Fix CVEs and sync some patches from upstream

(cherry picked from commit 024c1c3a13843410cfc171309152f326fed846cf)
chengyechun 2024-03-15 16:21:36 +08:00 committed by openeuler-sync-bot
parent f9f8cfd23b
commit 976d86a951
27 changed files with 5400 additions and 55 deletions


@ -0,0 +1,41 @@
yum 32779aba8a0a5f852c611f44ecbeab5aab633e34 Mon Sep 17 00:00:00 2001
From: Aram Sargsyan <aram@isc.org>
Date: Wed, 31 Aug 2022 12:30:38 +0000
Subject: [PATCH] Add mctx attach/detach when creating/destroying a memory pool
This should make sure that the memory context is not destroyed
before the memory pool, which is using the context.
Conflict: Context adaptation in the original patch+ mpctx->lock = NULL;
Reference: https://gitlab.isc.org/isc-projects/bind9/-/commit/32779aba8a0a5f852c611f44ecbeab5aab633e34
(cherry picked from commit e97c3eea954e055634b72c21325d2611e960ee94)
---
lib/isc/mem.c | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/lib/isc/mem.c b/lib/isc/mem.c
index f84d300..33ece7a 100644
--- a/lib/isc/mem.c
+++ b/lib/isc/mem.c
@@ -1656,7 +1656,8 @@ isc_mempool_create(isc_mem_t *mctx0, size_t size, isc_mempool_t **mpctxp) {
mpctx->common.impmagic = MEMPOOL_MAGIC;
mpctx->common.magic = ISCAPI_MPOOL_MAGIC;
mpctx->lock = NULL;
- mpctx->mctx = mctx;
+ mpctx->mctx = NULL;
+ isc_mem_attach((isc_mem_t *)mctx, (isc_mem_t **)&mpctx->mctx);
/*
* Mempools are stored as a linked list of element.
*/
@@ -1765,7 +1766,8 @@ isc_mempool_destroy(isc_mempool_t **mpctxp) {
mpctx->common.impmagic = 0;
mpctx->common.magic = 0;
- isc_mem_put((isc_mem_t *)mpctx->mctx, mpctx, sizeof(isc__mempool_t));
+ isc_mem_putanddetach((isc_mem_t **)&mpctx->mctx, mpctx,
+ sizeof(isc__mempool_t));
if (lock != NULL) {
UNLOCK(lock);
--
2.33.0
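Review bot: The first line of the added patch file reads `yum 32779aba8a0a5f852c611f44ecbeab5aab633e34 Mon Sep 17 00:00:00 2001`, whereas a git-format-patch file must start with `From <sha> Mon Sep 17 00:00:00 2001`; if that is the file's content rather than a rendering artefact, any tooling that parses the mail header (git am, git apply --index) will reject it, so it should read `From 32779aba8a0a5f852c611f44ecbeab5aab633e34 Mon Sep 17 00:00:00 2001`. The `Conflict:` line also appears to have the adapted context line fused onto it (`...original patch+ mpctx->lock = NULL;`), which reads as if the code were part of the sentence; putting the adapted line on its own line, or in parentheses, would make the backport note unambiguous. The isc_mempool_create and isc_mempool_destroy bodies continue outside the hunks, so whether any failure path between the new `isc_mem_attach()` and the function's return would leak the attached reference cannot be judged from here.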


@ -150,7 +150,7 @@ index a970a28..540bc2e 100644
isc_quota_destroy(&sctx->tcpquota);
isc_quota_destroy(&sctx->xfroutquota);
diff --git a/lib/ns/update.c b/lib/ns/update.c
index 582d4ff..a1650de 100644
index ddda25a..a69b6e5 100644
--- a/lib/ns/update.c
+++ b/lib/ns/update.c
@@ -1544,6 +1544,19 @@ send_update_event(ns_client_t *client, dns_zone_t *zone) {
@ -173,7 +173,7 @@ index 582d4ff..a1650de 100644
event = (update_event_t *)isc_event_allocate(
client->mctx, client, DNS_EVENT_UPDATE, update_action, NULL,
sizeof(*event));
@@ -1685,12 +1698,19 @@ failure:
@@ -1682,12 +1695,19 @@ failure:
dns_zone_gettype(zone) == dns_zone_mirror);
inc_stats(client, zone, ns_statscounter_updaterej);
}
@ -194,7 +194,7 @@ index 582d4ff..a1650de 100644
if (zone != NULL) {
dns_zone_detach(&zone);
}
@@ -3498,6 +3518,7 @@ updatedone_action(isc_task_t *task, isc_event_t *event) {
@@ -3494,6 +3514,7 @@ updatedone_action(isc_task_t *task, isc_event_t *event) {
respond(client, uev->result);
@ -202,7 +202,7 @@ index 582d4ff..a1650de 100644
isc_event_free(&event);
isc_nmhandle_detach(&client->updatehandle);
}
@@ -3514,6 +3535,8 @@ forward_fail(isc_task_t *task, isc_event_t *event) {
@@ -3510,6 +3531,8 @@ forward_fail(isc_task_t *task, isc_event_t *event) {
INSIST(client->nupdates > 0);
client->nupdates--;
respond(client, DNS_R_SERVFAIL);
@ -211,16 +211,16 @@ index 582d4ff..a1650de 100644
isc_event_free(&event);
isc_nmhandle_detach(&client->updatehandle);
}
@@ -3551,6 +3574,8 @@ forward_done(isc_task_t *task, isc_event_t *event) {
@@ -3547,6 +3570,8 @@ forward_done(isc_task_t *task, isc_event_t *event) {
client->nupdates--;
ns_client_sendraw(client, uev->answer);
dns_message_detach(&uev->answer);
+
+ isc_quota_detach(&(isc_quota_t *){ &client->manager->sctx->updquota });
isc_event_free(&event);
isc_nmhandle_detach(&client->reqhandle);
isc_nmhandle_detach(&client->updatehandle);
}
@@ -3585,6 +3610,17 @@ send_forward_event(ns_client_t *client, dns_zone_t *zone) {
@@ -3582,6 +3607,17 @@ send_forward_event(ns_client_t *client, dns_zone_t *zone) {
update_event_t *event = NULL;
isc_task_t *zonetask = NULL;
@ -239,4 +239,5 @@ index 582d4ff..a1650de 100644
client->mctx, client, DNS_EVENT_UPDATE, forward_action, NULL,
sizeof(*event));
--
GitLab
2.33.0

backport-CVE-2023-4408.patch Normal file



@ -0,0 +1,498 @@
From c12608ca934c0433d280e65fe6c631013e200cfe Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Ond=C5=99ej=20Sur=C3=BD?= <ondrej@isc.org>
Date: Thu, 11 Jan 2024 12:03:24 +0100
Subject: [PATCH] Split fast and slow task queues
Change the taskmgr (and thus netmgr) in a way that it supports fast and
slow task queues. The fast queue is used for incoming DNS traffic and
it will pass the processing to the slow queue for sending outgoing DNS
messages and processing resolver messages.
In the future, more tasks might get moved to the slow queues, so the
cached and authoritative DNS traffic can be handled without being slowed
down by operations that take longer time to process.
Conflict:Since the optimization patch 32a3970b has not been incorporated, the patch test modification part needs to be incorporated.
Reference:https://downloads.isc.org/isc/bind/9.16.48/patches/0005-CVE-2023-50387-CVE-2023-50868.patch
(cherry picked from commit 1b3b0cef224e7a9e8279c5cfe2f7e188e3777cc7)
---
lib/dns/dst_api.c | 27 +++++++++----
lib/dns/include/dns/validator.h | 1 +
lib/dns/include/dst/dst.h | 4 ++
lib/dns/resolver.c | 4 +-
lib/dns/validator.c | 67 +++++++++++++++------------------
lib/isc/include/isc/netmgr.h | 3 ++
lib/isc/netmgr/netmgr-int.h | 1 +
lib/isc/netmgr/netmgr.c | 36 +++++++++++-------
lib/isc/netmgr/tcp.c | 6 +--
lib/isc/netmgr/tcpdns.c | 4 +-
lib/isc/netmgr/udp.c | 6 +--
lib/isc/tests/netmgr_test.c | 2 -
12 files changed, 91 insertions(+), 70 deletions(-)
diff --git a/lib/dns/dst_api.c b/lib/dns/dst_api.c
index c2977e0..0bf84b9 100644
--- a/lib/dns/dst_api.c
+++ b/lib/dns/dst_api.c
@@ -160,7 +160,8 @@ computeid(dst_key_t *key);
static isc_result_t
frombuffer(const dns_name_t *name, unsigned int alg, unsigned int flags,
unsigned int protocol, dns_rdataclass_t rdclass,
- isc_buffer_t *source, isc_mem_t *mctx, dst_key_t **keyp);
+ isc_buffer_t *source, isc_mem_t *mctx, bool no_rdata,
+ dst_key_t **keyp);
static isc_result_t
algorithm_status(unsigned int alg);
@@ -776,6 +777,13 @@ dst_key_todns(const dst_key_t *key, isc_buffer_t *target) {
isc_result_t
dst_key_fromdns(const dns_name_t *name, dns_rdataclass_t rdclass,
isc_buffer_t *source, isc_mem_t *mctx, dst_key_t **keyp) {
+ return (dst_key_fromdns_ex(name, rdclass, source, mctx, false, keyp));
+}
+
+isc_result_t
+dst_key_fromdns_ex(const dns_name_t *name, dns_rdataclass_t rdclass,
+ isc_buffer_t *source, isc_mem_t *mctx, bool no_rdata,
+ dst_key_t **keyp) {
uint8_t alg, proto;
uint32_t flags, extflags;
dst_key_t *key = NULL;
@@ -806,7 +814,7 @@ dst_key_fromdns(const dns_name_t *name, dns_rdataclass_t rdclass,
}
result = frombuffer(name, alg, flags, proto, rdclass, source, mctx,
- &key);
+ no_rdata, &key);
if (result != ISC_R_SUCCESS) {
return (result);
}
@@ -827,7 +835,7 @@ dst_key_frombuffer(const dns_name_t *name, unsigned int alg, unsigned int flags,
REQUIRE(dst_initialized);
result = frombuffer(name, alg, flags, protocol, rdclass, source, mctx,
- &key);
+ false, &key);
if (result != ISC_R_SUCCESS) {
return (result);
}
@@ -2331,7 +2339,8 @@ computeid(dst_key_t *key) {
static isc_result_t
frombuffer(const dns_name_t *name, unsigned int alg, unsigned int flags,
unsigned int protocol, dns_rdataclass_t rdclass,
- isc_buffer_t *source, isc_mem_t *mctx, dst_key_t **keyp) {
+ isc_buffer_t *source, isc_mem_t *mctx, bool no_rdata,
+ dst_key_t **keyp) {
dst_key_t *key;
isc_result_t ret;
@@ -2356,10 +2365,12 @@ frombuffer(const dns_name_t *name, unsigned int alg, unsigned int flags,
return (DST_R_UNSUPPORTEDALG);
}
- ret = key->func->fromdns(key, source);
- if (ret != ISC_R_SUCCESS) {
- dst_key_free(&key);
- return (ret);
+ if (!no_rdata) {
+ ret = key->func->fromdns(key, source);
+ if (ret != ISC_R_SUCCESS) {
+ dst_key_free(&key);
+ return (ret);
+ }
}
}
diff --git a/lib/dns/include/dns/validator.h b/lib/dns/include/dns/validator.h
index 4744014..73ac1cd 100644
--- a/lib/dns/include/dns/validator.h
+++ b/lib/dns/include/dns/validator.h
@@ -147,6 +147,7 @@ struct dns_validator {
unsigned int depth;
unsigned int authcount;
unsigned int authfail;
+ bool failed;
isc_stdtime_t start;
};
diff --git a/lib/dns/include/dst/dst.h b/lib/dns/include/dst/dst.h
index df48d8e..46fb193 100644
--- a/lib/dns/include/dst/dst.h
+++ b/lib/dns/include/dst/dst.h
@@ -469,6 +469,10 @@ dst_key_tofile(const dst_key_t *key, int type, const char *directory);
*/
isc_result_t
+dst_key_fromdns_ex(const dns_name_t *name, dns_rdataclass_t rdclass,
+ isc_buffer_t *source, isc_mem_t *mctx, bool no_rdata,
+ dst_key_t **keyp);
+isc_result_t
dst_key_fromdns(const dns_name_t *name, dns_rdataclass_t rdclass,
isc_buffer_t *source, isc_mem_t *mctx, dst_key_t **keyp);
/*%<
diff --git a/lib/dns/resolver.c b/lib/dns/resolver.c
index 5f31d5b..cc8c9ab 100644
--- a/lib/dns/resolver.c
+++ b/lib/dns/resolver.c
@@ -10559,8 +10559,8 @@ dns_resolver_create(dns_view_t *view, isc_taskmgr_t *taskmgr,
* Since we have a pool of tasks we bind them to task queues
* to spread the load evenly
*/
- result = isc_task_create_bound(taskmgr, 0,
- &res->buckets[i].task, i);
+ result = isc_task_create_bound(
+ taskmgr, 0, &res->buckets[i].task, ISC_NM_TASK_SLOW(i));
if (result != ISC_R_SUCCESS) {
isc_mutex_destroy(&res->buckets[i].lock);
goto cleanup_buckets;
diff --git a/lib/dns/validator.c b/lib/dns/validator.c
index e54fc70..e416cc9 100644
--- a/lib/dns/validator.c
+++ b/lib/dns/validator.c
@@ -1098,8 +1098,8 @@ create_validator(dns_validator_t *val, dns_name_t *name, dns_rdatatype_t type,
* 'rdataset'. If found, build a dst_key_t for it and point val->key at
* it.
*
- * If val->key is already non-NULL, locate it in the rdataset and then
- * search past it for the *next* key that could have signed 'siginfo', then
+ * If val->key is already non-NULL, start searching from the next position in
+ * 'rdataset' to find the *next* key that could have signed 'siginfo', then
* set val->key to that.
*
* Returns ISC_R_SUCCESS if a possible matching key has been found,
@@ -1112,59 +1112,59 @@ select_signing_key(dns_validator_t *val, dns_rdataset_t *rdataset) {
isc_buffer_t b;
dns_rdata_t rdata = DNS_RDATA_INIT;
dst_key_t *oldkey = val->key;
- bool foundold;
+ bool no_rdata = false;
if (oldkey == NULL) {
- foundold = true;
+ result = dns_rdataset_first(rdataset);
} else {
- foundold = false;
+ dst_key_free(&oldkey);
val->key = NULL;
+ result = dns_rdataset_next(rdataset);
}
-
- result = dns_rdataset_first(rdataset);
if (result != ISC_R_SUCCESS) {
- goto failure;
+ goto done;
}
+
do {
dns_rdataset_current(rdataset, &rdata);
isc_buffer_init(&b, rdata.data, rdata.length);
isc_buffer_add(&b, rdata.length);
INSIST(val->key == NULL);
- result = dst_key_fromdns(&siginfo->signer, rdata.rdclass, &b,
- val->view->mctx, &val->key);
+ result = dst_key_fromdns_ex(&siginfo->signer, rdata.rdclass, &b,
+ val->view->mctx, no_rdata,
+ &val->key);
if (result == ISC_R_SUCCESS) {
if (siginfo->algorithm ==
(dns_secalg_t)dst_key_alg(val->key) &&
siginfo->keyid ==
(dns_keytag_t)dst_key_id(val->key) &&
+ (dst_key_flags(val->key) & DNS_KEYFLAG_REVOKE) ==
+ 0 &&
dst_key_iszonekey(val->key))
{
- if (foundold) {
- /*
- * This is the key we're looking for.
- */
- return (ISC_R_SUCCESS);
- } else if (dst_key_compare(oldkey, val->key)) {
- foundold = true;
- dst_key_free(&oldkey);
+ if (no_rdata) {
+ /* Retry with full key */
+ dns_rdata_reset(&rdata);
+ dst_key_free(&val->key);
+ no_rdata = false;
+ continue;
}
+ /* This is the key we're looking for. */
+ goto done;
}
dst_key_free(&val->key);
}
dns_rdata_reset(&rdata);
result = dns_rdataset_next(rdataset);
+ no_rdata = true;
} while (result == ISC_R_SUCCESS);
+done:
if (result == ISC_R_NOMORE) {
result = ISC_R_NOTFOUND;
}
-failure:
- if (oldkey != NULL) {
- dst_key_free(&oldkey);
- }
-
return (result);
}
@@ -1557,20 +1557,9 @@ validate_answer(dns_validator_t *val, bool resume) {
continue;
}
- do {
- isc_result_t tresult;
- vresult = verify(val, val->key, &rdata,
- val->siginfo->keyid);
- if (vresult == ISC_R_SUCCESS) {
- break;
- }
-
- tresult = select_signing_key(val, val->keyset);
- if (tresult != ISC_R_SUCCESS) {
- break;
- }
- } while (1);
+ vresult = verify(val, val->key, &rdata, val->siginfo->keyid);
if (vresult != ISC_R_SUCCESS) {
+ val->failed = true;
validator_log(val, ISC_LOG_DEBUG(3),
"failed to verify rdataset");
} else {
@@ -1607,9 +1596,13 @@ validate_answer(dns_validator_t *val, bool resume) {
} else {
validator_log(val, ISC_LOG_DEBUG(3),
"verify failure: %s",
- isc_result_totext(result));
+ isc_result_totext(vresult));
resume = false;
}
+ if (val->failed) {
+ result = ISC_R_NOMORE;
+ break;
+ }
}
if (result != ISC_R_NOMORE) {
validator_log(val, ISC_LOG_DEBUG(3),
diff --git a/lib/isc/include/isc/netmgr.h b/lib/isc/include/isc/netmgr.h
index dc44ef2..1b88832 100644
--- a/lib/isc/include/isc/netmgr.h
+++ b/lib/isc/include/isc/netmgr.h
@@ -455,6 +455,9 @@ isc_nm_tcpdnsconnect(isc_nm_t *mgr, isc_sockaddr_t *local, isc_sockaddr_t *peer,
* 'cb'.
*/
+#define ISC_NM_TASK_SLOW_OFFSET -2
+#define ISC_NM_TASK_SLOW(i) (ISC_NM_TASK_SLOW_OFFSET - 1 - i)
+
void
isc_nm_task_enqueue(isc_nm_t *mgr, isc_task_t *task, int threadid);
/*%<
diff --git a/lib/isc/netmgr/netmgr-int.h b/lib/isc/netmgr/netmgr-int.h
index 23bc2a2..80de758 100644
--- a/lib/isc/netmgr/netmgr-int.h
+++ b/lib/isc/netmgr/netmgr-int.h
@@ -630,6 +630,7 @@ struct isc_nm {
isc_refcount_t references;
isc_mem_t *mctx;
int nworkers;
+ int nlisteners;
isc_mutex_t lock;
isc_condition_t wkstatecond;
isc_condition_t wkpausecond;
diff --git a/lib/isc/netmgr/netmgr.c b/lib/isc/netmgr/netmgr.c
index 71c6d62..1aa249e 100644
--- a/lib/isc/netmgr/netmgr.c
+++ b/lib/isc/netmgr/netmgr.c
@@ -272,31 +272,34 @@ isc__nm_winsock_destroy(void) {
#endif /* WIN32 */
static void
-isc__nm_threadpool_initialize(uint32_t workers) {
+isc__nm_threadpool_initialize(uint32_t nworkers) {
char buf[11];
int r = uv_os_getenv("UV_THREADPOOL_SIZE", buf,
&(size_t){ sizeof(buf) });
if (r == UV_ENOENT) {
- snprintf(buf, sizeof(buf), "%" PRIu32, workers);
+ snprintf(buf, sizeof(buf), "%" PRIu32, nworkers);
uv_os_setenv("UV_THREADPOOL_SIZE", buf);
}
}
void
-isc__netmgr_create(isc_mem_t *mctx, uint32_t workers, isc_nm_t **netmgrp) {
+isc__netmgr_create(isc_mem_t *mctx, uint32_t nworkers, isc_nm_t **netmgrp) {
isc_nm_t *mgr = NULL;
char name[32];
- REQUIRE(workers > 0);
+ REQUIRE(nworkers > 0);
#ifdef WIN32
isc__nm_winsock_initialize();
#endif /* WIN32 */
- isc__nm_threadpool_initialize(workers);
+ isc__nm_threadpool_initialize(nworkers);
mgr = isc_mem_get(mctx, sizeof(*mgr));
- *mgr = (isc_nm_t){ .nworkers = workers };
+ *mgr = (isc_nm_t){
+ .nworkers = nworkers * 2,
+ .nlisteners = nworkers,
+ };
isc_mem_attach(mctx, &mgr->mctx);
isc_mutex_init(&mgr->lock);
@@ -337,11 +340,12 @@ isc__netmgr_create(isc_mem_t *mctx, uint32_t workers, isc_nm_t **netmgrp) {
isc_mempool_associatelock(mgr->evpool, &mgr->evlock);
isc_mempool_setfillcount(mgr->evpool, 32);
- isc_barrier_init(&mgr->pausing, workers);
- isc_barrier_init(&mgr->resuming, workers);
+ isc_barrier_init(&mgr->pausing, mgr->nworkers);
+ isc_barrier_init(&mgr->resuming, mgr->nworkers);
- mgr->workers = isc_mem_get(mctx, workers * sizeof(isc__networker_t));
- for (size_t i = 0; i < workers; i++) {
+ mgr->workers = isc_mem_get(mctx,
+ mgr->nworkers * sizeof(isc__networker_t));
+ for (int i = 0; i < mgr->nworkers; i++) {
int r;
isc__networker_t *worker = &mgr->workers[i];
*worker = (isc__networker_t){
@@ -376,7 +380,7 @@ isc__netmgr_create(isc_mem_t *mctx, uint32_t workers, isc_nm_t **netmgrp) {
mgr->workers_running++;
isc_thread_create(nm_thread, &mgr->workers[i], &worker->thread);
- snprintf(name, sizeof(name), "isc-net-%04zu", i);
+ snprintf(name, sizeof(name), "isc-net-%04d", i);
isc_thread_setname(worker->thread, name);
}
@@ -860,9 +864,15 @@ isc_nm_task_enqueue(isc_nm_t *nm, isc_task_t *task, int threadid) {
isc__networker_t *worker = NULL;
if (threadid == -1) {
- tid = (int)isc_random_uniform(nm->nworkers);
+ tid = (int)isc_random_uniform(nm->nlisteners);
+ } else if (threadid == ISC_NM_TASK_SLOW_OFFSET) {
+ tid = nm->nlisteners +
+ (int)isc_random_uniform(nm->nworkers - nm->nlisteners);
+ } else if (threadid < ISC_NM_TASK_SLOW_OFFSET) {
+ tid = nm->nlisteners + (ISC_NM_TASK_SLOW(threadid) %
+ (nm->nworkers - nm->nlisteners));
} else {
- tid = threadid % nm->nworkers;
+ tid = threadid % nm->nlisteners;
}
worker = &nm->workers[tid];
diff --git a/lib/isc/netmgr/tcp.c b/lib/isc/netmgr/tcp.c
index dde592d..c2e059a 100644
--- a/lib/isc/netmgr/tcp.c
+++ b/lib/isc/netmgr/tcp.c
@@ -321,7 +321,7 @@ isc_nm_tcpconnect(isc_nm_t *mgr, isc_sockaddr_t *local, isc_sockaddr_t *peer,
isc__nm_connectcb(sock, req, result, false);
} else {
isc__nmsocket_clearcb(sock);
- sock->tid = isc_random_uniform(mgr->nworkers);
+ sock->tid = isc_random_uniform(mgr->nlisteners);
isc__nm_connectcb(sock, req, result, true);
}
atomic_store(&sock->closed, true);
@@ -339,7 +339,7 @@ isc_nm_tcpconnect(isc_nm_t *mgr, isc_sockaddr_t *local, isc_sockaddr_t *peer,
isc__nm_put_netievent_tcpconnect(mgr, ievent);
} else {
atomic_init(&sock->active, false);
- sock->tid = isc_random_uniform(mgr->nworkers);
+ sock->tid = isc_random_uniform(mgr->nlisteners);
isc__nm_enqueue_ievent(&mgr->workers[sock->tid],
(isc__netievent_t *)ievent);
}
@@ -435,7 +435,7 @@ isc_nm_listentcp(isc_nm_t *mgr, isc_sockaddr_t *iface,
#if defined(WIN32)
sock->nchildren = 1;
#else
- sock->nchildren = mgr->nworkers;
+ sock->nchildren = mgr->nlisteners;
#endif
children_size = sock->nchildren * sizeof(sock->children[0]);
sock->children = isc_mem_get(mgr->mctx, children_size);
diff --git a/lib/isc/netmgr/tcpdns.c b/lib/isc/netmgr/tcpdns.c
index f66944e..8f79a7f 100644
--- a/lib/isc/netmgr/tcpdns.c
+++ b/lib/isc/netmgr/tcpdns.c
@@ -301,7 +301,7 @@ isc_nm_tcpdnsconnect(isc_nm_t *mgr, isc_sockaddr_t *local, isc_sockaddr_t *peer,
isc__nm_put_netievent_tcpdnsconnect(mgr, ievent);
} else {
atomic_init(&sock->active, false);
- sock->tid = isc_random_uniform(mgr->nworkers);
+ sock->tid = isc_random_uniform(mgr->nlisteners);
isc__nm_enqueue_ievent(&mgr->workers[sock->tid],
(isc__netievent_t *)ievent);
}
@@ -400,7 +400,7 @@ isc_nm_listentcpdns(isc_nm_t *mgr, isc_sockaddr_t *iface,
#if defined(WIN32)
sock->nchildren = 1;
#else
- sock->nchildren = mgr->nworkers;
+ sock->nchildren = mgr->nlisteners;
#endif
children_size = sock->nchildren * sizeof(sock->children[0]);
sock->children = isc_mem_get(mgr->mctx, children_size);
diff --git a/lib/isc/netmgr/udp.c b/lib/isc/netmgr/udp.c
index 1af63af..668edca 100644
--- a/lib/isc/netmgr/udp.c
+++ b/lib/isc/netmgr/udp.c
@@ -126,7 +126,7 @@ isc_nm_listenudp(isc_nm_t *mgr, isc_sockaddr_t *iface, isc_nm_recv_cb_t cb,
uv_os_sock_t fd = -1;
/*
- * We are creating mgr->nworkers duplicated sockets, one
+ * We are creating mgr->nlisteners duplicated sockets, one
* socket for each worker thread.
*/
sock = isc_mem_get(mgr->mctx, sizeof(isc_nmsocket_t));
@@ -136,7 +136,7 @@ isc_nm_listenudp(isc_nm_t *mgr, isc_sockaddr_t *iface, isc_nm_recv_cb_t cb,
#if defined(WIN32)
sock->nchildren = 1;
#else
- sock->nchildren = mgr->nworkers;
+ sock->nchildren = mgr->nlisteners;
#endif
children_size = sock->nchildren * sizeof(sock->children[0]);
@@ -795,7 +795,7 @@ isc_nm_udpconnect(isc_nm_t *mgr, isc_sockaddr_t *local, isc_sockaddr_t *peer,
isc__nm_put_netievent_udpconnect(mgr, event);
} else {
atomic_init(&sock->active, false);
- sock->tid = isc_random_uniform(mgr->nworkers);
+ sock->tid = isc_random_uniform(mgr->nlisteners);
isc__nm_enqueue_ievent(&mgr->workers[sock->tid],
(isc__netievent_t *)event);
}
diff --git a/lib/isc/tests/netmgr_test.c b/lib/isc/tests/netmgr_test.c
index e44909e..d2c19e8 100644
--- a/lib/isc/tests/netmgr_test.c
+++ b/lib/isc/tests/netmgr_test.c
@@ -204,8 +204,6 @@ _setup(void **state __attribute__((unused))) {
return (-1);
}
- isc_hp_init(4 * workers);
-
signal(SIGPIPE, SIG_IGN);
if (getenv("CI") == NULL || getenv("CI_ENABLE_ALL_TESTS") != NULL) {
--
2.33.0
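Review bot: The new `bool failed` member added to struct dns_validator (validator.h hunk) is read in validate_answer as `if (val->failed) { result = ISC_R_NOMORE; break; }`, but nothing in this patch initialises it; this presumably relies on the validator being zero-initialised at creation, so confirm that this tree's validator creation path does that, otherwise a stale true value ends validation early with ISC_R_NOMORE. Separately, the helper macro added to netmgr.h leaves its argument unparenthesised, `#define ISC_NM_TASK_SLOW(i) (ISC_NM_TASK_SLOW_OFFSET - 1 - i)`; it should be `#define ISC_NM_TASK_SLOW(i) (ISC_NM_TASK_SLOW_OFFSET - 1 - (i))` so that a compound argument such as `i + 1` is not mis-evaluated, and because `i` in the dns_resolver_create call site is of a type not visible here, a comment noting that the argument is expected to be a non-negative int would document the contract isc_nm_task_enqueue relies on when it does `ISC_NM_TASK_SLOW(threadid) % (nm->nworkers - nm->nlisteners)`. The select_signing_key and validate_answer hunks cut into functions whose bodies continue outside the hunk.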


@ -0,0 +1,117 @@
From c73262493658cb8623927ef6cc2f023501f7e809 Mon Sep 17 00:00:00 2001
From: Mark Andrews <marka@isc.org>
Date: Tue, 10 Oct 2023 10:58:18 +1100
Subject: [PATCH] Save the correct result value to resume with
nxdomain-redirect
The wrong result value was being saved for resumption with
nxdomain-redirect when performing the fetch. This lead to an assert
when checking that RFC 1918 reverse queries where not leaking to
the global internet.
Conflict:NA
Reference:https://downloads.isc.org/isc/bind/9.16.48/patches/0002-CVE-2023-5517.patch
(cherry picked from commit 9d0fa07c5e7a39db89862a4f843d2190059afb4b)
---
lib/ns/query.c | 25 ++++++++++++-------------
1 file changed, 12 insertions(+), 13 deletions(-)
diff --git a/lib/ns/query.c b/lib/ns/query.c
index 62b5ea8463..55d815e6c0 100644
--- a/lib/ns/query.c
+++ b/lib/ns/query.c
@@ -455,10 +455,10 @@ static void
query_addnxrrsetnsec(query_ctx_t *qctx);
static isc_result_t
-query_nxdomain(query_ctx_t *qctx, bool empty_wild);
+query_nxdomain(query_ctx_t *qctx, isc_result_t result);
static isc_result_t
-query_redirect(query_ctx_t *qctx);
+query_redirect(query_ctx_t *qctx, isc_result_t result);
static isc_result_t
query_ncache(query_ctx_t *qctx, isc_result_t result);
@@ -7345,8 +7345,7 @@ query_usestale(query_ctx_t *qctx, isc_result_t result) {
* result from the search.
*/
static isc_result_t
-query_gotanswer(query_ctx_t *qctx, isc_result_t res) {
- isc_result_t result = res;
+query_gotanswer(query_ctx_t *qctx, isc_result_t result) {
char errmsg[256];
CCTRACE(ISC_LOG_DEBUG(3), "query_gotanswer");
@@ -7416,16 +7415,16 @@ query_gotanswer(query_ctx_t *qctx, isc_result_t res) {
return (query_nodata(qctx, DNS_R_NXRRSET));
case DNS_R_EMPTYWILD:
- return (query_nxdomain(qctx, true));
+ return (query_nxdomain(qctx, DNS_R_EMPTYWILD));
case DNS_R_NXDOMAIN:
- return (query_nxdomain(qctx, false));
+ return (query_nxdomain(qctx, DNS_R_NXDOMAIN));
case DNS_R_COVERINGNSEC:
return (query_coveringnsec(qctx));
case DNS_R_NCACHENXDOMAIN:
- result = query_redirect(qctx);
+ result = query_redirect(qctx, result);
if (result != ISC_R_COMPLETE) {
return (result);
}
@@ -9243,10 +9242,10 @@ query_addnxrrsetnsec(query_ctx_t *qctx) {
* Handle NXDOMAIN and empty wildcard responses.
*/
static isc_result_t
-query_nxdomain(query_ctx_t *qctx, bool empty_wild) {
+query_nxdomain(query_ctx_t *qctx, isc_result_t result) {
dns_section_t section;
uint32_t ttl;
- isc_result_t result;
+ bool empty_wild = (result == DNS_R_EMPTYWILD);
CCTRACE(ISC_LOG_DEBUG(3), "query_nxdomain");
@@ -9255,7 +9254,7 @@ query_nxdomain(query_ctx_t *qctx, bool empty_wild) {
INSIST(qctx->is_zone || REDIRECT(qctx->client));
if (!empty_wild) {
- result = query_redirect(qctx);
+ result = query_redirect(qctx, result);
if (result != ISC_R_COMPLETE) {
return (result);
}
@@ -9343,7 +9342,7 @@ query_nxdomain(query_ctx_t *qctx, bool empty_wild) {
* redirecting, so query processing should continue past it.
*/
static isc_result_t
-query_redirect(query_ctx_t *qctx) {
+query_redirect(query_ctx_t *qctx, isc_result_t saved_result) {
isc_result_t result;
CCTRACE(ISC_LOG_DEBUG(3), "query_redirect");
@@ -9384,7 +9383,7 @@ query_redirect(query_ctx_t *qctx) {
SAVE(qctx->client->query.redirect.rdataset, qctx->rdataset);
SAVE(qctx->client->query.redirect.sigrdataset,
qctx->sigrdataset);
- qctx->client->query.redirect.result = DNS_R_NCACHENXDOMAIN;
+ qctx->client->query.redirect.result = saved_result;
dns_name_copynf(qctx->fname,
qctx->client->query.redirect.fname);
qctx->client->query.redirect.authoritative =
@@ -10005,7 +10004,7 @@ query_coveringnsec(query_ctx_t *qctx) {
* We now have the proof that we have an NXDOMAIN. Apply
* NXDOMAIN redirection if configured.
*/
- result = query_redirect(qctx);
+ result = query_redirect(qctx, DNS_R_COVERINGNSEC);
if (result != ISC_R_COMPLETE) {
redirected = true;
goto cleanup;
--
GitLab
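Review bot: query_redirect() gains a `saved_result` parameter that is stored into `qctx->client->query.redirect.result` for the nxdomain-redirect resumption, but the comment block above the function (the hunk's context ends at "... so query processing should continue past it.") is not updated to describe it; I would add `* 'saved_result' is the lookup result (DNS_R_NXDOMAIN, DNS_R_NCACHENXDOMAIN or DNS_R_COVERINGNSEC at the current call sites) that the query resumes with after the redirect fetch completes.` to that comment. The same applies to query_nxdomain(), whose `bool empty_wild` parameter became `isc_result_t result` with `empty_wild` now derived inside; a one-line note that only DNS_R_EMPTYWILD and DNS_R_NXDOMAIN are expected, as the two callers in query_gotanswer() pass, would document the contract. The bodies of query_gotanswer, query_nxdomain and query_redirect continue outside the hunks.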


@ -0,0 +1,38 @@
From 7db2796507127b40e2f091dafb842c6a7e86b9a8 Mon Sep 17 00:00:00 2001
From: Mark Andrews <marka@isc.org>
Date: Thu, 12 Oct 2023 12:01:46 +1100
Subject: [PATCH] Restore dns64 state during serve-stale processing
If we are in the process of looking for the A records as part of
dns64 processing and the server-stale timeout triggers, redo the
dns64 changes that had been made to the orignal qctx.
Conflict:NA
Reference:https://downloads.isc.org/isc/bind/9.16.48/patches/0003-CVE-2023-5679.patch
(cherry picked from commit 1fcc483df13e049b96f620e515f0d4d45f3680b7)
---
lib/ns/query.c | 7 +++++++
1 file changed, 7 insertions(+)
diff --git a/lib/ns/query.c b/lib/ns/query.c
index 55d815e6c0..1290c308af 100644
--- a/lib/ns/query.c
+++ b/lib/ns/query.c
@@ -6095,6 +6095,13 @@ query_lookup_stale(ns_client_t *client) {
query_ctx_t qctx;
qctx_init(client, NULL, client->query.qtype, &qctx);
+ if (DNS64(client)) {
+ qctx.qtype = qctx.type = dns_rdatatype_a;
+ qctx.dns64 = true;
+ }
+ if (DNS64EXCLUDE(client)) {
+ qctx.dns64_exclude = true;
+ }
dns_db_attach(client->view->cachedb, &qctx.db);
client->query.attributes &= ~NS_QUERYATTR_RECURSIONOK;
client->query.dboptions |= DNS_DBFIND_STALETIMEOUT;
--
GitLab
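Review bot: The two new blocks in query_lookup_stale() re-apply dns64 state to a freshly initialised qctx without saying why, and the reason lives only in the patch description; a comment would keep it with the code: `/* qctx_init() starts from scratch; redo the dns64 changes that had been made to the original qctx before the serve-stale timeout fired. */`. The body of query_lookup_stale continues outside the hunk, so whether the re-applied `qctx.qtype`/`qctx.type` are also what the later stale lookup uses cannot be confirmed from here.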


@ -0,0 +1,294 @@
From c3377cbfaa44dcb033f5abfb2db031612c8f47d1 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Micha=C5=82=20K=C4=99pie=C5=84?= <michal@isc.org>
Date: Thu, 4 Jan 2024 13:39:27 +0100
Subject: [PATCH] Limit isc_task_send() overhead for tree pruning
Instead of issuing a separate isc_task_send() call for every RBTDB node
that triggers tree pruning, maintain a list of nodes from which tree
pruning can be started from and only issue an isc_task_send() call if
pruning has not yet been triggered by another RBTDB node.
The extra queuing overhead eliminated by this change could be remotely
exploited to cause excessive memory use.
As this change modifies struct dns_rbtnode by adding a new 'prunelink'
member to it, bump MAPAPI to prevent any attempts of loading map-format
zone files created using older BIND 9 versions.
Conflict:NA
Reference:https://downloads.isc.org/isc/bind/9.16.48/patches/0004-CVE-2023-6516.patch
(cherry picked from commit 24381cc36d8528f5a4046fb2614451aeac4cdfc1)
---
lib/dns/include/dns/rbt.h | 6 ++
lib/dns/mapapi | 2 +-
lib/dns/rbt.c | 1 +
lib/dns/rbtdb.c | 150 +++++++++++++++++++++++++-------------
4 files changed, 108 insertions(+), 51 deletions(-)
diff --git a/lib/dns/include/dns/rbt.h b/lib/dns/include/dns/rbt.h
index b67e602..0e48e1d 100644
--- a/lib/dns/include/dns/rbt.h
+++ b/lib/dns/include/dns/rbt.h
@@ -138,6 +138,12 @@ struct dns_rbtnode {
*/
ISC_LINK(dns_rbtnode_t) deadlink;
+ /*%
+ * This linked list is used to store nodes from which tree pruning can
+ * be started.
+ */
+ ISC_LINK(dns_rbtnode_t) prunelink;
+
/*@{*/
/*!
* These values are used in the RBT DB implementation. The appropriate
diff --git a/lib/dns/mapapi b/lib/dns/mapapi
index 1b502d3..a46e190 100644
--- a/lib/dns/mapapi
+++ b/lib/dns/mapapi
@@ -13,4 +13,4 @@
# Whenever releasing a new major release of BIND9, set this value
# back to 1.0 when releasing the first alpha. Map files are *never*
# compatible across major releases.
-MAPAPI=3.0
+MAPAPI=4.0
diff --git a/lib/dns/rbt.c b/lib/dns/rbt.c
index 3fa2999..d453622 100644
--- a/lib/dns/rbt.c
+++ b/lib/dns/rbt.c
@@ -2292,6 +2292,7 @@ create_node(isc_mem_t *mctx, const dns_name_t *name, dns_rbtnode_t **nodep) {
HASHVAL(node) = 0;
ISC_LINK_INIT(node, deadlink);
+ ISC_LINK_INIT(node, prunelink);
LOCKNUM(node) = 0;
WILD(node) = 0;
diff --git a/lib/dns/rbtdb.c b/lib/dns/rbtdb.c
index c25023c..ab4caae 100644
--- a/lib/dns/rbtdb.c
+++ b/lib/dns/rbtdb.c
@@ -515,6 +515,10 @@ struct dns_rbtdb {
*/
rbtnodelist_t *deadnodes;
+ /* List of nodes from which recursive tree pruning can be started from.
+ * Locked by tree_lock. */
+ rbtnodelist_t prunenodes;
+
/*
* Heaps. These are used for TTL based expiry in a cache,
* or for zone resigning in a zone DB. hmctx is the memory
@@ -1060,6 +1064,7 @@ free_rbtdb(dns_rbtdb_t *rbtdb, bool log, isc_event_t *event) {
unsigned int i;
isc_result_t result;
char buf[DNS_NAME_FORMATSIZE];
+ dns_rbtnode_t *node = NULL;
dns_rbt_t **treep;
isc_time_t start;
@@ -1085,8 +1090,6 @@ free_rbtdb(dns_rbtdb_t *rbtdb, bool log, isc_event_t *event) {
* the overhead of unlinking all nodes here should be negligible.
*/
for (i = 0; i < rbtdb->node_lock_count; i++) {
- dns_rbtnode_t *node;
-
node = ISC_LIST_HEAD(rbtdb->deadnodes[i]);
while (node != NULL) {
ISC_LIST_UNLINK(rbtdb->deadnodes[i], node, deadlink);
@@ -1094,6 +1097,12 @@ free_rbtdb(dns_rbtdb_t *rbtdb, bool log, isc_event_t *event) {
}
}
+ node = ISC_LIST_HEAD(rbtdb->prunenodes);
+ while (node != NULL) {
+ ISC_LIST_UNLINK(rbtdb->prunenodes, node, prunelink);
+ node = ISC_LIST_HEAD(rbtdb->prunenodes);
+ }
+
if (event == NULL) {
rbtdb->quantum = (rbtdb->task != NULL) ? 100 : 0;
}
@@ -1926,19 +1935,33 @@ is_leaf(dns_rbtnode_t *node) {
node->left == NULL && node->right == NULL);
}
+/*%
+ * The tree lock must be held when this function is called as it reads and
+ * updates rbtdb->prunenodes.
+ */
static inline void
send_to_prune_tree(dns_rbtdb_t *rbtdb, dns_rbtnode_t *node,
isc_rwlocktype_t locktype) {
- isc_event_t *ev;
- dns_db_t *db;
+ bool pruning_queued = (ISC_LIST_HEAD(rbtdb->prunenodes) != NULL);
+
+ INSIST(locktype == isc_rwlocktype_write);
- ev = isc_event_allocate(rbtdb->common.mctx, NULL, DNS_EVENT_RBTPRUNE,
- prune_tree, node, sizeof(isc_event_t));
new_reference(rbtdb, node, locktype);
- db = NULL;
- attach((dns_db_t *)rbtdb, &db);
- ev->ev_sender = db;
- isc_task_send(rbtdb->task, &ev);
+ INSIST(!ISC_LINK_LINKED(node, prunelink));
+ ISC_LIST_APPEND(rbtdb->prunenodes, node, prunelink);
+
+ if (!pruning_queued) {
+ isc_event_t *ev = NULL;
+ dns_db_t *db = NULL;
+
+ attach((dns_db_t *)rbtdb, &db);
+
+ ev = isc_event_allocate(rbtdb->common.mctx, NULL,
+ DNS_EVENT_RBTPRUNE, prune_tree, db,
+ sizeof(isc_event_t));
+ isc_task_send(rbtdb->task, &ev);
+ }
+
}
/*%
@@ -2212,17 +2235,26 @@ restore_locks:
}
/*
- * Prune the tree by recursively cleaning-up single leaves. In the worst
- * case, the number of iteration is the number of tree levels, which is at
- * most the maximum number of domain name labels, i.e, 127. In practice, this
- * should be much smaller (only a few times), and even the worst case would be
- * acceptable for a single event.
+ * Prune the tree by recursively cleaning up single leaves. Go through all
+ * nodes stored in the rbtdb->prunenodes list; for each of them, in the worst
+ * case, it will be necessary to traverse a number of tree levels equal to the
+ * maximum legal number of domain name labels (127); in practice, the number of
+ * tree levels to traverse will virtually always be much smaller (a few levels
+ * at most). While holding the tree lock throughout this entire operation is
+ * less than ideal, so is splitting the latter up by queueing a separate
+ * prune_tree() run for each node to start pruning from (as queueing requires
+ * allocating memory and can therefore potentially be exploited to exhaust
+ * available memory). Also note that actually freeing up the memory used by
+ * RBTDB nodes (which is what this function does) is essential to keeping cache
+ * memory use in check, so since the tree lock needs to be acquired anyway,
+ * freeing as many nodes as possible before the tree lock gets released is
+ * prudent.
*/
static void
prune_tree(isc_task_t *task, isc_event_t *event) {
- dns_rbtdb_t *rbtdb = event->ev_sender;
- dns_rbtnode_t *node = event->ev_arg;
- dns_rbtnode_t *parent;
+ dns_rbtdb_t *rbtdb = (dns_rbtdb_t *)event->ev_arg;
+ dns_rbtnode_t *node = NULL;
+ dns_rbtnode_t *parent = NULL;
unsigned int locknum;
UNUSED(task);
@@ -2230,44 +2262,60 @@ prune_tree(isc_task_t *task, isc_event_t *event) {
isc_event_free(&event);
RWLOCK(&rbtdb->tree_lock, isc_rwlocktype_write);
- locknum = node->locknum;
- NODE_LOCK(&rbtdb->node_locks[locknum].lock, isc_rwlocktype_write);
- do {
- parent = node->parent;
- decrement_reference(rbtdb, node, 0, isc_rwlocktype_write,
- isc_rwlocktype_write, true);
- if (parent != NULL && parent->down == NULL) {
- /*
- * node was the only down child of the parent and has
- * just been removed. We'll then need to examine the
- * parent. Keep the lock if possible; otherwise,
- * release the old lock and acquire one for the parent.
- */
- if (parent->locknum != locknum) {
- NODE_UNLOCK(&rbtdb->node_locks[locknum].lock,
- isc_rwlocktype_write);
- locknum = parent->locknum;
- NODE_LOCK(&rbtdb->node_locks[locknum].lock,
- isc_rwlocktype_write);
+ while ((node = ISC_LIST_HEAD(rbtdb->prunenodes)) != NULL) {
+ locknum = node->locknum;
+ NODE_LOCK(&rbtdb->node_locks[locknum].lock,
+ isc_rwlocktype_write);
+ do {
+ if (ISC_LINK_LINKED(node, prunelink)) {
+ ISC_LIST_UNLINK(rbtdb->prunenodes, node,
+ prunelink);
}
- /*
- * We need to gain a reference to the node before
- * decrementing it in the next iteration.
- */
- if (ISC_LINK_LINKED(parent, deadlink)) {
- ISC_LIST_UNLINK(rbtdb->deadnodes[locknum],
+ parent = node->parent;
+ decrement_reference(rbtdb, node, 0,
+ isc_rwlocktype_write,
+ isc_rwlocktype_write, true);
+
+ if (parent != NULL && parent->down == NULL) {
+ /*
+ * node was the only down child of the parent
+ * and has just been removed. We'll then need
+ * to examine the parent. Keep the lock if
+ * possible; otherwise, release the old lock and
+ * acquire one for the parent.
+ */
+ if (parent->locknum != locknum) {
+ NODE_UNLOCK(
+ &rbtdb->node_locks[locknum].lock,
+ isc_rwlocktype_write);
+ locknum = parent->locknum;
+ NODE_LOCK(
+ &rbtdb->node_locks[locknum].lock,
+ isc_rwlocktype_write);
+ }
+
+ /*
+ * We need to gain a reference to the node
+ * before decrementing it in the next iteration.
+ */
+ if (ISC_LINK_LINKED(parent, deadlink)) {
+ ISC_LIST_UNLINK(
+ rbtdb->deadnodes[locknum],
parent, deadlink);
+ }
+ new_reference(rbtdb, parent,
+ isc_rwlocktype_write);
+ } else {
+ parent = NULL;
}
- new_reference(rbtdb, parent, isc_rwlocktype_write);
- } else {
- parent = NULL;
- }
- node = parent;
- } while (node != NULL);
- NODE_UNLOCK(&rbtdb->node_locks[locknum].lock, isc_rwlocktype_write);
+ node = parent;
+ } while (node != NULL);
+ NODE_UNLOCK(&rbtdb->node_locks[locknum].lock,
+ isc_rwlocktype_write);
+ }
RWUNLOCK(&rbtdb->tree_lock, isc_rwlocktype_write);
detach((dns_db_t **)&rbtdb);
@@ -8718,6 +8766,8 @@ dns_rbtdb_create(isc_mem_t *mctx, const dns_name_t *origin, dns_dbtype_t type,
ISC_LIST_INIT(rbtdb->deadnodes[i]);
}
+ ISC_LIST_INIT(rbtdb->prunenodes);
+
rbtdb->active = rbtdb->node_lock_count;
for (i = 0; i < (int)(rbtdb->node_lock_count); i++) {
--
2.33.0


@ -0,0 +1,41 @@
From 12f902796d4adde1dfdbda9b23578049a2e530ee Mon Sep 17 00:00:00 2001
From: Mark Andrews <marka@isc.org>
Date: Mon, 26 Sep 2022 12:06:44 +1000
Subject: [PATCH] Check BN_dup results in rsa_check
Conflict: NA
Reference: https://gitlab.isc.org/isc-projects/bind9/-/commit/12f902796d4adde1dfdbda9b23578049a2e530ee
(cherry picked from commit a47235f4f5af0286aadd43eeccf946a8f35a5dc8)
---
lib/dns/opensslrsa_link.c | 9 +++++++++
1 file changed, 9 insertions(+)
diff --git a/lib/dns/opensslrsa_link.c b/lib/dns/opensslrsa_link.c
index 9bee2f0449..45570dac98 100644
--- a/lib/dns/opensslrsa_link.c
+++ b/lib/dns/opensslrsa_link.c
@@ -849,6 +849,9 @@ rsa_check(RSA *rsa, RSA *pub) {
}
} else {
n = BN_dup(n2);
+ if (n == NULL) {
+ return (ISC_R_NOMEMORY);
+ }
}
if (e1 != NULL) {
if (BN_cmp(e1, e2) != 0) {
@@ -859,6 +862,12 @@ rsa_check(RSA *rsa, RSA *pub) {
}
} else {
e = BN_dup(e2);
+ if (e == NULL) {
+ if (n != NULL) {
+ BN_free(n);
+ }
+ return (ISC_R_NOMEMORY);
+ }
}
if (RSA_set0_key(rsa, n, e, NULL) == 0) {
if (n != NULL) {
--
2.23.0
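Review bot: The `if (n != NULL)` guard around `BN_free(n)` in the second added block (the `e == NULL` path of rsa_check()) is redundant, since OpenSSL documents BN_free(NULL) as a no-op; `BN_free(n); return (ISC_R_NOMEMORY);` reads more simply. The same guard pattern is added on the BN_cmp() mismatch path by the "Free 'n' on error path in rsa_check" patch further down this page. The ownership itself is right: on both new error paths neither BIGNUM has yet been handed to RSA_set0_key(), so freeing the local copy is required and sufficient. rsa_check() continues outside both hunks.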


@ -0,0 +1,30 @@
From 03c5db001e79e40011c3478e14593cdad72c5c1d Mon Sep 17 00:00:00 2001
From: Mark Andrews <marka@isc.org>
Date: Mon, 26 Sep 2022 11:57:17 +1000
Subject: [PATCH] Check that 'e' and 'n' are allocated in opensslrsa_fromdns
Conflict: NA
Reference: https://gitlab.isc.org/isc-projects/bind9/-/commit/03c5db001e79e40011c3478e14593cdad72c5c1d
(cherry picked from commit db70c302138f02b6e1fca6e89cf2da35b2ca0ae4)
---
lib/dns/opensslrsa_link.c | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/lib/dns/opensslrsa_link.c b/lib/dns/opensslrsa_link.c
index b23b6323fa..b744a62df9 100644
--- a/lib/dns/opensslrsa_link.c
+++ b/lib/dns/opensslrsa_link.c
@@ -671,6 +671,11 @@ opensslrsa_fromdns(dst_key_t *key, isc_buffer_t *data) {
e = BN_bin2bn(r.base, e_bytes, NULL);
isc_region_consume(&r, e_bytes);
n = BN_bin2bn(r.base, r.length, NULL);
+ if (e == NULL || n == NULL) {
+ RSA_free(rsa);
+ return (ISC_R_NOMEMORY);
+ }
+
if (RSA_set0_key(rsa, n, e, NULL) == 0) {
if (n != NULL) {
BN_free(n);
--
2.23.0
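Review bot: The added check in opensslrsa_fromdns() leaks the BIGNUM that did get allocated when only one of the two BN_bin2bn() calls fails: if `e` is non-NULL and `n` is NULL (or vice versa), the code frees `rsa` and returns without freeing the other. Since BN_free(NULL) is a no-op, two lines before the RSA_free() close the gap: `BN_free(e); BN_free(n);`. The enclosing function continues outside the hunk.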


@ -0,0 +1,37 @@
From 0b0718fba3fb81507b7e82e6bca38007a94c475a Mon Sep 17 00:00:00 2001
From: Mark Andrews <marka@isc.org>
Date: Mon, 26 Sep 2022 11:52:55 +1000
Subject: [PATCH] Check that 'e' and 'n' are non-NULL in opensslrsa_todns
Conflict: NA
Reference: https://gitlab.isc.org/isc-projects/bind9/-/commit/0b0718fba3fb81507b7e82e6bca38007a94c475a
(cherry picked from commit 5603cd69d170f49916bec3ca78ab3e4830170950)
---
lib/dns/opensslrsa_link.c | 8 +++++---
1 file changed, 5 insertions(+), 3 deletions(-)
diff --git a/lib/dns/opensslrsa_link.c b/lib/dns/opensslrsa_link.c
index 7aa743394b..b23b6323fa 100644
--- a/lib/dns/opensslrsa_link.c
+++ b/lib/dns/opensslrsa_link.c
@@ -585,13 +585,15 @@ opensslrsa_todns(const dst_key_t *key, isc_buffer_t *data) {
if (rsa == NULL) {
return (dst__openssl_toresult(DST_R_OPENSSLFAILURE));
}
-
- isc_buffer_availableregion(data, &r);
-
RSA_get0_key(rsa, &n, &e, NULL);
+ if (e == NULL || n == NULL) {
+ DST_RET(dst__openssl_toresult(DST_R_OPENSSLFAILURE));
+ }
mod_bytes = BN_num_bytes(n);
e_bytes = BN_num_bytes(e);
+ isc_buffer_availableregion(data, &r);
+
if (e_bytes < 256) { /*%< key exponent is <= 2040 bits */
if (r.length < 1) {
DST_RET(ISC_R_NOSPACE);
--
2.23.0
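Review bot: The new `e == NULL || n == NULL` check in opensslrsa_todns() deserves a comment saying why it exists, because the next two lines dereference both values through BN_num_bytes(): `/* RSA_get0_key() can hand back NULL components; BN_num_bytes() dereferences its argument. */`. Moving isc_buffer_availableregion() below the check is fine, as `r` is only read after it. DST_RET presumably releases `rsa` via the function's cleanup label, which is outside the hunk; worth confirming, since the `rsa == NULL` branch just above returns directly.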


@ -0,0 +1,52 @@
From 9524c493c9534654adb5c363972adcc521c1907b Mon Sep 17 00:00:00 2001
From: Mark Andrews <marka@isc.org>
Date: Fri, 23 Sep 2022 16:52:44 +1000
Subject: [PATCH] Check that primary key names have not changed
When looking for changes in a catalog zone member zone we need to
also check if the TSIG key name associated with a primary server
has be added, removed or changed.
Conflict: NA
Reference: https://gitlab.isc.org/isc-projects/bind9/-/commit/9524c493c9534654adb5c363972adcc521c1907b
(cherry picked from commit 9172bd9b5a0b039cea187b6c7cc2c1314210c5d6)
---
lib/dns/catz.c | 16 +++++++++++++++-
1 file changed, 15 insertions(+), 1 deletion(-)
diff --git a/lib/dns/catz.c b/lib/dns/catz.c
index e46549be5e..702b081940 100644
--- a/lib/dns/catz.c
+++ b/lib/dns/catz.c
@@ -322,6 +322,20 @@ dns_catz_entry_cmp(const dns_catz_entry_t *ea, const dns_catz_entry_t *eb) {
return (false);
}
+ for (size_t i = 0; i < eb->opts.masters.count; i++) {
+ if ((ea->opts.masters.keys[i] == NULL) !=
+ (eb->opts.masters.keys[i] == NULL)) {
+ return (false);
+ }
+ if (ea->opts.masters.keys[i] == NULL) {
+ continue;
+ }
+ if (!dns_name_equal(ea->opts.masters.keys[i],
+ eb->opts.masters.keys[i])) {
+ return (false);
+ }
+ }
+
/* If one is NULL and the other isn't, the entries don't match */
if ((ea->opts.allow_query == NULL) != (eb->opts.allow_query == NULL)) {
return (false);
@@ -350,7 +364,7 @@ dns_catz_entry_cmp(const dns_catz_entry_t *ea, const dns_catz_entry_t *eb) {
}
}
- /* xxxwpk TODO compare dscps/keys! */
+ /* xxxwpk TODO compare dscps! */
return (true);
}
--
2.23.0
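Review bot: The added loop in dns_catz_entry_cmp() indexes `ea->opts.masters.keys[i]` with `eb->opts.masters.count` as the bound, so it is only in-bounds if the two counts have already been compared and found equal above the hunk (the existing address comparison presumably requires that, but it is not visible here). A one-line comment at the top of the loop would pin that invariant: `/* counts already compared above; keys[] arrays are the same length */`. The NULL-mismatch test followed by dns_name_equal() on the TSIG key names is the right comparison for detecting added, removed or renamed keys. The function continues outside both hunks.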


@ -1,10 +1,10 @@
From 1f7d2d53f0e5b86e22e1dd116868bb69eeacb1a0 Mon Sep 17 00:00:00 2001
From: Ondrej Sur <oerdnj@isc-projects>
Date: Wed, 15 Dec 2021 08:25:29 PM GMT+0800
Subject: [PATCH] Disable the internale memory allocator by default
From: Ondřej Sur <oerdnj@isc-projects>
Date: Wed, 15 Dec 2021 08:25:42 PM GMT+0800
Subject: [PATCH] Disable the internal memory allocator by default
Conflict:NA
Reference:https://githun.com/isc-projects/bind9/commit/1f7d2d53f0e5b86e22e1dd116868bb69eeacb1a0
Reference:https://github.com/isc-projects/bind9/commit/1f7d2d53f0e5b86e22e1dd116868bb69eeacb1a0
---
bin/named/main.c | 1 +
@ -12,14 +12,14 @@ Reference:https://githun.com/isc-projects/bind9/commit/1f7d2d53f0e5b86e22e1dd116
2 files changed, 2 insertions(+), 1 deletion(-)
diff --git a/bin/named/main.c b/bin/named/main.c
index f62f82c..b3d2498 100644
index f62f82c..c7c35ce 100644
--- a/bin/named/main.c
+++ b/bin/named/main.c
@@ -456,6 +456,7 @@ static struct flag_def {
{ "mctx", ISC_MEM_DEBUGCTX, false },
{ NULL, 0, false } },
mem_context_flags[] = { { "external", ISC_MEMFLAG_INTERNAL, true },
+ { "internal", ISC_MEMFLAG_INTERNAL, false },
+ { "internal", ISC_MEMFLAG_INTERNAL, false },
{ "fill", ISC_MEMFLAG_FILL, false },
{ "nofill", ISC_MEMFLAG_FILL, true },
{ NULL, 0, false } };
@ -37,5 +37,5 @@ index 58e1d0e..b9f58fa 100644
/*
--
2.23.0
2.33.0


@ -0,0 +1,146 @@
From dff843199f3ed60090eb6e9ae60e9278c82bec5f Mon Sep 17 00:00:00 2001
From: Tony Finch <fanf@isc.org>
Date: Fri, 9 Sep 2022 08:21:10 +0100
Subject: [PATCH] Ensure that named_server_t is properly initialized
Conflict: NA
Reference: https://gitlab.isc.org/isc-projects/bind9/-/commit/dff843199f3ed60090eb6e9ae60e9278c82bec5f
There was a ubsan error reporting an invalid value for interface_auto
(a boolean value cannot be 190) because it was not initialized. To
avoid this problem happening again, ensure the whole of the server
structure is initialized to zero before setting the (relatively few)
non-zero elements.
---
bin/named/server.c | 72 ++++++----------------------------------------
1 files changed, 9 insertions(+), 63 deletions(-)
diff --git a/bin/named/server.c b/bin/named/server.c
index 54b13f8f54..b4cbd953a9 100644
--- a/bin/named/server.c
+++ b/bin/named/server.c
@@ -9971,13 +9971,14 @@ named_server_create(isc_mem_t *mctx, named_server_t **serverp) {
isc_result_t result;
named_server_t *server = isc_mem_get(mctx, sizeof(*server));
- if (server == NULL) {
- fatal(server, "allocating server object", ISC_R_NOMEMORY);
- }
-
- server->mctx = mctx;
- server->task = NULL;
- server->zonemgr = NULL;
+ *server = (named_server_t){
+ .mctx = mctx,
+ .statsfile = isc_mem_strdup(mctx, "named.stats"),
+ .bindkeysfile = isc_mem_strdup(mctx, named_g_defaultbindkeys),
+ .dumpfile = isc_mem_strdup(mctx, "named_dump.db"),
+ .secrootsfile = isc_mem_strdup(mctx, "named.secroots"),
+ .recfile = isc_mem_strdup(mctx, "named.recursing"),
+ };
#ifdef USE_DNSRPS
CHECKFATAL(dns_dnsrps_server_create(), "initializing RPZ service "
@@ -9985,10 +9986,8 @@ named_server_create(isc_mem_t *mctx, named_server_t **serverp) {
#endif /* ifdef USE_DNSRPS */
/* Initialize server data structures. */
- server->interfacemgr = NULL;
ISC_LIST_INIT(server->kasplist);
ISC_LIST_INIT(server->viewlist);
- server->in_roothints = NULL;
/* Must be first. */
CHECKFATAL(dst_lib_init(named_g_mctx, named_g_engine), "initializing "
@@ -10018,7 +10017,6 @@ named_server_create(isc_mem_t *mctx, named_server_t **serverp) {
isc_task_setname(server->task, "server", server);
isc_taskmgr_setexcltask(named_g_taskmgr, server->task);
- server->sctx = NULL;
CHECKFATAL(ns_server_create(mctx, get_matching_view, &server->sctx),
"creating server context");
@@ -10042,14 +10040,6 @@ named_server_create(isc_mem_t *mctx, named_server_t **serverp) {
isc_app_onrun(named_g_mctx, server->task, run_server, server),
"isc_app_onrun");
- server->interface_timer = NULL;
- server->heartbeat_timer = NULL;
- server->pps_timer = NULL;
- server->tat_timer = NULL;
-
- server->interface_interval = 0;
- server->heartbeat_interval = 0;
-
CHECKFATAL(dns_zonemgr_create(named_g_mctx, named_g_taskmgr,
named_g_timermgr, named_g_socketmgr,
&server->zonemgr),
@@ -10057,37 +10047,6 @@ named_server_create(isc_mem_t *mctx, named_server_t **serverp) {
CHECKFATAL(dns_zonemgr_setsize(server->zonemgr, 1000), "dns_zonemgr_"
"setsize");
- server->statsfile = isc_mem_strdup(server->mctx, "named.stats");
- CHECKFATAL(server->statsfile == NULL ? ISC_R_NOMEMORY : ISC_R_SUCCESS,
- "isc_mem_strdup");
-
- server->bindkeysfile = isc_mem_strdup(server->mctx,
- named_g_defaultbindkeys);
- CHECKFATAL(server->bindkeysfile == NULL ? ISC_R_NOMEMORY
- : ISC_R_SUCCESS,
- "isc_mem_strdup");
-
- server->dumpfile = isc_mem_strdup(server->mctx, "named_dump.db");
- CHECKFATAL(server->dumpfile == NULL ? ISC_R_NOMEMORY : ISC_R_SUCCESS,
- "isc_mem_strdup");
-
- server->secrootsfile = isc_mem_strdup(server->mctx, "named.secroots");
- CHECKFATAL(server->secrootsfile == NULL ? ISC_R_NOMEMORY
- : ISC_R_SUCCESS,
- "isc_mem_strdup");
-
- server->recfile = isc_mem_strdup(server->mctx, "named.recursing");
- CHECKFATAL(server->recfile == NULL ? ISC_R_NOMEMORY : ISC_R_SUCCESS,
- "isc_mem_strdup");
-
- server->hostname_set = false;
- server->hostname = NULL;
- server->version_set = false;
- server->version = NULL;
-
- server->zonestats = NULL;
- server->resolverstats = NULL;
- server->sockstats = NULL;
CHECKFATAL(isc_stats_create(server->mctx, &server->sockstats,
isc_sockstatscounter_max),
"isc_stats_create");
@@ -10102,28 +10061,15 @@ named_server_create(isc_mem_t *mctx, named_server_t **serverp) {
dns_resstatscounter_max),
"dns_stats_create (resolver)");
- server->flushonshutdown = false;
-
- server->controls = NULL;
CHECKFATAL(named_controls_create(server, &server->controls),
"named_controls_create");
- server->dispatchgen = 0;
+
ISC_LIST_INIT(server->dispatches);
ISC_LIST_INIT(server->statschannels);
ISC_LIST_INIT(server->cachelist);
- server->sessionkey = NULL;
- server->session_keyfile = NULL;
- server->session_keyname = NULL;
- server->session_keyalg = DST_ALG_UNKNOWN;
- server->session_keybits = 0;
-
- server->lockfile = NULL;
-
- server->dtenv = NULL;
-
server->magic = NAMED_SERVER_MAGIC;
*serverp = server;
}
--
2.23.0
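Review bot: The compound-literal rewrite of named_server_create() drops the CHECKFATAL() checks on the five isc_mem_strdup() results (old lines in the later hunk); that is only safe if isc_mem_strdup() in this tree cannot return NULL, which the removed `server == NULL` check suggests is the intended allocator contract but is not visible here, so it is worth confirming for the backport target. The rewrite also relies on DST_ALG_UNKNOWN being zero to replace the removed `server->session_keyalg = DST_ALG_UNKNOWN;` with zero-initialization; a comment on the initializer, `/* all other fields are zero/NULL; DST_ALG_UNKNOWN == 0 */`, would make that dependency explicit. The function continues outside the hunks.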


@ -0,0 +1,30 @@
From 3e77d6bf87f4a8c8793c9dd2a506432a24a4366c Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Petr=20=C5=A0pa=C4=8Dek?= <pspacek@isc.org>
Date: Mon, 19 Sep 2022 09:07:51 +0200
Subject: [PATCH] Fix memory leak in dns_message_checksig() - SIG(0) sigs
Impact should be visible only in tests or tools because named never
uses view == NULL, which is a necessary condition to trigger this leak.
Conflict: NA
Reference: https://gitlab.isc.org/isc-projects/bind9/-/commit/3e77d6bf87f4a8c8793c9dd2a506432a24a4366c
(cherry picked from commit 69256b3553d3b8b73b6fa4de9b030b39f1b96d34)
---
lib/dns/message.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/lib/dns/message.c b/lib/dns/message.c
index 0b5d9355e5..7b3d72abd9 100644
--- a/lib/dns/message.c
+++ b/lib/dns/message.c
@@ -3227,7 +3227,8 @@ dns_message_checksig(dns_message_t *msg, dns_view_t *view) {
dns_rdataset_init(&keyset);
if (view == NULL) {
- return (DNS_R_KEYUNAUTHORIZED);
+ result = DNS_R_KEYUNAUTHORIZED;
+ goto freesig;
}
result = dns_view_simplefind(view, &sig.signer,
dns_rdatatype_key /* SIG(0) */, 0,
--
2.23.0


@ -0,0 +1,39 @@
From b6aeccf697729c4c721fc71da7063bb18a89c751 Mon Sep 17 00:00:00 2001
From: Aram Sargsyan <aram@isc.org>
Date: Tue, 18 Oct 2022 08:54:04 +0000
Subject: [PATCH] Fix ns_statscounter_recursclients counting bug
The incrementing and decrementing of 'ns_statscounter_recursclients'
were not properly balanced: for example, it would be incremented for
a prefetch query but not decremented if the query failed.
This commit ensures that the recursion quota and the recursive clients
counter are always in sync with each other.
Conflict: NA
Reference: https://gitlab.isc.org/isc-projects/bind9/-/commit/b6aeccf697729c4c721fc71da7063bb18a89c751
(cherry picked from commit 82991451b41793af201d070aba654c4ea89819cb)
---
lib/ns/client.c | 6 ++----
1 file changed, 2 insertions(+), 4 deletions(-)
diff --git a/lib/ns/client.c b/lib/ns/client.c
index 41d3fa0..dc8a10a 100644
--- a/lib/ns/client.c
+++ b/lib/ns/client.c
@@ -242,10 +242,8 @@ ns_client_endrequest(ns_client_t *client) {
*/
if (client->recursionquota != NULL) {
isc_quota_detach(&client->recursionquota);
- if (client->query.prefetch == NULL) {
- ns_stats_decrement(client->sctx->nsstats,
- ns_statscounter_recursclients);
- }
+ ns_stats_decrement(client->sctx->nsstats,
+ ns_statscounter_recursclients);
}
/*
--
2.33.0
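Review bot: The now-unconditional ns_stats_decrement() in ns_client_endrequest() keeps the counter in step with the quota only if every place that attaches `client->recursionquota` also increments ns_statscounter_recursclients, including the prefetch path named in the description; those increment sites are in other files and not part of this patch, so the invariant is worth stating at the detach: `/* counter mirrors recursionquota: incremented on every attach, decremented on every detach */`. The rest of the function is outside the hunk.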


@ -0,0 +1,28 @@
From 2c8e38f359bb90bcec67419ce95d2eee81bfd7a2 Mon Sep 17 00:00:00 2001
From: Mark Andrews <marka@isc.org>
Date: Mon, 26 Sep 2022 12:05:33 +1000
Subject: [PATCH] Free 'n' on error path in rsa_check
Conflict: NA
Reference: https://gitlab.isc.org/isc-projects/bind9/-/commit/2c8e38f359bb90bcec67419ce95d2eee81bfd7a2
(cherry picked from commit 483c5a19781b0930c6e72bb2b498130c3f83d13f)
---
lib/dns/opensslrsa_link.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/lib/dns/opensslrsa_link.c b/lib/dns/opensslrsa_link.c
index b744a62df9..9bee2f0449 100644
--- a/lib/dns/opensslrsa_link.c
+++ b/lib/dns/opensslrsa_link.c
@@ -852,6 +852,9 @@ rsa_check(RSA *rsa, RSA *pub) {
}
if (e1 != NULL) {
if (BN_cmp(e1, e2) != 0) {
+ if (n != NULL) {
+ BN_free(n);
+ }
return (DST_R_INVALIDPRIVATEKEY);
}
} else {
--
2.23.0


@ -0,0 +1,29 @@
From 6f1e04409a24b275d756fdddc1ed8fffc2d48254 Mon Sep 17 00:00:00 2001
From: Mark Andrews <marka@isc.org>
Date: Mon, 26 Sep 2022 11:51:05 +1000
Subject: [PATCH] Free 'rsa' if 'e' is NULL in opensslrsa_verify2
Conflict: NA
Reference: https://gitlab.isc.org/isc-projects/bind9/-/commit/6f1e04409a24b275d756fdddc1ed8fffc2d48254
(cherry picked from commit a2b51ca6acae9e1c819e0d2e4aa1584b675c4cb7)
---
lib/dns/opensslrsa_link.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/lib/dns/opensslrsa_link.c b/lib/dns/opensslrsa_link.c
index b0d8dd85b9..7aa743394b 100644
--- a/lib/dns/opensslrsa_link.c
+++ b/lib/dns/opensslrsa_link.c
@@ -333,6 +333,10 @@ opensslrsa_verify2(dst_context_t *dctx, int maxbits, const isc_region_t *sig) {
return (dst__openssl_toresult(DST_R_OPENSSLFAILURE));
}
RSA_get0_key(rsa, NULL, &e, NULL);
+ if (e == NULL) {
+ RSA_free(rsa);
+ return (dst__openssl_toresult(DST_R_VERIFYFAILURE));
+ }
bits = BN_num_bits(e);
RSA_free(rsa);
if (bits > maxbits && maxbits != 0) {
--
2.23.0
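Review bot: The new `e == NULL` branch in opensslrsa_verify2() returns DST_R_VERIFYFAILURE, while the `rsa == NULL` failure two lines above maps to dst__openssl_toresult(DST_R_OPENSSLFAILURE); a key object with no public exponent is a malformed-key condition rather than a signature mismatch, so returning DST_R_OPENSSLFAILURE here too would keep the error codes consistent. A comment would also help the next reader: `/* e is owned by rsa; it must be read before RSA_free() */`, since BN_num_bits(e) follows. The function continues outside the hunk.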


@ -0,0 +1,408 @@
From ba89da052a025928823055614e3f43fe8f8e3ef8 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Ond=C5=99ej=20Sur=C3=BD?= <ondrej@isc.org>
Date: Tue, 8 Mar 2022 11:22:55 +0100
Subject: [PATCH] Make isc_ht_init() and isc_ht_iter_create() return void
Previously, the function(s) in the commit subject could fail for various
reasons - mostly allocation failures, or other functions returning
different return code than ISC_R_SUCCESS. Now, the aforementioned
function(s) cannot ever fail and they would always return ISC_R_SUCCESS.
Change the function(s) to return void and remove the extra checks in
the code that uses them.
Conflict:NA
Reference:https://gitlab.isc.org/isc-projects/bind9/-/commit/ba89da052a025928823055614e3f43fe8f8e3ef8.patch
(cherry picked from commit 8fa27365ec8ea47b498ea64a9b72553c0b662b6b)
---
bin/plugins/filter-aaaa.c | 4 +-
lib/dns/catz.c | 82 ++++++++++-----------------------------
lib/dns/rpz.c | 29 ++------------
lib/isc/ht.c | 7 +---
lib/isc/include/isc/ht.h | 13 +++----
lib/isc/tests/ht_test.c | 9 ++---
6 files changed, 35 insertions(+), 109 deletions(-)
diff --git a/bin/plugins/filter-aaaa.c b/bin/plugins/filter-aaaa.c
index 1db3ca2..c390b45 100644
--- a/bin/plugins/filter-aaaa.c
+++ b/bin/plugins/filter-aaaa.c
@@ -337,7 +337,7 @@ plugin_register(const char *parameters, const void *cfg, const char *cfg_file,
unsigned long cfg_line, isc_mem_t *mctx, isc_log_t *lctx,
void *actx, ns_hooktable_t *hooktable, void **instp) {
filter_instance_t *inst = NULL;
- isc_result_t result;
+ isc_result_t result = ISC_R_SUCCESS;
isc_log_write(lctx, NS_LOGCATEGORY_GENERAL, NS_LOGMODULE_HOOKS,
ISC_LOG_INFO,
@@ -355,7 +355,7 @@ plugin_register(const char *parameters, const void *cfg, const char *cfg_file,
}
isc_mempool_create(mctx, sizeof(filter_data_t), &inst->datapool);
- CHECK(isc_ht_init(&inst->ht, mctx, 16));
+ isc_ht_init(&inst->ht, mctx, 16);
isc_mutex_init(&inst->hlock);
/*
diff --git a/lib/dns/catz.c b/lib/dns/catz.c
index 77b7a24..fbe13f4 100644
--- a/lib/dns/catz.c
+++ b/lib/dns/catz.c
@@ -418,39 +418,21 @@ dns_catz_zones_merge(dns_catz_zone_t *target, dns_catz_zone_t *newzone) {
dns_name_format(&target->name, czname, DNS_NAME_FORMATSIZE);
- result = isc_ht_init(&toadd, target->catzs->mctx, 16);
- if (result != ISC_R_SUCCESS) {
- goto cleanup;
- }
+ isc_ht_init(&toadd, target->catzs->mctx, 16);
- result = isc_ht_init(&tomod, target->catzs->mctx, 16);
- if (result != ISC_R_SUCCESS) {
- goto cleanup;
- }
+ isc_ht_init(&tomod, target->catzs->mctx, 16);
- result = isc_ht_iter_create(newzone->entries, &iter1);
- if (result != ISC_R_SUCCESS) {
- goto cleanup;
- }
+ isc_ht_iter_create(newzone->entries, &iter1);
- result = isc_ht_iter_create(target->entries, &iter2);
- if (result != ISC_R_SUCCESS) {
- goto cleanup;
- }
+ isc_ht_iter_create(target->entries, &iter2);
/*
* We can create those iterators now, even though toadd and tomod are
* empty
*/
- result = isc_ht_iter_create(toadd, &iteradd);
- if (result != ISC_R_SUCCESS) {
- goto cleanup;
- }
+ isc_ht_iter_create(toadd, &iteradd);
- result = isc_ht_iter_create(tomod, &itermod);
- if (result != ISC_R_SUCCESS) {
- goto cleanup;
- }
+ isc_ht_iter_create(tomod, &itermod);
/*
* First - walk the new zone and find all nodes that are not in the
@@ -598,25 +580,11 @@ dns_catz_zones_merge(dns_catz_zone_t *target, dns_catz_zone_t *newzone) {
result = ISC_R_SUCCESS;
-cleanup:
- if (iter1 != NULL) {
- isc_ht_iter_destroy(&iter1);
- }
- if (iter2 != NULL) {
- isc_ht_iter_destroy(&iter2);
- }
- if (iteradd != NULL) {
- isc_ht_iter_destroy(&iteradd);
- }
- if (itermod != NULL) {
- isc_ht_iter_destroy(&itermod);
- }
- if (toadd != NULL) {
- isc_ht_destroy(&toadd);
- }
- if (tomod != NULL) {
- isc_ht_destroy(&tomod);
- }
+ isc_ht_iter_destroy(&iteradd);
+ isc_ht_iter_destroy(&itermod);
+ isc_ht_destroy(&toadd);
+ isc_ht_destroy(&tomod);
+
return (result);
}
@@ -637,10 +605,7 @@ dns_catz_new_zones(dns_catz_zones_t **catzsp, dns_catz_zonemodmethods_t *zmm,
isc_refcount_init(&new_zones->refs, 1);
- result = isc_ht_init(&new_zones->zones, mctx, 4);
- if (result != ISC_R_SUCCESS) {
- goto cleanup_refcount;
- }
+ isc_ht_init(&new_zones->zones, mctx, 4);
isc_mem_attach(mctx, &new_zones->mctx);
new_zones->zmm = zmm;
@@ -658,7 +623,6 @@ dns_catz_new_zones(dns_catz_zones_t **catzsp, dns_catz_zonemodmethods_t *zmm,
cleanup_ht:
isc_ht_destroy(&new_zones->zones);
-cleanup_refcount:
isc_refcount_destroy(&new_zones->refs);
isc_mutex_destroy(&new_zones->lock);
isc_mem_putanddetach(&new_zones->mctx, new_zones, sizeof(*new_zones));
@@ -693,10 +657,7 @@ dns_catz_new_zone(dns_catz_zones_t *catzs, dns_catz_zone_t **zonep,
dns_name_init(&new_zone->name, NULL);
dns_name_dup(name, catzs->mctx, &new_zone->name);
- result = isc_ht_init(&new_zone->entries, catzs->mctx, 4);
- if (result != ISC_R_SUCCESS) {
- goto cleanup_name;
- }
+ isc_ht_init(&new_zone->entries, catzs->mctx, 4);
new_zone->updatetimer = NULL;
result = isc_timer_create(catzs->timermgr, isc_timertype_inactive, NULL,
@@ -726,7 +687,6 @@ dns_catz_new_zone(dns_catz_zones_t *catzs, dns_catz_zone_t **zonep,
cleanup_ht:
isc_ht_destroy(&new_zone->entries);
-cleanup_name:
dns_name_free(&new_zone->name, catzs->mctx);
isc_mem_put(catzs->mctx, new_zone, sizeof(*new_zone));
@@ -827,8 +787,7 @@ dns_catz_zone_detach(dns_catz_zone_t **zonep) {
if (zone->entries != NULL) {
isc_ht_iter_t *iter = NULL;
isc_result_t result;
- result = isc_ht_iter_create(zone->entries, &iter);
- INSIST(result == ISC_R_SUCCESS);
+ isc_ht_iter_create(zone->entries, &iter);
for (result = isc_ht_iter_first(iter);
result == ISC_R_SUCCESS;
result = isc_ht_iter_delcurrent_next(iter))
@@ -884,8 +843,7 @@ dns_catz_catzs_detach(dns_catz_zones_t **catzsp) {
if (catzs->zones != NULL) {
isc_ht_iter_t *iter = NULL;
isc_result_t result;
- result = isc_ht_iter_create(catzs->zones, &iter);
- INSIST(result == ISC_R_SUCCESS);
+ isc_ht_iter_create(catzs->zones, &iter);
for (result = isc_ht_iter_first(iter);
result == ISC_R_SUCCESS;) {
dns_catz_zone_t *zone = NULL;
@@ -2060,8 +2018,7 @@ dns_catz_prereconfig(dns_catz_zones_t *catzs) {
REQUIRE(DNS_CATZ_ZONES_VALID(catzs));
- result = isc_ht_iter_create(catzs->zones, &iter);
- INSIST(result == ISC_R_SUCCESS);
+ isc_ht_iter_create(catzs->zones, &iter);
for (result = isc_ht_iter_first(iter); result == ISC_R_SUCCESS;
result = isc_ht_iter_next(iter))
{
@@ -2082,8 +2039,7 @@ dns_catz_postreconfig(dns_catz_zones_t *catzs) {
REQUIRE(DNS_CATZ_ZONES_VALID(catzs));
LOCK(&catzs->lock);
- result = isc_ht_iter_create(catzs->zones, &iter);
- INSIST(result == ISC_R_SUCCESS);
+ isc_ht_iter_create(catzs->zones, &iter);
for (result = isc_ht_iter_first(iter); result == ISC_R_SUCCESS;) {
dns_catz_zone_t *zone = NULL;
@@ -2122,5 +2078,7 @@ dns_catz_postreconfig(dns_catz_zones_t *catzs) {
isc_result_t
dns_catz_get_iterator(dns_catz_zone_t *catz, isc_ht_iter_t **itp) {
REQUIRE(DNS_CATZ_ZONE_VALID(catz));
- return (isc_ht_iter_create(catz->entries, itp));
+ isc_ht_iter_create(catz->entries, itp);
+
+ return (ISC_R_SUCCESS);
}
diff --git a/lib/dns/rpz.c b/lib/dns/rpz.c
index 1bdaac9..13cfc85 100644
--- a/lib/dns/rpz.c
+++ b/lib/dns/rpz.c
@@ -1541,10 +1541,7 @@ dns_rpz_new_zone(dns_rpz_zones_t *rpzs, dns_rpz_zone_t **rpzp) {
* simplifies update_from_db
*/
- result = isc_ht_init(&zone->nodes, rpzs->mctx, 1);
- if (result != ISC_R_SUCCESS) {
- goto cleanup_ht;
- }
+ isc_ht_init(&zone->nodes, rpzs->mctx, 1);
dns_name_init(&zone->origin, NULL);
dns_name_init(&zone->client_ip, NULL);
@@ -1578,9 +1575,6 @@ dns_rpz_new_zone(dns_rpz_zones_t *rpzs, dns_rpz_zone_t **rpzp) {
return (ISC_R_SUCCESS);
-cleanup_ht:
- isc_timer_detach(&zone->updatetimer);
-
cleanup_timer:
isc_refcount_decrementz(&zone->refs);
isc_refcount_destroy(&zone->refs);
@@ -1724,14 +1718,7 @@ setup_update(dns_rpz_zone_t *rpz) {
ISC_LOG_DEBUG(1), "rpz: %s: using hashtable size %d",
domain, hashsize);
- result = isc_ht_init(&rpz->newnodes, rpz->rpzs->mctx, hashsize);
- if (result != ISC_R_SUCCESS) {
- isc_log_write(dns_lctx, DNS_LOGCATEGORY_GENERAL,
- DNS_LOGMODULE_MASTER, ISC_LOG_ERROR,
- "rpz: %s: failed to initialize hashtable - %s",
- domain, isc_result_totext(result));
- goto cleanup;
- }
+ isc_ht_init(&rpz->newnodes, rpz->rpzs->mctx, hashsize);
result = dns_db_createiterator(rpz->updb, DNS_DB_NONSEC3, &rpz->updbit);
if (result != ISC_R_SUCCESS) {
@@ -1838,17 +1825,7 @@ cleanup_quantum(isc_task_t *task, isc_event_t *event) {
* Iterate over old ht with existing nodes deleted to
* delete deleted nodes from RPZ
*/
- result = isc_ht_iter_create(rpz->nodes, &iter);
- if (result != ISC_R_SUCCESS) {
- dns_name_format(&rpz->origin, domain,
- DNS_NAME_FORMATSIZE);
- isc_log_write(dns_lctx, DNS_LOGCATEGORY_GENERAL,
- DNS_LOGMODULE_MASTER, ISC_LOG_ERROR,
- "rpz: %s: failed to create HT "
- "iterator - %s",
- domain, isc_result_totext(result));
- goto cleanup;
- }
+ isc_ht_iter_create(rpz->nodes, &iter);
}
name = dns_fixedname_initname(&fname);
diff --git a/lib/isc/ht.c b/lib/isc/ht.c
index 82f8ac8..88e8578 100644
--- a/lib/isc/ht.c
+++ b/lib/isc/ht.c
@@ -47,7 +47,7 @@ struct isc_ht_iter {
isc_ht_node_t *cur;
};
-isc_result_t
+void
isc_ht_init(isc_ht_t **htp, isc_mem_t *mctx, uint8_t bits) {
isc_ht_t *ht = NULL;
size_t i;
@@ -74,7 +74,6 @@ isc_ht_init(isc_ht_t **htp, isc_mem_t *mctx, uint8_t bits) {
ht->magic = ISC_HT_MAGIC;
*htp = ht;
- return (ISC_R_SUCCESS);
}
void
@@ -199,7 +198,7 @@ isc_ht_delete(isc_ht_t *ht, const unsigned char *key, uint32_t keysize) {
return (ISC_R_NOTFOUND);
}
-isc_result_t
+void
isc_ht_iter_create(isc_ht_t *ht, isc_ht_iter_t **itp) {
isc_ht_iter_t *it;
@@ -213,8 +212,6 @@ isc_ht_iter_create(isc_ht_t *ht, isc_ht_iter_t **itp) {
it->cur = NULL;
*itp = it;
-
- return (ISC_R_SUCCESS);
}
void
diff --git a/lib/isc/include/isc/ht.h b/lib/isc/include/isc/ht.h
index 9d5ab82..280ee7e 100644
--- a/lib/isc/include/isc/ht.h
+++ b/lib/isc/include/isc/ht.h
@@ -31,11 +31,8 @@ typedef struct isc_ht_iter isc_ht_iter_t;
*\li 'mctx' is a valid memory context.
*\li 'bits' >=1 and 'bits' <=32
*
- * Returns:
- *\li #ISC_R_NOMEMORY -- not enough memory to create pool
- *\li #ISC_R_SUCCESS -- all is well.
*/
-isc_result_t
+void
isc_ht_init(isc_ht_t **htp, isc_mem_t *mctx, uint8_t bits);
/*%
@@ -100,7 +97,7 @@ isc_ht_delete(isc_ht_t *ht, const unsigned char *key, uint32_t keysize);
*\li 'ht' is a valid hashtable
*\li 'itp' is non NULL and '*itp' is NULL.
*/
-isc_result_t
+void
isc_ht_iter_create(isc_ht_t *ht, isc_ht_iter_t **itp);
/*%
@@ -119,7 +116,7 @@ isc_ht_iter_destroy(isc_ht_iter_t **itp);
*\li 'it' is non NULL.
*
* Returns:
- * \li #ISC_R_SUCCESS -- success
+ * \li #ISC_R_SUCCESS -- success
* \li #ISC_R_NOMORE -- no data in the hashtable
*/
isc_result_t
@@ -132,7 +129,7 @@ isc_ht_iter_first(isc_ht_iter_t *it);
*\li 'it' is non NULL.
*
* Returns:
- * \li #ISC_R_SUCCESS -- success
+ * \li #ISC_R_SUCCESS -- success
* \li #ISC_R_NOMORE -- end of hashtable reached
*/
isc_result_t
@@ -145,7 +142,7 @@ isc_ht_iter_next(isc_ht_iter_t *it);
*\li 'it' is non NULL.
*
* Returns:
- * \li #ISC_R_SUCCESS -- success
+ * \li #ISC_R_SUCCESS -- success
* \li #ISC_R_NOMORE -- end of hashtable reached
*/
isc_result_t
diff --git a/lib/isc/tests/ht_test.c b/lib/isc/tests/ht_test.c
index 6a8e319..61b8c3d 100644
--- a/lib/isc/tests/ht_test.c
+++ b/lib/isc/tests/ht_test.c
@@ -59,8 +59,7 @@ test_ht_full(int bits, uintptr_t count) {
isc_result_t result;
uintptr_t i;
- result = isc_ht_init(&ht, test_mctx, bits);
- assert_int_equal(result, ISC_R_SUCCESS);
+ isc_ht_init(&ht, test_mctx, bits);
assert_non_null(ht);
for (i = 1; i < count; i++) {
@@ -205,8 +204,7 @@ test_ht_iterator() {
unsigned char key[16];
size_t tksize;
- result = isc_ht_init(&ht, test_mctx, 16);
- assert_int_equal(result, ISC_R_SUCCESS);
+ isc_ht_init(&ht, test_mctx, 16);
assert_non_null(ht);
for (i = 1; i <= count; i++) {
/*
@@ -220,8 +218,7 @@ test_ht_iterator() {
}
walked = 0;
- result = isc_ht_iter_create(ht, &iter);
- assert_int_equal(result, ISC_R_SUCCESS);
+ isc_ht_iter_create(ht, &iter);
for (result = isc_ht_iter_first(iter); result == ISC_R_SUCCESS;
result = isc_ht_iter_next(iter))
--
2.33.0
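Review bot: In the dns_catz_zones_merge() hunk the `cleanup:` block is removed and iter1/iter2 are no longer destroyed there; that is correct only if both iterators are destroyed right after their respective loops, which lies outside the hunk, so please confirm, otherwise any remaining early-exit path leaks them. In setup_update() (rpz.c) the removed branch was also the only diagnostic for a bad `hashsize`: since isc_ht_init() no longer reports failure, the 1..32 `bits` range documented in ht.h is presumably enforced by a precondition, so the computation of hashsize above the hunk should clamp to that range or the call will abort named instead of logging. A brief comment at that call, `/* isc_ht_init() cannot fail; hashsize is clamped to the supported range above */`, would record the assumption.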



@ -0,0 +1,29 @@
From ba9a140e1f3165145164a5923c65461824d80ab3 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= <pemensik@redhat.com>
Date: Thu, 11 Aug 2022 11:41:30 +0200
Subject: [PATCH] Reset parser before parsing of internal trust anchor
It might be reused if /etc/bind.keys exists, but failed correct parsing.
Release traces of previous parsing attempt of different data.
Conflict: NA
Reference: https://gitlab.isc.org/isc-projects/bind9/-/commit/ba9a140e1f3165145164a5923c65461824d80ab3
(cherry picked from commit dc07394c4724c1e1235af85dd8c044af70da93ae)
---
bin/delv/delv.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/bin/delv/delv.c b/bin/delv/delv.c
index f4c7c015dd..0702eec862 100644
--- a/bin/delv/delv.c
+++ b/bin/delv/delv.c
@@ -852,6 +852,7 @@ setup_dnsseckeys(dns_client_t *client) {
isc_buffer_init(&b, anchortext, sizeof(anchortext) - 1);
isc_buffer_add(&b, sizeof(anchortext) - 1);
+ cfg_parser_reset(parser);
result = cfg_parse_buffer(parser, &b, NULL, 0,
&cfg_type_bindkeys, 0, &bindkeys);
if (result != ISC_R_SUCCESS) {
--
2.23.0
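Review bot: The added `cfg_parser_reset(parser);` in setup_dnsseckeys() would benefit from a one-line comment explaining why it is needed, since the reason currently lives only in the commit message: `/* parser may carry state from a failed parse of the bind.keys file; reset before parsing the built-in anchors */`. The earlier parse attempt that can leave the parser dirty is outside the hunk.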


@ -0,0 +1,107 @@
From 2022384b8dc7249671d521dc9ef5a292a960521d Mon Sep 17 00:00:00 2001
From: Matthijs Mekking <matthijs@isc.org>
Date: Wed, 13 Jul 2022 10:27:18 +0200
Subject: [PATCH] Test dnssec-policy max-zone-ttl rejects zone with too high
TTL
Similar to the 'max-zone-ttl' zone option, the 'dnssec-policy' option
should reject zones with TTLs that are out of range.
Conflict: NA
Reference: https://gitlab.isc.org/isc-projects/bind9/-/commit/2022384b8dc7249671d521dc9ef5a292a960521d
---
bin/tests/system/kasp/ns3/named.conf.in | 9 +++++++
.../system/kasp/ns3/policies/kasp.conf.in | 4 ++++
bin/tests/system/kasp/ns3/setup.sh | 24 ++++++++-----------
bin/tests/system/kasp/tests.sh | 9 +++++++
4 files changed, 32 insertions(+), 14 deletions(-)
diff --git a/bin/tests/system/kasp/ns3/named.conf.in b/bin/tests/system/kasp/ns3/named.conf.in
index e229fd9158..64ae2aa402 100644
--- a/bin/tests/system/kasp/ns3/named.conf.in
+++ b/bin/tests/system/kasp/ns3/named.conf.in
@@ -223,6 +223,15 @@ zone "ecdsa384.kasp" {
dnssec-policy "ecdsa384";
};
+/*
+ * Zone with too high TTL.
+ */
+zone "max-zone-ttl.kasp" {
+ type primary;
+ file "max-zone-ttl.kasp.db";
+ dnssec-policy "ttl";
+};
+
/*
* Zones in different signing states.
*/
diff --git a/bin/tests/system/kasp/ns3/policies/kasp.conf.in b/bin/tests/system/kasp/ns3/policies/kasp.conf.in
index d0ae96ce08..17b900c7b3 100644
--- a/bin/tests/system/kasp/ns3/policies/kasp.conf.in
+++ b/bin/tests/system/kasp/ns3/policies/kasp.conf.in
@@ -132,3 +132,7 @@ dnssec-policy "checkds-csk" {
csk key-directory lifetime unlimited algorithm @DEFAULT_ALGORITHM@;
};
};
+
+dnssec-policy "ttl" {
+ max-zone-ttl 299;
+};
diff --git a/bin/tests/system/kasp/ns3/setup.sh b/bin/tests/system/kasp/ns3/setup.sh
index 21c4c9126d..bc4a0fc11d 100644
--- a/bin/tests/system/kasp/ns3/setup.sh
+++ b/bin/tests/system/kasp/ns3/setup.sh
@@ -64,20 +64,16 @@ if [ -f ../ed448-supported.file ]; then
cat ed448.conf >> named.conf
fi
-# Set up zone that stays unsigned.
-zone="unsigned.kasp"
-echo_i "setting up zone: $zone"
-zonefile="${zone}.db"
-infile="${zone}.db.infile"
-cp template.db.in $infile
-cp template.db.in $zonefile
-
-# Set up zone that stays unsigned.
-zone="insecure.kasp"
-echo_i "setting up zone: $zone"
-zonefile="${zone}.db"
-infile="${zone}.db.infile"
-cp template.db.in $zonefile
+# Set up zones that stay unsigned.
+for zn in unsigned insecure max-zone-ttl
+do
+ zone="${zn}.kasp"
+ echo_i "setting up zone: $zone"
+ zonefile="${zone}.db"
+ infile="${zone}.db.infile"
+ cp template.db.in $infile
+ cp template.db.in $zonefile
+done
# Some of these zones already have keys.
zone="dnssec-keygen.kasp"
diff --git a/bin/tests/system/kasp/tests.sh b/bin/tests/system/kasp/tests.sh
index 4a458945a0..ff4d32cc7b 100644
--- a/bin/tests/system/kasp/tests.sh
+++ b/bin/tests/system/kasp/tests.sh
@@ -253,6 +253,15 @@ status=$((status+ret))
next_key_event_threshold=$((next_key_event_threshold+i))
+# Test max-zone-ttl rejects zones with too high TTL.
+n=$((n+1))
+echo_i "check that max-zone-ttl rejects zones with too high TTL ($n)"
+ret=0
+set_zone "max-zone-ttl.kasp"
+grep "loading from master file ${ZONE}.db failed: out of range" "ns3/named.run" > /dev/null || ret=1
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
#
# Zone: default.kasp.
#
--
2.27.0
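Review bot: The new check in tests.sh depends on template.db.in carrying a TTL above the policy's 299-second `max-zone-ttl`, but nothing in the patch records that dependency, so a later edit to the template could turn the test green for the wrong reason; a comment beside `dnssec-policy "ttl" { max-zone-ttl 299; }` such as `# Below the TTL in template.db.in, so the zone must be rejected.` would pin it. The grep in tests.sh interpolates `${ZONE}.db failed: out of range` as a regex, where the dots match any character; `grep -F` (or escaping) makes the match exact. Consider also asserting the behaviour rather than only the log line, for example that a SOA query for max-zone-ttl.kasp against ns3 is not answered authoritatively.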


@ -0,0 +1,67 @@
From 80a8322d6594cfaa9ffe90d3de0c315a0d34efc3 Mon Sep 17 00:00:00 2001
From: Evan Hunt <each@isc.org>
Date: Fri, 2 Sep 2022 15:41:26 -0700
Subject: [PATCH] clean up properly when interface creation fails
Conflict: NA
Reference: https://gitlab.isc.org/isc-projects/bind9/-/commit/80a8322d6594cfaa9ffe90d3de0c315a0d34efc3
previously, if ns_clientmgr_create() failed, the interface was not
cleaned up correctly and an assertion or segmentation fault could
follow. this has been fixed.
---
lib/ns/interfacemgr.c | 18 ++++++++++++------
1 file changed, 12 insertions(+), 6 deletions(-)
diff --git a/lib/ns/interfacemgr.c b/lib/ns/interfacemgr.c
index facb0d141b..51429de716 100644
--- a/lib/ns/interfacemgr.c
+++ b/lib/ns/interfacemgr.c
@@ -391,7 +391,7 @@ ns_interfacemgr_shutdown(ns_interfacemgr_t *mgr) {
static isc_result_t
ns_interface_create(ns_interfacemgr_t *mgr, isc_sockaddr_t *addr,
const char *name, ns_interface_t **ifpret) {
- ns_interface_t *ifp;
+ ns_interface_t *ifp = NULL;
isc_result_t result;
int disp;
@@ -422,13 +422,13 @@ ns_interface_create(ns_interfacemgr_t *mgr, isc_sockaddr_t *addr,
ISC_LINK_INIT(ifp, link);
ns_interfacemgr_attach(mgr, &ifp->mgr);
+ isc_refcount_init(&ifp->references, 1);
+ ifp->magic = IFACE_MAGIC;
+
LOCK(&mgr->lock);
ISC_LIST_APPEND(mgr->interfaces, ifp, link);
UNLOCK(&mgr->lock);
- isc_refcount_init(&ifp->references, 1);
- ifp->magic = IFACE_MAGIC;
-
result = ns_clientmgr_create(mgr->mctx, mgr->sctx, mgr->taskmgr,
mgr->timermgr, ifp, mgr->ncpus,
&ifp->clientmgr);
@@ -444,11 +444,17 @@ ns_interface_create(ns_interfacemgr_t *mgr, isc_sockaddr_t *addr,
return (ISC_R_SUCCESS);
failure:
- isc_mutex_destroy(&ifp->lock);
+ LOCK(&ifp->mgr->lock);
+ ISC_LIST_UNLINK(ifp->mgr->interfaces, ifp, link);
+ UNLOCK(&ifp->mgr->lock);
ifp->magic = 0;
- isc_mem_put(mgr->mctx, ifp, sizeof(*ifp));
+ ns_interfacemgr_detach(&ifp->mgr);
+ isc_refcount_decrement(&ifp->references);
+ isc_refcount_destroy(&ifp->references);
+ isc_mutex_destroy(&ifp->lock);
+ isc_mem_put(mgr->mctx, ifp, sizeof(*ifp));
return (ISC_R_UNEXPECTED);
}
--
2.23.0
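Review bot: The rewritten `failure:` path now unconditionally unlinks ifp from `mgr->interfaces` and decrements `ifp->references`, which is only correct for jumps taken after the ISC_LIST_APPEND and isc_refcount_init lines; if any `goto failure` exists between the mutex init and the append (the start of ns_interface_create() is outside the hunk), it would unlink a never-linked element and decrement a refcount that was never initialised. Please confirm the ns_clientmgr_create() failure is the only jump, or guard the unlink with `if (ISC_LINK_LINKED(ifp, link))`. A consistency nit: the success path locks `mgr->lock` while the failure path locks `ifp->mgr->lock` for the same manager and then detaches `ifp->mgr` two lines later; using the `mgr` parameter in both places reads more clearly.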


@ -0,0 +1,61 @@
From e1fa6cbab82fe424a94269e3ae9e106c10bf59be Mon Sep 17 00:00:00 2001
From: Evan Hunt <each@isc.org>
Date: Fri, 26 Aug 2022 15:38:34 -0700
Subject: [PATCH] dnstap query_message field was erroneously set with responses
The dnstap query_message field was in some cases being filled in
with response messages, along with the response_message field.
The query_message field should only be used when logging requests,
and the response_message field only when logging responses.
Conflict: NA
Reference: https://gitlab.isc.org/isc-projects/bind9/-/commit/e1fa6cbab82fe424a94269e3ae9e106c10bf59be
---
lib/dns/dnstap.c | 18 ++++++++++++------
1 file changed, 12 insertions(+), 6 deletions(-)
diff --git a/lib/dns/dnstap.c b/lib/dns/dnstap.c
index 30ca97e636..97f070937d 100644
--- a/lib/dns/dnstap.c
+++ b/lib/dns/dnstap.c
@@ -808,10 +808,11 @@ dns_dt_send(dns_view_t *view, dns_dtmsgtype_t msgtype, isc_sockaddr_t *qaddr,
dm.m.response_time_nsec = isc_time_nanoseconds(t);
dm.m.has_response_time_nsec = 1;
- cpbuf(buf, &dm.m.response_message, &dm.m.has_response_message);
-
- /* Types RR and FR get both query and response times */
- if (msgtype == DNS_DTTYPE_CR || msgtype == DNS_DTTYPE_AR) {
+ /*
+ * Types RR and FR can fall through and get the query
+ * time set as well. Any other response type, break.
+ */
+ if (msgtype != DNS_DTTYPE_RR && msgtype != DNS_DTTYPE_FR) {
break;
}
@@ -831,8 +832,6 @@ dns_dt_send(dns_view_t *view, dns_dtmsgtype_t msgtype, isc_sockaddr_t *qaddr,
dm.m.has_query_time_sec = 1;
dm.m.query_time_nsec = isc_time_nanoseconds(t);
dm.m.has_query_time_nsec = 1;
-
- cpbuf(buf, &dm.m.query_message, &dm.m.has_query_message);
break;
default:
isc_log_write(dns_lctx, DNS_LOGCATEGORY_DNSTAP,
@@ -841,6 +840,13 @@ dns_dt_send(dns_view_t *view, dns_dtmsgtype_t msgtype, isc_sockaddr_t *qaddr,
return;
}
+ /* Query and response messages */
+ if ((msgtype & DNS_DTTYPE_QUERY) != 0) {
+ cpbuf(buf, &dm.m.query_message, &dm.m.has_query_message);
+ } else if ((msgtype & DNS_DTTYPE_RESPONSE) != 0) {
+ cpbuf(buf, &dm.m.response_message, &dm.m.has_response_message);
+ }
+
/* Zone/bailiwick */
switch (msgtype) {
case DNS_DTTYPE_AR:
--
2.23.0
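Review bot: The fix moves the message copy out of the switch but adds no regression test; the dnstap system test could assert that RR/FR entries produced by the run carry a response_message and no query_message, which is exactly the condition this commit corrects and would catch a reintroduction. The new `msgtype & DNS_DTTYPE_QUERY` / `DNS_DTTYPE_RESPONSE` tests presume those constants are masks covering every concrete type; that is not visible in the hunk, and a one-line comment such as `/* DNS_DTTYPE_QUERY and DNS_DTTYPE_RESPONSE are masks over the per-type bits. */` would document the assumption where it is relied on. dns_dt_send() starts and ends outside the hunk.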


@ -0,0 +1,84 @@
From 17924f4bdfbd99e06057c090d6ac3e8074deb642 Mon Sep 17 00:00:00 2001
From: Evan Hunt <each@isc.org>
Date: Fri, 2 Sep 2022 14:44:58 -0700
Subject: [PATCH] fix an incorrect detach in update processing
when processing UDPATE requests, hold the request handle until
we either drop the request or respond to it.
Conflict: NA
Reference: https://gitlab.isc.org/isc-projects/bind9/-/commit/17924f4bdfbd99e06057c090d6ac3e8074deb642
(cherry picked from commit 00e0758e1218f82fd1fe995c161ce4243bbbbb89)
---
lib/ns/update.c | 25 +++++++++++--------------
1 file changed, 11 insertions(+), 14 deletions(-)
diff --git a/lib/ns/update.c b/lib/ns/update.c
index c4bde3d4eb..a21b725f39 100644
--- a/lib/ns/update.c
+++ b/lib/ns/update.c
@@ -1569,19 +1569,17 @@ respond(ns_client_t *client, isc_result_t result) {
msg_result = dns_message_reply(client->message, true);
if (msg_result != ISC_R_SUCCESS) {
- goto msg_failure;
+ isc_log_write(ns_lctx, NS_LOGCATEGORY_UPDATE,
+ NS_LOGMODULE_UPDATE, ISC_LOG_ERROR,
+ "could not create update response message: %s",
+ isc_result_totext(msg_result));
+ ns_client_drop(client, msg_result);
+ isc_nmhandle_detach(&client->reqhandle);
+ return;
}
- client->message->rcode = dns_result_torcode(result);
+ client->message->rcode = dns_result_torcode(result);
ns_client_send(client);
- return;
-
-msg_failure:
- isc_log_write(ns_lctx, NS_LOGCATEGORY_UPDATE, NS_LOGMODULE_UPDATE,
- ISC_LOG_ERROR,
- "could not create update response message: %s",
- isc_result_totext(msg_result));
- ns_client_drop(client, msg_result);
isc_nmhandle_detach(&client->reqhandle);
}
@@ -1595,7 +1593,8 @@ ns_update_start(ns_client_t *client, isc_nmhandle_t *handle,
dns_zone_t *zone = NULL, *raw = NULL;
/*
- * Attach to the request handle
+ * Attach to the request handle. This will be held until
+ * we respond, or drop the request.
*/
isc_nmhandle_attach(handle, &client->reqhandle);
@@ -1677,8 +1676,6 @@ ns_update_start(ns_client_t *client, isc_nmhandle_t *handle,
default:
FAILC(DNS_R_NOTAUTH, "not authoritative for update zone");
}
-
- isc_nmhandle_detach(&client->reqhandle);
return;
failure:
@@ -1696,7 +1693,6 @@ failure:
if (zone != NULL) {
dns_zone_detach(&zone);
}
- isc_nmhandle_detach(&client->reqhandle);
}
/*%
@@ -3554,6 +3550,7 @@ forward_done(isc_task_t *task, isc_event_t *event) {
ns_client_sendraw(client, uev->answer);
dns_message_detach(&uev->answer);
isc_event_free(&event);
+ isc_nmhandle_detach(&client->reqhandle);
isc_nmhandle_detach(&client->updatehandle);
}
--
2.23.0
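Review bot: With both `isc_nmhandle_detach(&client->reqhandle)` calls removed from ns_update_start(), every exit through the `failure:` label must now end in respond(), which is the only place in this hunk that releases the handle; the code between `failure:` and the `dns_zone_detach` cleanup is outside the hunk, so please confirm no path there drops the client without calling respond(), otherwise the request handle is never released. The same applies to forwarding: forward_done() now detaches reqhandle, but a forwarding failure that answers through a different callback must do so as well. A comment at the `failure:` label, e.g. `/* client->reqhandle is released by respond(). */`, would make the ownership invariant visible.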


@ -0,0 +1,33 @@
From 58d01b821af93448714ccb22cea15c35088bd33a Mon Sep 17 00:00:00 2001
From: Matthijs Mekking <matthijs@isc.org>
Date: Tue, 23 Aug 2022 10:54:42 +0200
Subject: [PATCH] nsec3.c: Add a missing dns_db_detachnode() call
There is one case in 'dns_nsec3_activex()' where it returns but forgets
to detach the db node. Add the missing 'dns_db_detachnode()' call.
This case only triggers if 'sig-signing-type' (privatetype) is set to 0
(which by default is not), or if the function is called with 'complete'
is set to 'true' (which at this moment do not exist).
Conflict: NA
Reference: https://gitlab.isc.org/isc-projects/bind9/-/commit/58d01b821af93448714ccb22cea15c35088bd33a
(cherry picked from commit 0cf6c18ccb2205a1fc81431f908c8310f6136bbb)
---
lib/dns/nsec3.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/lib/dns/nsec3.c b/lib/dns/nsec3.c
index f4f7cdeb53..45240b2499 100644
--- a/lib/dns/nsec3.c
+++ b/lib/dns/nsec3.c
@@ -1833,6 +1833,7 @@ dns_nsec3_activex(dns_db_t *db, dns_dbversion_t *version, bool complete,
try_private:
if (privatetype == 0 || complete) {
+ dns_db_detachnode(db, &node);
*answer = false;
return (ISC_R_SUCCESS);
}
--
2.23.0


@ -0,0 +1,102 @@
From fb8f102ffcd0e0bb3b9691ceec5ee8a24025af28 Mon Sep 17 00:00:00 2001
From: Evan Hunt <each@isc.org>
Date: Thu, 21 Jul 2022 11:07:31 -0700
Subject: [PATCH] warn about zones with both dnssec-policy and max-zone-ttl
max-zone-ttl in zone/view/options is a no-op if dnssec-policy
is in use, so generate a warning.
Conflict: NA
Reference: https://gitlab.isc.org/isc-projects/bind9/-/commit/fb8f102ffcd0e0bb3b9691ceec5ee8a24025af28
---
bin/tests/system/checkconf/tests.sh | 8 ++++++
.../checkconf/warn-kasp-max-zone-ttl.conf | 26 +++++++++++++++++++
lib/bind9/check.c | 21 +++++++++++++++
3 files changed, 55 insertions(+)
create mode 100644 bin/tests/system/checkconf/warn-kasp-max-zone-ttl.conf
diff --git a/bin/tests/system/checkconf/tests.sh b/bin/tests/system/checkconf/tests.sh
index cec8f8407e..9143e9e08c 100644
--- a/bin/tests/system/checkconf/tests.sh
+++ b/bin/tests/system/checkconf/tests.sh
@@ -585,6 +585,14 @@ grep "not recommended" < checkconf.out$n > /dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; ret=1; fi
status=`expr $status + $ret`
+n=`expr $n + 1`
+echo_i "check that using both max-zone-ttl and dnssec-policy generates a warning ($n)"
+ret=0
+$CHECKCONF warn-kasp-max-zone-ttl.conf > checkconf.out$n 2>/dev/null || ret=1
+grep "option 'max-zone-ttl' is ignored when used together with 'dnssec-policy'" < checkconf.out$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; ret=1; fi
+status=`expr $status + $ret`
+
n=$((n+1))
echo_i "check that masterfile-format map generates deprecation warning ($n)"
ret=0
diff --git a/bin/tests/system/checkconf/warn-kasp-max-zone-ttl.conf b/bin/tests/system/checkconf/warn-kasp-max-zone-ttl.conf
new file mode 100644
index 0000000000..0b5939478e
--- /dev/null
+++ b/bin/tests/system/checkconf/warn-kasp-max-zone-ttl.conf
@@ -0,0 +1,26 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/*
+ * The dnssec-policy is not defined. Should also be caught if it is inherited.
+ */
+
+options {
+ dnssec-policy default;
+};
+
+zone "example.net" {
+ type primary;
+ file "example.db";
+ max-zone-ttl 600;
+};
diff --git a/lib/bind9/check.c b/lib/bind9/check.c
index 0be4871020..0707ea44b9 100644
--- a/lib/bind9/check.c
+++ b/lib/bind9/check.c
@@ -2633,6 +2633,27 @@ check_zoneconf(const cfg_obj_t *zconfig, const cfg_obj_t *voptions,
}
}
+ /*
+ * Warn about zones with both dnssec-policy and max-zone-ttl
+ */
+ if (has_dnssecpolicy) {
+ obj = NULL;
+ (void)cfg_map_get(zoptions, "max-zone-ttl", &obj);
+ if (obj == NULL && voptions != NULL) {
+ (void)cfg_map_get(voptions, "max-zone-ttl", &obj);
+ }
+ if (obj == NULL && goptions != NULL) {
+ (void)cfg_map_get(goptions, "max-zone-ttl", &obj);
+ }
+ if (obj != NULL) {
+ cfg_obj_log(obj, logctx, ISC_LOG_WARNING,
+ "zone '%s': option 'max-zone-ttl' "
+ "is ignored when used together with "
+ "'dnssec-policy'",
+ znamestr);
+ }
+ }
+
/*
* Check validity of the zone options.
*/
--
2.27.0
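Review bot: The new warning in check.c tells the operator that `max-zone-ttl` is ignored but not where the effective limit now lives; since dnssec-policy has its own `max-zone-ttl` option, the message is more actionable as `"zone '%s': option 'max-zone-ttl' is ignored when used together with 'dnssec-policy'; set 'max-zone-ttl' in the dnssec-policy instead"` (the test's grep matches the prefix and still passes). In tests.sh the added check uses `` n=`expr $n + 1` `` and `` status=`expr $status + $ret` `` while the neighbouring test uses `$((n+1))`; the arithmetic form matches the surrounding style. The comment in warn-kasp-max-zone-ttl.conf saying the dnssec-policy "is not defined" is misleading, because `options { dnssec-policy default; }` is what defines it at the inherited level; "not set in the zone stanza" is what is meant.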

115
bind.spec

@ -30,7 +30,7 @@ Summary: The Berkeley Internet Name Domain (BIND) DNS (Domain Name System) serv
Name: bind
License: MPLv2.0
Version: 9.16.23
Release: 20
Release: 21
Epoch: 32
Url: https://www.isc.org/downloads/bind/
#
@ -167,49 +167,78 @@ Patch6093:backport-Increase-the-BUFSIZ-long-buffers.patch
Patch6094:backport-Inherit-dnssec-policy-in-check-for-inline-signing.patch
Patch6095:backport-Reject-zones-with-TTL-higher-than-dnssec-policy-max.patch
Patch6002:backport-CVE-2022-2795.patch
Patch6003:backport-CVE-2022-3080.patch
Patch6004:backport-CVE-2022-38177.patch
Patch6005:backport-CVE-2022-38178.patch
Patch6006:backport-CVE-2022-2906.patch
Patch6007:backport-CVE-2022-2881.patch
Patch6096:backport-CVE-2022-3736.patch
Patch6097:backport-CVE-2022-3924.patch
Patch6098:backport-CVE-2022-3094-add-an-update-quota.patch
Patch6099:backport-CVE-2022-3094-add-a-configuration-option-for-the-update-quota.patch
Patch6100:backport-CVE-2022-3094-move-update-ACL-and-update-policy-checks-before-quota.patch
Patch6096:backport-Test-dnssec-policy-max-zone-ttl-rejects-zone-with-to.patch
Patch6097:backport-warn-about-zones-with-both-dnssec-policy-and-max-zon.patch
Patch6101:backport-Fix-a-logical-bug-in-cfg_print_duration.patch
Patch6102:backport-ensure-RPZ-lookups-handle-CD-1-correctly.patch
Patch6103:backport-Don-t-allow-DNSSEC-records-in-the-raw-zone.patch
Patch6104:backport-Select-the-appropriate-namespace-when-using-a-dual-stack-server.patch
Patch6105:backport-Check-for-NULL-before-dereferencing-qctx-rpz_st.patch
Patch6106:backport-Suppress-duplicate-dns_db_updatenotify_register-registrations.patch
Patch6107:backport-Call-dns_db_updatenotify_unregister-earlier.patch
Patch6108:backport-Add-missing-DbC-magic-checks.patch
Patch6109:backport-Propagate-the-shutdown-event-to-the-recursing-ns_client-s.patch
Patch6110:backport-Release-unused-key-file-IO-lock-objects.patch
Patch6111:backport-Fix-logging-a-uint32_t-SOA-serial-value-in-dns_catz_update_from_db.patch
Patch6098:backport-CVE-2022-2795.patch
Patch6099:backport-CVE-2022-3080.patch
Patch6100:backport-CVE-2022-38177.patch
Patch6101:backport-CVE-2022-38178.patch
Patch6102:backport-CVE-2022-2906.patch
Patch6103:backport-CVE-2022-2881.patch
Patch6112:backport-Don-t-perform-arithmetic-on-NULL-pointers.patch
Patch6113:backport-Accept-in-NULL-with-inlen-0-in-isc_-half-siphash24.patch
Patch6114:backport-Fix-a-use-after-free-bug-in-dns_zonemgr_releasezone.patch
Patch6115:backport-Fix-dns_fwdtable_addfwd-error-path-cleanup-bug.patch
Patch6116:backport-Detach-the-views-in-zone_shutdown-not-in-zone_free.patch
Patch6117:backport-Detach-the-zone-views-outside-of-the-zone-lock.patch
Patch6118:backport-delay-trust-anchor-management-until-zones-are-loaded.patch
Patch6119:backport-In-hmac_createctx-free-ctx-on-isc_hmac_init-failure.patch
Patch6120:backport-Fix-dns_kasp_attach-dns_kasp_detach-usage.patch
Patch6121:backport-Fix-backport-error-in-84929d1cd7e1042452094ceeae969324b9df504f.patch
Patch6122:backport-Fix-a-cleanup-bug-when-isc_task_create-fails-in-dns_catz_new_zones.patch
Patch6123:backport-Searching-catzs-zones-requires-a-read-lock.patch
Patch6124:backport-Fix-view-s-zones-reverting-bug-during-reconfiguration.patch
Patch6104:backport-Reset-parser-before-parsing-of-internal-trust-anchor.patch
Patch6105:backport-nsec3.c-Add-a-missing-dns_db_detachnode-call.patch
Patch6106:backport-dnstap-query_message-field-was-erroneously-set-with-responses.patch
Patch6107:backport-fix-an-incorrect-detach-in-update-processing.patch
Patch6108:backport-clean-up-properly-when-interface-creation-fails.patch
Patch6109:backport-Add-mctx-attach-detach-when-creating-destroying-a-memory-pool.patch
Patch6110:backport-Ensure-that-named_server_t-is-properly-initialized.patch
Patch6111:backport-Free-rsa-if-e-is-NULL-in-opensslrsa_verify2.patch
Patch6112:backport-Free-n-on-error-path-in-rsa_check.patch
Patch6113:backport-Fix-memory-leak-in-dns_message_checksig-SIG-0-sigs.patch
Patch6114:backport-Check-that-e-and-n-are-non-NULL-in-opensslrsa_todns.patch
Patch6115:backport-Check-that-e-and-n-are-allocated-in-opensslrsa_fromdns.patch
Patch6116:backport-Check-BN_dup-results-in-rsa_check.patch
Patch6117:backport-Check-that-primary-key-names-have-not-changed.patch
Patch6118:backport-Fix-ns_statscounter_recursclients-counting-bug.patch
Patch6125:backport-CVE-2023-2911.patch
Patch6126:backport-CVE-2023-2828.patch
Patch6127:backport-Disable-the-internale-memory-allocator-by-default.patch
Patch6119:backport-Fix-a-logical-bug-in-cfg_print_duration.patch
Patch6120:backport-ensure-RPZ-lookups-handle-CD-1-correctly.patch
Patch6121:backport-Don-t-allow-DNSSEC-records-in-the-raw-zone.patch
Patch6122:backport-Select-the-appropriate-namespace-when-using-a-dual-stack-server.patch
Patch6123:backport-Check-for-NULL-before-dereferencing-qctx-rpz_st.patch
Patch6124:backport-Suppress-duplicate-dns_db_updatenotify_register-registrations.patch
Patch6125:backport-Call-dns_db_updatenotify_unregister-earlier.patch
Patch6126:backport-Add-missing-DbC-magic-checks.patch
Patch6127:backport-Propagate-the-shutdown-event-to-the-recursing-ns_client-s.patch
Patch6128:backport-Release-unused-key-file-IO-lock-objects.patch
Patch6129:backport-Fix-logging-a-uint32_t-SOA-serial-value-in-dns_catz_update_from_db.patch
Patch6128:backport-CVE-2023-3341.patch
Patch6130:backport-CVE-2022-3736.patch
Patch6131:backport-CVE-2022-3924.patch
Patch6132:backport-CVE-2022-3094-add-an-update-quota.patch
Patch6133:backport-CVE-2022-3094-add-a-configuration-option-for-the-update-quota.patch
Patch6134:backport-CVE-2022-3094-move-update-ACL-and-update-policy-checks-before-quota.patch
Patch6135:backport-Don-t-perform-arithmetic-on-NULL-pointers.patch
Patch6136:backport-Accept-in-NULL-with-inlen-0-in-isc_-half-siphash24.patch
Patch6137:backport-Fix-a-use-after-free-bug-in-dns_zonemgr_releasezone.patch
Patch6138:backport-Fix-dns_fwdtable_addfwd-error-path-cleanup-bug.patch
Patch6139:backport-Detach-the-views-in-zone_shutdown-not-in-zone_free.patch
Patch6140:backport-Detach-the-zone-views-outside-of-the-zone-lock.patch
Patch6141:backport-delay-trust-anchor-management-until-zones-are-loaded.patch
Patch6142:backport-In-hmac_createctx-free-ctx-on-isc_hmac_init-failure.patch
Patch6143:backport-Fix-dns_kasp_attach-dns_kasp_detach-usage.patch
Patch6144:backport-Fix-backport-error-in-84929d1cd7e1042452094ceeae969324b9df504f.patch
Patch6145:backport-Fix-a-cleanup-bug-when-isc_task_create-fails-in-dns_catz_new_zones.patch
Patch6146:backport-Searching-catzs-zones-requires-a-read-lock.patch
Patch6147:backport-Fix-view-s-zones-reverting-bug-during-reconfiguration.patch
Patch6148:backport-Disable-the-internal-memory-allocator-by-default.patch
Patch6149:backport-CVE-2023-2911.patch
Patch6150:backport-CVE-2023-2828.patch
Patch6151:backport-CVE-2023-3341.patch
Patch6152:backport-CVE-2023-5679.patch
Patch6153:backport-CVE-2023-5517.patch
Patch6154:backport-CVE-2023-6516.patch
Patch6155:backport-Make-isc_ht_init-and-isc_ht_iter_create-return-void.patch
Patch6156:backport-CVE-2023-4408.patch
Patch6157:backport-CVE-2023-50387-CVE-2023-50868.patch
Patch6158:backport-Replace-netievent-lock-free-queue-with-simple-locked.patch
Patch9000:bugfix-limit-numbers-of-test-threads.patch
@ -1219,6 +1248,12 @@ fi;
%endif
%changelog
* Fri Mar 15 2024 chengyechun <chengyechun1@huawei.com> - 32:9.16.23-21
- Type:CVE
- CVE:CVE-2023-6516 CVE-2023-4408 CVE-2023-5517 CVE-2023-5680 CVE-2023-5679 CVE-50387 CVE-2023-50868
- SUG:NA
- DESC:fix CVE-2023-6516 CVE-2023-4408 CVE-2023-5517 CVE-2023-5680 CVE-2023-5679 CVE-50387 CVE-2023-50868 and sync some patches from upstream
* Sat Sep 23 2023 zhanghao <zhanghao383@huawei.com> - 32:9.16.23-20
- Type:CVE
- CVE:CVE-2023-3341
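Review bot: The changelog entry for 32:9.16.23-21 writes `CVE-50387` in both the CVE: and DESC: lines, while the patch file is named backport-CVE-2023-50387-CVE-2023-50868.patch; it should read `CVE-2023-50387`, otherwise tooling that extracts CVE ids from the changelog misses it. The entry also lists CVE-2023-5680, for which no patch in the Patch6096–Patch6158 list carries that id; if it is covered by one of the other backports, name that patch in DESC, otherwise drop the id rather than claim a fix that is not applied. Since the existing patches were renumbered, a short spec comment noting that Patch6096 onward were reassigned in -21 would help anyone diffing against -20.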