Allow runtime customization of CVE-2024-1737 limits
Do not introduce new options into configuration file. But if limits are hit in unexpected way, allow tuning them by environment variables DNS_RDATASET_MAX_RECORDS and DNS_RBTDB_MAX_RTYPES. They accept number of maximum records of types. Both defaults to 100. These replaces max-records-per-type and max-types-per-name in later versions. But can be configured only by environment and can be configured only globally, not in each view or zone. Related: RHEL-49900
This commit is contained in:
parent
6a3f81b6a8
commit
7d262e3039
133
bind-9.16-CVE-2024-1737-runtime-env.patch
Normal file
133
bind-9.16-CVE-2024-1737-runtime-env.patch
Normal file
@ -0,0 +1,133 @@
|
|||||||
|
From f88517c844075f57f631dc3aac527145f21e038f Mon Sep 17 00:00:00 2001
|
||||||
|
From: Petr Mensik <pemensik@redhat.com>
|
||||||
|
Date: Mon, 29 Jul 2024 16:20:50 +0200
|
||||||
|
Subject: [PATCH] Allow global runtime definition by DNS_RBTDB_MAX_RTYPES
|
||||||
|
|
||||||
|
Modify rbtdb to not set it only at runtime, but allow setting that also
|
||||||
|
in runtime via environment variable. It is still possible to modify
|
||||||
|
default during the build define. In addition to it allows runtime change
|
||||||
|
also. Can be positive number to set limit, 0 disabled the check.
|
||||||
|
|
||||||
|
Similarly add also DNS_RDATASET_MAX_RECORDS to set maximum number of
|
||||||
|
records for a single name. This must be positive number, 0 is no accepted.
|
||||||
|
|
||||||
|
These replaces max-records-per-type and max-types-per-name in later
|
||||||
|
versions. But can be configured only by environment and can be
|
||||||
|
configured only globally, not in each view or zone.
|
||||||
|
---
|
||||||
|
lib/dns/rbtdb.c | 21 +++++++++++++++++++--
|
||||||
|
lib/dns/rdataslab.c | 24 ++++++++++++++++++++++--
|
||||||
|
2 files changed, 41 insertions(+), 4 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/lib/dns/rbtdb.c b/lib/dns/rbtdb.c
|
||||||
|
index e840c06..25242b2 100644
|
||||||
|
--- a/lib/dns/rbtdb.c
|
||||||
|
+++ b/lib/dns/rbtdb.c
|
||||||
|
@@ -6225,15 +6225,29 @@ update_recordsandxfrsize(bool add, rbtdb_version_t *rbtversion,
|
||||||
|
#define DNS_RBTDB_MAX_RTYPES 100
|
||||||
|
#endif /* DNS_RBTDB_MAX_RTYPES */
|
||||||
|
|
||||||
|
+static uint32_t dns_g_rbtdb_max_rtypes = DNS_RBTDB_MAX_RTYPES;
|
||||||
|
+
|
||||||
|
+static void
|
||||||
|
+init_max_rtypes(void) {
|
||||||
|
+ /* Red Hat change, allow setting different max value by environment. */
|
||||||
|
+ const char *max = getenv("DNS_RBTDB_MAX_RTYPES");
|
||||||
|
+ if (max) {
|
||||||
|
+ char *endp = NULL;
|
||||||
|
+ long l = strtol(max, &endp, 10);
|
||||||
|
+ if (max != endp && endp && !*endp && l >= 0)
|
||||||
|
+ dns_g_rbtdb_max_rtypes = l;
|
||||||
|
+ }
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
static bool
|
||||||
|
overmaxtype(dns_rbtdb_t *rbtdb, uint32_t ntypes) {
|
||||||
|
UNUSED(rbtdb);
|
||||||
|
|
||||||
|
- if (DNS_RBTDB_MAX_RTYPES == 0) {
|
||||||
|
+ if (dns_g_rbtdb_max_rtypes == 0) {
|
||||||
|
return (false);
|
||||||
|
}
|
||||||
|
|
||||||
|
- return (ntypes >= DNS_RBTDB_MAX_RTYPES);
|
||||||
|
+ return (ntypes >= dns_g_rbtdb_max_rtypes);
|
||||||
|
}
|
||||||
|
|
||||||
|
static bool
|
||||||
|
@@ -8785,6 +8799,8 @@ static dns_dbmethods_t cache_methods = { attach,
|
||||||
|
NULL,
|
||||||
|
adjusthashsize };
|
||||||
|
|
||||||
|
+static isc_once_t once_db = ISC_ONCE_INIT;
|
||||||
|
+
|
||||||
|
isc_result_t
|
||||||
|
dns_rbtdb_create(isc_mem_t *mctx, const dns_name_t *origin, dns_dbtype_t type,
|
||||||
|
dns_rdataclass_t rdclass, unsigned int argc, char *argv[],
|
||||||
|
@@ -8798,6 +8814,7 @@ dns_rbtdb_create(isc_mem_t *mctx, const dns_name_t *origin, dns_dbtype_t type,
|
||||||
|
|
||||||
|
/* Keep the compiler happy. */
|
||||||
|
UNUSED(driverarg);
|
||||||
|
+ RUNTIME_CHECK(isc_once_do(&once_db, init_max_rtypes) == ISC_R_SUCCESS);
|
||||||
|
|
||||||
|
rbtdb = isc_mem_get(mctx, sizeof(*rbtdb));
|
||||||
|
|
||||||
|
diff --git a/lib/dns/rdataslab.c b/lib/dns/rdataslab.c
|
||||||
|
index dda9038..cef86af 100644
|
||||||
|
--- a/lib/dns/rdataslab.c
|
||||||
|
+++ b/lib/dns/rdataslab.c
|
||||||
|
@@ -15,6 +15,7 @@
|
||||||
|
#include <stdlib.h>
|
||||||
|
|
||||||
|
#include <isc/mem.h>
|
||||||
|
+#include <isc/once.h>
|
||||||
|
#include <isc/region.h>
|
||||||
|
#include <isc/string.h> /* Required for HP/UX (and others?) */
|
||||||
|
#include <isc/util.h>
|
||||||
|
@@ -114,6 +115,23 @@ fillin_offsets(unsigned char *offsetbase, unsigned int *offsettable,
|
||||||
|
#define DNS_RDATASET_MAX_RECORDS 100
|
||||||
|
#endif /* DNS_RDATASET_MAX_RECORDS */
|
||||||
|
|
||||||
|
+static unsigned int dns_g_rdataset_max_records = DNS_RDATASET_MAX_RECORDS;
|
||||||
|
+static isc_once_t once = ISC_ONCE_INIT;
|
||||||
|
+
|
||||||
|
+static void
|
||||||
|
+init_max_records(void) {
|
||||||
|
+ /* Red Hat change, allow setting different max value by environment. */
|
||||||
|
+ const char *max = getenv("DNS_RDATASET_MAX_RECORDS");
|
||||||
|
+ if (max) {
|
||||||
|
+ char *endp = NULL;
|
||||||
|
+ long l = strtol(max, &endp, 10);
|
||||||
|
+ if (max != endp && endp && !*endp && l > 0)
|
||||||
|
+ dns_g_rdataset_max_records = l;
|
||||||
|
+ }
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
+
|
||||||
|
+
|
||||||
|
isc_result_t
|
||||||
|
dns_rdataslab_fromrdataset(dns_rdataset_t *rdataset, isc_mem_t *mctx,
|
||||||
|
isc_region_t *region, unsigned int reservelen) {
|
||||||
|
@@ -158,7 +176,9 @@ dns_rdataslab_fromrdataset(dns_rdataset_t *rdataset, isc_mem_t *mctx,
|
||||||
|
return (ISC_R_SUCCESS);
|
||||||
|
}
|
||||||
|
|
||||||
|
- if (nitems > DNS_RDATASET_MAX_RECORDS) {
|
||||||
|
+ RUNTIME_CHECK(isc_once_do(&once, init_max_records) == ISC_R_SUCCESS);
|
||||||
|
+
|
||||||
|
+ if (nitems > dns_g_rdataset_max_records) {
|
||||||
|
return (DNS_R_TOOMANYRECORDS);
|
||||||
|
}
|
||||||
|
|
||||||
|
@@ -528,7 +548,7 @@ dns_rdataslab_merge(unsigned char *oslab, unsigned char *nslab,
|
||||||
|
#endif /* if DNS_RDATASET_FIXED */
|
||||||
|
INSIST(ocount > 0 && ncount > 0);
|
||||||
|
|
||||||
|
- if (ocount + ncount > DNS_RDATASET_MAX_RECORDS) {
|
||||||
|
+ if (ocount + ncount > dns_g_rdataset_max_records) {
|
||||||
|
return (DNS_R_TOOMANYRECORDS);
|
||||||
|
}
|
||||||
|
|
||||||
|
--
|
||||||
|
2.45.2
|
||||||
|
|
@ -163,6 +163,8 @@ Patch206: bind-9.16-CVE-2024-1975.patch
|
|||||||
Patch207: bind-9.16-CVE-2024-1737.patch
|
Patch207: bind-9.16-CVE-2024-1737.patch
|
||||||
# https://gitlab.isc.org/isc-projects/bind9/commit/a61be8eef0ee0ca8fd8036ccb61c6f9b728158ce
|
# https://gitlab.isc.org/isc-projects/bind9/commit/a61be8eef0ee0ca8fd8036ccb61c6f9b728158ce
|
||||||
Patch208: bind-9.18-CVE-2024-4076.patch
|
Patch208: bind-9.18-CVE-2024-4076.patch
|
||||||
|
# RH downstream, allow changing by environment
|
||||||
|
Patch209: bind-9.16-CVE-2024-1737-runtime-env.patch
|
||||||
|
|
||||||
%{?systemd_ordering}
|
%{?systemd_ordering}
|
||||||
Requires: coreutils
|
Requires: coreutils
|
||||||
@ -503,6 +505,7 @@ in HTML and PDF format.
|
|||||||
%patch206 -p1 -b .CVE-2024-1975
|
%patch206 -p1 -b .CVE-2024-1975
|
||||||
%patch207 -p1 -b .CVE-2024-1737
|
%patch207 -p1 -b .CVE-2024-1737
|
||||||
%patch208 -p1 -b .CVE-2024-4076
|
%patch208 -p1 -b .CVE-2024-4076
|
||||||
|
%patch209 -p1 -b .CVE-2024-1737-env
|
||||||
|
|
||||||
%if %{with PKCS11}
|
%if %{with PKCS11}
|
||||||
%patch135 -p1 -b .config-pkcs11
|
%patch135 -p1 -b .config-pkcs11
|
||||||
@ -1235,6 +1238,7 @@ fi;
|
|||||||
- Resolve CVE-2024-1975
|
- Resolve CVE-2024-1975
|
||||||
- Resolve CVE-2024-1737
|
- Resolve CVE-2024-1737
|
||||||
- Resolve CVE-2024-4076
|
- Resolve CVE-2024-4076
|
||||||
|
- Add ability to change runtime limits for max types and records per name
|
||||||
|
|
||||||
* Tue Jul 09 2024 Petr Menšík <pemensik@redhat.com> - 32:9.16.23-21
|
* Tue Jul 09 2024 Petr Menšík <pemensik@redhat.com> - 32:9.16.23-21
|
||||||
- Increase size of hazard pointer array (RHEL-39131)
|
- Increase size of hazard pointer array (RHEL-39131)
|
||||||
|
Loading…
Reference in New Issue
Block a user