Compare commits
No commits in common. "c8" and "c8-beta" have entirely different histories.
1
.gitignore
vendored
1
.gitignore
vendored
@ -1 +1,2 @@
|
||||
SOURCES/icannbundle.pem
|
||||
SOURCES/unbound-1.16.2.tar.gz
|
||||
|
||||
@ -1 +1,2 @@
|
||||
9a2f73302a13f38dbf7cb3c5e34eb1665d2f156f SOURCES/icannbundle.pem
|
||||
9aea0e923b9d6779b5bc360094e24a4017e2bb25 SOURCES/unbound-1.16.2.tar.gz
|
||||
|
||||
@ -1,21 +0,0 @@
|
||||
-----BEGIN CERTIFICATE-----
|
||||
MIIDdzCCAl+gAwIBAgIBATANBgkqhkiG9w0BAQsFADBdMQ4wDAYDVQQKEwVJQ0FO
|
||||
TjEmMCQGA1UECxMdSUNBTk4gQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkxFjAUBgNV
|
||||
BAMTDUlDQU5OIFJvb3QgQ0ExCzAJBgNVBAYTAlVTMB4XDTA5MTIyMzA0MTkxMloX
|
||||
DTI5MTIxODA0MTkxMlowXTEOMAwGA1UEChMFSUNBTk4xJjAkBgNVBAsTHUlDQU5O
|
||||
IENlcnRpZmljYXRpb24gQXV0aG9yaXR5MRYwFAYDVQQDEw1JQ0FOTiBSb290IENB
|
||||
MQswCQYDVQQGEwJVUzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAKDb
|
||||
cLhPNNqc1NB+u+oVvOnJESofYS9qub0/PXagmgr37pNublVThIzyLPGCJ8gPms9S
|
||||
G1TaKNIsMI7d+5IgMy3WyPEOECGIcfqEIktdR1YWfJufXcMReZwU4v/AdKzdOdfg
|
||||
ONiwc6r70duEr1IiqPbVm5T05l1e6D+HkAvHGnf1LtOPGs4CHQdpIUcy2kauAEy2
|
||||
paKcOcHASvbTHK7TbbvHGPB+7faAztABLoneErruEcumetcNfPMIjXKdv1V1E3C7
|
||||
MSJKy+jAqqQJqjZoQGB0necZgUMiUv7JK1IPQRM2CXJllcyJrm9WFxY0c1KjBO29
|
||||
iIKK69fcglKcBuFShUECAwEAAaNCMEAwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8B
|
||||
Af8EBAMCAf4wHQYDVR0OBBYEFLpS6UmDJIZSL8eZzfyNa2kITcBQMA0GCSqGSIb3
|
||||
DQEBCwUAA4IBAQAP8emCogqHny2UYFqywEuhLys7R9UKmYY4suzGO4nkbgfPFMfH
|
||||
6M+Zj6owwxlwueZt1j/IaCayoKU3QsrYYoDRolpILh+FPwx7wseUEV8ZKpWsoDoD
|
||||
2JFbLg2cfB8u/OlE4RYmcxxFSmXBg0yQ8/IoQt/bxOcEEhhiQ168H2yE5rxJMt9h
|
||||
15nu5JBSewrCkYqYYmaxyOC3WrVGfHZxVI7MpIFcGdvSb2a1uyuua8l0BKgk3ujF
|
||||
0/wsHNeP22qNyVO+XVBzrM8fk8BSUFuiT/6tZTYXRtEt5aKQZgXbKU5dUF3jT9qg
|
||||
j/Br5BZw3X/zd325TvnswzMC1+ljLzHnQGGk
|
||||
-----END CERTIFICATE-----
|
||||
@ -1,9 +0,0 @@
|
||||
# Remote control config section update.
|
||||
# Previous defaults allowed any process to change settings, CVE-2024-1488
|
||||
remote-control:
|
||||
# set to an absolute path to use a unix local name pipe, certificates
|
||||
# are not used for that, so key and cert files need not be present.
|
||||
control-interface: "/run/unbound/control"
|
||||
|
||||
# For local sockets this option is ignored, and TLS is not used.
|
||||
control-use-cert: "yes"
|
||||
@ -1,2 +1 @@
|
||||
. 172800 IN DNSKEY 257 3 8 AwEAAa96jeuknZlaeSrvyAJj6ZHv28hhOKkx3rLGXVaC6rXTsDc449/cidltpkyGwCJNnOAlFNKF2jBosZBU5eeHspaQWOmOElZsjICMQMC3aeHbGiShvZsx4wMYSjH8e7Vrhbu6irwCzVBApESjbUdpWWmEnhathWu1jo+siFUiRAAxm9qyJNg/wOZqqzL/dL/q8PkcRU5oUKEpUge71M3ej2/7CPqpdVwuMoTvoB+ZOT4YeGyxMvHmbrxlFzGOHOijtzN+u1TQNatX2XBuzZNQ1K+s2CXkPIZo7s6JgZyvaBevYtxPvYLw4z9mR7K2vaF18UYH9Z9GNUUeayffKC73PYc= ;{id = 38696 (ksk), size = 2048b}
|
||||
. 172800 IN DNSKEY 257 3 8 AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTOiW1vkIbzxeF3+/4RgWOq7HrxRixHlFlExOLAJr5emLvN7SWXgnLh4+B5xQlNVz8Og8kvArMtNROxVQuCaSnIDdD5LKyWbRd2n9WGe2R8PzgCmr3EgVLrjyBxWezF0jLHwVN8efS3rCj/EWgvIWgb9tarpVUDK/b58Da+sqqls3eNbuv7pr+eoZG+SrDK6nWeL3c6H5Apxz7LjVc1uTIdsIXxuOLYA4/ilBmSVIzuDWfdRUfhHdY6+cn8HFRm+2hM8AnXGXws9555KrUB5qihylGa8subX2Nn6UwNR1AkUTV74bU= ;{id = 20326 (ksk), size = 2048b}
|
||||
|
||||
@ -1,6 +1,5 @@
|
||||
; // The root key in bind format. This can be read by most tools, including
|
||||
; // named, unbound, et. For libunbound, use ub_ctx_trustedkeys() to load this
|
||||
trusted-keys {
|
||||
"." 257 3 8 "AwEAAa96jeuknZlaeSrvyAJj6ZHv28hhOKkx3rLGXVaC6rXTsDc449/cidltpkyGwCJNnOAlFNKF2jBosZBU5eeHspaQWOmOElZsjICMQMC3aeHbGiShvZsx4wMYSjH8e7Vrhbu6irwCzVBApESjbUdpWWmEnhathWu1jo+siFUiRAAxm9qyJNg/wOZqqzL/dL/q8PkcRU5oUKEpUge71M3ej2/7CPqpdVwuMoTvoB+ZOT4YeGyxMvHmbrxlFzGOHOijtzN+u1TQNatX2XBuzZNQ1K+s2CXkPIZo7s6JgZyvaBevYtxPvYLw4z9mR7K2vaF18UYH9Z9GNUUeayffKC73PYc="; // key id = 38696
|
||||
"." 257 3 8 "AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTOiW1vkIbzxeF3+/4RgWOq7HrxRixHlFlExOLAJr5emLvN7SWXgnLh4+B5xQlNVz8Og8kvArMtNROxVQuCaSnIDdD5LKyWbRd2n9WGe2R8PzgCmr3EgVLrjyBxWezF0jLHwVN8efS3rCj/EWgvIWgb9tarpVUDK/b58Da+sqqls3eNbuv7pr+eoZG+SrDK6nWeL3c6H5Apxz7LjVc1uTIdsIXxuOLYA4/ilBmSVIzuDWfdRUfhHdY6+cn8HFRm+2hM8AnXGXws9555KrUB5qihylGa8subX2Nn6UwNR1AkUTV74bU="; // key id = 20326
|
||||
};
|
||||
|
||||
File diff suppressed because it is too large
Load Diff
@ -1,29 +0,0 @@
|
||||
From acc84268e4156fb9a8dd36eafaf04d064ee5895a Mon Sep 17 00:00:00 2001
|
||||
From: "W.C.A. Wijngaards" <wouter@nlnetlabs.nl>
|
||||
Date: Thu, 25 Jul 2024 11:42:22 +0200
|
||||
Subject: [PATCH] - Add root key 38696 from 2024 for DNSSEC validation. It is
|
||||
added to the default root keys in unbound-anchor. The content can be
|
||||
inspected with `unbound-anchor -l`.
|
||||
|
||||
---
|
||||
unbound-1.20.0/smallapp/unbound-anchor.c | 4 +++-
|
||||
1 file changed, 3 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/unbound-1.20.0/smallapp/unbound-anchor.c b/unbound-1.20.0/smallapp/unbound-anchor.c
|
||||
index 137b2e9..8738cf2 100644
|
||||
--- a/unbound-1.20.0/smallapp/unbound-anchor.c
|
||||
+++ b/unbound-1.20.0/smallapp/unbound-anchor.c
|
||||
@@ -183,7 +183,9 @@ static const char DS_TRUST_ANCHOR[] =
|
||||
/* The anchors must start on a new line with ". IN DS and end with \n"[;]
|
||||
* because the makedist script greps on the source here */
|
||||
/* anchor 20326 is from 2017 */
|
||||
-". IN DS 20326 8 2 E06D44B80B8F1D39A95C0B0D7C65D08458E880409BBC683457104237C7F8EC8D\n";
|
||||
+". IN DS 20326 8 2 E06D44B80B8F1D39A95C0B0D7C65D08458E880409BBC683457104237C7F8EC8D\n"
|
||||
+ /* anchor 38696 is from 2024 */
|
||||
+". IN DS 38696 8 2 683D2D0ACB8C9B712A1948B27F741219298D0A450D612C483AF444A4C0FB2B16\n";
|
||||
|
||||
/** verbosity for this application */
|
||||
static int verb = 0;
|
||||
--
|
||||
2.53.0
|
||||
|
||||
@ -1,249 +0,0 @@
|
||||
From 34de24d58bb5aa6fe3551512fc17cac08f65d93e Mon Sep 17 00:00:00 2001
|
||||
From: Yorgos Thessalonikefs <yorgos@nlnetlabs.nl>
|
||||
Date: Thu, 3 Oct 2024 14:46:57 +0200
|
||||
Subject: [PATCH] - Fix CVE-2024-8508, unbounded name compression could lead to
|
||||
denial of service.
|
||||
|
||||
---
|
||||
unbound-1.16.2/util/data/msgencode.c | 77 +++++++++++++++++-----------
|
||||
1 file changed, 46 insertions(+), 31 deletions(-)
|
||||
|
||||
diff --git a/unbound-1.16.2/util/data/msgencode.c b/unbound-1.16.2/util/data/msgencode.c
|
||||
index fe21cfb..f9e95e6 100644
|
||||
--- a/unbound-1.16.2/util/data/msgencode.c
|
||||
+++ b/unbound-1.16.2/util/data/msgencode.c
|
||||
@@ -62,6 +62,10 @@
|
||||
#define RETVAL_TRUNC -4
|
||||
/** return code that means all is peachy keen. Equal to DNS rcode NOERROR */
|
||||
#define RETVAL_OK 0
|
||||
+/** Max compressions we are willing to perform; more than that will result
|
||||
+ * in semi-compressed messages, or truncated even on TCP for huge messages, to
|
||||
+ * avoid locking the CPU for long */
|
||||
+#define MAX_COMPRESSION_PER_MESSAGE 120
|
||||
|
||||
/**
|
||||
* Data structure to help domain name compression in outgoing messages.
|
||||
@@ -284,15 +288,17 @@ write_compressed_dname(sldns_buffer* pkt, uint8_t* dname, int labs,
|
||||
|
||||
/** compress owner name of RR, return RETVAL_OUTMEM RETVAL_TRUNC */
|
||||
static int
|
||||
-compress_owner(struct ub_packed_rrset_key* key, sldns_buffer* pkt,
|
||||
- struct regional* region, struct compress_tree_node** tree,
|
||||
- size_t owner_pos, uint16_t* owner_ptr, int owner_labs)
|
||||
+compress_owner(struct ub_packed_rrset_key* key, sldns_buffer* pkt,
|
||||
+ struct regional* region, struct compress_tree_node** tree,
|
||||
+ size_t owner_pos, uint16_t* owner_ptr, int owner_labs,
|
||||
+ size_t* compress_count)
|
||||
{
|
||||
struct compress_tree_node* p;
|
||||
struct compress_tree_node** insertpt = NULL;
|
||||
if(!*owner_ptr) {
|
||||
/* compress first time dname */
|
||||
- if((p = compress_tree_lookup(tree, key->rk.dname,
|
||||
+ if(*compress_count < MAX_COMPRESSION_PER_MESSAGE &&
|
||||
+ (p = compress_tree_lookup(tree, key->rk.dname,
|
||||
owner_labs, &insertpt))) {
|
||||
if(p->labs == owner_labs)
|
||||
/* avoid ptr chains, since some software is
|
||||
@@ -301,6 +307,7 @@ compress_owner(struct ub_packed_rrset_key* key, sldns_buffer* pkt,
|
||||
if(!write_compressed_dname(pkt, key->rk.dname,
|
||||
owner_labs, p))
|
||||
return RETVAL_TRUNC;
|
||||
+ (*compress_count)++;
|
||||
/* check if typeclass+4 ttl + rdatalen is available */
|
||||
if(sldns_buffer_remaining(pkt) < 4+4+2)
|
||||
return RETVAL_TRUNC;
|
||||
@@ -313,7 +320,8 @@ compress_owner(struct ub_packed_rrset_key* key, sldns_buffer* pkt,
|
||||
if(owner_pos <= PTR_MAX_OFFSET)
|
||||
*owner_ptr = htons(PTR_CREATE(owner_pos));
|
||||
}
|
||||
- if(!compress_tree_store(key->rk.dname, owner_labs,
|
||||
+ if(*compress_count < MAX_COMPRESSION_PER_MESSAGE &&
|
||||
+ !compress_tree_store(key->rk.dname, owner_labs,
|
||||
owner_pos, region, p, insertpt))
|
||||
return RETVAL_OUTMEM;
|
||||
} else {
|
||||
@@ -333,20 +341,24 @@ compress_owner(struct ub_packed_rrset_key* key, sldns_buffer* pkt,
|
||||
|
||||
/** compress any domain name to the packet, return RETVAL_* */
|
||||
static int
|
||||
-compress_any_dname(uint8_t* dname, sldns_buffer* pkt, int labs,
|
||||
- struct regional* region, struct compress_tree_node** tree)
|
||||
+compress_any_dname(uint8_t* dname, sldns_buffer* pkt, int labs,
|
||||
+ struct regional* region, struct compress_tree_node** tree,
|
||||
+ size_t* compress_count)
|
||||
{
|
||||
struct compress_tree_node* p;
|
||||
struct compress_tree_node** insertpt = NULL;
|
||||
size_t pos = sldns_buffer_position(pkt);
|
||||
- if((p = compress_tree_lookup(tree, dname, labs, &insertpt))) {
|
||||
+ if(*compress_count < MAX_COMPRESSION_PER_MESSAGE &&
|
||||
+ (p = compress_tree_lookup(tree, dname, labs, &insertpt))) {
|
||||
if(!write_compressed_dname(pkt, dname, labs, p))
|
||||
return RETVAL_TRUNC;
|
||||
+ (*compress_count)++;
|
||||
} else {
|
||||
if(!dname_buffer_write(pkt, dname))
|
||||
return RETVAL_TRUNC;
|
||||
}
|
||||
- if(!compress_tree_store(dname, labs, pos, region, p, insertpt))
|
||||
+ if(*compress_count < MAX_COMPRESSION_PER_MESSAGE &&
|
||||
+ !compress_tree_store(dname, labs, pos, region, p, insertpt))
|
||||
return RETVAL_OUTMEM;
|
||||
return RETVAL_OK;
|
||||
}
|
||||
@@ -364,9 +376,9 @@ type_rdata_compressable(struct ub_packed_rrset_key* key)
|
||||
|
||||
/** compress domain names in rdata, return RETVAL_* */
|
||||
static int
|
||||
-compress_rdata(sldns_buffer* pkt, uint8_t* rdata, size_t todolen,
|
||||
- struct regional* region, struct compress_tree_node** tree,
|
||||
- const sldns_rr_descriptor* desc)
|
||||
+compress_rdata(sldns_buffer* pkt, uint8_t* rdata, size_t todolen,
|
||||
+ struct regional* region, struct compress_tree_node** tree,
|
||||
+ const sldns_rr_descriptor* desc, size_t* compress_count)
|
||||
{
|
||||
int labs, r, rdf = 0;
|
||||
size_t dname_len, len, pos = sldns_buffer_position(pkt);
|
||||
@@ -380,8 +392,8 @@ compress_rdata(sldns_buffer* pkt, uint8_t* rdata, size_t todolen,
|
||||
switch(desc->_wireformat[rdf]) {
|
||||
case LDNS_RDF_TYPE_DNAME:
|
||||
labs = dname_count_size_labels(rdata, &dname_len);
|
||||
- if((r=compress_any_dname(rdata, pkt, labs, region,
|
||||
- tree)) != RETVAL_OK)
|
||||
+ if((r=compress_any_dname(rdata, pkt, labs, region,
|
||||
+ tree, compress_count)) != RETVAL_OK)
|
||||
return r;
|
||||
rdata += dname_len;
|
||||
todolen -= dname_len;
|
||||
@@ -449,7 +461,8 @@ static int
|
||||
packed_rrset_encode(struct ub_packed_rrset_key* key, sldns_buffer* pkt,
|
||||
uint16_t* num_rrs, time_t timenow, struct regional* region,
|
||||
int do_data, int do_sig, struct compress_tree_node** tree,
|
||||
- sldns_pkt_section s, uint16_t qtype, int dnssec, size_t rr_offset)
|
||||
+ sldns_pkt_section s, uint16_t qtype, int dnssec, size_t rr_offset,
|
||||
+ size_t* compress_count)
|
||||
{
|
||||
size_t i, j, owner_pos;
|
||||
int r, owner_labs;
|
||||
@@ -477,9 +490,9 @@ packed_rrset_encode(struct ub_packed_rrset_key* key, sldns_buffer* pkt,
|
||||
for(i=0; i<data->count; i++) {
|
||||
/* rrset roundrobin */
|
||||
j = (i + rr_offset) % data->count;
|
||||
- if((r=compress_owner(key, pkt, region, tree,
|
||||
- owner_pos, &owner_ptr, owner_labs))
|
||||
- != RETVAL_OK)
|
||||
+ if((r=compress_owner(key, pkt, region, tree,
|
||||
+ owner_pos, &owner_ptr, owner_labs,
|
||||
+ compress_count)) != RETVAL_OK)
|
||||
return r;
|
||||
sldns_buffer_write(pkt, &key->rk.type, 2);
|
||||
sldns_buffer_write(pkt, &key->rk.rrset_class, 2);
|
||||
@@ -489,8 +502,8 @@ packed_rrset_encode(struct ub_packed_rrset_key* key, sldns_buffer* pkt,
|
||||
else sldns_buffer_write_u32(pkt, data->rr_ttl[j]-adjust);
|
||||
if(c) {
|
||||
if((r=compress_rdata(pkt, data->rr_data[j],
|
||||
- data->rr_len[j], region, tree, c))
|
||||
- != RETVAL_OK)
|
||||
+ data->rr_len[j], region, tree, c,
|
||||
+ compress_count)) != RETVAL_OK)
|
||||
return r;
|
||||
} else {
|
||||
if(sldns_buffer_remaining(pkt) < data->rr_len[j])
|
||||
@@ -510,9 +523,9 @@ packed_rrset_encode(struct ub_packed_rrset_key* key, sldns_buffer* pkt,
|
||||
return RETVAL_TRUNC;
|
||||
sldns_buffer_write(pkt, &owner_ptr, 2);
|
||||
} else {
|
||||
- if((r=compress_any_dname(key->rk.dname,
|
||||
- pkt, owner_labs, region, tree))
|
||||
- != RETVAL_OK)
|
||||
+ if((r=compress_any_dname(key->rk.dname,
|
||||
+ pkt, owner_labs, region, tree,
|
||||
+ compress_count)) != RETVAL_OK)
|
||||
return r;
|
||||
if(sldns_buffer_remaining(pkt) <
|
||||
4+4+data->rr_len[i])
|
||||
@@ -544,7 +557,8 @@ static int
|
||||
insert_section(struct reply_info* rep, size_t num_rrsets, uint16_t* num_rrs,
|
||||
sldns_buffer* pkt, size_t rrsets_before, time_t timenow,
|
||||
struct regional* region, struct compress_tree_node** tree,
|
||||
- sldns_pkt_section s, uint16_t qtype, int dnssec, size_t rr_offset)
|
||||
+ sldns_pkt_section s, uint16_t qtype, int dnssec, size_t rr_offset,
|
||||
+ size_t* compress_count)
|
||||
{
|
||||
int r;
|
||||
size_t i, setstart;
|
||||
@@ -560,7 +574,7 @@ insert_section(struct reply_info* rep, size_t num_rrsets, uint16_t* num_rrs,
|
||||
setstart = sldns_buffer_position(pkt);
|
||||
if((r=packed_rrset_encode(rep->rrsets[rrsets_before+i],
|
||||
pkt, num_rrs, timenow, region, 1, 1, tree,
|
||||
- s, qtype, dnssec, rr_offset))
|
||||
+ s, qtype, dnssec, rr_offset, compress_count))
|
||||
!= RETVAL_OK) {
|
||||
/* Bad, but if due to size must set TC bit */
|
||||
/* trim off the rrset neatly. */
|
||||
@@ -573,7 +587,7 @@ insert_section(struct reply_info* rep, size_t num_rrsets, uint16_t* num_rrs,
|
||||
setstart = sldns_buffer_position(pkt);
|
||||
if((r=packed_rrset_encode(rep->rrsets[rrsets_before+i],
|
||||
pkt, num_rrs, timenow, region, 1, 0, tree,
|
||||
- s, qtype, dnssec, rr_offset))
|
||||
+ s, qtype, dnssec, rr_offset, compress_count))
|
||||
!= RETVAL_OK) {
|
||||
sldns_buffer_set_position(pkt, setstart);
|
||||
return r;
|
||||
@@ -584,7 +598,7 @@ insert_section(struct reply_info* rep, size_t num_rrsets, uint16_t* num_rrs,
|
||||
setstart = sldns_buffer_position(pkt);
|
||||
if((r=packed_rrset_encode(rep->rrsets[rrsets_before+i],
|
||||
pkt, num_rrs, timenow, region, 0, 1, tree,
|
||||
- s, qtype, dnssec, rr_offset))
|
||||
+ s, qtype, dnssec, rr_offset, compress_count))
|
||||
!= RETVAL_OK) {
|
||||
sldns_buffer_set_position(pkt, setstart);
|
||||
return r;
|
||||
@@ -677,6 +691,7 @@ reply_info_encode(struct query_info* qinfo, struct reply_info* rep,
|
||||
struct compress_tree_node* tree = 0;
|
||||
int r;
|
||||
size_t rr_offset;
|
||||
+ size_t compress_count=0;
|
||||
|
||||
sldns_buffer_clear(buffer);
|
||||
if(udpsize < sldns_buffer_limit(buffer))
|
||||
@@ -723,7 +738,7 @@ reply_info_encode(struct query_info* qinfo, struct reply_info* rep,
|
||||
arep.rrsets = &qinfo->local_alias->rrset;
|
||||
if((r=insert_section(&arep, 1, &ancount, buffer, 0,
|
||||
timezero, region, &tree, LDNS_SECTION_ANSWER,
|
||||
- qinfo->qtype, dnssec, rr_offset)) != RETVAL_OK) {
|
||||
+ qinfo->qtype, dnssec, rr_offset, &compress_count)) != RETVAL_OK) {
|
||||
if(r == RETVAL_TRUNC) {
|
||||
/* create truncated message */
|
||||
sldns_buffer_write_u16_at(buffer, 6, ancount);
|
||||
@@ -738,7 +753,7 @@ reply_info_encode(struct query_info* qinfo, struct reply_info* rep,
|
||||
/* insert answer section */
|
||||
if((r=insert_section(rep, rep->an_numrrsets, &ancount, buffer,
|
||||
0, timenow, region, &tree, LDNS_SECTION_ANSWER, qinfo->qtype,
|
||||
- dnssec, rr_offset)) != RETVAL_OK) {
|
||||
+ dnssec, rr_offset, &compress_count)) != RETVAL_OK) {
|
||||
if(r == RETVAL_TRUNC) {
|
||||
/* create truncated message */
|
||||
sldns_buffer_write_u16_at(buffer, 6, ancount);
|
||||
@@ -756,7 +771,7 @@ reply_info_encode(struct query_info* qinfo, struct reply_info* rep,
|
||||
if((r=insert_section(rep, rep->ns_numrrsets, &nscount, buffer,
|
||||
rep->an_numrrsets, timenow, region, &tree,
|
||||
LDNS_SECTION_AUTHORITY, qinfo->qtype,
|
||||
- dnssec, rr_offset)) != RETVAL_OK) {
|
||||
+ dnssec, rr_offset, &compress_count)) != RETVAL_OK) {
|
||||
if(r == RETVAL_TRUNC) {
|
||||
/* create truncated message */
|
||||
sldns_buffer_write_u16_at(buffer, 8, nscount);
|
||||
@@ -773,7 +788,7 @@ reply_info_encode(struct query_info* qinfo, struct reply_info* rep,
|
||||
if((r=insert_section(rep, rep->ar_numrrsets, &arcount, buffer,
|
||||
rep->an_numrrsets + rep->ns_numrrsets, timenow, region,
|
||||
&tree, LDNS_SECTION_ADDITIONAL, qinfo->qtype,
|
||||
- dnssec, rr_offset)) != RETVAL_OK) {
|
||||
+ dnssec, rr_offset, &compress_count)) != RETVAL_OK) {
|
||||
if(r == RETVAL_TRUNC) {
|
||||
/* no need to set TC bit, this is the additional */
|
||||
sldns_buffer_write_u16_at(buffer, 10, arcount);
|
||||
--
|
||||
2.47.0
|
||||
|
||||
File diff suppressed because it is too large
Load Diff
@ -1,305 +0,0 @@
|
||||
diff --git a/unbound-1.16.2/testdata/iter_ghost_ns_childapex.rpl b/unbound-1.16.2/testdata/iter_ghost_ns_childapex.rpl
|
||||
new file mode 100644
|
||||
index 0000000..2b046a8
|
||||
--- /dev/null
|
||||
+++ b/unbound-1.16.2/testdata/iter_ghost_ns_childapex.rpl
|
||||
@@ -0,0 +1,299 @@
|
||||
+; config options
|
||||
+server:
|
||||
+ target-fetch-policy: "0 0 0 0 0"
|
||||
+ qname-minimisation: no
|
||||
+ minimal-responses: yes
|
||||
+ log-servfail: yes
|
||||
+ module-config: "iterator"
|
||||
+
|
||||
+stub-zone:
|
||||
+ name: "."
|
||||
+ stub-addr: 193.0.14.129 # K.ROOT-SERVERS.NET.
|
||||
+CONFIG_END
|
||||
+
|
||||
+SCENARIO_BEGIN Test for ghost domain with a child apex NS query.
|
||||
+
|
||||
+; K.ROOT-SERVERS.NET.
|
||||
+RANGE_BEGIN 0 100
|
||||
+ ADDRESS 193.0.14.129
|
||||
+ENTRY_BEGIN
|
||||
+MATCH opcode qtype qname
|
||||
+ADJUST copy_id
|
||||
+REPLY QR NOERROR
|
||||
+SECTION QUESTION
|
||||
+. IN NS
|
||||
+SECTION ANSWER
|
||||
+. IN NS K.ROOT-SERVERS.NET.
|
||||
+SECTION ADDITIONAL
|
||||
+K.ROOT-SERVERS.NET. IN A 193.0.14.129
|
||||
+ENTRY_END
|
||||
+
|
||||
+ENTRY_BEGIN
|
||||
+MATCH opcode subdomain
|
||||
+ADJUST copy_id copy_query
|
||||
+REPLY QR NOERROR
|
||||
+SECTION QUESTION
|
||||
+tld. IN NS
|
||||
+SECTION AUTHORITY
|
||||
+tld. IN NS ns.tld.
|
||||
+SECTION ADDITIONAL
|
||||
+ns.tld. IN A 1.2.3.5
|
||||
+ENTRY_END
|
||||
+RANGE_END
|
||||
+
|
||||
+; ns.tld
|
||||
+RANGE_BEGIN 0 15
|
||||
+ ADDRESS 1.2.3.5
|
||||
+ENTRY_BEGIN
|
||||
+MATCH opcode qtype qname
|
||||
+ADJUST copy_id
|
||||
+REPLY QR AA NOERROR
|
||||
+SECTION QUESTION
|
||||
+tld. IN NS
|
||||
+SECTION ANSWER
|
||||
+tld. IN NS ns.tld
|
||||
+SECTION ADDITIONAL
|
||||
+ns.tld. IN A 1.2.3.5
|
||||
+ENTRY_END
|
||||
+
|
||||
+ENTRY_BEGIN
|
||||
+MATCH opcode qtype qname
|
||||
+ADJUST copy_id
|
||||
+REPLY QR AA NOERROR
|
||||
+SECTION QUESTION
|
||||
+ns.tld. IN A
|
||||
+SECTION ANSWER
|
||||
+ns.tld. IN A 1.2.3.5
|
||||
+ENTRY_END
|
||||
+
|
||||
+ENTRY_BEGIN
|
||||
+MATCH opcode qtype qname
|
||||
+ADJUST copy_id
|
||||
+REPLY QR AA NOERROR
|
||||
+SECTION QUESTION
|
||||
+ns.tld. IN AAAA
|
||||
+SECTION AUTHORITY
|
||||
+tld. 3600 IN SOA ns.tld. host.tld. 20201 3600 1800 604800 3600
|
||||
+ENTRY_END
|
||||
+
|
||||
+ENTRY_BEGIN
|
||||
+MATCH opcode subdomain
|
||||
+ADJUST copy_id copy_query
|
||||
+REPLY QR NOERROR
|
||||
+SECTION QUESTION
|
||||
+mid.tld. IN NS
|
||||
+SECTION AUTHORITY
|
||||
+mid.tld. 5 IN NS ns.mid.tld.
|
||||
+SECTION ADDITIONAL
|
||||
+ns.mid.tld. 5 IN A 1.2.3.4
|
||||
+ENTRY_END
|
||||
+RANGE_END
|
||||
+
|
||||
+; ns.tld
|
||||
+RANGE_BEGIN 20 100
|
||||
+ ADDRESS 1.2.3.5
|
||||
+ENTRY_BEGIN
|
||||
+MATCH opcode qtype qname
|
||||
+ADJUST copy_id
|
||||
+REPLY QR AA NOERROR
|
||||
+SECTION QUESTION
|
||||
+tld. IN NS
|
||||
+SECTION ANSWER
|
||||
+tld. IN NS ns.tld
|
||||
+SECTION ADDITIONAL
|
||||
+ns.tld. IN A 1.2.3.5
|
||||
+ENTRY_END
|
||||
+
|
||||
+ENTRY_BEGIN
|
||||
+MATCH opcode qtype qname
|
||||
+ADJUST copy_id
|
||||
+REPLY QR AA NOERROR
|
||||
+SECTION QUESTION
|
||||
+ns.tld. IN A
|
||||
+SECTION ANSWER
|
||||
+ns.tld. IN A 1.2.3.5
|
||||
+ENTRY_END
|
||||
+
|
||||
+ENTRY_BEGIN
|
||||
+MATCH opcode qtype qname
|
||||
+ADJUST copy_id
|
||||
+REPLY QR AA NOERROR
|
||||
+SECTION QUESTION
|
||||
+ns.tld. IN AAAA
|
||||
+SECTION AUTHORITY
|
||||
+tld. 3600 IN SOA ns.tld. host.tld. 20201 3600 1800 604800 3600
|
||||
+ENTRY_END
|
||||
+
|
||||
+ENTRY_BEGIN
|
||||
+MATCH opcode subdomain
|
||||
+ADJUST copy_id copy_query
|
||||
+REPLY QR AA NXDOMAIN
|
||||
+SECTION QUESTION
|
||||
+mid.tld. IN NS
|
||||
+SECTION AUTHORITY
|
||||
+tld. 3600 IN SOA ns.tld. host.tld. 20201 3600 1800 604800 3600
|
||||
+ENTRY_END
|
||||
+RANGE_END
|
||||
+
|
||||
+; ns.mid.tld.
|
||||
+RANGE_BEGIN 0 100
|
||||
+ ADDRESS 1.2.3.4
|
||||
+ENTRY_BEGIN
|
||||
+MATCH opcode qtype qname
|
||||
+ADJUST copy_id
|
||||
+REPLY QR NOERROR
|
||||
+SECTION QUESTION
|
||||
+mid.tld. IN NS
|
||||
+SECTION ANSWER
|
||||
+mid.tld. 86400 IN NS ns.mid.tld.
|
||||
+SECTION ADDITIONAL
|
||||
+ns.mid.tld. 86400 IN A 1.2.3.4
|
||||
+ENTRY_END
|
||||
+
|
||||
+ENTRY_BEGIN
|
||||
+MATCH opcode qtype qname
|
||||
+ADJUST copy_id
|
||||
+REPLY QR AA NOERROR
|
||||
+SECTION QUESTION
|
||||
+ns.mid.tld. IN A
|
||||
+SECTION ANSWER
|
||||
+ns.mid.tld. IN A 1.2.3.4
|
||||
+ENTRY_END
|
||||
+
|
||||
+ENTRY_BEGIN
|
||||
+MATCH opcode qtype qname
|
||||
+ADJUST copy_id
|
||||
+REPLY QR AA NOERROR
|
||||
+SECTION QUESTION
|
||||
+ns.mid.tld. IN AAAA
|
||||
+SECTION AUTHORITY
|
||||
+mid.tld. 3600 IN SOA ns.mid.tld. host.mid.tld. 20301 3600 1800 604800 3600
|
||||
+ENTRY_END
|
||||
+
|
||||
+ENTRY_BEGIN
|
||||
+MATCH opcode subdomain
|
||||
+ADJUST copy_id copy_query
|
||||
+REPLY QR NOERROR
|
||||
+SECTION QUESTION
|
||||
+sub.mid.tld. IN NS
|
||||
+SECTION AUTHORITY
|
||||
+sub.mid.tld. 3600 IN NS ns.sub.mid.tld.
|
||||
+SECTION ADDITIONAL
|
||||
+ns.sub.mid.tld. 3600 IN A 1.2.3.6
|
||||
+ENTRY_END
|
||||
+RANGE_END
|
||||
+
|
||||
+; ns.sub.mid.tld.
|
||||
+RANGE_BEGIN 0 100
|
||||
+ ADDRESS 1.2.3.6
|
||||
+ENTRY_BEGIN
|
||||
+MATCH opcode qtype qname
|
||||
+ADJUST copy_id
|
||||
+REPLY QR NOERROR
|
||||
+SECTION QUESTION
|
||||
+sub.mid.tld. IN NS
|
||||
+SECTION ANSWER
|
||||
+sub.mid.tld. IN NS ns.sub.mid.tld.
|
||||
+SECTION ADDITIONAL
|
||||
+ns.sub.mid.tld. IN A 1.2.3.6
|
||||
+ENTRY_END
|
||||
+
|
||||
+ENTRY_BEGIN
|
||||
+MATCH opcode qtype qname
|
||||
+ADJUST copy_id
|
||||
+REPLY QR AA NOERROR
|
||||
+SECTION QUESTION
|
||||
+ns.sub.mid.tld. IN A
|
||||
+SECTION ANSWER
|
||||
+ns.sub.mid.tld. IN A 1.2.3.6
|
||||
+ENTRY_END
|
||||
+
|
||||
+ENTRY_BEGIN
|
||||
+MATCH opcode qtype qname
|
||||
+ADJUST copy_id
|
||||
+REPLY QR AA NOERROR
|
||||
+SECTION QUESTION
|
||||
+ns.sub.mid.tld. IN AAAA
|
||||
+SECTION AUTHORITY
|
||||
+sub.mid.tld. 3600 IN SOA ns.sub.mid.tld. host.sub.mid.tld. 20301 3600 1800 604800 3600
|
||||
+ENTRY_END
|
||||
+
|
||||
+ENTRY_BEGIN
|
||||
+MATCH opcode qtype qname
|
||||
+ADJUST copy_id
|
||||
+REPLY QR AA NOERROR
|
||||
+SECTION QUESTION
|
||||
+a.sub.mid.tld. IN A
|
||||
+SECTION ANSWER
|
||||
+a.sub.mid.tld. 3600 IN A 10.20.30.40
|
||||
+ENTRY_END
|
||||
+
|
||||
+ENTRY_BEGIN
|
||||
+MATCH opcode qtype qname
|
||||
+ADJUST copy_id
|
||||
+REPLY QR AA NOERROR
|
||||
+SECTION QUESTION
|
||||
+b.sub.mid.tld. IN A
|
||||
+SECTION ANSWER
|
||||
+b.sub.mid.tld. 3600 IN A 10.20.30.41
|
||||
+ENTRY_END
|
||||
+RANGE_END
|
||||
+
|
||||
+STEP 1 QUERY
|
||||
+ENTRY_BEGIN
|
||||
+REPLY RD NOERROR
|
||||
+SECTION QUESTION
|
||||
+a.sub.mid.tld. IN A
|
||||
+ENTRY_END
|
||||
+
|
||||
+STEP 2 CHECK_ANSWER
|
||||
+ENTRY_BEGIN
|
||||
+MATCH all
|
||||
+REPLY QR RD RA NOERROR
|
||||
+SECTION QUESTION
|
||||
+a.sub.mid.tld. IN A
|
||||
+SECTION ANSWER
|
||||
+a.sub.mid.tld. 3600 IN A 10.20.30.40
|
||||
+ENTRY_END
|
||||
+
|
||||
+STEP 10 QUERY
|
||||
+ENTRY_BEGIN
|
||||
+REPLY RD NOERROR
|
||||
+SECTION QUESTION
|
||||
+mid.tld. IN NS
|
||||
+ENTRY_END
|
||||
+
|
||||
+STEP 11 CHECK_ANSWER
|
||||
+ENTRY_BEGIN
|
||||
+MATCH all
|
||||
+REPLY QR RD RA NOERROR
|
||||
+SECTION QUESTION
|
||||
+mid.tld. IN NS
|
||||
+SECTION ANSWER
|
||||
+mid.tld. 86400 IN NS ns.mid.tld.
|
||||
+SECTION ADDITIONAL
|
||||
+ns.mid.tld. 86400 IN A 1.2.3.4
|
||||
+ENTRY_END
|
||||
+
|
||||
+STEP 20 TIME_PASSES ELAPSE 10
|
||||
+; The authority for .tld switches to NXDOMAIN for mid.tld.
|
||||
+
|
||||
+STEP 30 QUERY
|
||||
+ENTRY_BEGIN
|
||||
+REPLY RD NOERROR
|
||||
+SECTION QUESTION
|
||||
+b.sub.mid.tld. IN A
|
||||
+ENTRY_END
|
||||
+
|
||||
+STEP 31 CHECK_ANSWER
|
||||
+ENTRY_BEGIN
|
||||
+MATCH all
|
||||
+REPLY QR RD RA NXDOMAIN
|
||||
+SECTION QUESTION
|
||||
+b.sub.mid.tld. IN A
|
||||
+SECTION ANSWER
|
||||
+SECTION AUTHORITY
|
||||
+tld. 3600 IN SOA ns.tld. host.tld. 20201 3600 1800 604800 3600
|
||||
+ENTRY_END
|
||||
+
|
||||
+SCENARIO_END
|
||||
@ -1,36 +0,0 @@
|
||||
diff --git a/unbound-1.16.2/services/cache/rrset.c b/unbound-1.16.2/services/cache/rrset.c
|
||||
index 4e3d08b..b2c357f 100644
|
||||
--- a/unbound-1.16.2/services/cache/rrset.c
|
||||
+++ b/unbound-1.16.2/services/cache/rrset.c
|
||||
@@ -143,6 +143,16 @@ need_to_update_rrset(void* nd, void* cd, time_t timenow, int equal, int ns)
|
||||
if(equal && cached->ttl >= timenow &&
|
||||
cached->security == sec_status_bogus)
|
||||
return 0;
|
||||
+ /* ghost-domain: never let an NS overwrite extend lifetime
|
||||
+ * past the entry it replaces, regardless of trust. */
|
||||
+ if(ns && !TTL_IS_EXPIRED(cached->ttl, timenow) &&
|
||||
+ newd->ttl > cached->ttl) {
|
||||
+ size_t i;
|
||||
+ newd->ttl = cached->ttl;
|
||||
+ for(i=0; i<(newd->count+newd->rrsig_count); i++)
|
||||
+ if(newd->rr_ttl[i] > newd->ttl)
|
||||
+ newd->rr_ttl[i] = newd->ttl;
|
||||
+ }
|
||||
return 1;
|
||||
}
|
||||
/* o item in cache has expired */
|
||||
diff --git a/unbound-1.16.2/util/data/msgparse.h b/unbound-1.16.2/util/data/msgparse.h
|
||||
index 0c458e6..f1319ff 100644
|
||||
--- a/unbound-1.16.2/util/data/msgparse.h
|
||||
+++ b/unbound-1.16.2/util/data/msgparse.h
|
||||
@@ -92,6 +92,10 @@ extern time_t SERVE_EXPIRED_REPLY_TTL;
|
||||
/** If we serve the original TTL or decrementing TTLs */
|
||||
extern int SERVE_ORIGINAL_TTL;
|
||||
|
||||
+/** Check if TTL is expired. 0 TTL is considered expired.
|
||||
+ * Used mainly to identify parts of the code that do this comparison. */
|
||||
+#define TTL_IS_EXPIRED(ttl, now) ((ttl) <= (now))
|
||||
+
|
||||
/**
|
||||
* Data stored in scratch pad memory during parsing.
|
||||
* Stores the data that will enter into the msgreply and packet result.
|
||||
@ -1,64 +0,0 @@
|
||||
diff --git a/unbound-1.16.2/util/data/msgparse.c b/unbound-1.16.2/util/data/msgparse.c
|
||||
index 7a51441..0ffdb3d 100644
|
||||
--- a/unbound-1.16.2/util/data/msgparse.c
|
||||
+++ b/unbound-1.16.2/util/data/msgparse.c
|
||||
@@ -50,6 +50,8 @@
|
||||
#include "sldns/parseutil.h"
|
||||
#include "sldns/wire2str.h"
|
||||
|
||||
+#define MAX_PARSED_EDNS_OPTIONS 100
|
||||
+
|
||||
/** smart comparison of (compressed, valid) dnames from packet */
|
||||
static int
|
||||
smart_compare(sldns_buffer* pkt, uint8_t* dnow,
|
||||
@@ -957,7 +959,7 @@ parse_edns_options_from_query(uint8_t* rdata_ptr, size_t rdata_len,
|
||||
struct edns_data* edns, struct config_file* cfg, struct comm_point* c,
|
||||
struct regional* region)
|
||||
{
|
||||
- int nsid_seen = 0, padding_seen = 0;
|
||||
+ int i = 0, nsid_seen = 0, padding_seen = 0;
|
||||
/* To respond with a Keepalive option, the client connection must have
|
||||
* received one message with a TCP Keepalive EDNS option, and that
|
||||
* option must have 0 length data. Subsequent messages sent on that
|
||||
@@ -977,7 +979,7 @@ parse_edns_options_from_query(uint8_t* rdata_ptr, size_t rdata_len,
|
||||
|
||||
/* while still more options, and have code+len to read */
|
||||
/* ignores partial content (i.e. rdata len 3) */
|
||||
- while(rdata_len >= 4) {
|
||||
+ while(rdata_len >= 4 && i < MAX_PARSED_EDNS_OPTIONS) {
|
||||
uint16_t opt_code = sldns_read_uint16(rdata_ptr);
|
||||
uint16_t opt_len = sldns_read_uint16(rdata_ptr+2);
|
||||
rdata_ptr += 4;
|
||||
@@ -1054,6 +1056,7 @@ parse_edns_options_from_query(uint8_t* rdata_ptr, size_t rdata_len,
|
||||
}
|
||||
rdata_ptr += opt_len;
|
||||
rdata_len -= opt_len;
|
||||
+ i++;
|
||||
}
|
||||
return LDNS_RCODE_NOERROR;
|
||||
}
|
||||
@@ -1068,6 +1071,7 @@ parse_extract_edns_from_response_msg(struct msg_parse* msg,
|
||||
struct rrset_parse* found_prev = 0;
|
||||
size_t rdata_len;
|
||||
uint8_t* rdata_ptr;
|
||||
+ int i = 0;
|
||||
/* since the class encodes the UDP size, we cannot use hash table to
|
||||
* find the EDNS OPT record. Scan the packet. */
|
||||
while(rrset) {
|
||||
@@ -1125,7 +1129,7 @@ parse_extract_edns_from_response_msg(struct msg_parse* msg,
|
||||
|
||||
/* while still more options, and have code+len to read */
|
||||
/* ignores partial content (i.e. rdata len 3) */
|
||||
- while(rdata_len >= 4) {
|
||||
+ while(rdata_len >= 4 && i < MAX_PARSED_EDNS_OPTIONS) {
|
||||
uint16_t opt_code = sldns_read_uint16(rdata_ptr);
|
||||
uint16_t opt_len = sldns_read_uint16(rdata_ptr+2);
|
||||
rdata_ptr += 4;
|
||||
@@ -1140,6 +1144,7 @@ parse_extract_edns_from_response_msg(struct msg_parse* msg,
|
||||
}
|
||||
rdata_ptr += opt_len;
|
||||
rdata_len -= opt_len;
|
||||
+ i++;
|
||||
}
|
||||
/* ignore rrsigs */
|
||||
return LDNS_RCODE_NOERROR;
|
||||
@ -1,51 +0,0 @@
|
||||
diff --git a/unbound-1.16.2/services/mesh.c b/unbound-1.16.2/services/mesh.c
|
||||
index 30bcf7c..0f5a2a3 100644
|
||||
--- a/unbound-1.16.2/services/mesh.c
|
||||
+++ b/unbound-1.16.2/services/mesh.c
|
||||
@@ -338,12 +338,14 @@ int mesh_make_new_space(struct mesh_area* mesh, sldns_buffer* qbuf)
|
||||
if(mesh->num_reply_states < mesh->max_reply_states)
|
||||
return 1;
|
||||
/* try to kick out a jostle-list item */
|
||||
- if(m && m->reply_list && m->list_select == mesh_jostle_list) {
|
||||
+ if(m && m->list_select == mesh_jostle_list) {
|
||||
/* how old is it? */
|
||||
struct timeval age;
|
||||
- timeval_subtract(&age, mesh->env->now_tv,
|
||||
- &m->reply_list->start_time);
|
||||
- if(timeval_smaller(&mesh->jostle_max, &age)) {
|
||||
+ if(m->has_first_reply_time)
|
||||
+ timeval_subtract(&age, mesh->env->now_tv,
|
||||
+ &m->first_reply_time);
|
||||
+ if(!m->has_first_reply_time ||
|
||||
+ timeval_smaller(&mesh->jostle_max, &age)) {
|
||||
/* its a goner */
|
||||
log_nametypeclass(VERB_ALGO, "query jostled out to "
|
||||
"make space for a new one",
|
||||
@@ -1690,6 +1692,10 @@ int mesh_state_add_reply(struct mesh_state* s, struct edns_data* edns,
|
||||
r->qid = qid;
|
||||
r->qflags = qflags;
|
||||
r->start_time = *s->s.env->now_tv;
|
||||
+ if(s->reply_list == NULL && !s->has_first_reply_time) {
|
||||
+ s->first_reply_time = r->start_time;
|
||||
+ s->has_first_reply_time = 1;
|
||||
+ }
|
||||
r->next = s->reply_list;
|
||||
r->qname = regional_alloc_init(s->s.region, qinfo->qname,
|
||||
s->s.qinfo.qname_len);
|
||||
diff --git a/unbound-1.16.2/services/mesh.h b/unbound-1.16.2/services/mesh.h
|
||||
index 3be9b63..8194994 100644
|
||||
--- a/unbound-1.16.2/services/mesh.h
|
||||
+++ b/unbound-1.16.2/services/mesh.h
|
||||
@@ -174,6 +174,12 @@ struct mesh_state {
|
||||
struct module_qstate s;
|
||||
/** the list of replies to clients for the results */
|
||||
struct mesh_reply* reply_list;
|
||||
+ /** if it has a first reply time */
|
||||
+ int has_first_reply_time;
|
||||
+ /** wall-clock time the first client reply was attached;
|
||||
+ * used by mesh_make_new_space() so duplicate retransmits
|
||||
+ * cannot reset jostle aging. */
|
||||
+ struct timeval first_reply_time;
|
||||
/** the list of callbacks for the results */
|
||||
struct mesh_cb* cb_list;
|
||||
/** set of superstates (that want this state's result)
|
||||
@ -1,34 +0,0 @@
|
||||
diff --git a/unbound-1.16.2/util/data/msgparse.c b/unbound-1.16.2/util/data/msgparse.c
|
||||
index 5bb69d6..7a51441 100644
|
||||
--- a/unbound-1.16.2/util/data/msgparse.c
|
||||
+++ b/unbound-1.16.2/util/data/msgparse.c
|
||||
@@ -957,6 +957,7 @@ parse_edns_options_from_query(uint8_t* rdata_ptr, size_t rdata_len,
|
||||
struct edns_data* edns, struct config_file* cfg, struct comm_point* c,
|
||||
struct regional* region)
|
||||
{
|
||||
+ int nsid_seen = 0, padding_seen = 0;
|
||||
/* To respond with a Keepalive option, the client connection must have
|
||||
* received one message with a TCP Keepalive EDNS option, and that
|
||||
* option must have 0 length data. Subsequent messages sent on that
|
||||
@@ -987,8 +988,9 @@ parse_edns_options_from_query(uint8_t* rdata_ptr, size_t rdata_len,
|
||||
/* handle parse time edns options here */
|
||||
switch(opt_code) {
|
||||
case LDNS_EDNS_NSID:
|
||||
- if (!cfg || !cfg->nsid)
|
||||
+ if (!cfg || !cfg->nsid || nsid_seen)
|
||||
break;
|
||||
+ nsid_seen = 1;
|
||||
if(!edns_opt_list_append(&edns->opt_list_out,
|
||||
LDNS_EDNS_NSID, cfg->nsid_len,
|
||||
cfg->nsid, region)) {
|
||||
@@ -1030,8 +1032,9 @@ parse_edns_options_from_query(uint8_t* rdata_ptr, size_t rdata_len,
|
||||
|
||||
case LDNS_EDNS_PADDING:
|
||||
if(!cfg || !cfg->pad_responses ||
|
||||
- !c || c->type != comm_tcp ||!c->ssl)
|
||||
+ !c || c->type != comm_tcp ||!c->ssl || padding_seen)
|
||||
break;
|
||||
+ padding_seen = 1;
|
||||
if(!edns_opt_list_append(&edns->opt_list_out,
|
||||
LDNS_EDNS_PADDING,
|
||||
0, NULL, region)) {
|
||||
@ -1,17 +0,0 @@
|
||||
diff --git a/unbound-1.24.2/validator/val_utils.c b/unbound-1.24.2/validator/val_utils.c
|
||||
index 549264d..4495695 100644
|
||||
--- a/unbound-1.24.2/validator/val_utils.c
|
||||
+++ b/unbound-1.24.2/validator/val_utils.c
|
||||
@@ -1066,10 +1066,10 @@ val_fill_reply(struct reply_info* chase, struct reply_info* orig,
|
||||
if(query_dname_compare(name,
|
||||
orig->rrsets[i]->rk.dname) == 0)
|
||||
chase->rrsets[chase->an_numrrsets
|
||||
- +orig->ns_numrrsets+chase->ar_numrrsets++]
|
||||
+ +chase->ns_numrrsets+chase->ar_numrrsets++]
|
||||
= orig->rrsets[i];
|
||||
} else if(rrset_has_signer(orig->rrsets[i], name, len)) {
|
||||
- chase->rrsets[chase->an_numrrsets+orig->ns_numrrsets+
|
||||
+ chase->rrsets[chase->an_numrrsets+chase->ns_numrrsets+
|
||||
chase->ar_numrrsets++] = orig->rrsets[i];
|
||||
}
|
||||
}
|
||||
@ -1,20 +0,0 @@
|
||||
diff --git a/unbound-1.16.2/util/data/msgencode.c b/unbound-1.16.2/util/data/msgencode.c
|
||||
index f9e95e6..f60b359 100644
|
||||
--- a/unbound-1.16.2/util/data/msgencode.c
|
||||
+++ b/unbound-1.16.2/util/data/msgencode.c
|
||||
@@ -352,7 +352,6 @@ compress_any_dname(uint8_t* dname, sldns_buffer* pkt, int labs,
|
||||
(p = compress_tree_lookup(tree, dname, labs, &insertpt))) {
|
||||
if(!write_compressed_dname(pkt, dname, labs, p))
|
||||
return RETVAL_TRUNC;
|
||||
- (*compress_count)++;
|
||||
} else {
|
||||
if(!dname_buffer_write(pkt, dname))
|
||||
return RETVAL_TRUNC;
|
||||
@@ -360,6 +359,7 @@ compress_any_dname(uint8_t* dname, sldns_buffer* pkt, int labs,
|
||||
if(*compress_count < MAX_COMPRESSION_PER_MESSAGE &&
|
||||
!compress_tree_store(dname, labs, pos, region, p, insertpt))
|
||||
return RETVAL_OUTMEM;
|
||||
+ (*compress_count)++;
|
||||
return RETVAL_OK;
|
||||
}
|
||||
|
||||
@ -989,7 +989,6 @@ remote-control:
|
||||
|
||||
# Set to no and use an absolute path as control-interface to use
|
||||
# a unix local named pipe for unbound-control.
|
||||
# For local sockets this option is ignored, and TLS is not used.
|
||||
# control-use-cert: yes
|
||||
|
||||
# what interfaces are listened to for remote control.
|
||||
@ -998,11 +997,14 @@ remote-control:
|
||||
# are not used for that, so key and cert files need not be present.
|
||||
# control-interface: 127.0.0.1
|
||||
# control-interface: ::1
|
||||
# moved to /etc/unbound/conf.d/remote-control.conf
|
||||
|
||||
# port number for remote control operations.
|
||||
# control-port: 8953
|
||||
|
||||
# for localhost, you can disable use of TLS by setting this to "no"
|
||||
# For local sockets this option is ignored, and TLS is not used.
|
||||
control-use-cert: "no"
|
||||
|
||||
# Unbound server key file.
|
||||
server-key-file: "/etc/unbound/unbound_server.key"
|
||||
|
||||
|
||||
@ -34,7 +34,7 @@
|
||||
Summary: Validating, recursive, and caching DNS(SEC) resolver
|
||||
Name: unbound
|
||||
Version: 1.16.2
|
||||
Release: 5.12%{?extra_version:.%{extra_version}}%{?dist}
|
||||
Release: 5%{?extra_version:.%{extra_version}}%{?dist}
|
||||
License: BSD
|
||||
Url: https://www.unbound.net/
|
||||
Source: https://www.unbound.net/downloads/%{name}-%{version}%{?extra_version}.tar.gz
|
||||
@ -55,7 +55,6 @@ Source15: unbound-anchor.timer
|
||||
Source16: unbound-munin.README
|
||||
Source17: unbound-anchor.service
|
||||
Source18: https://nlnetlabs.nl/downloads/%{name}/%{name}-%{version}%{?extra_version}.tar.gz.asc
|
||||
Source21: remote-control.conf
|
||||
|
||||
# Reverts ABI change done in version 1.8.0 (bz#2027735)
|
||||
# Makes possible backward binary compatibility with a new features
|
||||
@ -63,36 +62,6 @@ Patch1: unbound-1.15-soversion2-compat.patch
|
||||
Patch2: unbound-1.15-source-compat.patch
|
||||
# https://github.com/NLnetLabs/unbound/commit/137719522a8ea5b380fbb6206d2466f402f5b554
|
||||
Patch3: unbound-1.16-CVE-2022-3204.patch
|
||||
# https://nlnetlabs.nl/downloads/unbound/patch_CVE-2023-50387_CVE-2023-50868.diff
|
||||
Patch4: unbound-1.16-CVE-2023-50387-CVE-2023-50868.patch
|
||||
# https://github.com/NLnetLabs/unbound/commit/b7c61d7cc256d6a174e6179622c7fa968272c259
|
||||
Patch5: unbound-1.21-CVE-2024-8508.patch
|
||||
# The patch for CVE-2025-5994 requires certain changes fixing bugs in subnet module
|
||||
# that is why we have to backport these commits. They have their respective tests
|
||||
# backported with them.
|
||||
# https://github.com/NLnetLabs/unbound/commit/0f08cc6d5577ad4747749c55229e16df8711ee32
|
||||
# https://github.com/NLnetLabs/unbound/commit/6d0812b56731af130e8bc7e1572388934beb9b3b
|
||||
# https://github.com/NLnetLabs/unbound/commit/be626f7c5330dc414a582a04b537ea79d5c452fb
|
||||
# https://github.com/NLnetLabs/unbound/commit/5bf82f246481098a6473f296b21fc1229d276c0f
|
||||
# https://github.com/NLnetLabs/unbound/commit/a1150078f29e14b36c8e4d9d05a263a5e6abbc5b
|
||||
Patch6: unbound-1.23.1-CVE-2025-5994.patch
|
||||
# https://github.com/NLnetLabs/unbound/commit/f094f4ea3c943c5b5b2b6fa8bee0e7a8f3cfdc51
|
||||
Patch7: unbound-1.20-unbound-anchor-key-38696.patch
|
||||
# https://nlnetlabs.nl/downloads/unbound/patch_CVE-2026-42944.diff
|
||||
Patch8: unbound-1.25.1-CVE-2026-42944.patch
|
||||
# https://nlnetlabs.nl/downloads/unbound/patch_CVE-2026-42959.diff
|
||||
Patch9: unbound-1.25.1-CVE-2026-42959.patch
|
||||
# https://nlnetlabs.nl/downloads/unbound/patch_CVE-2026-40622.diff
|
||||
Patch10: unbound-1.25.1-CVE-2026-40622.patch
|
||||
# https://github.com/NLnetLabs/unbound/commit/b5f21f41658f65d6143df6a3208e8ccf1a01604d
|
||||
Patch11: unbound-1.25.1-CVE-2026-40622-test.patch
|
||||
# https://nlnetlabs.nl/downloads/unbound/patch_CVE-2026-44390.diff
|
||||
Patch12: unbound-1.25.1-CVE-2026-44390.patch
|
||||
# https://nlnetlabs.nl/downloads/unbound/patch_CVE-2026-41292.diff
|
||||
Patch13: unbound-1.25.1-CVE-2026-41292.patch
|
||||
# https://nlnetlabs.nl/downloads/unbound/patch_CVE-2026-42534.diff
|
||||
Patch14: unbound-1.25.1-CVE-2026-42534.patch
|
||||
|
||||
|
||||
BuildRequires: gdb
|
||||
BuildRequires: gcc, make
|
||||
@ -195,17 +164,7 @@ pushd %{pkgname}
|
||||
%patch1 -p2 -b .solib2-compat
|
||||
%patch2 -p1 -b .srccompat
|
||||
%patch3 -p2 -b .CVE-2022-3204
|
||||
%patch4 -p2 -b .CVE-2023-50387-CVE-2023-50868
|
||||
%patch5 -p2 -b .CVE-2024-8508
|
||||
%patch6 -p2 -b .CVE-2025-5994
|
||||
%patch7 -p2 -b .dnssec-ta-2024
|
||||
%patch8 -p2 -b .CVE-2026-42944
|
||||
%patch9 -p2 -b .CVE-2026-42959
|
||||
%patch10 -p2 -b .CVE-2026-40622
|
||||
%patch11 -p2 -b .CVE-2026-40622-test
|
||||
%patch12 -p2 -b .CVE-2026-44390
|
||||
%patch13 -p2 -b .CVE-2026-41292
|
||||
%patch14 -p2 -b .CVE-2026-42534
|
||||
|
||||
|
||||
# copy common doc files - after here, since it may be patched
|
||||
cp -pr doc pythonmod libunbound ../
|
||||
@ -324,7 +283,6 @@ mkdir -p %{buildroot}%{_sysconfdir}/unbound/{keys.d,conf.d,local.d}
|
||||
install -p %{SOURCE9} %{buildroot}%{_sysconfdir}/unbound/keys.d/
|
||||
install -p %{SOURCE10} %{buildroot}%{_sysconfdir}/unbound/conf.d/
|
||||
install -p %{SOURCE11} %{buildroot}%{_sysconfdir}/unbound/local.d/
|
||||
install -p -m 0644 %{SOURCE21} %{buildroot}%{_sysconfdir}/unbound/conf.d/
|
||||
|
||||
# Link unbound-control-setup.8 manpage to unbound-control.8
|
||||
echo ".so man8/unbound-control.8" > %{buildroot}/%{_mandir}/man8/unbound-control-setup.8
|
||||
@ -472,42 +430,6 @@ popd
|
||||
%verify(not md5 size mtime) %{_sharedstatedir}/%{name}/root.key
|
||||
|
||||
%changelog
|
||||
* Tue Jun 23 2026 Fedor Vorobev <fvorobev@redhat.com> - 1.16.2-5.12
|
||||
- Fix CVE-2026-40622 (RHEL-184832)
|
||||
- Fix CVE-2026-44390 (RHEL-186680)
|
||||
- Fix CVE-2026-41292 (RHEL-187346)
|
||||
- Fix CVE-2026-42534 (RHEL-187081)
|
||||
|
||||
* Mon May 25 2026 Fedor Vorobev <fvorobev@redhat.com> - 1.16.2-5.11
|
||||
- Fix CVE-2026-42944 (RHEL‑177909)
|
||||
- Fix CVE-2026-42959 (RHEL-177809)
|
||||
|
||||
* Tue Nov 11 2025 Petr Menšík <pemensik@redhat.com> - 1.16.2-5.10
|
||||
- Add new root key 38696 (RHEL-131172)
|
||||
- Update unbound-anchor built-in dnssec key
|
||||
|
||||
* Thu Jul 24 2025 Tomas Korbar <tkorbar@redhat.com> - 1.16.2-5.9
|
||||
- Fix RebirthDay Attack (CVE-2025-5994)
|
||||
- Resolves: RHEL-104123
|
||||
|
||||
* Tue Nov 12 2024 Petr Menšík <pemensik@redhat.com> - 1.16.2-5.8
|
||||
- Prevent unbounded name compression (CVE-2024-8508)
|
||||
|
||||
* Tue May 28 2024 Petr Menšík <pemensik@redhat.com> - 1.16.2-5.7
|
||||
- Rebuild to propagate to CentOS Stream (RHEL-25500)
|
||||
|
||||
* Mon Mar 11 2024 Petr Menšík <pemensik@redhat.com> - 1.16.2-5.6
|
||||
- Ensure group access correction reaches also updated configs (CVE-2024-1488)
|
||||
|
||||
* Wed Feb 28 2024 Petr Menšík <pemensik@redhat.com> - 1.16.2-5.3
|
||||
- Ensure only unbound group can change configuration (CVE-2024-1488)
|
||||
|
||||
* Fri Feb 16 2024 Tomas Korbar <tkorbar@redhat.com> - 1.16.2-5.1
|
||||
- Fix KeyTrap - Extreme CPU consumption in DNSSEC validator CVE-2023-50387
|
||||
- Fix Preparing an NSEC3 closest encloser proof can exhaust CPU resources CVE-2023-50868
|
||||
- Resolves: RHEL-25428
|
||||
- Resolves: RHEL-25423
|
||||
|
||||
* Sat Oct 15 2022 Petr Menšík <pemensik@redhat.com> - 1.16.2-5
|
||||
- Stop creating wrong devel manual pages (#2135322)
|
||||
|
||||
|
||||
Loading…
Reference in New Issue
Block a user