1d416c2d77
6064. [security] An UPDATE message flood could cause named to exhaust all available memory. This flaw was addressed by adding a new "update-quota" statement that controls the number of simultaneous UPDATE messages that can be processed or forwarded. The default is 100. A stats counter has been added to record events when the update quota is exceeded, and the XML and JSON statistics version numbers have been updated. (CVE-2022-3094) [GL #3523] Resolves: CVE-2022-3094
From d9a03233c6ea11f20c2fbeca87b763673859f8b2 Mon Sep 17 00:00:00 2001
|
|
From: Evan Hunt <each@isc.org>
|
|
Date: Thu, 1 Sep 2022 16:22:46 -0700
|
|
Subject: [PATCH] add a configuration option for the update quota
|
|
|
|
add an "update-quota" option to configure the update quota.
|
|
|
|
(cherry picked from commit f57758a7303ad0034ff2ff08eaaf2ef899630f19)
|
|
---
|
|
bin/named/config.c | 1 +
|
|
bin/named/named.conf.docbook | 2 ++
|
|
bin/named/server.c | 1 +
|
|
bin/tests/system/checkconf/good.conf | 1 +
|
|
doc/arm/Bv9ARM-book.xml | 11 +++++++++++
|
|
doc/arm/options.grammar.xml | 1 +
|
|
doc/misc/options | 1 +
|
|
lib/isccfg/namedconf.c | 1 +
|
|
8 files changed, 19 insertions(+)
|
|
|
|
diff --git a/bin/named/config.c b/bin/named/config.c
|
|
index 62d1e88..e3731cf 100644
|
|
--- a/bin/named/config.c
|
|
+++ b/bin/named/config.c
|
|
@@ -134,6 +134,7 @@ options {\n\
|
|
transfers-per-ns 2;\n\
|
|
# treat-cr-as-space <obsolete>;\n\
|
|
trust-anchor-telemetry yes;\n\
|
|
+ update-quota 100;\n\
|
|
# use-id-pool <obsolete>;\n\
|
|
# use-ixfr <obsolete>;\n\
|
|
\n\
|
|
diff --git a/bin/named/named.conf.docbook b/bin/named/named.conf.docbook
|
|
index 6565fce..5842cb5 100644
|
|
--- a/bin/named/named.conf.docbook
|
|
+++ b/bin/named/named.conf.docbook
|
|
@@ -455,6 +455,7 @@ options {
|
|
trust-anchor-telemetry <replaceable>boolean</replaceable>; // experimental
|
|
try-tcp-refresh <replaceable>boolean</replaceable>;
|
|
update-check-ksk <replaceable>boolean</replaceable>;
|
|
+ update-quota <replaceable>integer</replaceable>;
|
|
use-alt-transfer-source <replaceable>boolean</replaceable>;
|
|
use-v4-udp-ports { <replaceable>portrange</replaceable>; ... };
|
|
use-v6-udp-ports { <replaceable>portrange</replaceable>; ... };
|
|
@@ -864,6 +865,7 @@ view <replaceable>string</replaceable> [ <replaceable>class</replaceable> ] {
|
|
type ( delegation-only | forward | hint | master | redirect
|
|
| slave | static-stub | stub );
|
|
update-check-ksk <replaceable>boolean</replaceable>;
|
|
+ update-quota <replaceable>integer</replaceable>;
|
|
update-policy ( local | { ( deny | grant ) <replaceable>string</replaceable> (
|
|
6to4-self | external | krb5-self | krb5-selfsub |
|
|
krb5-subdomain | ms-self | ms-selfsub | ms-subdomain |
|
|
diff --git a/bin/named/server.c b/bin/named/server.c
|
|
index f09b895..7af90d0 100644
|
|
--- a/bin/named/server.c
|
|
+++ b/bin/named/server.c
|
|
@@ -7792,6 +7792,7 @@ load_configuration(const char *filename, ns_server_t *server,
|
|
configure_server_quota(maps, "tcp-clients", &server->tcpquota);
|
|
configure_server_quota(maps, "recursive-clients",
|
|
&server->recursionquota);
|
|
+ configure_server_quota(maps, "update-quota", &server->updquota);
|
|
|
|
if (server->recursionquota.max > 1000) {
|
|
int margin = ISC_MAX(100, ns_g_cpus + 1);
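Review bot: The value handed to configure_server_quota for "update-quota" gets no range check, unlike recursive-clients, whose max is sanity-adjusted in the block that starts right below the added line. The grammar added by this same patch declares the option as a bare uint32, so `update-quota 0` and arbitrarily large values are accepted; if isc_quota treats a max of 0 as "unlimited" the way the other server quotas appear to, setting 0 silently reinstates the unbounded behaviour this fix exists to remove — confirm against configure_server_quota and the quota code. At minimum the ARM entry should state what 0 means, and it may be worth a check in the configuration checker so named-checkconf rejects or warns on 0, e.g. `if (server->updquota.max == 0) { /* warn: update quota disabled */ }` next to the recursive-clients adjustment. load_configuration begins and ends outside this hunk.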
|
|
diff --git a/bin/tests/system/checkconf/good.conf b/bin/tests/system/checkconf/good.conf
|
|
index 1359cf3..5d9b292 100644
|
|
--- a/bin/tests/system/checkconf/good.conf
|
|
+++ b/bin/tests/system/checkconf/good.conf
|
|
@@ -63,6 +63,7 @@ options {
|
|
serial-queries 10;
|
|
serial-query-rate 100;
|
|
server-id none;
|
|
+ update-quota 200;
|
|
max-cache-size 20000000000000;
|
|
nta-lifetime 604800;
|
|
nta-recheck 604800;
|
|
diff --git a/doc/arm/Bv9ARM-book.xml b/doc/arm/Bv9ARM-book.xml
|
|
index 9aca6d7..acf772b 100644
|
|
--- a/doc/arm/Bv9ARM-book.xml
|
|
+++ b/doc/arm/Bv9ARM-book.xml
|
|
@@ -8599,6 +8599,17 @@ avoid-v6-udp-ports { 40000; range 50000 60000; };
|
|
</listitem>
|
|
</varlistentry>
|
|
|
|
+ <varlistentry>
|
|
+ <term><command>update-quota</command></term>
|
|
+ <listitem>
|
|
+ <para>
|
|
+ This is the maximum number of simultaneous DNS UPDATE messages that
|
|
+ the server will accept for updating local authoritiative zones or
|
|
+ forwarding to a primary server. The default is <userinput>100</userinput>.
|
|
+ </para>
|
|
+ </listitem>
|
|
+ </varlistentry>
|
|
+
|
|
</variablelist>
|
|
|
|
</section>
|
|
diff --git a/doc/arm/options.grammar.xml b/doc/arm/options.grammar.xml
|
|
index 793ac0b..1d17ea8 100644
|
|
--- a/doc/arm/options.grammar.xml
|
|
+++ b/doc/arm/options.grammar.xml
|
|
@@ -277,6 +277,7 @@
|
|
<command>trust-anchor-telemetry</command> <replaceable>boolean</replaceable>; // experimental
|
|
<command>try-tcp-refresh</command> <replaceable>boolean</replaceable>;
|
|
<command>update-check-ksk</command> <replaceable>boolean</replaceable>;
|
|
+ <command>update-quota</command> <replaceable>integer</replaceable>;
|
|
<command>use-alt-transfer-source</command> <replaceable>boolean</replaceable>;
|
|
<command>use-v4-udp-ports</command> { <replaceable>portrange</replaceable>; ... };
|
|
<command>use-v6-udp-ports</command> { <replaceable>portrange</replaceable>; ... };
|
|
diff --git a/doc/misc/options b/doc/misc/options
|
|
index fde93c7..e6d6ba6 100644
|
|
--- a/doc/misc/options
|
|
+++ b/doc/misc/options
|
|
@@ -357,6 +357,7 @@ options {
|
|
trust-anchor-telemetry <boolean>; // experimental
|
|
try-tcp-refresh <boolean>;
|
|
update-check-ksk <boolean>;
|
|
+ update-quota <integer>;
|
|
use-alt-transfer-source <boolean>;
|
|
use-id-pool <boolean>; // obsolete
|
|
use-ixfr <boolean>; // obsolete
|
|
diff --git a/lib/isccfg/namedconf.c b/lib/isccfg/namedconf.c
|
|
index b562f95..667111c 100644
|
|
--- a/lib/isccfg/namedconf.c
|
|
+++ b/lib/isccfg/namedconf.c
|
|
@@ -1136,6 +1136,7 @@ options_clauses[] = {
|
|
{ "transfers-out", &cfg_type_uint32, 0 },
|
|
{ "transfers-per-ns", &cfg_type_uint32, 0 },
|
|
{ "treat-cr-as-space", &cfg_type_boolean, CFG_CLAUSEFLAG_OBSOLETE },
|
|
+ { "update-quota", &cfg_type_uint32, 0 },
|
|
{ "use-id-pool", &cfg_type_boolean, CFG_CLAUSEFLAG_OBSOLETE },
|
|
{ "use-ixfr", &cfg_type_boolean, CFG_CLAUSEFLAG_OBSOLETE },
|
|
{ "use-v4-udp-ports", &cfg_type_bracketed_portlist, 0 },
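Review bot: update-quota is registered only in options_clauses here, yet the named.conf.docbook hunk earlier in this patch also lists it inside the view block (next to update-check-ksk), and nothing in the diffstat touches view_clauses or the configuration checker. As far as this diff shows, `update-quota` inside a view statement would be rejected by the parser, and since the option drives a single server-wide quota (`&server->updquota` in server.c) the view listing reads as a documentation error rather than a missing grammar entry; drop that line from the docbook, or, if per-view quotas are intended, add the clause to view_clauses and wire it up. The doc/misc/options hunk lists it under options only, which agrees with this hunk. options_clauses[] begins and ends outside this hunk.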
|
|
--
|
|
2.39.2
|
|
|