packages/bind
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

!167 [sync] PR-165: bind回合上游社区补丁

Browse Source 
From: @openeuler-sync-bot 
Reviewed-by: @kircher 
Signed-off-by: @kircher
This commit is contained in:
openeuler-ci-bot 2023-03-07 13:48:31 +00:00 committed by Gitee
commit 5dc27f1bba
No known key found for this signature in database
GPG Key ID: 173E9B9CA92EEF8F
12 changed files with 816 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

64
backport-Add-missing-DbC-magic-checks.patch Normal file
View File

@ -0,0 +1,64 @@
From f9845df6d61e7491508a7f54b1d3caab7641652e Mon Sep 17 00:00:00 2001
From: Mark Andrews <marka@isc.org>
Date: Thu, 1 Dec 2022 12:51:30 +1100
Subject: [PATCH] Add missing DbC magic checks
Checking for value != NULL is not sufficient to detect use after
free errors.
(cherry picked from commit b1086a5561c8024fc39b5250063fc901c27eef06)
---
lib/dns/catz.c | 10 +++++-----
1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/lib/dns/catz.c b/lib/dns/catz.c
index 332f9877360..68927e84bbf 100644
--- a/lib/dns/catz.c
+++ b/lib/dns/catz.c
@@ -638,7 +638,7 @@ cleanup_ht:
void
dns_catz_catzs_set_view(dns_catz_zones_t *catzs, dns_view_t *view) {
REQUIRE(DNS_CATZ_ZONES_VALID(catzs));
- REQUIRE(view != NULL);
+ REQUIRE(DNS_VIEW_VALID(view));
/* Either it's a new one or it's being reconfigured. */
REQUIRE(catzs->view == NULL || !strcmp(catzs->view->name, view->name));
@@ -834,7 +834,7 @@ void
dns_catz_catzs_detach(dns_catz_zones_t **catzsp) {
dns_catz_zones_t *catzs;
- REQUIRE(catzsp != NULL && *catzsp != NULL);
+ REQUIRE(catzsp != NULL && DNS_CATZ_ZONES_VALID(*catzsp));
catzs = *catzsp;
*catzsp = NULL;
@@ -1515,7 +1515,7 @@ dns_catz_generate_masterfilename(dns_catz_zone_t *zone, dns_catz_entry_t *entry,
bool special = false;
REQUIRE(DNS_CATZ_ZONE_VALID(zone));
- REQUIRE(entry != NULL);
+ REQUIRE(DNS_CATZ_ENTRY_VALID(entry));
REQUIRE(buffer != NULL && *buffer != NULL);
isc_buffer_allocate(zone->catzs->mctx, &tbuf,
@@ -1613,7 +1613,7 @@ dns_catz_generate_zonecfg(dns_catz_zone_t *zone, dns_catz_entry_t *entry,
char zname[DNS_NAME_FORMATSIZE];
REQUIRE(DNS_CATZ_ZONE_VALID(zone));
- REQUIRE(entry != NULL);
+ REQUIRE(DNS_CATZ_ENTRY_VALID(entry));
REQUIRE(buf != NULL && *buf == NULL);
/*
@@ -1745,7 +1745,7 @@ dns_catz_dbupdate_callback(dns_db_t *db, void *fn_arg) {
isc_region_t r;
REQUIRE(DNS_DB_VALID(db));
- REQUIRE(fn_arg != NULL);
+ REQUIRE(DNS_CATZ_ZONES_VALID(fn_arg));
catzs = (dns_catz_zones_t *)fn_arg;
dns_name_toregion(&db->origin, &r);
--
2.23.0

159
backport-Call-dns_db_updatenotify_unregister-earlier.patch Normal file
View File

@ -0,0 +1,159 @@
From dd73306509b4703011cbc6a8cc3d3667a58110d3 Mon Sep 17 00:00:00 2001
From: Mark Andrews <marka@isc.org>
Date: Wed, 30 Nov 2022 18:44:37 +1100
Subject: [PATCH] Call dns_db_updatenotify_unregister earlier
dns_db_updatenotify_unregister needed to be called earlier to ensure
that listener->onupdate_arg always points to a valid object. The
existing lazy cleanup in rbtdb_free did not ensure that.
(cherry picked from commit 35839e91d84f4c22f3554ff4b6dc53d20359621e)
---
lib/dns/include/dns/zone.h | 3 +-
lib/dns/rbtdb.c | 10 +------
lib/dns/zone.c | 60 ++++++++++++++++++++++----------------
3 files changed, 38 insertions(+), 35 deletions(-)
diff --git a/lib/dns/include/dns/zone.h b/lib/dns/include/dns/zone.h
index cb5da5d046e..4bdc936949a 100644
--- a/lib/dns/include/dns/zone.h
+++ b/lib/dns/include/dns/zone.h
@@ -2610,7 +2610,8 @@ dns_zone_catz_enable(dns_zone_t *zone, dns_catz_zones_t *catzs);
void
dns_zone_catz_disable(dns_zone_t *zone);
/*%<
- * Disable zone as catalog zone, if it is one.
+ * Disable zone as catalog zone, if it is one. Also disables any
+ * registered callbacks for the catalog zone.
*
* Requires:
*
diff --git a/lib/dns/rbtdb.c b/lib/dns/rbtdb.c
index 36fce510244..b36cdf22059 100644
--- a/lib/dns/rbtdb.c
+++ b/lib/dns/rbtdb.c
@@ -1063,7 +1063,6 @@ free_rbtdb(dns_rbtdb_t *rbtdb, bool log, isc_event_t *event) {
char buf[DNS_NAME_FORMATSIZE];
dns_rbt_t **treep;
isc_time_t start;
- dns_dbonupdatelistener_t *listener, *listener_next;
if (IS_CACHE(rbtdb) && rbtdb->common.rdclass == dns_rdataclass_in) {
overmem((dns_db_t *)rbtdb, (bool)-1);
@@ -1220,14 +1219,7 @@ free_rbtdb(dns_rbtdb_t *rbtdb, bool log, isc_event_t *event) {
isc_file_munmap(rbtdb->mmap_location, (size_t)rbtdb->mmap_size);
}
- for (listener = ISC_LIST_HEAD(rbtdb->common.update_listeners);
- listener != NULL; listener = listener_next)
- {
- listener_next = ISC_LIST_NEXT(listener, link);
- ISC_LIST_UNLINK(rbtdb->common.update_listeners, listener, link);
- isc_mem_put(rbtdb->common.mctx, listener,
- sizeof(dns_dbonupdatelistener_t));
- }
+ INSIST(ISC_LIST_EMPTY(rbtdb->common.update_listeners));
isc_mem_putanddetach(&rbtdb->common.mctx, rbtdb, sizeof(*rbtdb));
}
diff --git a/lib/dns/zone.c b/lib/dns/zone.c
index 62c102b374f..21e71767e93 100644
--- a/lib/dns/zone.c
+++ b/lib/dns/zone.c
@@ -1938,6 +1938,31 @@ dns_zone_rpz_disable_db(dns_zone_t *zone, dns_db_t *db) {
zone->rpzs->zones[zone->rpz_num]);
}
+/*
+ * If a zone is a catalog zone, attach it to update notification in database.
+ */
+void
+dns_zone_catz_enable_db(dns_zone_t *zone, dns_db_t *db) {
+ REQUIRE(DNS_ZONE_VALID(zone));
+ REQUIRE(db != NULL);
+
+ if (zone->catzs != NULL) {
+ dns_db_updatenotify_register(db, dns_catz_dbupdate_callback,
+ zone->catzs);
+ }
+}
+
+static void
+dns_zone_catz_disable_db(dns_zone_t *zone, dns_db_t *db) {
+ REQUIRE(DNS_ZONE_VALID(zone));
+ REQUIRE(db != NULL);
+
+ if (zone->catzs != NULL) {
+ dns_db_updatenotify_unregister(db, dns_catz_dbupdate_callback,
+ zone->catzs);
+ }
+}
+
static void
zone_catz_enable(dns_zone_t *zone, dns_catz_zones_t *catzs) {
REQUIRE(DNS_ZONE_VALID(zone));
@@ -1964,6 +1989,9 @@ zone_catz_disable(dns_zone_t *zone) {
REQUIRE(DNS_ZONE_VALID(zone));
if (zone->catzs != NULL) {
+ if (zone->db != NULL) {
+ dns_zone_catz_disable_db(zone, zone->db);
+ }
dns_catz_catzs_detach(&zone->catzs);
}
}
@@ -1984,31 +2012,6 @@ dns_zone_catz_is_enabled(dns_zone_t *zone) {
return (zone->catzs != NULL);
}
-/*
- * If a zone is a catalog zone, attach it to update notification in database.
- */
-void
-dns_zone_catz_enable_db(dns_zone_t *zone, dns_db_t *db) {
- REQUIRE(DNS_ZONE_VALID(zone));
- REQUIRE(db != NULL);
-
- if (zone->catzs != NULL) {
- dns_db_updatenotify_register(db, dns_catz_dbupdate_callback,
- zone->catzs);
- }
-}
-
-static void
-dns_zone_catz_disable_db(dns_zone_t *zone, dns_db_t *db) {
- REQUIRE(DNS_ZONE_VALID(zone));
- REQUIRE(db != NULL);
-
- if (zone->catzs != NULL) {
- dns_db_updatenotify_unregister(db, dns_catz_dbupdate_callback,
- zone->catzs);
- }
-}
-
/*
* Set catalog zone ownership of the zone
*/
@@ -5375,6 +5378,11 @@ cleanup:
isc_result_totext(result));
}
+ if (result != ISC_R_SUCCESS) {
+ dns_zone_rpz_disable_db(zone, db);
+ dns_zone_catz_disable_db(zone, db);
+ }
+
for (inc = ISC_LIST_HEAD(zone->newincludes); inc != NULL;
inc = ISC_LIST_HEAD(zone->newincludes))
{
@@ -17472,6 +17480,8 @@ static void
zone_detachdb(dns_zone_t *zone) {
REQUIRE(zone->db != NULL);
+ dns_zone_rpz_disable_db(zone, zone->db);
+ dns_zone_catz_disable_db(zone, zone->db);
dns_db_detach(&zone->db);
}
--
2.23.0

43
backport-Check-for-NULL-before-dereferencing-qctx-rpz_st.patch Normal file
View File

@ -0,0 +1,43 @@
From 148608c7b2a6fb55dafd35632b4a661f90ed36fb Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Micha=C5=82=20K=C4=99pie=C5=84?= <michal@isc.org>
Date: Mon, 13 Jun 2022 14:03:16 +0200
Subject: [PATCH] Check for NULL before dereferencing qctx->rpz_st
Commit 9ffb4a7ba11fae64a6ce2dd6390cd334372b7ab7 causes Clang Static
Analyzer to flag a potential NULL dereference in query_nxdomain():
query.c:9394:26: warning: Dereference of null pointer [core.NullDereference]
if (!qctx->nxrewrite || qctx->rpz_st->m.rpz->addsoa) {
^~~~~~~~~~~~~~~~~~~
1 warning generated.
The warning above is for qctx->rpz_st potentially being a NULL pointer
when query_nxdomain() is called from query_resume(). This is a false
positive because none of the database lookup result codes currently
causing query_nxdomain() to be called (DNS_R_EMPTYWILD, DNS_R_NXDOMAIN)
can be returned by a database lookup following a recursive resolution
attempt. Add a NULL check nevertheless in order to future-proof the
code and silence Clang Static Analyzer.
(cherry picked from commit 07592d1315412c38c978e8d009aace5d0f5bef93)
---
lib/ns/query.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/lib/ns/query.c b/lib/ns/query.c
index 43638a35eb8..067c6a23729 100644
--- a/lib/ns/query.c
+++ b/lib/ns/query.c
@@ -9248,7 +9248,9 @@ query_nxdomain(query_ctx_t *qctx, bool empty_wild) {
{
ttl = 0;
}
- if (!qctx->nxrewrite || qctx->rpz_st->m.rpz->addsoa) {
+ if (!qctx->nxrewrite ||
+ (qctx->rpz_st != NULL && qctx->rpz_st->m.rpz->addsoa))
+ {
result = query_addsoa(qctx, ttl, section);
if (result != ISC_R_SUCCESS) {
QUERY_ERROR(qctx, result);
--
2.23.0

67
backport-Don-t-allow-DNSSEC-records-in-the-raw-zone.patch Normal file
View File

@ -0,0 +1,67 @@
From 949768b252f3cb8a64425f15c9819b24202bb553 Mon Sep 17 00:00:00 2001
From: Matthijs Mekking <matthijs@isc.org>
Date: Mon, 10 Oct 2022 14:14:43 +0200
Subject: [PATCH] Don't allow DNSSEC records in the raw zone
There was an exception for dnssec-policy that allowed DNSSEC in the
unsigned version of the zone. This however causes a crash if the
zone switches from dynamic to inline-signing in the case of NSEC3,
because we are now trying to add an NSEC3 record to a non-NSEC3 node.
This is because BIND expects none of the records in the unsigned
version of the zone to be NSEC3.
Remove the exception for dnssec-policy when copying non DNSSEC
records, but do allow for DNSKEY as this may be a published DNSKEY
from a different provider.
(cherry picked from commit 332b98ae49948e26a90f1d6e0a625f6eec568777)
---
lib/dns/zone.c | 19 ++++++-------------
1 file changed, 6 insertions(+), 13 deletions(-)
diff --git a/lib/dns/zone.c b/lib/dns/zone.c
index 9a248ff318..e6c6bd01ca 100644
--- a/lib/dns/zone.c
+++ b/lib/dns/zone.c
@@ -16969,9 +16969,8 @@ restore_nsec3param(dns_zone_t *zone, dns_db_t *db, dns_dbversion_t *version,
}
static isc_result_t
-copy_non_dnssec_records(dns_zone_t *zone, dns_db_t *db, dns_db_t *version,
- dns_db_t *rawdb, dns_dbiterator_t *dbiterator,
- unsigned int *oldserial) {
+copy_non_dnssec_records(dns_db_t *db, dns_db_t *version, dns_db_t *rawdb,
+ dns_dbiterator_t *dbiterator, unsigned int *oldserial) {
dns_dbnode_t *rawnode = NULL, *node = NULL;
dns_fixedname_t fixed;
dns_name_t *name = dns_fixedname_initname(&fixed);
@@ -17008,14 +17007,8 @@ copy_non_dnssec_records(dns_zone_t *zone, dns_db_t *db, dns_db_t *version,
rdataset.type == dns_rdatatype_dnskey ||
rdataset.type == dns_rdatatype_nsec3param)
{
- /*
- * Allow DNSSEC records with dnssec-policy.
- * WMM: Perhaps add config option for it.
- */
- if (dns_zone_getkasp(zone) == NULL) {
- dns_rdataset_disassociate(&rdataset);
- continue;
- }
+ dns_rdataset_disassociate(&rdataset);
+ continue;
}
if (rdataset.type == dns_rdatatype_soa && oldserial != NULL) {
result = checkandaddsoa(db, node, version, &rdataset,
@@ -17118,8 +17111,8 @@ receive_secure_db(isc_task_t *task, isc_event_t *event) {
for (result = dns_dbiterator_first(dbiterator); result == ISC_R_SUCCESS;
result = dns_dbiterator_next(dbiterator))
{
- result = copy_non_dnssec_records(zone, db, version, rawdb,
- dbiterator, oldserialp);
+ result = copy_non_dnssec_records(db, version, rawdb, dbiterator,
+ oldserialp);
if (result != ISC_R_SUCCESS) {
goto failure;
}
--
2.23.0

70
backport-Fix-a-logical-bug-in-cfg_print_duration.patch Normal file
View File

@ -0,0 +1,70 @@
From f458f6496de4dce06b1f9682537855800eda9675 Mon Sep 17 00:00:00 2001
From: Aram Sargsyan <aram@isc.org>
Date: Mon, 17 Oct 2022 08:45:09 +0000
Subject: [PATCH] Fix a logical bug in cfg_print_duration()
The cfg_print_duration() function prints a ISO 8601 duration value
converted from an array of integers, where the parts of the date and
time are stored.
durationlen[6], which holds the "seconds" part of the duration, has
a special case in cfg_print_duration() to ensure that when there are
no values in the duration, the result still can be printed as "PT0S",
instead of just "P", so it can be a valid ISO 8601 duration value.
There is a logical error in one of the two special case code paths,
when it checks that no value from the "date" part is defined, and no
"hour" or "minute" from the "time" part are defined.
Because of the error, durationlen[6] can be used uninitialized, in
which case the second parameter passed to snprintf() (which is the
maximum allowed length) can contain a garbage value.
This can not be exploited because the buffer is still big enough to
hold the maximum possible amount of characters generated by the "%u%c"
format string.
Fix the logical bug, and initialize the 'durationlen' array to zeros
to be a little safer from other similar errors.
(cherry picked from commit 94409101870b689f77452b6324968687d9f3c72f)
---
lib/isccfg/parser.c | 8 +++-----
1 file changed, 3 insertions(+), 5 deletions(-)
diff --git a/lib/isccfg/parser.c b/lib/isccfg/parser.c
index b2a4a0ee979..42056c974e8 100644
--- a/lib/isccfg/parser.c
+++ b/lib/isccfg/parser.c
@@ -1041,7 +1041,7 @@ cfg_print_duration(cfg_printer_t *pctx, const cfg_obj_t *obj) {
char *str;
const char *indicators = "YMWDHMS";
int count, i;
- int durationlen[7];
+ int durationlen[7] = { 0 };
cfg_duration_t duration;
/*
* D ? The duration has a date part.
@@ -1073,10 +1073,8 @@ cfg_print_duration(cfg_printer_t *pctx, const cfg_obj_t *obj) {
} else {
T = true;
}
- } else {
- durationlen[i] = 0;
+ count += durationlen[i];
}
- count += durationlen[i];
}
/*
* Special case for seconds which is not taken into account in the
@@ -1114,7 +1112,7 @@ cfg_print_duration(cfg_printer_t *pctx, const cfg_obj_t *obj) {
}
/* Special case for seconds. */
if (duration.parts[6] > 0 ||
- (!D && !duration.parts[4] && !duration.parts[3])) {
+ (!D && !duration.parts[4] && !duration.parts[5])) {
snprintf(str, durationlen[6] + 2, "%u%c",
(uint32_t)duration.parts[6], indicators[6]);
}
--
2.23.0

34
backport-Fix-logging-a-uint32_t-SOA-serial-value-in-dns_catz_update_from_db.patch Normal file
View File

@ -0,0 +1,34 @@
From a634488a24f9be05d50a4a67f0d2bf4182161697 Mon Sep 17 00:00:00 2001
From: Aram Sargsyan <aram@isc.org>
Date: Wed, 14 Dec 2022 14:40:31 +0000
Subject: [PATCH] Fix logging a uint32_t SOA serial value in
dns_catz_update_from_db()
The dns_catz_update_from_db() function prints serial number as a signed
number (with "%d" in the format string), but the `vers` variable's type
is 'uint32_t'. This breaks serials bigger than 2^31.
Use PRIu32 instead of "d" in the format string.
(cherry picked from commit 72b1760ea6cd415efe9868aad97c982fea8b0a42)
---
lib/dns/catz.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/lib/dns/catz.c b/lib/dns/catz.c
index 49ad9bf37b..8a552d1259 100644
--- a/lib/dns/catz.c
+++ b/lib/dns/catz.c
@@ -1874,8 +1874,8 @@ dns_catz_update_from_db(dns_db_t *db, dns_catz_zones_t *catzs) {
isc_log_write(dns_lctx, DNS_LOGCATEGORY_GENERAL, DNS_LOGMODULE_MASTER,
ISC_LOG_INFO,
- "catz: updating catalog zone '%s' with serial %d", bname,
- vers);
+ "catz: updating catalog zone '%s' with serial %" PRIu32,
+ bname, vers);
result = dns_catz_new_zone(catzs, &newzone, &db->origin);
if (result != ISC_R_SUCCESS) {
--
2.23.0

99
backport-Propagate-the-shutdown-event-to-the-recursing-ns_client-s.patch Normal file
View File

@ -0,0 +1,99 @@
From 72724b258c1c86c638630559d7142723d595d69d Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Ond=C5=99ej=20Sur=C3=BD?= <ondrej@isc.org>
Date: Thu, 3 Nov 2022 17:42:12 +0100
Subject: [PATCH] Propagate the shutdown event to the recursing ns_client(s)
Send the ns_query_cancel() on the recursing clients when we initiate the
named shutdown for faster shutdown.
When we are shutting down the resolver, we cancel all the outstanding
fetches, and the ISC_R_CANCEL events doesn't propagate to the ns_client
callback.
In the future, the better solution how to fix this would be to look at
the shutdown paths and let them all propagate from bottom (loopmgr) to
top (f.e. ns_client).
(cherry picked from commit d861d403bb9a7912e29a06aba6caf6d502839f1b)
---
lib/ns/client.c | 13 +++++++++++++
lib/ns/include/ns/client.h | 10 ++++++++--
lib/ns/interfacemgr.c | 1 +
lib/ns/win32/libns.def | 1 +
4 files changed, 23 insertions(+), 2 deletions(-)
diff --git a/lib/ns/client.c b/lib/ns/client.c
index 6bd5ddfdefb..d4ce000be87 100644
--- a/lib/ns/client.c
+++ b/lib/ns/client.c
@@ -2518,6 +2518,19 @@ cleanup_reclock:
return (result);
}
+void
+ns_clientmgr_shutdown(ns_clientmgr_t *manager) {
+ REQUIRE(VALID_MANAGER(manager));
+
+ LOCK(&manager->reclock);
+ for (ns_client_t *client = ISC_LIST_HEAD(manager->recursing);
+ client != NULL; client = ISC_LIST_NEXT(client, rlink))
+ {
+ ns_query_cancel(client);
+ }
+ UNLOCK(&manager->reclock);
+}
+
void
ns_clientmgr_destroy(ns_clientmgr_t **managerp) {
isc_result_t result;
diff --git a/lib/ns/include/ns/client.h b/lib/ns/include/ns/client.h
index 9d152c6bbe8..d1e2fde4073 100644
--- a/lib/ns/include/ns/client.h
+++ b/lib/ns/include/ns/client.h
@@ -354,12 +354,18 @@ ns_clientmgr_create(isc_mem_t *mctx, ns_server_t *sctx, isc_taskmgr_t *taskmgr,
*/
void
-ns_clientmgr_destroy(ns_clientmgr_t **managerp);
+ns_clientmgr_shutdown(ns_clientmgr_t *manager);
/*%<
- * Destroy a client manager and all ns_client_t objects
+ * Shutdown a client manager and all ns_client_t objects
* managed by it.
*/
+void
+ns_clientmgr_destroy(ns_clientmgr_t **managerp);
+/*%<
+ * Destroy a client manager.
+ */
+
isc_sockaddr_t *
ns_client_getsockaddr(ns_client_t *client);
/*%<
diff --git a/lib/ns/interfacemgr.c b/lib/ns/interfacemgr.c
index 687359058b0..216e274a54e 100644
--- a/lib/ns/interfacemgr.c
+++ b/lib/ns/interfacemgr.c
@@ -574,6 +574,7 @@ ns_interface_shutdown(ns_interface_t *ifp) {
isc_nmsocket_close(&ifp->tcplistensocket);
}
if (ifp->clientmgr != NULL) {
+ ns_clientmgr_shutdown(ifp->clientmgr);
ns_clientmgr_destroy(&ifp->clientmgr);
}
}
diff --git a/lib/ns/win32/libns.def b/lib/ns/win32/libns.def
index eadd940a9ce..50edf86730b 100644
--- a/lib/ns/win32/libns.def
+++ b/lib/ns/win32/libns.def
@@ -42,6 +42,7 @@ ns_client_shuttingdown
ns_client_sourceip
ns_clientmgr_create
ns_clientmgr_destroy
+ns_clientmgr_shutdown
ns_hook_add
ns_hooktable_create
ns_hooktable_free
--
2.23.0

31
backport-Release-unused-key-file-IO-lock-objects.patch Normal file
View File

@ -0,0 +1,31 @@
From 98fca774b62f35b0618c01430e424ca43c492e34 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Ond=C5=99ej=20Sur=C3=BD?= <ondrej@isc.org>
Date: Wed, 7 Dec 2022 16:45:33 +0100
Subject: [PATCH] Release unused key file IO lock objects
Due to off-by-one error in zonemgr_keymgmt_delete, unused key file IO
lock objects were never freed and they were kept until the server
shutdown. Adjust the returned value by -1 to accomodate the fact that
the atomic_fetch_*() functions return the value before the operation and
not current value after the operation.
(cherry picked from commit fb1acd6736609360f79a498d44dffcceb8ca0f54)
---
lib/dns/zone.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/lib/dns/zone.c b/lib/dns/zone.c
index 2456cd23be..22ffc73b63 100644
--- a/lib/dns/zone.c
+++ b/lib/dns/zone.c
@@ -18656,7 +18656,7 @@ zonemgr_keymgmt_delete(dns_zonemgr_t *zmgr, dns_zone_t *zone) {
if (dns_name_equal(kfio->name, &zone->origin)) {
unsigned int count;
- count = atomic_fetch_sub_relaxed(&kfio->count, 1);
+ count = atomic_fetch_sub_relaxed(&kfio->count, 1) - 1;
if (count > 0) {
/* Keep the entry. */
break;
--
2.23.0

87
backport-Select-the-appropriate-namespace-when-using-a-dual-stack-server.patch Normal file
View File

@ -0,0 +1,87 @@
From 3952f01cad20c5468a9f0aef818ee79b57aeb260 Mon Sep 17 00:00:00 2001
From: Mark Andrews <marka@isc.org>
Date: Tue, 18 Oct 2022 10:02:08 +1100
Subject: [PATCH] Select the appropriate namespace when using a dual stack
server
When using dual-stack-servers the covering namespace to check whether
answers are in scope or not should be fctx->domain. To do this we need
to be able to distingish forwarding due to forwarders clauses and
dual-stack-servers. A new flag FCTX_ADDRINFO_DUALSTACK has been added
to signal this.
(cherry picked from commit dfbffd77f9fac6397f5223e0fc3b3de28de68b5f)
---
lib/dns/resolver.c | 16 +++++++++++++---
1 file changed, 13 insertions(+), 3 deletions(-)
diff --git a/lib/dns/resolver.c b/lib/dns/resolver.c
index 9a25a4cda7..41d79e9d46 100644
--- a/lib/dns/resolver.c
+++ b/lib/dns/resolver.c
@@ -320,6 +320,11 @@ struct fetchctx {
ISC_LIST(resquery_t) queries;
dns_adbfindlist_t finds;
dns_adbfind_t *find;
+ /*
+ * altfinds are names and/or addresses of dual stack servers that
+ * should be used when iterative resolution to a server is not
+ * possible because the address family of that server is not usable.
+ */
dns_adbfindlist_t altfinds;
dns_adbfind_t *altfind;
dns_adbaddrinfolist_t forwaddrs;
@@ -588,12 +593,14 @@ struct dns_resolver {
#define FCTX_ADDRINFO_EDNSOK 0x04000
#define FCTX_ADDRINFO_NOCOOKIE 0x08000
#define FCTX_ADDRINFO_BADCOOKIE 0x10000
+#define FCTX_ADDRINFO_DUALSTACK 0x20000
#define UNMARKED(a) (((a)->flags & FCTX_ADDRINFO_MARK) == 0)
#define ISFORWARDER(a) (((a)->flags & FCTX_ADDRINFO_FORWARDER) != 0)
#define NOCOOKIE(a) (((a)->flags & FCTX_ADDRINFO_NOCOOKIE) != 0)
#define EDNSOK(a) (((a)->flags & FCTX_ADDRINFO_EDNSOK) != 0)
#define BADCOOKIE(a) (((a)->flags & FCTX_ADDRINFO_BADCOOKIE) != 0)
+#define ISDUALSTACK(a) (((a)->flags & FCTX_ADDRINFO_DUALSTACK) != 0)
#define NXDOMAIN(r) (((r)->attributes & DNS_RDATASETATTR_NXDOMAIN) != 0)
#define NEGATIVE(r) (((r)->attributes & DNS_RDATASETATTR_NEGATIVE) != 0)
@@ -3639,7 +3646,7 @@ findname(fetchctx_t *fctx, const dns_name_t *name, in_port_t port,
}
}
}
- if ((flags & FCTX_ADDRINFO_FORWARDER) != 0) {
+ if ((flags & FCTX_ADDRINFO_DUALSTACK) != 0) {
ISC_LIST_APPEND(fctx->altfinds, find, publink);
} else {
ISC_LIST_APPEND(fctx->finds, find, publink);
@@ -3938,7 +3945,7 @@ normal_nses:
a = ISC_LIST_NEXT(a, link)) {
if (!a->isaddress) {
findname(fctx, &a->_u._n.name, a->_u._n.port,
- stdoptions, FCTX_ADDRINFO_FORWARDER,
+ stdoptions, FCTX_ADDRINFO_DUALSTACK,
now, NULL, NULL, NULL);
continue;
}
@@ -3951,6 +3958,7 @@ normal_nses:
if (result == ISC_R_SUCCESS) {
dns_adbaddrinfo_t *cur;
ai->flags |= FCTX_ADDRINFO_FORWARDER;
+ ai->flags |= FCTX_ADDRINFO_DUALSTACK;
cur = ISC_LIST_HEAD(fctx->altaddrs);
while (cur != NULL && cur->srtt < ai->srtt) {
cur = ISC_LIST_NEXT(cur, publink);
@@ -7117,7 +7125,9 @@ name_external(const dns_name_t *name, dns_rdatatype_t type, fetchctx_t *fctx) {
unsigned int labels;
dns_namereln_t rel;
- apex = ISFORWARDER(fctx->addrinfo) ? fctx->fwdname : &fctx->domain;
+ apex = (ISDUALSTACK(fctx->addrinfo) || !ISFORWARDER(fctx->addrinfo))
+ ? &fctx->domain
+ : fctx->fwdname;
/*
* The name is outside the queried namespace.
--
2.23.0

81
backport-Suppress-duplicate-dns_db_updatenotify_register-registrations.patch Normal file
View File

@ -0,0 +1,81 @@
From ffeda92cd85461dad3bea74dd4892ef990fec4c9 Mon Sep 17 00:00:00 2001
From: Mark Andrews <marka@isc.org>
Date: Wed, 30 Nov 2022 18:40:27 +1100
Subject: [PATCH] Suppress duplicate dns_db_updatenotify_register registrations
Duplicate dns_db_updatenotify_register registrations need to be
suppressed to ensure that dns_db_updatenotify_unregister is successful.
(cherry picked from commit f13e71e55167bf9c94f4faf1dab110467158e7b4)
---
lib/dns/catz.c | 6 +++---
lib/dns/db.c | 12 +++++++++++-
lib/dns/include/dns/db.h | 2 +-
3 files changed, 15 insertions(+), 5 deletions(-)
diff --git a/lib/dns/catz.c b/lib/dns/catz.c
index 487d20833e1..332f9877360 100644
--- a/lib/dns/catz.c
+++ b/lib/dns/catz.c
@@ -810,9 +810,9 @@ dns_catz_zone_detach(dns_catz_zone_t **zonep) {
zone->magic = 0;
isc_timer_detach(&zone->updatetimer);
if (zone->db_registered) {
- INSIST(dns_db_updatenotify_unregister(
- zone->db, dns_catz_dbupdate_callback,
- zone->catzs) == ISC_R_SUCCESS);
+ dns_db_updatenotify_unregister(
+ zone->db, dns_catz_dbupdate_callback,
+ zone->catzs);
}
if (zone->dbversion) {
dns_db_closeversion(zone->db, &zone->dbversion, false);
diff --git a/lib/dns/db.c b/lib/dns/db.c
index c5de3d9e0b0..04cf6560fea 100644
--- a/lib/dns/db.c
+++ b/lib/dns/db.c
@@ -1013,7 +1013,7 @@ dns_db_rpz_ready(dns_db_t *db) {
return ((db->methods->rpz_ready)(db));
}
-/**
+/*
* Attach a notify-on-update function the database
*/
isc_result_t
@@ -1024,6 +1024,16 @@ dns_db_updatenotify_register(dns_db_t *db, dns_dbupdate_callback_t fn,
REQUIRE(db != NULL);
REQUIRE(fn != NULL);
+ for (listener = ISC_LIST_HEAD(db->update_listeners); listener != NULL;
+ listener = ISC_LIST_NEXT(listener, link))
+ {
+ if ((listener->onupdate == fn) &&
+ (listener->onupdate_arg == fn_arg))
+ {
+ return (ISC_R_SUCCESS);
+ }
+ }
+
listener = isc_mem_get(db->mctx, sizeof(dns_dbonupdatelistener_t));
listener->onupdate = fn;
diff --git a/lib/dns/include/dns/db.h b/lib/dns/include/dns/db.h
index f14d9f6c529..08bdc80e4ee 100644
--- a/lib/dns/include/dns/db.h
+++ b/lib/dns/include/dns/db.h
@@ -1673,11 +1673,11 @@ dns_db_updatenotify_register(dns_db_t *db, dns_dbupdate_callback_t fn,
void *fn_arg);
/*%<
* Register a notify-on-update callback function to a database.
+ * Duplicate callbacks are suppressed.
*
* Requires:
*
* \li 'db' is a valid database
- * \li 'db' does not have an update callback registered
* \li 'fn' is not NULL
*
*/
--
2.23.0

62
backport-ensure-RPZ-lookups-handle-CD-1-correctly.patch Normal file
View File

@ -0,0 +1,62 @@
From 8e4a1f3483bedf262504583605ec07205bd17c2a Mon Sep 17 00:00:00 2001
From: Evan Hunt <each@isc.org>
Date: Tue, 18 Oct 2022 13:48:52 -0700
Subject: [PATCH] ensure RPZ lookups handle CD=1 correctly
RPZ rewrites called dns_db_findext() without passing through the
client database options; as as result, if the client set CD=1,
DNS_DBFIND_PENDINGOK was not used as it should have been, and
cache lookups failed, resulting in failure of the rewrite.
(cherry picked from commit 305a50dbe12a43b0ee429c2e9bee04f35a8047c4)
---
lib/ns/query.c | 11 ++++++-----
1 file changed, 6 insertions(+), 5 deletions(-)
diff --git a/lib/ns/query.c b/lib/ns/query.c
index 43a0293d5d..baa28b5233 100644
--- a/lib/ns/query.c
+++ b/lib/ns/query.c
@@ -3585,7 +3585,7 @@ rpz_rewrite_ip_rrset(ns_client_t *client, dns_name_t *name,
struct in_addr ina;
struct in6_addr in6a;
isc_result_t result;
- unsigned int options = DNS_DBFIND_GLUEOK;
+ unsigned int options = client->query.dboptions | DNS_DBFIND_GLUEOK;
bool done = false;
CTRACE(ISC_LOG_DEBUG(3), "rpz_rewrite_ip_rrset");
@@ -3646,8 +3646,9 @@ rpz_rewrite_ip_rrset(ns_client_t *client, dns_name_t *name,
* otherwise we are done.
*/
if (result == DNS_R_GLUE) {
- options = 0;
+ options = client->query.dboptions;
} else {
+ options = client->query.dboptions | DNS_DBFIND_GLUEOK;
done = true;
}
@@ -4207,7 +4208,7 @@ rpz_rewrite(ns_client_t *client, dns_rdatatype_t qtype, isc_result_t qresult,
dns_fixedname_init(&nsnamef);
dns_name_clone(client->query.qname, dns_fixedname_name(&nsnamef));
- options = DNS_DBFIND_GLUEOK;
+ options = client->query.dboptions | DNS_DBFIND_GLUEOK;
while (st->r.label > st->popt.min_ns_labels) {
bool was_glue = false;
/*
@@ -4333,9 +4334,9 @@ rpz_rewrite(ns_client_t *client, dns_rdatatype_t qtype, isc_result_t qresult,
* glue responses, otherwise setup for the next name.
*/
if (was_glue) {
- options = 0;
+ options = client->query.dboptions;
} else {
- options = DNS_DBFIND_GLUEOK;
+ options = client->query.dboptions | DNS_DBFIND_GLUEOK;
st->r.label--;
}
--
2.23.0

21
bind.spec
View File

@ -30,7 +30,7 @@ Summary: The Berkeley Internet Name Domain (BIND) DNS (Domain Name System) serv
Name: bind
License: MPLv2.0
Version: 9.16.23
Release: 15
Release: 16
Epoch: 32
Url: https://www.isc.org/downloads/bind/
#
@ -173,13 +173,24 @@ Patch6004:backport-CVE-2022-38177.patch
Patch6005:backport-CVE-2022-38178.patch
Patch6006:backport-CVE-2022-2906.patch
Patch6007:backport-CVE-2022-2881.patch
Patch6096:backport-CVE-2022-3736.patch
Patch6097:backport-CVE-2022-3924.patch
Patch6098:backport-CVE-2022-3094-add-an-update-quota.patch
Patch6099:backport-CVE-2022-3094-add-a-configuration-option-for-the-update-quota.patch
Patch6100:backport-CVE-2022-3094-move-update-ACL-and-update-policy-checks-before-quota.patch
Patch6101:backport-Fix-a-logical-bug-in-cfg_print_duration.patch
Patch6102:backport-ensure-RPZ-lookups-handle-CD-1-correctly.patch
Patch6103:backport-Don-t-allow-DNSSEC-records-in-the-raw-zone.patch
Patch6104:backport-Select-the-appropriate-namespace-when-using-a-dual-stack-server.patch
Patch6105:backport-Check-for-NULL-before-dereferencing-qctx-rpz_st.patch
Patch6106:backport-Suppress-duplicate-dns_db_updatenotify_register-registrations.patch
Patch6107:backport-Call-dns_db_updatenotify_unregister-earlier.patch
Patch6108:backport-Add-missing-DbC-magic-checks.patch
Patch6109:backport-Propagate-the-shutdown-event-to-the-recursing-ns_client-s.patch
Patch6110:backport-Release-unused-key-file-IO-lock-objects.patch
Patch6111:backport-Fix-logging-a-uint32_t-SOA-serial-value-in-dns_catz_update_from_db.patch
Patch9000:bugfix-limit-numbers-of-test-threads.patch
%{?systemd_ordering}
@ -1188,6 +1199,12 @@ fi;
%endif
%changelog
* Sat Feb 25 2023 zhanghao <zhanghao383@huawei.com> - 32:9.16.23-16
- Type:bugfix
- CVE:NA
- SUG:NA
- DESC: backport some patches from community
* Thu Feb 09 2023 zhanghao<zhanghao383@huawei.com> - 32:9.16.23-15
- Type:bugfix
- CVE:NA