File bind-CVE-2022-3094.patch of Package bind

Overview Repositories Revisions Requests Users Attributes Meta

File bind-CVE-2022-3094.patch of Package bind

Index: bind-9.16.6/bin/named/bind9.xsl
===================================================================
--- bind-9.16.6.orig/bin/named/bind9.xsl
+++ bind-9.16.6/bin/named/bind9.xsl
@@ -12,7 +12,9 @@
 
 <xsl:stylesheet xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns="http://www.w3.org/1999/xhtml" version="1.0">
   <xsl:output method="html" indent="yes" version="4.0"/>
-  <xsl:template match="statistics[@version=&quot;3.11&quot;]">
+  
+  
+  <xsl:template match="statistics[@version=&quot;3.11.1&quot;]">
     <html>
       <head>
         <script type="text/javascript" src="https://ajax.googleapis.com/ajax/libs/jquery/3.4.1/jquery.min.js"></script>
Index: bind-9.16.6/bin/named/bind9.xsl.h
===================================================================
--- bind-9.16.6.orig/bin/named/bind9.xsl.h
+++ bind-9.16.6/bin/named/bind9.xsl.h
@@ -20,7 +20,11 @@ static char xslmsg[] =
 	"<xsl:stylesheet xmlns:xsl=\"http://www.w3.org/1999/XSL/Transform\" "
 	"xmlns=\"http://www.w3.org/1999/xhtml\" version=\"1.0\">\n"
 	" <xsl:output method=\"html\" indent=\"yes\" version=\"4.0\"/>\n"
-	" <xsl:template match=\"statistics[@version=&quot;3.11&quot;]\">\n"
+	" \n"
+	" \n"
+	" <xsl:template match=\"statistics[@version=&quot;3.11.1&quot;]\">\n"
 	" <html>\n"
 	" <head>\n"
 	" <script type=\"text/javascript\" "
Index: bind-9.16.6/bin/named/statschannel.c
===================================================================
--- bind-9.16.6.orig/bin/named/statschannel.c
+++ bind-9.16.6/bin/named/statschannel.c
@@ -335,6 +335,7 @@ init_desc(void) {
 	SET_NSSTATDESC(reclimitdropped,
 		       "queries dropped due to recursive client limit",
 		       "RecLimitDropped");
+	SET_NSSTATDESC(updatequota, "Update quota exceeded", "UpdateQuota");
 
 	INSIST(i == ns_statscounter_max);
 
@@ -2007,7 +2008,7 @@ generatexml(named_server_t *server, uint
 					      "href=\"/bind9.xsl\""));
 	TRY0(xmlTextWriterStartElement(writer, ISC_XMLCHAR "statistics"));
 	TRY0(xmlTextWriterWriteAttribute(writer, ISC_XMLCHAR "version",
-					 ISC_XMLCHAR "3.11"));
+					 ISC_XMLCHAR "3.11.1"));
 
 	/* Set common fields for statistics dump */
 	dumparg.type = isc_statsformat_xml;
@@ -2875,7 +2876,7 @@ generatejson(named_server_t *server, siz
 	/*
 	 * These statistics are included no matter which URL we use.
 	 */
-	obj = json_object_new_string("1.5");
+	obj = json_object_new_string("1.5.1");
 	CHECKMEM(obj);
 	json_object_object_add(bindstats, "json-stats-version", obj);
 
Index: bind-9.16.6/doc/arm/reference.rst
===================================================================
--- bind-9.16.6.orig/doc/arm/reference.rst
+++ bind-9.16.6/doc/arm/reference.rst
@@ -6468,6 +6468,11 @@ Name Server Statistics Counters
 ``UpdateBadPrereq``
     This indicates the number of dynamic updates rejected due to a prerequisite failure.
 
+``UpdateQuota``
+    This indicates the number of times a dynamic update or update
+    forwarding request was rejected because the number of pending
+    requests exceeded the update quota.
+
 ``RateDropped``
     This indicates the number of responses dropped due to rate limits.
 
Index: bind-9.16.6/lib/ns/include/ns/server.h
===================================================================
--- bind-9.16.6.orig/lib/ns/include/ns/server.h
+++ bind-9.16.6/lib/ns/include/ns/server.h
@@ -84,6 +84,7 @@ struct ns_server {
 	isc_quota_t recursionquota;
 	isc_quota_t tcpquota;
 	isc_quota_t xfroutquota;
+	isc_quota_t updquota;
 
 	/*% Test options and other configurables */
 	uint32_t options;
Index: bind-9.16.6/lib/ns/include/ns/stats.h
===================================================================
--- bind-9.16.6.orig/lib/ns/include/ns/stats.h
+++ bind-9.16.6/lib/ns/include/ns/stats.h
@@ -105,7 +105,9 @@ enum { ns_statscounter_requestv4 = 0,
 
        ns_statscounter_reclimitdropped = 66,
 
-       ns_statscounter_max = 67,
+       ns_statscounter_updatequota = 67,
+
+       ns_statscounter_max = 68,
 };
 
 void
Index: bind-9.16.6/lib/ns/server.c
===================================================================
--- bind-9.16.6.orig/lib/ns/server.c
+++ bind-9.16.6/lib/ns/server.c
@@ -52,6 +52,7 @@ ns_server_create(isc_mem_t *mctx, ns_mat
 	isc_quota_init(&sctx->xfroutquota, 10);
 	isc_quota_init(&sctx->tcpquota, 10);
 	isc_quota_init(&sctx->recursionquota, 100);
+	isc_quota_init(&sctx->updquota, 100);
 
 	CHECKFATAL(dns_tkeyctx_create(mctx, &sctx->tkeyctx));
 
@@ -131,6 +132,7 @@ ns_server_detach(ns_server_t **sctxp) {
 			isc_mem_put(sctx->mctx, altsecret, sizeof(*altsecret));
 		}
 
+		isc_quota_destroy(&sctx->updquota);
 		isc_quota_destroy(&sctx->recursionquota);
 		isc_quota_destroy(&sctx->tcpquota);
 		isc_quota_destroy(&sctx->xfroutquota);
Index: bind-9.16.6/lib/ns/update.c
===================================================================
--- bind-9.16.6.orig/lib/ns/update.c
+++ bind-9.16.6/lib/ns/update.c
@@ -1544,6 +1544,19 @@ send_update_event(ns_client_t *client, d
 	update_event_t *event = NULL;
 	isc_task_t *zonetask = NULL;
 
+	result = isc_quota_attach(&client->manager->sctx->updquota,
+				  &(isc_quota_t *){ NULL });
+	if (result != ISC_R_SUCCESS) {
+		update_log(client, zone, LOGLEVEL_PROTOCOL,
+			   "update failed: too many DNS UPDATEs queued (%s)",
+			   isc_result_totext(result));
+		ns_stats_increment(client->manager->sctx->nsstats,
+				   ns_statscounter_updatequota);
+		ns_client_drop(client, result);
+		isc_nmhandle_unref(client->handle);
+		return (DNS_R_DROP);
+	}
+
 	event = (update_event_t *)isc_event_allocate(
 		client->mctx, client, DNS_EVENT_UPDATE, update_action, NULL,
 		sizeof(*event));
@@ -1668,12 +1681,19 @@ failure:
 		       dns_zone_gettype(zone) == dns_zone_mirror);
 		inc_stats(client, zone, ns_statscounter_updaterej);
 	}
+
 	/*
 	 * We failed without having sent an update event to the zone.
 	 * We are still in the client task context, so we can
 	 * simply give an error response without switching tasks.
 	 */
-	respond(client, result);
+	if (result == DNS_R_DROP) {
+		ns_client_drop(client, result);
+		isc_nmhandle_unref(client->handle);
+	} else {
+		respond(client, result);
+	}
+
 	if (zone != NULL) {
 		dns_zone_detach(&zone);
 	}
@@ -3478,6 +3498,7 @@ updatedone_action(isc_task_t *task, isc_
 	}
 	client->nupdates--;
 	respond(client, uev->result);
+	isc_quota_detach(&(isc_quota_t *){ &client->manager->sctx->updquota });
 	isc_event_free(&event);
 	isc_nmhandle_unref(client->handle);
 }
@@ -3495,6 +3516,8 @@ forward_fail(isc_task_t *task, isc_event
 	INSIST(client->nupdates > 0);
 	client->nupdates--;
 	respond(client, DNS_R_SERVFAIL);
+
+	isc_quota_detach(&(isc_quota_t *){ &client->manager->sctx->updquota });
 	isc_event_free(&event);
 	isc_nmhandle_unref(client->handle);
 }
@@ -3531,6 +3554,8 @@ forward_done(isc_task_t *task, isc_event
 	client->nupdates--;
 	ns_client_sendraw(client, uev->answer);
 	dns_message_destroy(&uev->answer);
+
+	isc_quota_detach(&(isc_quota_t *){ &client->manager->sctx->updquota });
 	isc_event_free(&event);
 	isc_nmhandle_unref(client->handle);
 }
@@ -3565,6 +3590,17 @@ send_forward_event(ns_client_t *client,
 	update_event_t *event = NULL;
 	isc_task_t *zonetask = NULL;
 
+	result = isc_quota_attach(&client->manager->sctx->updquota,
+				  &(isc_quota_t *){ NULL });
+	if (result != ISC_R_SUCCESS) {
+		update_log(client, zone, LOGLEVEL_PROTOCOL,
+			   "update failed: too many DNS UPDATEs queued (%s)",
+			   isc_result_totext(result));
+		ns_stats_increment(client->manager->sctx->nsstats,
+				   ns_statscounter_updatequota);
+		return (DNS_R_DROP);
+	}
+
 	event = (update_event_t *)isc_event_allocate(
 		client->mctx, client, DNS_EVENT_UPDATE, forward_action, NULL,
 		sizeof(*event));

Places

File bind-CVE-2022-3094.patch of Package bind

Places