
- INSIST(result == ISC_R_SUCCESS);
+ isc_ht_iter_create(catzs->zones, &iter);
for (result = isc_ht_iter_first(iter);
result == ISC_R_SUCCESS;) {
dns_catz_zone_t *zone = NULL;
@@ -2060,8 +2018,7 @@ dns_catz_prereconfig(dns_catz_zones_t *catzs) {
REQUIRE(DNS_CATZ_ZONES_VALID(catzs));
- result = isc_ht_iter_create(catzs->zones, &iter);
- INSIST(result == ISC_R_SUCCESS);
+ isc_ht_iter_create(catzs->zones, &iter);
for (result = isc_ht_iter_first(iter); result == ISC_R_SUCCESS;
result = isc_ht_iter_next(iter))
{
@@ -2082,8 +2039,7 @@ dns_catz_postreconfig(dns_catz_zones_t *catzs) {
REQUIRE(DNS_CATZ_ZONES_VALID(catzs));
LOCK(&catzs->lock);
- result = isc_ht_iter_create(catzs->zones, &iter);
- INSIST(result == ISC_R_SUCCESS);
+ isc_ht_iter_create(catzs->zones, &iter);
for (result = isc_ht_iter_first(iter); result == ISC_R_SUCCESS;) {
dns_catz_zone_t *zone = NULL;
@@ -2122,5 +2078,7 @@ dns_catz_postreconfig(dns_catz_zones_t *catzs) {
isc_result_t
dns_catz_get_iterator(dns_catz_zone_t *catz, isc_ht_iter_t **itp) {
REQUIRE(DNS_CATZ_ZONE_VALID(catz));
- return (isc_ht_iter_create(catz->entries, itp));
+ isc_ht_iter_create(catz->entries, itp);
+
+ return (ISC_R_SUCCESS);
}
diff --git a/lib/dns/rpz.c b/lib/dns/rpz.c
index 1bdaac9..13cfc85 100644
--- a/lib/dns/rpz.c
+++ b/lib/dns/rpz.c
@@ -1541,10 +1541,7 @@ dns_rpz_new_zone(dns_rpz_zones_t *rpzs, dns_rpz_zone_t **rpzp) {
* simplifies update_from_db
*/
- result = isc_ht_init(&zone->nodes, rpzs->mctx, 1);
- if (result != ISC_R_SUCCESS) {
- goto cleanup_ht;
- }
+ isc_ht_init(&zone->nodes, rpzs->mctx, 1);
dns_name_init(&zone->origin, NULL);
dns_name_init(&zone->client_ip, NULL);
@@ -1578,9 +1575,6 @@ dns_rpz_new_zone(dns_rpz_zones_t *rpzs, dns_rpz_zone_t **rpzp) {
return (ISC_R_SUCCESS);
-cleanup_ht:
- isc_timer_detach(&zone->updatetimer);
-
cleanup_timer:
isc_refcount_decrementz(&zone->refs);
isc_refcount_destroy(&zone->refs);
@@ -1724,14 +1718,7 @@ setup_update(dns_rpz_zone_t *rpz) {
ISC_LOG_DEBUG(1), "rpz: %s: using hashtable size %d",
domain, hashsize);
- result = isc_ht_init(&rpz->newnodes, rpz->rpzs->mctx, hashsize);
- if (result != ISC_R_SUCCESS) {
- isc_log_write(dns_lctx, DNS_LOGCATEGORY_GENERAL,
- DNS_LOGMODULE_MASTER, ISC_LOG_ERROR,
- "rpz: %s: failed to initialize hashtable - %s",
- domain, isc_result_totext(result));
- goto cleanup;
- }
+ isc_ht_init(&rpz->newnodes, rpz->rpzs->mctx, hashsize);
result = dns_db_createiterator(rpz->updb, DNS_DB_NONSEC3, &rpz->updbit);
if (result != ISC_R_SUCCESS) {
@@ -1838,17 +1825,7 @@ cleanup_quantum(isc_task_t *task, isc_event_t *event) {
* Iterate over old ht with existing nodes deleted to
* delete deleted nodes from RPZ
*/
- result = isc_ht_iter_create(rpz->nodes, &iter);
- if (result != ISC_R_SUCCESS) {
- dns_name_format(&rpz->origin, domain,
- DNS_NAME_FORMATSIZE);
- isc_log_write(dns_lctx, DNS_LOGCATEGORY_GENERAL,
- DNS_LOGMODULE_MASTER, ISC_LOG_ERROR,
- "rpz: %s: failed to create HT "
- "iterator - %s",
- domain, isc_result_totext(result));
- goto cleanup;
- }
+ isc_ht_iter_create(rpz->nodes, &iter);
}
name = dns_fixedname_initname(&fname);
diff --git a/lib/isc/ht.c b/lib/isc/ht.c
index 82f8ac8..88e8578 100644
--- a/lib/isc/ht.c
+++ b/lib/isc/ht.c
@@ -47,7 +47,7 @@ struct isc_ht_iter {
isc_ht_node_t *cur;
};
-isc_result_t
+void
isc_ht_init(isc_ht_t **htp, isc_mem_t *mctx, uint8_t bits) {
isc_ht_t *ht = NULL;
size_t i;
@@ -74,7 +74,6 @@ isc_ht_init(isc_ht_t **htp, isc_mem_t *mctx, uint8_t bits) {
ht->magic = ISC_HT_MAGIC;
*htp = ht;
- return (ISC_R_SUCCESS);
}
void
@@ -199,7 +198,7 @@ isc_ht_delete(isc_ht_t *ht, const unsigned char *key, uint32_t keysize) {
return (ISC_R_NOTFOUND);
}
-isc_result_t
+void
isc_ht_iter_create(isc_ht_t *ht, isc_ht_iter_t **itp) {
isc_ht_iter_t *it;
@@ -213,8 +212,6 @@ isc_ht_iter_create(isc_ht_t *ht, isc_ht_iter_t **itp) {
it->cur = NULL;
*itp = it;
-
- return (ISC_R_SUCCESS);
}
void
diff --git a/lib/isc/include/isc/ht.h b/lib/isc/include/isc/ht.h
index 9d5ab82..280ee7e 100644
--- a/lib/isc/include/isc/ht.h
+++ b/lib/isc/include/isc/ht.h
@@ -31,11 +31,8 @@ typedef struct isc_ht_iter isc_ht_iter_t;
*\li 'mctx' is a valid memory context.
*\li 'bits' >=1 and 'bits' <=32
*
- * Returns:
- *\li #ISC_R_NOMEMORY -- not enough memory to create pool
- *\li #ISC_R_SUCCESS -- all is well.
*/
-isc_result_t
+void
isc_ht_init(isc_ht_t **htp, isc_mem_t *mctx, uint8_t bits);
/*%
@@ -100,7 +97,7 @@ isc_ht_delete(isc_ht_t *ht, const unsigned char *key, uint32_t keysize);
*\li 'ht' is a valid hashtable
*\li 'itp' is non NULL and '*itp' is NULL.
*/
-isc_result_t
+void
isc_ht_iter_create(isc_ht_t *ht, isc_ht_iter_t **itp);
/*%
@@ -119,7 +116,7 @@ isc_ht_iter_destroy(isc_ht_iter_t **itp);
*\li 'it' is non NULL.
*
* Returns:
- * \li #ISC_R_SUCCESS -- success
+ * \li #ISC_R_SUCCESS -- success
* \li #ISC_R_NOMORE -- no data in the hashtable
*/
isc_result_t
@@ -132,7 +129,7 @@ isc_ht_iter_first(isc_ht_iter_t *it);
*\li 'it' is non NULL.
*
* Returns:
- * \li #ISC_R_SUCCESS -- success
+ * \li #ISC_R_SUCCESS -- success
* \li #ISC_R_NOMORE -- end of hashtable reached
*/
isc_result_t
@@ -145,7 +142,7 @@ isc_ht_iter_next(isc_ht_iter_t *it);
*\li 'it' is non NULL.
*
* Returns:
- * \li #ISC_R_SUCCESS -- success
+ * \li #ISC_R_SUCCESS -- success
* \li #ISC_R_NOMORE -- end of hashtable reached
*/
isc_result_t
diff --git a/lib/isc/tests/ht_test.c b/lib/isc/tests/ht_test.c
index 6a8e319..61b8c3d 100644
--- a/lib/isc/tests/ht_test.c
+++ b/lib/isc/tests/ht_test.c
@@ -59,8 +59,7 @@ test_ht_full(int bits, uintptr_t count) {
isc_result_t result;
uintptr_t i;
- result = isc_ht_init(&ht, test_mctx, bits);
- assert_int_equal(result, ISC_R_SUCCESS);
+ isc_ht_init(&ht, test_mctx, bits);
assert_non_null(ht);
for (i = 1; i < count; i++) {
@@ -205,8 +204,7 @@ test_ht_iterator() {
unsigned char key[16];
size_t tksize;
- result = isc_ht_init(&ht, test_mctx, 16);
- assert_int_equal(result, ISC_R_SUCCESS);
+ isc_ht_init(&ht, test_mctx, 16);
assert_non_null(ht);
for (i = 1; i <= count; i++) {
/*
@@ -220,8 +218,7 @@ test_ht_iterator() {
}
walked = 0;
- result = isc_ht_iter_create(ht, &iter);
- assert_int_equal(result, ISC_R_SUCCESS);
+ isc_ht_iter_create(ht, &iter);
for (result = isc_ht_iter_first(iter); result == ISC_R_SUCCESS;
result = isc_ht_iter_next(iter))
--
2.33.0
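Review bot: In the second lib/dns/catz.c hunk (`dns_catz_zones_merge`) the rewritten tail destroys `iteradd`, `itermod`, `toadd` and `tomod` but no longer destroys `iter1` and `iter2`, which the removed `cleanup:` block did; presumably both are destroyed right after their walks in the body between the two hunks, which is not visible here, and the backport should confirm that, since a leaked iterator per merge would grow with every catalog-zone update. Removing the `cleanup:` label also means any `goto cleanup` left in that body would fail to compile, which is a useful check that the backport is complete. The same "init can no longer fail" assumption drives the rpz.c and filter-aaaa.c hunks; it holds only if this tree's `isc_ht_init()` and `isc_ht_iter_create()` already abort on allocation failure rather than returning an error, as the ht.c hunk implies by dropping the `ISC_R_SUCCESS` returns without adding any other path.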



@ -0,0 +1,29 @@
From ba9a140e1f3165145164a5923c65461824d80ab3 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= <pemensik@redhat.com>
Date: Thu, 11 Aug 2022 11:41:30 +0200
Subject: [PATCH] Reset parser before parsing of internal trust anchor
It might be reused if /etc/bind.keys exists, but failed correct parsing.
Release traces of previous parsing attempt of different data.
Conflict: NA
Reference: https://gitlab.isc.org/isc-projects/bind9/-/commit/ba9a140e1f3165145164a5923c65461824d80ab3
(cherry picked from commit dc07394c4724c1e1235af85dd8c044af70da93ae)
---
bin/delv/delv.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/bin/delv/delv.c b/bin/delv/delv.c
index f4c7c015dd..0702eec862 100644
--- a/bin/delv/delv.c
+++ b/bin/delv/delv.c
@@ -852,6 +852,7 @@ setup_dnsseckeys(dns_client_t *client) {
isc_buffer_init(&b, anchortext, sizeof(anchortext) - 1);
isc_buffer_add(&b, sizeof(anchortext) - 1);
+ cfg_parser_reset(parser);
result = cfg_parse_buffer(parser, &b, NULL, 0,
&cfg_type_bindkeys, 0, &bindkeys);
if (result != ISC_R_SUCCESS) {
--
2.23.0
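Review bot: The added `cfg_parser_reset(parser)` carries no comment explaining why a reset is needed at this point, and the reason is subtle: the same parser was already used on the bind.keys file, and a failed parse leaves state that would otherwise carry into parsing the built-in trust anchor text. Suggest `/* 'parser' may hold state from a failed parse of the bind.keys file; reset it before parsing the built-in anchors. */` above the call. setup_dnsseckeys() starts and continues outside the hunk, so the earlier parse attempt is not visible here.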


@ -0,0 +1,107 @@
From 2022384b8dc7249671d521dc9ef5a292a960521d Mon Sep 17 00:00:00 2001
From: Matthijs Mekking <matthijs@isc.org>
Date: Wed, 13 Jul 2022 10:27:18 +0200
Subject: [PATCH] Test dnssec-policy max-zone-ttl rejects zone with too high
TTL
Similar to the 'max-zone-ttl' zone option, the 'dnssec-policy' option
should reject zones with TTLs that are out of range.
Conflict: NA
Reference: https://gitlab.isc.org/isc-projects/bind9/-/commit/2022384b8dc7249671d521dc9ef5a292a960521d
---
bin/tests/system/kasp/ns3/named.conf.in | 9 +++++++
.../system/kasp/ns3/policies/kasp.conf.in | 4 ++++
bin/tests/system/kasp/ns3/setup.sh | 24 ++++++++-----------
bin/tests/system/kasp/tests.sh | 9 +++++++
4 files changed, 32 insertions(+), 14 deletions(-)
diff --git a/bin/tests/system/kasp/ns3/named.conf.in b/bin/tests/system/kasp/ns3/named.conf.in
index e229fd9158..64ae2aa402 100644
--- a/bin/tests/system/kasp/ns3/named.conf.in
+++ b/bin/tests/system/kasp/ns3/named.conf.in
@@ -223,6 +223,15 @@ zone "ecdsa384.kasp" {
dnssec-policy "ecdsa384";
};
+/*
+ * Zone with too high TTL.
+ */
+zone "max-zone-ttl.kasp" {
+ type primary;
+ file "max-zone-ttl.kasp.db";
+ dnssec-policy "ttl";
+};
+
/*
* Zones in different signing states.
*/
diff --git a/bin/tests/system/kasp/ns3/policies/kasp.conf.in b/bin/tests/system/kasp/ns3/policies/kasp.conf.in
index d0ae96ce08..17b900c7b3 100644
--- a/bin/tests/system/kasp/ns3/policies/kasp.conf.in
+++ b/bin/tests/system/kasp/ns3/policies/kasp.conf.in
@@ -132,3 +132,7 @@ dnssec-policy "checkds-csk" {
csk key-directory lifetime unlimited algorithm @DEFAULT_ALGORITHM@;
};
};
+
+dnssec-policy "ttl" {
+ max-zone-ttl 299;
+};
diff --git a/bin/tests/system/kasp/ns3/setup.sh b/bin/tests/system/kasp/ns3/setup.sh
index 21c4c9126d..bc4a0fc11d 100644
--- a/bin/tests/system/kasp/ns3/setup.sh
+++ b/bin/tests/system/kasp/ns3/setup.sh
@@ -64,20 +64,16 @@ if [ -f ../ed448-supported.file ]; then
cat ed448.conf >> named.conf
fi
-# Set up zone that stays unsigned.
-zone="unsigned.kasp"
-echo_i "setting up zone: $zone"
-zonefile="${zone}.db"
-infile="${zone}.db.infile"
-cp template.db.in $infile
-cp template.db.in $zonefile
-
-# Set up zone that stays unsigned.
-zone="insecure.kasp"
-echo_i "setting up zone: $zone"
-zonefile="${zone}.db"
-infile="${zone}.db.infile"
-cp template.db.in $zonefile
+# Set up zones that stay unsigned.
+for zn in unsigned insecure max-zone-ttl
+do
+ zone="${zn}.kasp"
+ echo_i "setting up zone: $zone"
+ zonefile="${zone}.db"
+ infile="${zone}.db.infile"
+ cp template.db.in $infile
+ cp template.db.in $zonefile
+done
# Some of these zones already have keys.
zone="dnssec-keygen.kasp"
diff --git a/bin/tests/system/kasp/tests.sh b/bin/tests/system/kasp/tests.sh
index 4a458945a0..ff4d32cc7b 100644
--- a/bin/tests/system/kasp/tests.sh
+++ b/bin/tests/system/kasp/tests.sh
@@ -253,6 +253,15 @@ status=$((status+ret))
next_key_event_threshold=$((next_key_event_threshold+i))
+# Test max-zone-ttl rejects zones with too high TTL.
+n=$((n+1))
+echo_i "check that max-zone-ttl rejects zones with too high TTL ($n)"
+ret=0
+set_zone "max-zone-ttl.kasp"
+grep "loading from master file ${ZONE}.db failed: out of range" "ns3/named.run" > /dev/null || ret=1
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
#
# Zone: default.kasp.
#
--
2.27.0
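Review bot: In the setup.sh loop the `cp` targets `$infile` and `$zonefile` are unquoted, as the removed lines were; quoting them (`cp template.db.in "$infile"` and `cp template.db.in "$zonefile"`) costs nothing and matches the quoting already used for `$zone` in the `echo_i` line. Note also that the loop now copies the template to `$infile` for insecure.kasp, which the removed block did not; that looks intentional and harmless. The tests.sh check keys on the exact loader text `out of range` in ns3/named.run, so any rewording of that log message upstream will turn this test into a failure without a code regression.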


@ -0,0 +1,67 @@
From 80a8322d6594cfaa9ffe90d3de0c315a0d34efc3 Mon Sep 17 00:00:00 2001
From: Evan Hunt <each@isc.org>
Date: Fri, 2 Sep 2022 15:41:26 -0700
Subject: [PATCH] clean up properly when interface creation fails
Conflict: NA
Reference: https://gitlab.isc.org/isc-projects/bind9/-/commit/80a8322d6594cfaa9ffe90d3de0c315a0d34efc3
previously, if ns_clientmgr_create() failed, the interface was not
cleaned up correctly and an assertion or segmentation fault could
follow. this has been fixed.
---
lib/ns/interfacemgr.c | 18 ++++++++++++------
1 file changed, 12 insertions(+), 6 deletions(-)
diff --git a/lib/ns/interfacemgr.c b/lib/ns/interfacemgr.c
index facb0d141b..51429de716 100644
--- a/lib/ns/interfacemgr.c
+++ b/lib/ns/interfacemgr.c
@@ -391,7 +391,7 @@ ns_interfacemgr_shutdown(ns_interfacemgr_t *mgr) {
static isc_result_t
ns_interface_create(ns_interfacemgr_t *mgr, isc_sockaddr_t *addr,
const char *name, ns_interface_t **ifpret) {
- ns_interface_t *ifp;
+ ns_interface_t *ifp = NULL;
isc_result_t result;
int disp;
@@ -422,13 +422,13 @@ ns_interface_create(ns_interfacemgr_t *mgr, isc_sockaddr_t *addr,
ISC_LINK_INIT(ifp, link);
ns_interfacemgr_attach(mgr, &ifp->mgr);
+ isc_refcount_init(&ifp->references, 1);
+ ifp->magic = IFACE_MAGIC;
+
LOCK(&mgr->lock);
ISC_LIST_APPEND(mgr->interfaces, ifp, link);
UNLOCK(&mgr->lock);
- isc_refcount_init(&ifp->references, 1);
- ifp->magic = IFACE_MAGIC;
-
result = ns_clientmgr_create(mgr->mctx, mgr->sctx, mgr->taskmgr,
mgr->timermgr, ifp, mgr->ncpus,
&ifp->clientmgr);
@@ -444,11 +444,17 @@ ns_interface_create(ns_interfacemgr_t *mgr, isc_sockaddr_t *addr,
return (ISC_R_SUCCESS);
failure:
- isc_mutex_destroy(&ifp->lock);
+ LOCK(&ifp->mgr->lock);
+ ISC_LIST_UNLINK(ifp->mgr->interfaces, ifp, link);
+ UNLOCK(&ifp->mgr->lock);
ifp->magic = 0;
- isc_mem_put(mgr->mctx, ifp, sizeof(*ifp));
+ ns_interfacemgr_detach(&ifp->mgr);
+ isc_refcount_decrement(&ifp->references);
+ isc_refcount_destroy(&ifp->references);
+ isc_mutex_destroy(&ifp->lock);
+ isc_mem_put(mgr->mctx, ifp, sizeof(*ifp));
return (ISC_R_UNEXPECTED);
}
--
2.23.0
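Review bot: The new `failure:` block unconditionally dereferences `ifp->mgr` (`LOCK(&ifp->mgr->lock)`, `ISC_LIST_UNLINK(ifp->mgr->interfaces, ...)`) and decrements `ifp->references`, so it is only correct if every `goto failure` in ns_interface_create() is taken after `ns_interfacemgr_attach()`, the list append and `isc_refcount_init()` have all run; the code between the first two hunks is not visible here, and a jump from an earlier failure, for example before the attach, would now dereference NULL or decrement an uninitialized refcount. Moving the refcount and magic initialization ahead of the list append is the right change, since other threads can observe `ifp` as soon as it is linked under `mgr->lock`. A comment on the label would pin the precondition: `/* Reached only after ifp is linked into mgr->interfaces with references == 1. */`.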


@ -0,0 +1,61 @@
From e1fa6cbab82fe424a94269e3ae9e106c10bf59be Mon Sep 17 00:00:00 2001
From: Evan Hunt <each@isc.org>
Date: Fri, 26 Aug 2022 15:38:34 -0700
Subject: [PATCH] dnstap query_message field was erroneously set with responses
The dnstap query_message field was in some cases being filled in
with response messages, along with the response_message field.
The query_message field should only be used when logging requests,
and the response_message field only when logging responses.
Conflict: NA
Reference: https://gitlab.isc.org/isc-projects/bind9/-/commit/e1fa6cbab82fe424a94269e3ae9e106c10bf59be
---
lib/dns/dnstap.c | 18 ++++++++++++------
1 file changed, 12 insertions(+), 6 deletions(-)
diff --git a/lib/dns/dnstap.c b/lib/dns/dnstap.c
index 30ca97e636..97f070937d 100644
--- a/lib/dns/dnstap.c
+++ b/lib/dns/dnstap.c
@@ -808,10 +808,11 @@ dns_dt_send(dns_view_t *view, dns_dtmsgtype_t msgtype, isc_sockaddr_t *qaddr,
dm.m.response_time_nsec = isc_time_nanoseconds(t);
dm.m.has_response_time_nsec = 1;
- cpbuf(buf, &dm.m.response_message, &dm.m.has_response_message);
-
- /* Types RR and FR get both query and response times */
- if (msgtype == DNS_DTTYPE_CR || msgtype == DNS_DTTYPE_AR) {
+ /*
+ * Types RR and FR can fall through and get the query
+ * time set as well. Any other response type, break.
+ */
+ if (msgtype != DNS_DTTYPE_RR && msgtype != DNS_DTTYPE_FR) {
break;
}
@@ -831,8 +832,6 @@ dns_dt_send(dns_view_t *view, dns_dtmsgtype_t msgtype, isc_sockaddr_t *qaddr,
dm.m.has_query_time_sec = 1;
dm.m.query_time_nsec = isc_time_nanoseconds(t);
dm.m.has_query_time_nsec = 1;
-
- cpbuf(buf, &dm.m.query_message, &dm.m.has_query_message);
break;
default:
isc_log_write(dns_lctx, DNS_LOGCATEGORY_DNSTAP,
@@ -841,6 +840,13 @@ dns_dt_send(dns_view_t *view, dns_dtmsgtype_t msgtype, isc_sockaddr_t *qaddr,
return;
}
+ /* Query and response messages */
+ if ((msgtype & DNS_DTTYPE_QUERY) != 0) {
+ cpbuf(buf, &dm.m.query_message, &dm.m.has_query_message);
+ } else if ((msgtype & DNS_DTTYPE_RESPONSE) != 0) {
+ cpbuf(buf, &dm.m.response_message, &dm.m.has_response_message);
+ }
+
/* Zone/bailiwick */
switch (msgtype) {
case DNS_DTTYPE_AR:
--
2.23.0
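Review bot: The new `cpbuf` selection tests `msgtype & DNS_DTTYPE_QUERY` and `msgtype & DNS_DTTYPE_RESPONSE` as bit masks, which is correct only if the dnstap message-type constants are defined with distinct query/response bits rather than as a plain enumeration; that appears to be the case, but the definitions are not in this hunk. A short comment would record the assumption: `/* DNS_DTTYPE_* values carry a QUERY or RESPONSE bit; exactly one branch matches. */`. The rewritten comment in the first hunk says RR and FR "can fall through", but the `if` simply breaks for every other response type, so this is continuing past the check rather than a switch fallthrough; wording it as `continue on to also set the query time` would avoid that confusion.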


@ -0,0 +1,84 @@
From 17924f4bdfbd99e06057c090d6ac3e8074deb642 Mon Sep 17 00:00:00 2001
From: Evan Hunt <each@isc.org>
Date: Fri, 2 Sep 2022 14:44:58 -0700
Subject: [PATCH] fix an incorrect detach in update processing
when processing UDPATE requests, hold the request handle until
we either drop the request or respond to it.
Conflict: NA
Reference: https://gitlab.isc.org/isc-projects/bind9/-/commit/17924f4bdfbd99e06057c090d6ac3e8074deb642
(cherry picked from commit 00e0758e1218f82fd1fe995c161ce4243bbbbb89)
---
lib/ns/update.c | 25 +++++++++++--------------
1 file changed, 11 insertions(+), 14 deletions(-)
diff --git a/lib/ns/update.c b/lib/ns/update.c
index c4bde3d4eb..a21b725f39 100644
--- a/lib/ns/update.c
+++ b/lib/ns/update.c
@@ -1569,19 +1569,17 @@ respond(ns_client_t *client, isc_result_t result) {
msg_result = dns_message_reply(client->message, true);
if (msg_result != ISC_R_SUCCESS) {
- goto msg_failure;
+ isc_log_write(ns_lctx, NS_LOGCATEGORY_UPDATE,
+ NS_LOGMODULE_UPDATE, ISC_LOG_ERROR,
+ "could not create update response message: %s",
+ isc_result_totext(msg_result));
+ ns_client_drop(client, msg_result);
+ isc_nmhandle_detach(&client->reqhandle);
+ return;
}
- client->message->rcode = dns_result_torcode(result);
+ client->message->rcode = dns_result_torcode(result);
ns_client_send(client);
- return;
-
-msg_failure:
- isc_log_write(ns_lctx, NS_LOGCATEGORY_UPDATE, NS_LOGMODULE_UPDATE,
- ISC_LOG_ERROR,
- "could not create update response message: %s",
- isc_result_totext(msg_result));
- ns_client_drop(client, msg_result);
isc_nmhandle_detach(&client->reqhandle);
}
@@ -1595,7 +1593,8 @@ ns_update_start(ns_client_t *client, isc_nmhandle_t *handle,
dns_zone_t *zone = NULL, *raw = NULL;
/*
- * Attach to the request handle
+ * Attach to the request handle. This will be held until
+ * we respond, or drop the request.
*/
isc_nmhandle_attach(handle, &client->reqhandle);
@@ -1677,8 +1676,6 @@ ns_update_start(ns_client_t *client, isc_nmhandle_t *handle,
default:
FAILC(DNS_R_NOTAUTH, "not authoritative for update zone");
}
-
- isc_nmhandle_detach(&client->reqhandle);
return;
failure:
@@ -1696,7 +1693,6 @@ failure:
if (zone != NULL) {
dns_zone_detach(&zone);
}
- isc_nmhandle_detach(&client->reqhandle);
}
/*%
@@ -3554,6 +3550,7 @@ forward_done(isc_task_t *task, isc_event_t *event) {
ns_client_sendraw(client, uev->answer);
dns_message_detach(&uev->answer);
isc_event_free(&event);
+ isc_nmhandle_detach(&client->reqhandle);
isc_nmhandle_detach(&client->updatehandle);
}
--
2.23.0
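Review bot: With the `isc_nmhandle_detach(&client->reqhandle)` removed from the `failure:` label in ns_update_start(), the request handle now stays attached until respond() or ns_client_drop() runs; the rest of the `failure:` block is outside the hunk, so it should be confirmed that every path reaching it ends in respond(), which now detaches on both its success and error branches, rather than dropping the client directly, otherwise the handle leaks and the client is never released. The forward_done() hunk adds the matching detach for the forwarded-update path; the non-forwarded completion path that calls respond() is presumably already covered. The re-indentation of `client->message->rcode = ...` in the first hunk is a whitespace-only change that adds noise to the backport.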


@ -0,0 +1,33 @@
From 58d01b821af93448714ccb22cea15c35088bd33a Mon Sep 17 00:00:00 2001
From: Matthijs Mekking <matthijs@isc.org>
Date: Tue, 23 Aug 2022 10:54:42 +0200
Subject: [PATCH] nsec3.c: Add a missing dns_db_detachnode() call
There is one case in 'dns_nsec3_activex()' where it returns but forgets
to detach the db node. Add the missing 'dns_db_detachnode()' call.
This case only triggers if 'sig-signing-type' (privatetype) is set to 0
(which by default is not), or if the function is called with 'complete'
is set to 'true' (which at this moment do not exist).
Conflict: NA
Reference: https://gitlab.isc.org/isc-projects/bind9/-/commit/58d01b821af93448714ccb22cea15c35088bd33a
(cherry picked from commit 0cf6c18ccb2205a1fc81431f908c8310f6136bbb)
---
lib/dns/nsec3.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/lib/dns/nsec3.c b/lib/dns/nsec3.c
index f4f7cdeb53..45240b2499 100644
--- a/lib/dns/nsec3.c
+++ b/lib/dns/nsec3.c
@@ -1833,6 +1833,7 @@ dns_nsec3_activex(dns_db_t *db, dns_dbversion_t *version, bool complete,
try_private:
if (privatetype == 0 || complete) {
+ dns_db_detachnode(db, &node);
*answer = false;
return (ISC_R_SUCCESS);
}
--
2.23.0


@ -0,0 +1,98 @@
From 8ef414a7f38a04cfc11df44adaedaf3126fa3878 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Ond=C5=99ej=20Sur=C3=BD?= <ondrej@isc.org>
Date: Mon, 29 Jan 2024 16:36:30 +0100
Subject: [PATCH] Optimize the slabheader placement for certain RRTypes
Mark the infrastructure RRTypes as "priority" types and place them at
the beginning of the rdataslab header data graph. The non-priority
types either go right after the priority types (if any).
(cherry picked from commit 3ac482be7fd058d284e89873021339579fad0615)
Conflict:NA
Reference:https://gitlab.isc.org/isc-projects/bind9/-/commit/8ef414a7f38a04cfc11df44adaedaf3126fa3878
---
lib/dns/rbtdb.c | 44 ++++++++++++++++++++++++++++++++++++++++++--
1 file changed, 42 insertions(+), 2 deletions(-)
diff --git a/lib/dns/rbtdb.c b/lib/dns/rbtdb.c
index ab4caae..d86ed64 100644
--- a/lib/dns/rbtdb.c
+++ b/lib/dns/rbtdb.c
@@ -967,6 +967,30 @@ set_ttl(dns_rbtdb_t *rbtdb, rdatasetheader_t *header, dns_ttl_t newttl) {
}
}
+static bool
+prio_type(rbtdb_rdatatype_t type) {
+ switch (type) {
+ case dns_rdatatype_soa:
+ case RBTDB_RDATATYPE_VALUE(dns_rdatatype_rrsig, dns_rdatatype_soa):
+ case dns_rdatatype_a:
+ case RBTDB_RDATATYPE_VALUE(dns_rdatatype_rrsig, dns_rdatatype_a):
+ case dns_rdatatype_aaaa:
+ case RBTDB_RDATATYPE_VALUE(dns_rdatatype_rrsig, dns_rdatatype_aaaa):
+ case dns_rdatatype_nsec:
+ case RBTDB_RDATATYPE_VALUE(dns_rdatatype_rrsig, dns_rdatatype_nsec):
+ case dns_rdatatype_nsec3:
+ case RBTDB_RDATATYPE_VALUE(dns_rdatatype_rrsig, dns_rdatatype_nsec3):
+ case dns_rdatatype_ns:
+ case RBTDB_RDATATYPE_VALUE(dns_rdatatype_rrsig, dns_rdatatype_ns):
+ case dns_rdatatype_ds:
+ case RBTDB_RDATATYPE_VALUE(dns_rdatatype_rrsig, dns_rdatatype_ds):
+ case dns_rdatatype_cname:
+ case RBTDB_RDATATYPE_VALUE(dns_rdatatype_rrsig, dns_rdatatype_cname):
+ return (true);
+ }
+ return (false);
+}
+
/*%
* These functions allow the heap code to rank the priority of each
* element. It returns true if v1 happens "sooner" than v2.
@@ -6183,6 +6207,7 @@ add32(dns_rbtdb_t *rbtdb, dns_rbtnode_t *rbtnode, const dns_name_t *nodename,
rbtdb_changed_t *changed = NULL;
rdatasetheader_t *topheader = NULL, *topheader_prev = NULL;
rdatasetheader_t *header = NULL, *sigheader = NULL;
+ rdatasetheader_t *prioheader = NULL;
unsigned char *merged = NULL;
isc_result_t result;
bool header_nx;
@@ -6324,6 +6349,9 @@ add32(dns_rbtdb_t *rbtdb, dns_rbtnode_t *rbtnode, const dns_name_t *nodename,
for (topheader = rbtnode->data; topheader != NULL;
topheader = topheader->next) {
+ if (prio_type(topheader->type)) {
+ prioheader = topheader;
+ }
if (topheader->type == newheader->type ||
topheader->type == negtype) {
break;
@@ -6705,9 +6733,21 @@ find_header:
/*
* No rdatasets of the given type exist at the node.
*/
- newheader->next = rbtnode->data;
newheader->down = NULL;
- rbtnode->data = newheader;
+
+ if (prio_type(newheader->type)) {
+ /* This is a priority type, prepend it */
+ newheader->next = rbtnode->data;
+ rbtnode->data = newheader;
+ } else if (prioheader != NULL) {
+ /* Append after the priority headers */
+ newheader->next = prioheader->next;
+ prioheader->next = newheader;
+ } else {
+ /* There were no priority headers */
+ newheader->next = rbtnode->data;
+ rbtnode->data = newheader;
+ }
}
}
--
2.33.0
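Review bot: `prio_type` at the top of the rbtdb.c hunk is added with no header comment, immediately in front of the `/*% These functions allow the heap code to rank ...` block, so a reader can mistake it for one of the heap-ranking helpers. A one-line comment such as `/*% Infrastructure RRtypes (and their RRSIGs) that add32 keeps at the head of a node's rdataset list, so lookups for them never walk past the other types at the name. */` would tie it to the placement logic in the `find_header:` hunk further down. The switch also has no `default:` label and relies on falling out of the switch to reach `return (false);`; a `default: break;` makes that intent explicit. The bodies of `set_ttl` and `add32` begin outside these hunks, so whether `prioheader` is still the last priority header on the paths that reach `find_header:` from elsewhere cannot be confirmed from here.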


@ -0,0 +1,102 @@
From fb8f102ffcd0e0bb3b9691ceec5ee8a24025af28 Mon Sep 17 00:00:00 2001
From: Evan Hunt <each@isc.org>
Date: Thu, 21 Jul 2022 11:07:31 -0700
Subject: [PATCH] warn about zones with both dnssec-policy and max-zone-ttl
max-zone-ttl in zone/view/options is a no-op if dnssec-policy
is in use, so generate a warning.
Conflict: NA
Reference: https://gitlab.isc.org/isc-projects/bind9/-/commit/fb8f102ffcd0e0bb3b9691ceec5ee8a24025af28
---
bin/tests/system/checkconf/tests.sh | 8 ++++++
.../checkconf/warn-kasp-max-zone-ttl.conf | 26 +++++++++++++++++++
lib/bind9/check.c | 21 +++++++++++++++
3 files changed, 55 insertions(+)
create mode 100644 bin/tests/system/checkconf/warn-kasp-max-zone-ttl.conf
diff --git a/bin/tests/system/checkconf/tests.sh b/bin/tests/system/checkconf/tests.sh
index cec8f8407e..9143e9e08c 100644
--- a/bin/tests/system/checkconf/tests.sh
+++ b/bin/tests/system/checkconf/tests.sh
@@ -585,6 +585,14 @@ grep "not recommended" < checkconf.out$n > /dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; ret=1; fi
status=`expr $status + $ret`
+n=`expr $n + 1`
+echo_i "check that using both max-zone-ttl and dnssec-policy generates a warning ($n)"
+ret=0
+$CHECKCONF warn-kasp-max-zone-ttl.conf > checkconf.out$n 2>/dev/null || ret=1
+grep "option 'max-zone-ttl' is ignored when used together with 'dnssec-policy'" < checkconf.out$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; ret=1; fi
+status=`expr $status + $ret`
+
n=$((n+1))
echo_i "check that masterfile-format map generates deprecation warning ($n)"
ret=0
diff --git a/bin/tests/system/checkconf/warn-kasp-max-zone-ttl.conf b/bin/tests/system/checkconf/warn-kasp-max-zone-ttl.conf
new file mode 100644
index 0000000000..0b5939478e
--- /dev/null
+++ b/bin/tests/system/checkconf/warn-kasp-max-zone-ttl.conf
@@ -0,0 +1,26 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/*
+ * The dnssec-policy is not defined. Should also be caught if it is inherited.
+ */
+
+options {
+ dnssec-policy default;
+};
+
+zone "example.net" {
+ type primary;
+ file "example.db";
+ max-zone-ttl 600;
+};
diff --git a/lib/bind9/check.c b/lib/bind9/check.c
index 0be4871020..0707ea44b9 100644
--- a/lib/bind9/check.c
+++ b/lib/bind9/check.c
@@ -2633,6 +2633,27 @@ check_zoneconf(const cfg_obj_t *zconfig, const cfg_obj_t *voptions,
}
}
+ /*
+ * Warn about zones with both dnssec-policy and max-zone-ttl
+ */
+ if (has_dnssecpolicy) {
+ obj = NULL;
+ (void)cfg_map_get(zoptions, "max-zone-ttl", &obj);
+ if (obj == NULL && voptions != NULL) {
+ (void)cfg_map_get(voptions, "max-zone-ttl", &obj);
+ }
+ if (obj == NULL && goptions != NULL) {
+ (void)cfg_map_get(goptions, "max-zone-ttl", &obj);
+ }
+ if (obj != NULL) {
+ cfg_obj_log(obj, logctx, ISC_LOG_WARNING,
+ "zone '%s': option 'max-zone-ttl' "
+ "is ignored when used together with "
+ "'dnssec-policy'",
+ znamestr);
+ }
+ }
+
/*
* Check validity of the zone options.
*/
--
2.27.0
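Review bot: The new block in `check_zoneconf` looks `max-zone-ttl` up at zone, view and then global scope, so a single `max-zone-ttl` in `options` yields one warning per zone that has `dnssec-policy`; the comment should state that this is the option's inheritance chain being checked, e.g. `/* Warn about zones with both dnssec-policy and max-zone-ttl: the policy supplies its own max-zone-ttl, so a zone/view/global max-zone-ttl is a no-op and is checked along the same inheritance chain. */`. `has_dnssecpolicy` is set outside the hunk, so whether the warning also fires for a `dnssec-policy` inherited from `options` (which the comment in warn-kasp-max-zone-ttl.conf expects) cannot be confirmed from here. In tests.sh the new check uses `n=\`expr $n + 1\`` while the next test at the same place uses `n=$((n+1))`; using one form keeps the file consistent.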

153
bind.spec

@ -30,7 +30,7 @@ Summary: The Berkeley Internet Name Domain (BIND) DNS (Domain Name System) serv
Name: bind
License: MPLv2.0
Version: 9.16.23
Release: 20
Release: 25
Epoch: 32
Url: https://www.isc.org/downloads/bind/
#
@ -167,49 +167,91 @@ Patch6093:backport-Increase-the-BUFSIZ-long-buffers.patch
Patch6094:backport-Inherit-dnssec-policy-in-check-for-inline-signing.patch
Patch6095:backport-Reject-zones-with-TTL-higher-than-dnssec-policy-max.patch
Patch6002:backport-CVE-2022-2795.patch
Patch6003:backport-CVE-2022-3080.patch
Patch6004:backport-CVE-2022-38177.patch
Patch6005:backport-CVE-2022-38178.patch
Patch6006:backport-CVE-2022-2906.patch
Patch6007:backport-CVE-2022-2881.patch
Patch6096:backport-CVE-2022-3736.patch
Patch6097:backport-CVE-2022-3924.patch
Patch6098:backport-CVE-2022-3094-add-an-update-quota.patch
Patch6099:backport-CVE-2022-3094-add-a-configuration-option-for-the-update-quota.patch
Patch6100:backport-CVE-2022-3094-move-update-ACL-and-update-policy-checks-before-quota.patch
Patch6096:backport-Test-dnssec-policy-max-zone-ttl-rejects-zone-with-to.patch
Patch6097:backport-warn-about-zones-with-both-dnssec-policy-and-max-zon.patch
Patch6101:backport-Fix-a-logical-bug-in-cfg_print_duration.patch
Patch6102:backport-ensure-RPZ-lookups-handle-CD-1-correctly.patch
Patch6103:backport-Don-t-allow-DNSSEC-records-in-the-raw-zone.patch
Patch6104:backport-Select-the-appropriate-namespace-when-using-a-dual-stack-server.patch
Patch6105:backport-Check-for-NULL-before-dereferencing-qctx-rpz_st.patch
Patch6106:backport-Suppress-duplicate-dns_db_updatenotify_register-registrations.patch
Patch6107:backport-Call-dns_db_updatenotify_unregister-earlier.patch
Patch6108:backport-Add-missing-DbC-magic-checks.patch
Patch6109:backport-Propagate-the-shutdown-event-to-the-recursing-ns_client-s.patch
Patch6110:backport-Release-unused-key-file-IO-lock-objects.patch
Patch6111:backport-Fix-logging-a-uint32_t-SOA-serial-value-in-dns_catz_update_from_db.patch
Patch6098:backport-CVE-2022-2795.patch
Patch6099:backport-CVE-2022-3080.patch
Patch6100:backport-CVE-2022-38177.patch
Patch6101:backport-CVE-2022-38178.patch
Patch6102:backport-CVE-2022-2906.patch
Patch6103:backport-CVE-2022-2881.patch
Patch6112:backport-Don-t-perform-arithmetic-on-NULL-pointers.patch
Patch6113:backport-Accept-in-NULL-with-inlen-0-in-isc_-half-siphash24.patch
Patch6114:backport-Fix-a-use-after-free-bug-in-dns_zonemgr_releasezone.patch
Patch6115:backport-Fix-dns_fwdtable_addfwd-error-path-cleanup-bug.patch
Patch6116:backport-Detach-the-views-in-zone_shutdown-not-in-zone_free.patch
Patch6117:backport-Detach-the-zone-views-outside-of-the-zone-lock.patch
Patch6118:backport-delay-trust-anchor-management-until-zones-are-loaded.patch
Patch6119:backport-In-hmac_createctx-free-ctx-on-isc_hmac_init-failure.patch
Patch6120:backport-Fix-dns_kasp_attach-dns_kasp_detach-usage.patch
Patch6121:backport-Fix-backport-error-in-84929d1cd7e1042452094ceeae969324b9df504f.patch
Patch6122:backport-Fix-a-cleanup-bug-when-isc_task_create-fails-in-dns_catz_new_zones.patch
Patch6123:backport-Searching-catzs-zones-requires-a-read-lock.patch
Patch6124:backport-Fix-view-s-zones-reverting-bug-during-reconfiguration.patch
Patch6104:backport-Reset-parser-before-parsing-of-internal-trust-anchor.patch
Patch6105:backport-nsec3.c-Add-a-missing-dns_db_detachnode-call.patch
Patch6106:backport-dnstap-query_message-field-was-erroneously-set-with-responses.patch
Patch6107:backport-fix-an-incorrect-detach-in-update-processing.patch
Patch6108:backport-clean-up-properly-when-interface-creation-fails.patch
Patch6109:backport-Add-mctx-attach-detach-when-creating-destroying-a-memory-pool.patch
Patch6110:backport-Ensure-that-named_server_t-is-properly-initialized.patch
Patch6111:backport-Free-rsa-if-e-is-NULL-in-opensslrsa_verify2.patch
Patch6112:backport-Free-n-on-error-path-in-rsa_check.patch
Patch6113:backport-Fix-memory-leak-in-dns_message_checksig-SIG-0-sigs.patch
Patch6114:backport-Check-that-e-and-n-are-non-NULL-in-opensslrsa_todns.patch
Patch6115:backport-Check-that-e-and-n-are-allocated-in-opensslrsa_fromdns.patch
Patch6116:backport-Check-BN_dup-results-in-rsa_check.patch
Patch6117:backport-Check-that-primary-key-names-have-not-changed.patch
Patch6118:backport-Fix-ns_statscounter_recursclients-counting-bug.patch
Patch6125:backport-CVE-2023-2911.patch
Patch6126:backport-CVE-2023-2828.patch
Patch6127:backport-Disable-the-internale-memory-allocator-by-default.patch
Patch6119:backport-Fix-a-logical-bug-in-cfg_print_duration.patch
Patch6120:backport-ensure-RPZ-lookups-handle-CD-1-correctly.patch
Patch6121:backport-Don-t-allow-DNSSEC-records-in-the-raw-zone.patch
Patch6122:backport-Select-the-appropriate-namespace-when-using-a-dual-stack-server.patch
Patch6123:backport-Check-for-NULL-before-dereferencing-qctx-rpz_st.patch
Patch6124:backport-Suppress-duplicate-dns_db_updatenotify_register-registrations.patch
Patch6125:backport-Call-dns_db_updatenotify_unregister-earlier.patch
Patch6126:backport-Add-missing-DbC-magic-checks.patch
Patch6127:backport-Propagate-the-shutdown-event-to-the-recursing-ns_client-s.patch
Patch6128:backport-Release-unused-key-file-IO-lock-objects.patch
Patch6129:backport-Fix-logging-a-uint32_t-SOA-serial-value-in-dns_catz_update_from_db.patch
Patch6128:backport-CVE-2023-3341.patch
Patch6130:backport-CVE-2022-3736.patch
Patch6131:backport-CVE-2022-3924.patch
Patch6132:backport-CVE-2022-3094-add-an-update-quota.patch
Patch6133:backport-CVE-2022-3094-add-a-configuration-option-for-the-update-quota.patch
Patch6134:backport-CVE-2022-3094-move-update-ACL-and-update-policy-checks-before-quota.patch
Patch6135:backport-Don-t-perform-arithmetic-on-NULL-pointers.patch
Patch6136:backport-Accept-in-NULL-with-inlen-0-in-isc_-half-siphash24.patch
Patch6137:backport-Fix-a-use-after-free-bug-in-dns_zonemgr_releasezone.patch
Patch6138:backport-Fix-dns_fwdtable_addfwd-error-path-cleanup-bug.patch
Patch6139:backport-Detach-the-views-in-zone_shutdown-not-in-zone_free.patch
Patch6140:backport-Detach-the-zone-views-outside-of-the-zone-lock.patch
Patch6141:backport-delay-trust-anchor-management-until-zones-are-loaded.patch
Patch6142:backport-In-hmac_createctx-free-ctx-on-isc_hmac_init-failure.patch
Patch6143:backport-Fix-dns_kasp_attach-dns_kasp_detach-usage.patch
Patch6144:backport-Fix-backport-error-in-84929d1cd7e1042452094ceeae969324b9df504f.patch
Patch6145:backport-Fix-a-cleanup-bug-when-isc_task_create-fails-in-dns_catz_new_zones.patch
Patch6146:backport-Searching-catzs-zones-requires-a-read-lock.patch
Patch6147:backport-Fix-view-s-zones-reverting-bug-during-reconfiguration.patch
Patch6148:backport-Disable-the-internal-memory-allocator-by-default.patch
Patch6149:backport-CVE-2023-2911.patch
Patch6150:backport-CVE-2023-2828.patch
Patch6151:backport-CVE-2023-3341.patch
Patch6152:backport-CVE-2023-5679.patch
Patch6153:backport-CVE-2023-5517.patch
Patch6154:backport-CVE-2023-6516.patch
Patch6155:backport-Make-isc_ht_init-and-isc_ht_iter_create-return-void.patch
Patch6156:backport-CVE-2023-4408.patch
Patch6157:backport-CVE-2023-50387-CVE-2023-50868.patch
Patch6158:backport-Replace-netievent-lock-free-queue-with-simple-locked.patch
Patch6159:backport-CVE-2024-1975.patch
Patch6160:backport-CVE-2024-4076.patch
Patch6161:backport-optimize-the-slabheader-placement-for-certain-RRtype.patch
Patch6162:backport-0001-CVE-2024-1737.patch
Patch6163:backport-0002-CVE-2024-1737.patch
Patch6164:backport-0003-CVE-2024-1737.patch
Patch6165:backport-0004-CVE-2024-1737.patch
Patch6166:backport-CVE-2024-11187.patch
Patch6167:backport-CVE-2024-1737-records.patch
Patch6168:backport-CVE-2024-1737-records-test.patch
Patch6169:backport-CVE-2024-1737-types.patch
Patch6170:backport-CVE-2024-1737-types-test.patch
Patch6171:backport-CVE-2024-1737-records-test2.patch
Patch9000:bugfix-limit-numbers-of-test-threads.patch
@ -1219,6 +1261,37 @@ fi;
%endif
%changelog
* Wed Apr 23 2025 chengyechun <chengyechun1@huawei.com> - 32:9.16.23-25
- Type:CVE
- CVE:CVE-2024-1737
- SUG:NA
- DESC:add max-records-per-type and max-types-per-name for fix CVE-2024-1737
The default value both of max-records-per-type and max-types-per-name is 5000
* Wed Feb 19 2025 chengyechun <chengyechun1@huawei.com> - 32:9.16.23-24
- Type:CVE
- CVE:CVE-2024-11187
- SUG:NA
- DESC:fix CVE-2024-11187
* Fri Aug 02 2024 chengyechun <chengyechun1@huawei.com> - 32:9.16.23-23
- Type:CVE
- CVE:CVE-2024-1975,CVE-2024-4076,CVE-2024-1737
- SUG:NA
- DESC:fix CVE-2024-1975 CVE-2024-4076 CVE-2024-1737
* Thu Mar 21 2024 chengyechun <chengyechun1@huaweic.om> - 32:9.16.23-22
- Type:bugfix
- CVE:
- SUG:NA
- DESC:update release version
* Fri Mar 15 2024 chengyechun <chengyechun1@huawei.com> - 32:9.16.23-21
- Type:CVE
- CVE:CVE-2023-6516 CVE-2023-4408 CVE-2023-5517 CVE-2023-5680 CVE-2023-5679 CVE-50387 CVE-2023-50868
- SUG:NA
- DESC:fix CVE-2023-6516 CVE-2023-4408 CVE-2023-5517 CVE-2023-5680 CVE-2023-5679 CVE-50387 CVE-2023-50868 and sync some patches from upstream
* Sat Sep 23 2023 zhanghao <zhanghao383@huawei.com> - 32:9.16.23-20
- Type:CVE
- CVE:CVE-2023-3341
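Review bot: The changelog hunk carries two visible typos that end up in the package metadata: the 32:9.16.23-22 entry has the address `chengyechun1@huaweic.om`, which should read `chengyechun1@huawei.com`, and the 32:9.16.23-21 entry lists `CVE-50387` on both its CVE: and DESC: lines without the year, whereas the patch registered as Patch6157 names it `CVE-2023-50387`. The patch-list hunk renumbers Patch6096 through Patch6129 and appends Patch6161 through Patch6171; the `%patch` application lines are outside the hunk, so whether they were renumbered to match cannot be checked from here.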