[9.16] chg: usr: Backport max-records-per-type to BIND 9.16
This aligns the fix for large number of RRs in RRSet with 9.18 and up by backporting to `max-records-per-type` configuration option to BIND 9.16. Merge branch 'ondrej/max-records-per-type-backport-9.16' into 'bind-9.16' See merge request isc-projects/bind9!9177 Remove also custom environment feature, which is not necessary with proper config options backported. Increase rightmost version to become higher than _4 suffix. Resolves: RHEL-50591
This commit is contained in:
Petr Menšík
parent
9c17975ebc
commit
e0120bb883
2947
bind-9.16-CVE-2024-1737-records-test.patch
Normal file
2947
bind-9.16-CVE-2024-1737-records-test.patch
Normal file
File diff suppressed because it is too large
Load Diff
1152
bind-9.16-CVE-2024-1737-records.patch
Normal file
1152
bind-9.16-CVE-2024-1737-records.patch
Normal file
File diff suppressed because it is too large
Load Diff
@ -1,133 +0,0 @@
|
||||
From f88517c844075f57f631dc3aac527145f21e038f Mon Sep 17 00:00:00 2001
|
||||
From: Petr Mensik <pemensik@redhat.com>
|
||||
Date: Mon, 29 Jul 2024 16:20:50 +0200
|
||||
Subject: [PATCH] Allow global runtime definition by DNS_RBTDB_MAX_RTYPES
|
||||
|
||||
Modify rbtdb to not set it only at runtime, but allow setting that also
|
||||
in runtime via environment variable. It is still possible to modify
|
||||
default during the build define. In addition to it allows runtime change
|
||||
also. Can be positive number to set limit, 0 disabled the check.
|
||||
|
||||
Similarly add also DNS_RDATASET_MAX_RECORDS to set maximum number of
|
||||
records for a single name. This must be positive number, 0 is no accepted.
|
||||
|
||||
These replaces max-records-per-type and max-types-per-name in later
|
||||
versions. But can be configured only by environment and can be
|
||||
configured only globally, not in each view or zone.
|
||||
---
|
||||
lib/dns/rbtdb.c | 21 +++++++++++++++++++--
|
||||
lib/dns/rdataslab.c | 24 ++++++++++++++++++++++--
|
||||
2 files changed, 41 insertions(+), 4 deletions(-)
|
||||
|
||||
diff --git a/lib/dns/rbtdb.c b/lib/dns/rbtdb.c
|
||||
index e840c06..25242b2 100644
|
||||
--- a/lib/dns/rbtdb.c
|
||||
+++ b/lib/dns/rbtdb.c
|
||||
@@ -6225,15 +6225,29 @@ update_recordsandxfrsize(bool add, rbtdb_version_t *rbtversion,
|
||||
#define DNS_RBTDB_MAX_RTYPES 100
|
||||
#endif /* DNS_RBTDB_MAX_RTYPES */
|
||||
|
||||
+static uint32_t dns_g_rbtdb_max_rtypes = DNS_RBTDB_MAX_RTYPES;
|
||||
+
|
||||
+static void
|
||||
+init_max_rtypes(void) {
|
||||
+ /* Red Hat change, allow setting different max value by environment. */
|
||||
+ const char *max = getenv("DNS_RBTDB_MAX_RTYPES");
|
||||
+ if (max) {
|
||||
+ char *endp = NULL;
|
||||
+ long l = strtol(max, &endp, 10);
|
||||
+ if (max != endp && endp && !*endp && l >= 0)
|
||||
+ dns_g_rbtdb_max_rtypes = l;
|
||||
+ }
|
||||
+}
|
||||
+
|
||||
static bool
|
||||
overmaxtype(dns_rbtdb_t *rbtdb, uint32_t ntypes) {
|
||||
UNUSED(rbtdb);
|
||||
|
||||
- if (DNS_RBTDB_MAX_RTYPES == 0) {
|
||||
+ if (dns_g_rbtdb_max_rtypes == 0) {
|
||||
return (false);
|
||||
}
|
||||
|
||||
- return (ntypes >= DNS_RBTDB_MAX_RTYPES);
|
||||
+ return (ntypes >= dns_g_rbtdb_max_rtypes);
|
||||
}
|
||||
|
||||
static bool
|
||||
@@ -8785,6 +8799,8 @@ static dns_dbmethods_t cache_methods = { attach,
|
||||
NULL,
|
||||
adjusthashsize };
|
||||
|
||||
+static isc_once_t once_db = ISC_ONCE_INIT;
|
||||
+
|
||||
isc_result_t
|
||||
dns_rbtdb_create(isc_mem_t *mctx, const dns_name_t *origin, dns_dbtype_t type,
|
||||
dns_rdataclass_t rdclass, unsigned int argc, char *argv[],
|
||||
@@ -8798,6 +8814,7 @@ dns_rbtdb_create(isc_mem_t *mctx, const dns_name_t *origin, dns_dbtype_t type,
|
||||
|
||||
/* Keep the compiler happy. */
|
||||
UNUSED(driverarg);
|
||||
+ RUNTIME_CHECK(isc_once_do(&once_db, init_max_rtypes) == ISC_R_SUCCESS);
|
||||
|
||||
rbtdb = isc_mem_get(mctx, sizeof(*rbtdb));
|
||||
|
||||
diff --git a/lib/dns/rdataslab.c b/lib/dns/rdataslab.c
|
||||
index dda9038..cef86af 100644
|
||||
--- a/lib/dns/rdataslab.c
|
||||
+++ b/lib/dns/rdataslab.c
|
||||
@@ -15,6 +15,7 @@
|
||||
#include <stdlib.h>
|
||||
|
||||
#include <isc/mem.h>
|
||||
+#include <isc/once.h>
|
||||
#include <isc/region.h>
|
||||
#include <isc/string.h> /* Required for HP/UX (and others?) */
|
||||
#include <isc/util.h>
|
||||
@@ -114,6 +115,23 @@ fillin_offsets(unsigned char *offsetbase, unsigned int *offsettable,
|
||||
#define DNS_RDATASET_MAX_RECORDS 100
|
||||
#endif /* DNS_RDATASET_MAX_RECORDS */
|
||||
|
||||
+static unsigned int dns_g_rdataset_max_records = DNS_RDATASET_MAX_RECORDS;
|
||||
+static isc_once_t once = ISC_ONCE_INIT;
|
||||
+
|
||||
+static void
|
||||
+init_max_records(void) {
|
||||
+ /* Red Hat change, allow setting different max value by environment. */
|
||||
+ const char *max = getenv("DNS_RDATASET_MAX_RECORDS");
|
||||
+ if (max) {
|
||||
+ char *endp = NULL;
|
||||
+ long l = strtol(max, &endp, 10);
|
||||
+ if (max != endp && endp && !*endp && l > 0)
|
||||
+ dns_g_rdataset_max_records = l;
|
||||
+ }
|
||||
+}
|
||||
+
|
||||
+
|
||||
+
|
||||
isc_result_t
|
||||
dns_rdataslab_fromrdataset(dns_rdataset_t *rdataset, isc_mem_t *mctx,
|
||||
isc_region_t *region, unsigned int reservelen) {
|
||||
@@ -158,7 +176,9 @@ dns_rdataslab_fromrdataset(dns_rdataset_t *rdataset, isc_mem_t *mctx,
|
||||
return (ISC_R_SUCCESS);
|
||||
}
|
||||
|
||||
- if (nitems > DNS_RDATASET_MAX_RECORDS) {
|
||||
+ RUNTIME_CHECK(isc_once_do(&once, init_max_records) == ISC_R_SUCCESS);
|
||||
+
|
||||
+ if (nitems > dns_g_rdataset_max_records) {
|
||||
return (DNS_R_TOOMANYRECORDS);
|
||||
}
|
||||
|
||||
@@ -528,7 +548,7 @@ dns_rdataslab_merge(unsigned char *oslab, unsigned char *nslab,
|
||||
#endif /* if DNS_RDATASET_FIXED */
|
||||
INSIST(ocount > 0 && ncount > 0);
|
||||
|
||||
- if (ocount + ncount > DNS_RDATASET_MAX_RECORDS) {
|
||||
+ if (ocount + ncount > dns_g_rdataset_max_records) {
|
||||
return (DNS_R_TOOMANYRECORDS);
|
||||
}
|
||||
|
||||
--
|
||||
2.45.2
|
||||
|
||||
@ -57,7 +57,7 @@ Summary: The Berkeley Internet Name Domain (BIND) DNS (Domain Name System) serv
|
||||
Name: bind9.16
|
||||
License: MPLv2.0
|
||||
Version: 9.16.23
|
||||
Release: 0.20%{?dist}
|
||||
Release: 0.21%{?dist}
|
||||
Epoch: 32
|
||||
Url: https://www.isc.org/downloads/bind/
|
||||
#
|
||||
@ -156,8 +156,9 @@ Patch205: bind-9.16-CVE-2024-1975.patch
|
||||
Patch206: bind-9.16-CVE-2024-1737.patch
|
||||
# https://gitlab.isc.org/isc-projects/bind9/commit/a61be8eef0ee0ca8fd8036ccb61c6f9b728158ce
|
||||
Patch207: bind-9.18-CVE-2024-4076.patch
|
||||
# RH downstream, allow changing by environment
|
||||
Patch208: bind-9.16-CVE-2024-1737-runtime-env.patch
|
||||
# https://gitlab.isc.org/isc-projects/bind9/commit/2f2f0a900b9baf5e6eba02a82e2fe9e967dc1760
|
||||
Patch209: bind-9.16-CVE-2024-1737-records.patch
|
||||
Patch210: bind-9.16-CVE-2024-1737-records-test.patch
|
||||
|
||||
%{?systemd_ordering}
|
||||
Requires: coreutils
|
||||
@ -486,7 +487,8 @@ in HTML and PDF format.
|
||||
%patch205 -p1 -b .CVE-2024-1975
|
||||
%patch206 -p1 -b .CVE-2024-1737
|
||||
%patch207 -p1 -b .CVE-2024-4076
|
||||
%patch208 -p1 -b .CVE-2024-1737-env
|
||||
%patch209 -p1 -b .CVE-2024-1737-records
|
||||
%patch210 -p1 -b .CVE-2024-1737-records-test
|
||||
|
||||
%if %{with PKCS11}
|
||||
%patch135 -p1 -b .config-pkcs11
|
||||
@ -1211,6 +1213,10 @@ fi;
|
||||
%endif
|
||||
|
||||
%changelog
|
||||
* Wed Aug 07 2024 Petr Menšík <pemensik@redhat.com> - 32:9.16.23-0.21
|
||||
- Backport addition of max-records-per-type and max-records-per-type options
|
||||
(CVE-2024-1737)
|
||||
|
||||
* Thu Jul 18 2024 Petr Menšík <pemensik@redhat.com> - 32:9.16.23-0.20
|
||||
- Resolve CVE-2024-1975
|
||||
- Resolve CVE-2024-1737
|
||||
|
||||
Loading…
Reference in New Issue
Block a user