Sign Up
Log In
Log In
or
Sign Up
Places
All Projects
Status Monitor
Collapse sidebar
SUSE:SLE-12-SP2:GA
bind.20673
bind-CVE-2020-8616.patch
Overview
Repositories
Revisions
Requests
Users
Attributes
Meta
File bind-CVE-2020-8616.patch of Package bind.20673
Index: bind-9.9.9-P1/lib/dns/adb.c =================================================================== --- bind-9.9.9-P1.orig/lib/dns/adb.c +++ bind-9.9.9-P1/lib/dns/adb.c @@ -402,14 +402,13 @@ static void log_quota(dns_adbentry_t *en */ #define FIND_WANTEVENT(fn) (((fn)->options & DNS_ADBFIND_WANTEVENT) != 0) #define FIND_WANTEMPTYEVENT(fn) (((fn)->options & DNS_ADBFIND_EMPTYEVENT) != 0) -#define FIND_AVOIDFETCHES(fn) (((fn)->options & DNS_ADBFIND_AVOIDFETCHES) \ - != 0) -#define FIND_STARTATZONE(fn) (((fn)->options & DNS_ADBFIND_STARTATZONE) \ - != 0) -#define FIND_HINTOK(fn) (((fn)->options & DNS_ADBFIND_HINTOK) != 0) -#define FIND_GLUEOK(fn) (((fn)->options & DNS_ADBFIND_GLUEOK) != 0) -#define FIND_HAS_ADDRS(fn) (!ISC_LIST_EMPTY((fn)->list)) -#define FIND_RETURNLAME(fn) (((fn)->options & DNS_ADBFIND_RETURNLAME) != 0) +#define FIND_AVOIDFETCHES(fn) (((fn)->options & DNS_ADBFIND_AVOIDFETCHES) != 0) +#define FIND_STARTATZONE(fn) (((fn)->options & DNS_ADBFIND_STARTATZONE) != 0) +#define FIND_HINTOK(fn) (((fn)->options & DNS_ADBFIND_HINTOK) != 0) +#define FIND_GLUEOK(fn) (((fn)->options & DNS_ADBFIND_GLUEOK) != 0) +#define FIND_HAS_ADDRS(fn) (!ISC_LIST_EMPTY((fn)->list)) +#define FIND_RETURNLAME(fn) (((fn)->options & DNS_ADBFIND_RETURNLAME) != 0) +#define FIND_NOFETCH(fn) (((fn)->options & DNS_ADBFIND_NOFETCH) != 0) /* * These are currently used on simple unsigned ints, so they are @@ -3106,21 +3105,25 @@ dns_adb_createfind2(dns_adb_t *adb, isc_ * Listen to negative cache hints, and don't start * another query. */ - if (NCACHE_RESULT(result) || AUTH_NX(result)) + if (NCACHE_RESULT(result) || AUTH_NX(result)) { goto fetch; + } - if (!NAME_FETCH_V6(adbname)) + if (!NAME_FETCH_V6(adbname)) { wanted_fetches |= DNS_ADBFIND_INET6; + } } fetch: if ((WANT_INET(wanted_addresses) && NAME_HAS_V4(adbname)) || - (WANT_INET6(wanted_addresses) && NAME_HAS_V6(adbname))) + (WANT_INET6(wanted_addresses) && NAME_HAS_V6(adbname))) { have_address = ISC_TRUE; - else + } else { have_address = ISC_FALSE; - if (wanted_fetches != 0 && - ! (FIND_AVOIDFETCHES(find) && have_address)) { + } + if (wanted_fetches != 0 && !(FIND_AVOIDFETCHES(find) && have_address) && + !FIND_NOFETCH(find)) + { /* * We're missing at least one address family. Either the * caller hasn't instructed us to avoid fetches, or we don't @@ -3128,8 +3131,9 @@ dns_adb_createfind2(dns_adb_t *adb, isc_ * be acceptable so we have to launch fetches. */ - if (FIND_STARTATZONE(find)) + if (FIND_STARTATZONE(find)) { start_at_zone = ISC_TRUE; + } /* * Start V4. Index: bind-9.9.9-P1/lib/dns/include/dns/adb.h =================================================================== --- bind-9.9.9-P1.orig/lib/dns/include/dns/adb.h +++ bind-9.9.9-P1/lib/dns/include/dns/adb.h @@ -211,6 +211,10 @@ struct dns_adbfind { * lame for this query. */ #define DNS_ADBFIND_OVERQUOTA 0x00000400 +/*% + * Don't perform a fetch even if there are no address records available. + */ +#define DNS_ADBFIND_NOFETCH 0x00000800 /*% * The answers to queries come back as a list of these. Index: bind-9.9.9-P1/lib/dns/resolver.c =================================================================== --- bind-9.9.9-P1.orig/lib/dns/resolver.c +++ bind-9.9.9-P1/lib/dns/resolver.c @@ -170,6 +170,14 @@ #define DEFAULT_MAX_QUERIES 50 #endif +/* + * After NS_FAIL_LIMIT attempts to fetch a name server address, + * if the number of addresses in the NS RRset exceeds NS_RR_LIMIT, + * stop trying to fetch, in order to avoid wasting resources. + */ +#define NS_FAIL_LIMIT 4 +#define NS_RR_LIMIT 5 + /* Number of hash buckets for zone counters */ #ifndef RES_DOMAIN_BUCKETS #define RES_DOMAIN_BUCKETS 523 @@ -2733,7 +2741,7 @@ sort_finds(dns_adbfindlist_t *findlist) static void findname(fetchctx_t *fctx, dns_name_t *name, in_port_t port, unsigned int options, unsigned int flags, isc_stdtime_t now, - isc_boolean_t *overquota, isc_boolean_t *need_alternate) + isc_boolean_t *overquota, isc_boolean_t *need_alternate, unsigned int *no_addresses) { dns_adbaddrinfo_t *ai; dns_adbfind_t *find; @@ -2826,7 +2834,12 @@ findname(fetchctx_t *fctx, dns_name_t *n find->result_v6 != DNS_R_NXDOMAIN) || (res->dispatches6 == NULL && find->result_v4 != DNS_R_NXDOMAIN))) + { *need_alternate = ISC_TRUE; + } + if (no_addresses != NULL) { + (*no_addresses)++; + } } else { #ifdef ENABLE_FETCHLIMIT if ((find->options & DNS_ADBFIND_OVERQUOTA) != 0) { @@ -2882,6 +2895,7 @@ fctx_getaddresses(fetchctx_t *fctx, isc_ #ifdef ENABLE_FETCHLIMIT isc_boolean_t all_spilled = ISC_TRUE; #endif /* ENABLE_FETCHLIMIT */ + unsigned int no_addresses = 0; FCTXTRACE5("getaddresses", "fctx->depth=", fctx->depth); @@ -2955,7 +2969,9 @@ fctx_getaddresses(fetchctx_t *fctx, isc_ result = dns_name_dup(domain, fctx->mctx, &fctx->domain); if (result != ISC_R_SUCCESS) + { return (result); + } #ifdef ENABLE_FETCHLIMIT result = fcount_incr(fctx, ISC_TRUE); if (result != ISC_R_SUCCESS) @@ -3042,10 +3058,17 @@ fctx_getaddresses(fetchctx_t *fctx, isc_ */ result = dns_rdata_tostruct(&rdata, &ns, NULL); if (result != ISC_R_SUCCESS) + { continue; + } + if (no_addresses > NS_FAIL_LIMIT && + dns_rdataset_count(&fctx->nameservers) > NS_RR_LIMIT) + { + stdoptions |= DNS_ADBFIND_NOFETCH; + } findname(fctx, &ns.name, 0, stdoptions, 0, now, - &overquota, &need_alternate); + &overquota, &need_alternate, &no_addresses); #ifdef ENABLE_FETCHLIMIT if (!overquota) @@ -3056,7 +3079,9 @@ fctx_getaddresses(fetchctx_t *fctx, isc_ dns_rdata_freestruct(&ns); } if (result != ISC_R_NOMORE) + { return (result); + } /* * Do we need to use 6 to 4? @@ -3071,7 +3096,7 @@ fctx_getaddresses(fetchctx_t *fctx, isc_ if (!a->isaddress) { findname(fctx, &a->_u._n.name, a->_u._n.port, stdoptions, FCTX_ADDRINFO_FORWARDER, - now, NULL, NULL); + now, NULL, NULL, NULL); continue; } if (isc_sockaddr_pf(&a->_u.addr) != family)
Locations
Projects
Search
Status Monitor
Help
OpenBuildService.org
Documentation
API Documentation
Code of Conduct
Contact
Support
@OBShq
Terms
openSUSE Build Service is sponsored by
The Open Build Service is an
openSUSE project
.
Sign Up
Log In
Places
Places
All Projects
Status Monitor