[9.16] chg: usr: Backport max-records-per-type to BIND 9.16

This aligns the fix for a large number of RRs in an RRSet with 9.18 and up
by backporting the `max-records-per-type` configuration option to
BIND 9.16.

Merge branch 'ondrej/max-records-per-type-backport-9.16' into 'bind-9.16'

See merge request isc-projects/bind9!9177

Remove also custom environment feature, which is not necessary with
proper config options backported.

Increase rightmost version to become higher than _4 suffix.

Resolves: RHEL-50591
Petr Menšík 2024-08-07 13:24:32 +02:00
parent 9c17975ebc
commit e0120bb883
4 changed files with 4109 additions and 137 deletions




@ -1,133 +0,0 @@
From f88517c844075f57f631dc3aac527145f21e038f Mon Sep 17 00:00:00 2001
From: Petr Mensik <pemensik@redhat.com>
Date: Mon, 29 Jul 2024 16:20:50 +0200
Subject: [PATCH] Allow global runtime definition by DNS_RBTDB_MAX_RTYPES
Modify rbtdb to not set it only at runtime, but allow setting that also
in runtime via environment variable. It is still possible to modify
default during the build define. In addition to it allows runtime change
also. Can be positive number to set limit, 0 disabled the check.
Similarly add also DNS_RDATASET_MAX_RECORDS to set maximum number of
records for a single name. This must be positive number, 0 is no accepted.
These replaces max-records-per-type and max-types-per-name in later
versions. But can be configured only by environment and can be
configured only globally, not in each view or zone.
---
lib/dns/rbtdb.c | 21 +++++++++++++++++++--
lib/dns/rdataslab.c | 24 ++++++++++++++++++++++--
2 files changed, 41 insertions(+), 4 deletions(-)
diff --git a/lib/dns/rbtdb.c b/lib/dns/rbtdb.c
index e840c06..25242b2 100644
--- a/lib/dns/rbtdb.c
+++ b/lib/dns/rbtdb.c
@@ -6225,15 +6225,29 @@ update_recordsandxfrsize(bool add, rbtdb_version_t *rbtversion,
#define DNS_RBTDB_MAX_RTYPES 100
#endif /* DNS_RBTDB_MAX_RTYPES */
+static uint32_t dns_g_rbtdb_max_rtypes = DNS_RBTDB_MAX_RTYPES;
+
+static void
+init_max_rtypes(void) {
+ /* Red Hat change, allow setting different max value by environment. */
+ const char *max = getenv("DNS_RBTDB_MAX_RTYPES");
+ if (max) {
+ char *endp = NULL;
+ long l = strtol(max, &endp, 10);
+ if (max != endp && endp && !*endp && l >= 0)
+ dns_g_rbtdb_max_rtypes = l;
+ }
+}
+
static bool
overmaxtype(dns_rbtdb_t *rbtdb, uint32_t ntypes) {
UNUSED(rbtdb);
- if (DNS_RBTDB_MAX_RTYPES == 0) {
+ if (dns_g_rbtdb_max_rtypes == 0) {
return (false);
}
- return (ntypes >= DNS_RBTDB_MAX_RTYPES);
+ return (ntypes >= dns_g_rbtdb_max_rtypes);
}
static bool
@@ -8785,6 +8799,8 @@ static dns_dbmethods_t cache_methods = { attach,
NULL,
adjusthashsize };
+static isc_once_t once_db = ISC_ONCE_INIT;
+
isc_result_t
dns_rbtdb_create(isc_mem_t *mctx, const dns_name_t *origin, dns_dbtype_t type,
dns_rdataclass_t rdclass, unsigned int argc, char *argv[],
@@ -8798,6 +8814,7 @@ dns_rbtdb_create(isc_mem_t *mctx, const dns_name_t *origin, dns_dbtype_t type,
/* Keep the compiler happy. */
UNUSED(driverarg);
+ RUNTIME_CHECK(isc_once_do(&once_db, init_max_rtypes) == ISC_R_SUCCESS);
rbtdb = isc_mem_get(mctx, sizeof(*rbtdb));
diff --git a/lib/dns/rdataslab.c b/lib/dns/rdataslab.c
index dda9038..cef86af 100644
--- a/lib/dns/rdataslab.c
+++ b/lib/dns/rdataslab.c
@@ -15,6 +15,7 @@
#include <stdlib.h>
#include <isc/mem.h>
+#include <isc/once.h>
#include <isc/region.h>
#include <isc/string.h> /* Required for HP/UX (and others?) */
#include <isc/util.h>
@@ -114,6 +115,23 @@ fillin_offsets(unsigned char *offsetbase, unsigned int *offsettable,
#define DNS_RDATASET_MAX_RECORDS 100
#endif /* DNS_RDATASET_MAX_RECORDS */
+static unsigned int dns_g_rdataset_max_records = DNS_RDATASET_MAX_RECORDS;
+static isc_once_t once = ISC_ONCE_INIT;
+
+static void
+init_max_records(void) {
+ /* Red Hat change, allow setting different max value by environment. */
+ const char *max = getenv("DNS_RDATASET_MAX_RECORDS");
+ if (max) {
+ char *endp = NULL;
+ long l = strtol(max, &endp, 10);
+ if (max != endp && endp && !*endp && l > 0)
+ dns_g_rdataset_max_records = l;
+ }
+}
+
+
+
isc_result_t
dns_rdataslab_fromrdataset(dns_rdataset_t *rdataset, isc_mem_t *mctx,
isc_region_t *region, unsigned int reservelen) {
@@ -158,7 +176,9 @@ dns_rdataslab_fromrdataset(dns_rdataset_t *rdataset, isc_mem_t *mctx,
return (ISC_R_SUCCESS);
}
- if (nitems > DNS_RDATASET_MAX_RECORDS) {
+ RUNTIME_CHECK(isc_once_do(&once, init_max_records) == ISC_R_SUCCESS);
+
+ if (nitems > dns_g_rdataset_max_records) {
return (DNS_R_TOOMANYRECORDS);
}
@@ -528,7 +548,7 @@ dns_rdataslab_merge(unsigned char *oslab, unsigned char *nslab,
#endif /* if DNS_RDATASET_FIXED */
INSIST(ocount > 0 && ncount > 0);
- if (ocount + ncount > DNS_RDATASET_MAX_RECORDS) {
+ if (ocount + ncount > dns_g_rdataset_max_records) {
return (DNS_R_TOOMANYRECORDS);
}
--
2.45.2


@ -57,7 +57,7 @@ Summary: The Berkeley Internet Name Domain (BIND) DNS (Domain Name System) serv
Name: bind9.16 Name: bind9.16
License: MPLv2.0 License: MPLv2.0
Version: 9.16.23 Version: 9.16.23
Release: 0.20%{?dist} Release: 0.21%{?dist}
Epoch: 32 Epoch: 32
Url: https://www.isc.org/downloads/bind/ Url: https://www.isc.org/downloads/bind/
# #
@ -156,8 +156,9 @@ Patch205: bind-9.16-CVE-2024-1975.patch
Patch206: bind-9.16-CVE-2024-1737.patch Patch206: bind-9.16-CVE-2024-1737.patch
# https://gitlab.isc.org/isc-projects/bind9/commit/a61be8eef0ee0ca8fd8036ccb61c6f9b728158ce # https://gitlab.isc.org/isc-projects/bind9/commit/a61be8eef0ee0ca8fd8036ccb61c6f9b728158ce
Patch207: bind-9.18-CVE-2024-4076.patch Patch207: bind-9.18-CVE-2024-4076.patch
# RH downstream, allow changing by environment # https://gitlab.isc.org/isc-projects/bind9/commit/2f2f0a900b9baf5e6eba02a82e2fe9e967dc1760
Patch208: bind-9.16-CVE-2024-1737-runtime-env.patch Patch209: bind-9.16-CVE-2024-1737-records.patch
Patch210: bind-9.16-CVE-2024-1737-records-test.patch
%{?systemd_ordering} %{?systemd_ordering}
Requires: coreutils Requires: coreutils
@ -486,7 +487,8 @@ in HTML and PDF format.
%patch205 -p1 -b .CVE-2024-1975 %patch205 -p1 -b .CVE-2024-1975
%patch206 -p1 -b .CVE-2024-1737 %patch206 -p1 -b .CVE-2024-1737
%patch207 -p1 -b .CVE-2024-4076 %patch207 -p1 -b .CVE-2024-4076
%patch208 -p1 -b .CVE-2024-1737-env %patch209 -p1 -b .CVE-2024-1737-records
%patch210 -p1 -b .CVE-2024-1737-records-test
%if %{with PKCS11} %if %{with PKCS11}
%patch135 -p1 -b .config-pkcs11 %patch135 -p1 -b .config-pkcs11
@ -1211,6 +1213,10 @@ fi;
%endif %endif
%changelog %changelog
* Wed Aug 07 2024 Petr Menšík <pemensik@redhat.com> - 32:9.16.23-0.21
- Backport addition of max-records-per-type and max-records-per-type options
(CVE-2024-1737)
* Thu Jul 18 2024 Petr Menšík <pemensik@redhat.com> - 32:9.16.23-0.20 * Thu Jul 18 2024 Petr Menšík <pemensik@redhat.com> - 32:9.16.23-0.20
- Resolve CVE-2024-1975 - Resolve CVE-2024-1975
- Resolve CVE-2024-1737 - Resolve CVE-2024-1737
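Review bot: The new `%changelog` entry on the `- Backport addition of ...` line names `max-records-per-type` twice; the description of the removed runtime-env patch calls the second limit `max-types-per-name`, so the second occurrence presumably should be that name: `- Backport addition of max-records-per-type and max-types-per-name options`. In the patch-list hunk, `Patch209:` is preceded by the upstream commit URL but `Patch210:` (the test patch) carries no comment saying where it comes from; a one-line `#` comment above it naming its upstream origin would keep the list self-describing, as Patch206/207 already are. The two added patch files are suppressed on this page, so their content is not reviewed here.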