[9.16] chg: usr: Backport max-records-per-type to BIND 9.16
This aligns the fix for a large number of RRs in an RRset with 9.18 and later by backporting the `max-records-per-type` configuration option to BIND 9.16. Merge branch 'ondrej/max-records-per-type-backport-9.16' into 'bind-9.16' See merge request isc-projects/bind9!9177 Also remove the custom environment feature, which is not necessary once the proper config options are backported. Increase the rightmost version so it becomes higher than the _4 suffix. Resolves: RHEL-49900
This commit is contained in:
parent
7d262e3039
commit
979a7d3a93
2947
bind-9.16-CVE-2024-1737-records-test.patch
Normal file
File diff suppressed because it is too large
1152
bind-9.16-CVE-2024-1737-records.patch
Normal file
File diff suppressed because it is too large
@ -1,133 +0,0 @@
|
|||||||
From f88517c844075f57f631dc3aac527145f21e038f Mon Sep 17 00:00:00 2001
|
|
||||||
From: Petr Mensik <pemensik@redhat.com>
|
|
||||||
Date: Mon, 29 Jul 2024 16:20:50 +0200
|
|
||||||
Subject: [PATCH] Allow global runtime definition by DNS_RBTDB_MAX_RTYPES
|
|
||||||
|
|
||||||
Modify rbtdb to not set it only at runtime, but allow setting that also
|
|
||||||
in runtime via environment variable. It is still possible to modify
|
|
||||||
default during the build define. In addition to it allows runtime change
|
|
||||||
also. Can be positive number to set limit, 0 disabled the check.
|
|
||||||
|
|
||||||
Similarly add also DNS_RDATASET_MAX_RECORDS to set maximum number of
|
|
||||||
records for a single name. This must be positive number, 0 is no accepted.
|
|
||||||
|
|
||||||
These replaces max-records-per-type and max-types-per-name in later
|
|
||||||
versions. But can be configured only by environment and can be
|
|
||||||
configured only globally, not in each view or zone.
|
|
||||||
---
|
|
||||||
lib/dns/rbtdb.c | 21 +++++++++++++++++++--
|
|
||||||
lib/dns/rdataslab.c | 24 ++++++++++++++++++++++--
|
|
||||||
2 files changed, 41 insertions(+), 4 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/lib/dns/rbtdb.c b/lib/dns/rbtdb.c
|
|
||||||
index e840c06..25242b2 100644
|
|
||||||
--- a/lib/dns/rbtdb.c
|
|
||||||
+++ b/lib/dns/rbtdb.c
|
|
||||||
@@ -6225,15 +6225,29 @@ update_recordsandxfrsize(bool add, rbtdb_version_t *rbtversion,
|
|
||||||
#define DNS_RBTDB_MAX_RTYPES 100
|
|
||||||
#endif /* DNS_RBTDB_MAX_RTYPES */
|
|
||||||
|
|
||||||
+static uint32_t dns_g_rbtdb_max_rtypes = DNS_RBTDB_MAX_RTYPES;
|
|
||||||
+
|
|
||||||
+static void
|
|
||||||
+init_max_rtypes(void) {
|
|
||||||
+ /* Red Hat change, allow setting different max value by environment. */
|
|
||||||
+ const char *max = getenv("DNS_RBTDB_MAX_RTYPES");
|
|
||||||
+ if (max) {
|
|
||||||
+ char *endp = NULL;
|
|
||||||
+ long l = strtol(max, &endp, 10);
|
|
||||||
+ if (max != endp && endp && !*endp && l >= 0)
|
|
||||||
+ dns_g_rbtdb_max_rtypes = l;
|
|
||||||
+ }
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
static bool
|
|
||||||
overmaxtype(dns_rbtdb_t *rbtdb, uint32_t ntypes) {
|
|
||||||
UNUSED(rbtdb);
|
|
||||||
|
|
||||||
- if (DNS_RBTDB_MAX_RTYPES == 0) {
|
|
||||||
+ if (dns_g_rbtdb_max_rtypes == 0) {
|
|
||||||
return (false);
|
|
||||||
}
|
|
||||||
|
|
||||||
- return (ntypes >= DNS_RBTDB_MAX_RTYPES);
|
|
||||||
+ return (ntypes >= dns_g_rbtdb_max_rtypes);
|
|
||||||
}
|
|
||||||
|
|
||||||
static bool
|
|
||||||
@@ -8785,6 +8799,8 @@ static dns_dbmethods_t cache_methods = { attach,
|
|
||||||
NULL,
|
|
||||||
adjusthashsize };
|
|
||||||
|
|
||||||
+static isc_once_t once_db = ISC_ONCE_INIT;
|
|
||||||
+
|
|
||||||
isc_result_t
|
|
||||||
dns_rbtdb_create(isc_mem_t *mctx, const dns_name_t *origin, dns_dbtype_t type,
|
|
||||||
dns_rdataclass_t rdclass, unsigned int argc, char *argv[],
|
|
||||||
@@ -8798,6 +8814,7 @@ dns_rbtdb_create(isc_mem_t *mctx, const dns_name_t *origin, dns_dbtype_t type,
|
|
||||||
|
|
||||||
/* Keep the compiler happy. */
|
|
||||||
UNUSED(driverarg);
|
|
||||||
+ RUNTIME_CHECK(isc_once_do(&once_db, init_max_rtypes) == ISC_R_SUCCESS);
|
|
||||||
|
|
||||||
rbtdb = isc_mem_get(mctx, sizeof(*rbtdb));
|
|
||||||
|
|
||||||
diff --git a/lib/dns/rdataslab.c b/lib/dns/rdataslab.c
|
|
||||||
index dda9038..cef86af 100644
|
|
||||||
--- a/lib/dns/rdataslab.c
|
|
||||||
+++ b/lib/dns/rdataslab.c
|
|
||||||
@@ -15,6 +15,7 @@
|
|
||||||
#include <stdlib.h>
|
|
||||||
|
|
||||||
#include <isc/mem.h>
|
|
||||||
+#include <isc/once.h>
|
|
||||||
#include <isc/region.h>
|
|
||||||
#include <isc/string.h> /* Required for HP/UX (and others?) */
|
|
||||||
#include <isc/util.h>
|
|
||||||
@@ -114,6 +115,23 @@ fillin_offsets(unsigned char *offsetbase, unsigned int *offsettable,
|
|
||||||
#define DNS_RDATASET_MAX_RECORDS 100
|
|
||||||
#endif /* DNS_RDATASET_MAX_RECORDS */
|
|
||||||
|
|
||||||
+static unsigned int dns_g_rdataset_max_records = DNS_RDATASET_MAX_RECORDS;
|
|
||||||
+static isc_once_t once = ISC_ONCE_INIT;
|
|
||||||
+
|
|
||||||
+static void
|
|
||||||
+init_max_records(void) {
|
|
||||||
+ /* Red Hat change, allow setting different max value by environment. */
|
|
||||||
+ const char *max = getenv("DNS_RDATASET_MAX_RECORDS");
|
|
||||||
+ if (max) {
|
|
||||||
+ char *endp = NULL;
|
|
||||||
+ long l = strtol(max, &endp, 10);
|
|
||||||
+ if (max != endp && endp && !*endp && l > 0)
|
|
||||||
+ dns_g_rdataset_max_records = l;
|
|
||||||
+ }
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
+
|
|
||||||
+
|
|
||||||
isc_result_t
|
|
||||||
dns_rdataslab_fromrdataset(dns_rdataset_t *rdataset, isc_mem_t *mctx,
|
|
||||||
isc_region_t *region, unsigned int reservelen) {
|
|
||||||
@@ -158,7 +176,9 @@ dns_rdataslab_fromrdataset(dns_rdataset_t *rdataset, isc_mem_t *mctx,
|
|
||||||
return (ISC_R_SUCCESS);
|
|
||||||
}
|
|
||||||
|
|
||||||
- if (nitems > DNS_RDATASET_MAX_RECORDS) {
|
|
||||||
+ RUNTIME_CHECK(isc_once_do(&once, init_max_records) == ISC_R_SUCCESS);
|
|
||||||
+
|
|
||||||
+ if (nitems > dns_g_rdataset_max_records) {
|
|
||||||
return (DNS_R_TOOMANYRECORDS);
|
|
||||||
}
|
|
||||||
|
|
||||||
@@ -528,7 +548,7 @@ dns_rdataslab_merge(unsigned char *oslab, unsigned char *nslab,
|
|
||||||
#endif /* if DNS_RDATASET_FIXED */
|
|
||||||
INSIST(ocount > 0 && ncount > 0);
|
|
||||||
|
|
||||||
- if (ocount + ncount > DNS_RDATASET_MAX_RECORDS) {
|
|
||||||
+ if (ocount + ncount > dns_g_rdataset_max_records) {
|
|
||||||
return (DNS_R_TOOMANYRECORDS);
|
|
||||||
}
|
|
||||||
|
|
||||||
--
|
|
||||||
2.45.2
|
|
||||||
|
|
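--- a/bind.spec
+++ b/bind.spec
@@ -51,7 +51,7 @@ Summary: The Berkeley Internet Name Domain (BIND) DNS (Domain Name System) serv
 Name: bind
 License: MPLv2.0
 Version: 9.16.23
-Release: 22%{?dist}
+Release: 23%{?dist}
 Epoch: 32
 Url: https://www.isc.org/downloads/bind/
 #
@@ -163,8 +163,9 @@ Patch206: bind-9.16-CVE-2024-1975.patch
 Patch207: bind-9.16-CVE-2024-1737.patch
 # https://gitlab.isc.org/isc-projects/bind9/commit/a61be8eef0ee0ca8fd8036ccb61c6f9b728158ce
 Patch208: bind-9.18-CVE-2024-4076.patch
-# RH downstream, allow changing by environment
-Patch209: bind-9.16-CVE-2024-1737-runtime-env.patch
+# https://gitlab.isc.org/isc-projects/bind9/commit/2f2f0a900b9baf5e6eba02a82e2fe9e967dc1760
+Patch210: bind-9.16-CVE-2024-1737-records.patch
+Patch211: bind-9.16-CVE-2024-1737-records-test.patch
 
 %{?systemd_ordering}
 Requires: coreutils
@@ -505,7 +506,8 @@ in HTML and PDF format.
 %patch206 -p1 -b .CVE-2024-1975
 %patch207 -p1 -b .CVE-2024-1737
 %patch208 -p1 -b .CVE-2024-4076
-%patch209 -p1 -b .CVE-2024-1737-env
+%patch210 -p1 -b .CVE-2024-1737-records
+%patch211 -p1 -b .CVE-2024-1737-records-test
 
 %if %{with PKCS11}
 %patch135 -p1 -b .config-pkcs11
@@ -1234,6 +1236,9 @@ fi;
 %endif
 
 %changelog
+* Wed Aug 07 2024 Petr Menšík <pemensik@redhat.com> - 32:9.16.23-23
+- Backport addition of max-records-per-type and max-records-per-type options
+
 * Thu Jul 18 2024 Petr Menšík <pemensik@redhat.com> - 32:9.16.23-22
 - Resolve CVE-2024-1975
 - Resolve CVE-2024-1737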