169 lines
4.7 KiB
Diff
169 lines
4.7 KiB
Diff
From bddd8950ff3d82d503dfb64e67d24ce364e5a5af Mon Sep 17 00:00:00 2001
|
|
From: Petr Mensik <pemensik@redhat.com>
|
|
Date: Mon, 16 Jun 2025 19:36:13 +0200
|
|
Subject: [PATCH] Support runtime configurable limit of additional records
|
|
|
|
Use environment variable NAMED_MAXADDITIONAL to change default built-in
|
|
limit. Uses environment variable to avoid the need to support the variable
|
|
option in the more recent versions and after upgrades.
|
|
|
|
Use debug 1 verbosity for logging parsed limit at the start, but not
|
|
changing production logs.
|
|
---
|
|
bin/named/main.c | 5 +++++
|
|
bin/named/named.rst | 9 +++++++++
|
|
lib/ns/include/ns/server.h | 13 +++++++++++++
|
|
lib/ns/query.c | 4 ++--
|
|
lib/ns/server.c | 25 +++++++++++++++++++++++++
|
|
5 files changed, 54 insertions(+), 2 deletions(-)
|
|
|
|
diff --git a/bin/named/main.c b/bin/named/main.c
|
|
index f62f82c..0de658a 100644
|
|
--- a/bin/named/main.c
|
|
+++ b/bin/named/main.c
|
|
@@ -1327,6 +1327,11 @@ setup(void) {
|
|
if (sigvalinsecs) {
|
|
ns_server_setoption(sctx, NS_SERVER_SIGVALINSECS, true);
|
|
}
|
|
+ isc_log_write(named_g_lctx, NAMED_LOGCATEGORY_GENERAL,
|
|
+ NAMED_LOGMODULE_SERVER, ISC_LOG_DEBUG(1),
|
|
+ "using max %u additional records",
|
|
+ ns_server_getmaxadditionalrecords(sctx));
|
|
+
|
|
}
|
|
|
|
static void
|
|
diff --git a/bin/named/named.rst b/bin/named/named.rst
|
|
index 3cd6350..06af140 100644
|
|
--- a/bin/named/named.rst
|
|
+++ b/bin/named/named.rst
|
|
@@ -228,6 +228,15 @@ Files
|
|
``/var/run/named/named.pid``
|
|
The default process-id file.
|
|
|
|
+Environment
|
|
+~~~~~~~~~~~
|
|
+
|
|
+NAMED_MAXADDITIONAL
|
|
+ Red Hat specific extension. Accepts numeric value of maximal NS
|
|
+ records, which would get fetched additional addresses. Default
|
|
+ value is 13. Allows runtime configurable limit introduced in
|
|
+ CVE-2024-11187 fixes.
|
|
+
|
|
Notes
|
|
~~~~~
|
|
|
|
diff --git a/lib/ns/include/ns/server.h b/lib/ns/include/ns/server.h
|
|
index 0abb579..4864ba4 100644
|
|
--- a/lib/ns/include/ns/server.h
|
|
+++ b/lib/ns/include/ns/server.h
|
|
@@ -122,6 +122,8 @@ struct ns_server {
|
|
isc_stats_t *tcpoutstats4;
|
|
isc_stats_t *tcpinstats6;
|
|
isc_stats_t *tcpoutstats6;
|
|
+
|
|
+ unsigned int max_additional_records;
|
|
};
|
|
|
|
struct ns_altsecret {
|
|
@@ -166,6 +168,17 @@ ns_server_setserverid(ns_server_t *sctx, const char *serverid);
|
|
*\li 'sctx' is valid.
|
|
*/
|
|
|
|
+unsigned int
|
|
+ns_server_getmaxadditionalrecords(ns_server_t *sctx);
|
|
+/*%<
|
|
+ * Returns the maximal number of records with additional addresses
|
|
+ * provided.
|
|
+ *
|
|
+ * Requires:
|
|
+ *\li 'sctx' is valid.
|
|
+ */
|
|
+
|
|
+
|
|
void
|
|
ns_server_setoption(ns_server_t *sctx, unsigned int option, bool value);
|
|
/*%<
|
|
diff --git a/lib/ns/query.c b/lib/ns/query.c
|
|
index ce1d710..37893e2 100644
|
|
--- a/lib/ns/query.c
|
|
+++ b/lib/ns/query.c
|
|
@@ -2032,7 +2032,7 @@ addname:
|
|
if (trdataset != NULL && dns_rdatatype_followadditional(type)) {
|
|
eresult = dns_rdataset_additionaldata2(
|
|
trdataset, query_additional_cb, qctx,
|
|
- DNS_RDATASET_MAXADDITIONAL);
|
|
+ client->sctx->max_additional_records);
|
|
}
|
|
|
|
cleanup:
|
|
@@ -2124,7 +2124,7 @@ regular:
|
|
* We don't care if dns_rdataset_additionaldata() fails.
|
|
*/
|
|
(void)dns_rdataset_additionaldata2(rdataset, query_additional_cb,
|
|
- qctx, DNS_RDATASET_MAXADDITIONAL);
|
|
+ qctx, client->sctx->max_additional_records);
|
|
CTRACE(ISC_LOG_DEBUG(3), "query_additional: done");
|
|
}
|
|
|
|
diff --git a/lib/ns/server.c b/lib/ns/server.c
|
|
index 540bc2e..0a4abb3 100644
|
|
--- a/lib/ns/server.c
|
|
+++ b/lib/ns/server.c
|
|
@@ -17,6 +17,7 @@
|
|
#include <isc/stats.h>
|
|
#include <isc/util.h>
|
|
|
|
+#include <dns/rdataset.h>
|
|
#include <dns/stats.h>
|
|
#include <dns/tkey.h>
|
|
|
|
@@ -33,6 +34,22 @@
|
|
RUNTIME_CHECK(result == ISC_R_SUCCESS); \
|
|
} while (0)
|
|
|
|
+/*
|
|
+ * CVE-2024-11187 introduced a limit on maximal number of records,
|
|
+ * for which additional records would be fetched. Make this limit
|
|
+ * configurable runtime only by environment.
|
|
+ */
|
|
+static size_t
|
|
+initialize_maxadditional(void) {
|
|
+ const char *limits;
|
|
+
|
|
+ limits = getenv("NAMED_MAXADDITIONAL");
|
|
+ if (limits != NULL) {
|
|
+ return strtol(limits, NULL, 10);
|
|
+ }
|
|
+ return DNS_RDATASET_MAXADDITIONAL;
|
|
+}
|
|
+
|
|
isc_result_t
|
|
ns_server_create(isc_mem_t *mctx, ns_matchview_t matchingview,
|
|
ns_server_t **sctxp) {
|
|
@@ -90,6 +107,7 @@ ns_server_create(isc_mem_t *mctx, ns_matchview_t matchingview,
|
|
|
|
sctx->udpsize = 1232;
|
|
sctx->transfer_tcp_message_size = 20480;
|
|
+ sctx->max_additional_records = initialize_maxadditional();
|
|
|
|
sctx->fuzztype = isc_fuzz_none;
|
|
sctx->fuzznotify = NULL;
|
|
@@ -213,6 +231,13 @@ ns_server_setserverid(ns_server_t *sctx, const char *serverid) {
|
|
return (ISC_R_SUCCESS);
|
|
}
|
|
|
|
+unsigned int
|
|
+ns_server_getmaxadditionalrecords(ns_server_t *sctx) {
|
|
+ REQUIRE(SCTX_VALID(sctx));
|
|
+
|
|
+ return sctx->max_additional_records;
|
|
+}
|
|
+
|
|
void
|
|
ns_server_setoption(ns_server_t *sctx, unsigned int option, bool value) {
|
|
REQUIRE(SCTX_VALID(sctx));
|
|
--
|
|
2.49.0
|
|
|