Updates to nsupdate TLS backport fixing memory

Properly release memory when TLS is used. Resolves: RHEL-77354
2025-02-10 17:31:24 +01:00 · 2025-02-10 17:31:24 +01:00 · 95523016c1
commit 95523016c1
parent 8c9ca2f8f6
1 changed files with 80 additions and 32 deletions
--- a/bind-9.20-nsupdate-tls.patch
+++ b/bind-9.20-nsupdate-tls.patch
@ -1,7 +1,7 @@
-From ec00ba4b215963af5e05892cf2ce1a62222ede46 Mon Sep 17 00:00:00 2001
+From b44dc4ed5c34445511f06d4b972407d539f8e9da Mon Sep 17 00:00:00 2001
 From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= <pemensik@redhat.com>
 Date: Mon, 11 Nov 2024 18:09:07 +0100
-Subject: [PATCH 1/3] Backport nsupdate TLS support into 9.18
+Subject: [PATCH] Backport nsupdate TLS support into 9.18
 Attempt to support TLS from nsupdate even in 9.18 release.
@ -40,9 +40,15 @@ implementation as a model for the newly added features.
 [pemensik] Adapted to previous 9.18 changes.
 Add usage and command line parsing
 Fixup tls initialization from nsupdate
 Detach transport also on dispatch_destroy properly.
 Adapted to 9.18.33.
 ---
 bin/nsupdate/nsupdate.c         | 192 ++++++++++++++++++++----
- lib/dns/dispatch.c              | 107 ++++++++++++--
+ lib/dns/dispatch.c              | 128 ++++++++++++++--
 lib/dns/include/dns/dispatch.h  |  22 +++
 lib/dns/include/dns/request.h   |  23 +++
 lib/dns/include/dns/transport.h |  45 +++++-
@ -50,10 +56,10 @@ Add usage and command line parsing
 lib/dns/request.c               |  63 ++++++--
 lib/dns/transport.c             | 253 ++++++++++++++++++++++++++++++++
 lib/dns/xfrin.c                 | 232 +----------------------------
- 9 files changed, 649 insertions(+), 290 deletions(-)
+ 9 files changed, 668 insertions(+), 292 deletions(-)
 diff --git a/bin/nsupdate/nsupdate.c b/bin/nsupdate/nsupdate.c
-index 45ba90fba7b..93c7ea6cb17 100644
+index 293ed28..819925e 100644
 --- a/bin/nsupdate/nsupdate.c
 +++ b/bin/nsupdate/nsupdate.c
@@ -45,6 +45,7 @@
@ -449,7 +455,7 @@ index 45ba90fba7b..93c7ea6cb17 100644
 	if (answer != NULL) {
 		dns_message_detach(&answer);
 diff --git a/lib/dns/dispatch.c b/lib/dns/dispatch.c
-index d737363fea4..44a2896cb03 100644
+index eb37198..8273c32 100644
 --- a/lib/dns/dispatch.c
 +++ b/lib/dns/dispatch.c
@@ -30,6 +30,7 @@
@ -517,18 +523,33 @@ index d737363fea4..44a2896cb03 100644
 +
 +	switch (transport_type) {
 +	case DNS_TRANSPORT_UDP:
- 		return ("UDP");
+ 		return "UDP";
 -	case isc_socktype_tcp:
 +	case DNS_TRANSPORT_TCP:
- 		return ("TCP");
+ 		return "TCP";
 +	case DNS_TRANSPORT_TLS:
 +		return "TLS";
 +	case DNS_TRANSPORT_HTTP:
 +		return "HTTP";
 	default:
- 		return ("<unexpected>");
+ 		return "<unexpected>";
 	}
-@@ -1161,6 +1182,15 @@ dispatch_allocate(dns_dispatchmgr_t *mgr, isc_socktype_t type,
+@@ -457,6 +478,14 @@ dispentry_destroy(dns_dispentry_t *resp) {
 		isc_nmhandle_detach(&resp->handle);
 	}
 +	if (resp->tlsctx_cache != NULL) {
 +		isc_tlsctx_cache_detach(&resp->tlsctx_cache);
 +	}
 +
 +	if (resp->transport != NULL) {
 +		dns_transport_detach(&resp->transport);
 +	}
 +
 	isc_mem_put(disp->mgr->mctx, resp, sizeof(*resp));
 	dns_dispatch_detach(&disp); /* DISPATCH001 */
@@ -1161,6 +1190,15 @@ dispatch_allocate(dns_dispatchmgr_t *mgr, isc_socktype_t type,
 isc_result_t
 dns_dispatch_createtcp(dns_dispatchmgr_t *mgr, const isc_sockaddr_t *localaddr,
 		       const isc_sockaddr_t *destaddr, dns_dispatch_t **dispp) {
@ -544,7 +565,7 @@ index d737363fea4..44a2896cb03 100644
 	dns_dispatch_t *disp = NULL;
 	REQUIRE(VALID_DISPATCHMGR(mgr));
-@@ -1170,7 +1200,11 @@ dns_dispatch_createtcp(dns_dispatchmgr_t *mgr, const isc_sockaddr_t *localaddr,
+@@ -1170,7 +1208,11 @@ dns_dispatch_createtcp(dns_dispatchmgr_t *mgr, const isc_sockaddr_t *localaddr,
 	dispatch_allocate(mgr, isc_socktype_tcp, &disp);
@ -556,7 +577,7 @@ index d737363fea4..44a2896cb03 100644
 	if (localaddr != NULL) {
 		disp->local = *localaddr;
-@@ -1185,6 +1219,7 @@ dns_dispatch_createtcp(dns_dispatchmgr_t *mgr, const isc_sockaddr_t *localaddr,
+@@ -1185,6 +1227,7 @@ dns_dispatch_createtcp(dns_dispatchmgr_t *mgr, const isc_sockaddr_t *localaddr,
 	 * Append it to the dispatcher list.
 	 */
@ -564,7 +585,7 @@ index d737363fea4..44a2896cb03 100644
 	/* FIXME: There should be a lookup hashtable here */
 	ISC_LIST_APPEND(mgr->list, disp, link);
 	UNLOCK(&mgr->lock);
-@@ -1208,6 +1243,13 @@ dns_dispatch_createtcp(dns_dispatchmgr_t *mgr, const isc_sockaddr_t *localaddr,
+@@ -1208,6 +1251,13 @@ dns_dispatch_createtcp(dns_dispatchmgr_t *mgr, const isc_sockaddr_t *localaddr,
 isc_result_t
 dns_dispatch_gettcp(dns_dispatchmgr_t *mgr, const isc_sockaddr_t *destaddr,
 		    const isc_sockaddr_t *localaddr, dns_dispatch_t **dispp) {
@ -578,7 +599,7 @@ index d737363fea4..44a2896cb03 100644
 	dns_dispatch_t *disp_connected = NULL;
 	dns_dispatch_t *disp_fallback = NULL;
 	isc_result_t result = ISC_R_NOTFOUND;
-@@ -1248,8 +1290,10 @@ dns_dispatch_gettcp(dns_dispatchmgr_t *mgr, const isc_sockaddr_t *destaddr,
+@@ -1248,8 +1298,10 @@ dns_dispatch_gettcp(dns_dispatchmgr_t *mgr, const isc_sockaddr_t *destaddr,
 		if (disp->socktype != isc_socktype_tcp ||
 		    !isc_sockaddr_equal(destaddr, &peeraddr) ||
 		    (localaddr != NULL &&
@ -590,7 +611,17 @@ index d737363fea4..44a2896cb03 100644
 			UNLOCK(&disp->lock);
 			continue;
 		}
-@@ -1426,7 +1470,18 @@ dns_dispatch_add(dns_dispatch_t *disp, unsigned int options,
+@@ -1403,6 +1455,9 @@ dispatch_destroy(dns_dispatch_t *disp) {
 			     disp->handle, &disp->handle);
 		isc_nmhandle_detach(&disp->handle);
 	}
 +	if (disp->transport != NULL) {
 +		dns_transport_detach(&disp->transport);
 +	}
 	isc_mutex_destroy(&disp->lock);
@@ -1426,7 +1481,18 @@ dns_dispatch_add(dns_dispatch_t *disp, unsigned int options,
 		 unsigned int timeout, const isc_sockaddr_t *dest,
 		 dispatch_cb_t connected, dispatch_cb_t sent,
 		 dispatch_cb_t response, void *arg, dns_messageid_t *idp,
@ -610,7 +641,7 @@ index d737363fea4..44a2896cb03 100644
 	dns_dispentry_t *resp = NULL;
 	dns_qid_t *qid = NULL;
 	in_port_t localport;
-@@ -1444,6 +1499,7 @@ dns_dispatch_add(dns_dispatch_t *disp, unsigned int options,
+@@ -1444,6 +1510,7 @@ dns_dispatch_add(dns_dispatch_t *disp, unsigned int options,
 	REQUIRE(connected != NULL);
 	REQUIRE(response != NULL);
 	REQUIRE(sent != NULL);
@ -618,7 +649,7 @@ index d737363fea4..44a2896cb03 100644
 	LOCK(&disp->lock);
-@@ -1471,6 +1527,7 @@ dns_dispatch_add(dns_dispatch_t *disp, unsigned int options,
+@@ -1471,6 +1538,7 @@ dns_dispatch_add(dns_dispatch_t *disp, unsigned int options,
 		.rlink = ISC_LINK_INITIALIZER,
 		.magic = RESPONSE_MAGIC,
 	};
@ -626,8 +657,8 @@ index d737363fea4..44a2896cb03 100644
 #if DNS_DISPATCH_TRACE
 	fprintf(stderr, "dns_dispentry__init:%s:%s:%d:%p->references = 1\n",
-@@ -1530,6 +1587,14 @@ dns_dispatch_add(dns_dispatch_t *disp, unsigned int options,
+@@ -1530,6 +1598,14 @@ dns_dispatch_add(dns_dispatch_t *disp, unsigned int options,
- 		return (ISC_R_NOMORE);
+ 		return ISC_R_NOMORE;
 	}
 +	if (transport != NULL) {
@ -641,7 +672,7 @@ index d737363fea4..44a2896cb03 100644
 	dns_dispatch_attach(disp, &resp->disp); /* DISPATCH001 */
 	disp->requests++;
-@@ -1779,6 +1844,7 @@ dns_dispatch_done(dns_dispentry_t **respp) {
+@@ -1779,6 +1855,7 @@ dns_dispatch_done(dns_dispentry_t **respp) {
 	*respp = NULL;
 	dispentry_cancel(resp, ISC_R_CANCELED);
@ -649,7 +680,7 @@ index d737363fea4..44a2896cb03 100644
 	dns_dispentry_detach(&resp); /* DISPENTRY000 */
 }
-@@ -1970,6 +2036,27 @@ udp_dispatch_connect(dns_dispatch_t *disp, dns_dispentry_t *resp) {
+@@ -1970,6 +2047,27 @@ udp_dispatch_connect(dns_dispatch_t *disp, dns_dispentry_t *resp) {
 static isc_result_t
 tcp_dispatch_connect(dns_dispatch_t *disp, dns_dispentry_t *resp) {
@ -677,8 +708,25 @@ index d737363fea4..44a2896cb03 100644
 	/* Check whether the dispatch is already connecting or connected. */
 	LOCK(&disp->lock);
 	switch (disp->state) {
@@ -1995,8 +2093,14 @@ tcp_dispatch_connect(dns_dispatch_t *disp, dns_dispentry_t *resp) {
 			      "connecting from %s to %s, timeout %u", localbuf,
 			      peerbuf, resp->timeout);
 -		isc_nm_tcpdnsconnect(disp->mgr->nm, &disp->local, &disp->peer,
 -				     tcp_connected, disp, resp->timeout, 0);
 +		if (tlsctx != NULL) {
 +			isc_nm_tlsdnsconnect(disp->mgr->nm, &disp->local, &disp->peer,
 +					     tcp_connected, disp, resp->timeout, 0,
 +					     tlsctx, sess_cache);
 +		} else {
 +			isc_nm_tcpdnsconnect(disp->mgr->nm, &disp->local, &disp->peer,
 +					     tcp_connected, disp, resp->timeout, 0);
 +		}
 		break;
 	case DNS_DISPATCHSTATE_CONNECTING:
 diff --git a/lib/dns/include/dns/dispatch.h b/lib/dns/include/dns/dispatch.h
-index ad377f078ed..cfdc37481ce 100644
+index ad377f0..cfdc374 100644
 --- a/lib/dns/include/dns/dispatch.h
 +++ b/lib/dns/include/dns/dispatch.h
@@ -56,6 +56,7 @@
@ -739,7 +787,7 @@ index ad377f078ed..cfdc37481ce 100644
  * Add a response entry for this dispatch.
  *
 diff --git a/lib/dns/include/dns/request.h b/lib/dns/include/dns/request.h
-index d00574f9827..17bcbf68c3b 100644
+index d00574f..17bcbf6 100644
 --- a/lib/dns/include/dns/request.h
 +++ b/lib/dns/include/dns/request.h
@@ -44,6 +44,7 @@
@ -787,7 +835,7 @@ index d00574f9827..17bcbf68c3b 100644
  * \brief Create and send a request.
  *
 diff --git a/lib/dns/include/dns/transport.h b/lib/dns/include/dns/transport.h
-index e74ccd7f970..e6499a97e73 100644
+index e74ccd7..e6499a9 100644
 --- a/lib/dns/include/dns/transport.h
 +++ b/lib/dns/include/dns/transport.h
@@ -13,7 +13,9 @@
@ -874,7 +922,7 @@ index e74ccd7f970..e6499a97e73 100644
  * Requires:
  *\li	'transport' is valid.
 diff --git a/lib/dns/include/dns/types.h b/lib/dns/include/dns/types.h
-index 6465962bd41..f0aaa24e936 100644
+index 6465962..f0aaa24 100644
 --- a/lib/dns/include/dns/types.h
 +++ b/lib/dns/include/dns/types.h
@@ -141,6 +141,8 @@ typedef struct dns_ssutable	     dns_ssutable_t;
@ -887,7 +935,7 @@ index 6465962bd41..f0aaa24e936 100644
 typedef struct dns_tsec		     dns_tsec_t;
 typedef struct dns_tsig_keyring	     dns_tsig_keyring_t;
 diff --git a/lib/dns/request.c b/lib/dns/request.c
-index fb17ed2262e..463a7ca6d63 100644
+index 8aaa29f..badedab 100644
 --- a/lib/dns/request.c
 +++ b/lib/dns/request.c
@@ -399,12 +399,12 @@ isblackholed(dns_dispatchmgr_t *dispatchmgr, const isc_sockaddr_t *destaddr) {
@ -914,7 +962,7 @@ index fb17ed2262e..463a7ca6d63 100644
 -					destaddr, dispatchp);
 +	result = dns_dispatch_createtcp2(requestmgr->dispatchmgr, srcaddr,
 +					 destaddr, transport, 0, dispatchp);
- 	return (result);
+ 	return result;
 }
@@ -452,12 +452,12 @@ udp_dispatch(dns_requestmgr_t *requestmgr, const isc_sockaddr_t *srcaddr,
@ -1021,7 +1069,7 @@ index fb17ed2262e..463a7ca6d63 100644
 		goto detach;
 	}
 diff --git a/lib/dns/transport.c b/lib/dns/transport.c
-index ae1ab7415b1..59eba1db252 100644
+index 88a3df4..2a779ba 100644
 --- a/lib/dns/transport.c
 +++ b/lib/dns/transport.c
@@ -15,9 +15,11 @@
@ -1302,7 +1350,7 @@ index ae1ab7415b1..59eba1db252 100644
 transport_destroy(dns_transport_t *transport) {
 	isc_refcount_destroy(&transport->references);
 diff --git a/lib/dns/xfrin.c b/lib/dns/xfrin.c
-index 72b24e15ac3..73bd834070c 100644
+index 3a4f761..3695815 100644
 --- a/lib/dns/xfrin.c
 +++ b/lib/dns/xfrin.c
@@ -962,234 +962,6 @@ xfrin_create(isc_mem_t *mctx, dns_zone_t *zone, dns_db_t *db, isc_nm_t *netmgr,
@ -1516,7 +1564,7 @@ index 72b24e15ac3..73bd834070c 100644
 -		*pctx = found;
 -	}
 -
-	return (ISC_R_SUCCESS);
+-	return ISC_R_SUCCESS;
 -
 -failure:
 -	if (tlsctx != NULL) {
@ -1534,7 +1582,7 @@ index 72b24e15ac3..73bd834070c 100644
 -		isc_tls_cert_store_free(&store);
 -	}
 -
-	return (result);
+-	return result;
 -}
 -
 static isc_result_t
@ -1552,5 +1600,5 @@ index 72b24e15ac3..73bd834070c 100644
 			goto failure;
 		}
 -- 
-2.47.0
+2.48.1