diff options
author | Kai Kang <kai.kang@windriver.com> | 2017-07-12 09:25:05 +0800 |
---|---|---|
committer | Richard Purdie <richard.purdie@linuxfoundation.org> | 2017-07-17 14:01:39 +0100 |
commit | 39f74e11fda240c39135c5f12ed24cc8f0364c72 (patch) | |
tree | 8cc55d435d41368d4e1169dd7f868689039be6cf /meta/recipes-connectivity/bind | |
parent | e6c05f57a5ee2eb74f69b8e9367cfd9b36f023a8 (diff) | |
download | poky-39f74e11fda240c39135c5f12ed24cc8f0364c72.tar.gz |
bind: 9.10.3-P3 -> 9.10.5-P3
Upgrade bind from 9.10.3-P3 to 9.10.5-P3
* Update md5sum of LIC_FILES_CHKSUM that it update year in file COPYRIGHT
* Remvoe mips1-not-support-opcode.diff which has been merged
* Remove CVE patches that there are backported from upstream
* Use python3 for build and make sure install .py files to right directory
(From OE-Core rev: 9ee6a0a6599d081767b63382a576e67aed12cf4d)
Signed-off-by: Kai Kang <kai.kang@windriver.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Diffstat (limited to 'meta/recipes-connectivity/bind')
13 files changed, 61 insertions, 2443 deletions
diff --git a/meta/recipes-connectivity/bind/bind/0001-build-use-pkg-config-to-find-libxml2.patch b/meta/recipes-connectivity/bind/bind/0001-build-use-pkg-config-to-find-libxml2.patch index 805cbb3315..1e23c0f56b 100644 --- a/meta/recipes-connectivity/bind/bind/0001-build-use-pkg-config-to-find-libxml2.patch +++ b/meta/recipes-connectivity/bind/bind/0001-build-use-pkg-config-to-find-libxml2.patch | |||
@@ -7,15 +7,19 @@ Signed-off-by: Ross Burton <ross.burton@intel.com> | |||
7 | Update context for version 9.10.3-P2. | 7 | Update context for version 9.10.3-P2. |
8 | 8 | ||
9 | Signed-off-by: Kai Kang <kai.kang@windriver.com> | 9 | Signed-off-by: Kai Kang <kai.kang@windriver.com> |
10 | |||
11 | Update context for version 9.10.5-P3. | ||
12 | |||
13 | Signed-off-by: Kai Kang <kai.kang@windriver.com> | ||
10 | --- | 14 | --- |
11 | configure.in | 23 +++-------------------- | 15 | configure.in | 23 +++-------------------- |
12 | 1 file changed, 3 insertions(+), 20 deletions(-) | 16 | 1 file changed, 3 insertions(+), 20 deletions(-) |
13 | 17 | ||
14 | diff --git a/configure.in b/configure.in | 18 | diff --git a/configure.in b/configure.in |
15 | index 0db826d..75819eb 100644 | 19 | index 4da73a4..6f2a754 100644 |
16 | --- a/configure.in | 20 | --- a/configure.in |
17 | +++ b/configure.in | 21 | +++ b/configure.in |
18 | @@ -2107,26 +2107,9 @@ case "$use_libxml2" in | 22 | @@ -2282,26 +2282,9 @@ case "$use_libxml2" in |
19 | DST_LIBXML2_INC="" | 23 | DST_LIBXML2_INC="" |
20 | ;; | 24 | ;; |
21 | auto|yes) | 25 | auto|yes) |
@@ -25,7 +29,7 @@ index 0db826d..75819eb 100644 | |||
25 | - libxml2_cflags=`xml2-config --cflags` | 29 | - libxml2_cflags=`xml2-config --cflags` |
26 | - ;; | 30 | - ;; |
27 | - *) | 31 | - *) |
28 | - if test "$use_libxml2" = "yes" ; then | 32 | - if test "yes" = "$use_libxml2" ; then |
29 | - AC_MSG_RESULT(no) | 33 | - AC_MSG_RESULT(no) |
30 | - AC_MSG_ERROR(required libxml2 version not available) | 34 | - AC_MSG_ERROR(required libxml2 version not available) |
31 | - else | 35 | - else |
diff --git a/meta/recipes-connectivity/bind/bind/CVE-2016-1285.patch b/meta/recipes-connectivity/bind/bind/CVE-2016-1285.patch deleted file mode 100644 index 2149bd180d..0000000000 --- a/meta/recipes-connectivity/bind/bind/CVE-2016-1285.patch +++ /dev/null | |||
@@ -1,154 +0,0 @@ | |||
1 | From 70037e040e587329cec82123e12b9f4f7c945f67 Mon Sep 17 00:00:00 2001 | ||
2 | From: Mark Andrews <marka@isc.org> | ||
3 | Date: Thu, 18 Feb 2016 12:11:27 +1100 | ||
4 | Subject: [PATCH] 4318. [security] Malformed control messages can | ||
5 | trigger assertions in named and rndc. (CVE-2016-1285) | ||
6 | [RT #41666] | ||
7 | |||
8 | (cherry picked from commit a2b15b3305acd52179e6f3dc7d073b07fbc40b8e) | ||
9 | |||
10 | CVE: CVE-2016-1285 | ||
11 | Upstream-Status: Backport | ||
12 | [Removed doc/arm/notes.xml changes from upstream patch] | ||
13 | |||
14 | Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com> | ||
15 | --- | ||
16 | CHANGES | 3 +++ | ||
17 | bin/named/control.c | 2 +- | ||
18 | bin/named/controlconf.c | 2 +- | ||
19 | bin/rndc/rndc.c | 8 ++++---- | ||
20 | doc/arm/notes.xml | 11 +++++++++++ | ||
21 | lib/isccc/cc.c | 14 +++++++------- | ||
22 | 6 files changed, 27 insertions(+), 13 deletions(-) | ||
23 | |||
24 | diff --git a/CHANGES b/CHANGES | ||
25 | index b9bd9ef..2c727d5 100644 | ||
26 | --- a/CHANGES | ||
27 | +++ b/CHANGES | ||
28 | @@ -1,3 +1,6 @@ | ||
29 | +4318. [security] Malformed control messages can trigger assertions | ||
30 | + in named and rndc. (CVE-2016-1285) [RT #41666] | ||
31 | + | ||
32 | --- 9.10.3-P3 released --- | ||
33 | |||
34 | 4288. [bug] Fixed a regression in resolver.c:possibly_mark() | ||
35 | diff --git a/bin/named/control.c b/bin/named/control.c | ||
36 | index 8554335..81340ca 100644 | ||
37 | --- a/bin/named/control.c | ||
38 | +++ b/bin/named/control.c | ||
39 | @@ -69,7 +69,7 @@ ns_control_docommand(isccc_sexpr_t *message, isc_buffer_t *text) { | ||
40 | #endif | ||
41 | |||
42 | data = isccc_alist_lookup(message, "_data"); | ||
43 | - if (data == NULL) { | ||
44 | + if (!isccc_alist_alistp(data)) { | ||
45 | /* | ||
46 | * No data section. | ||
47 | */ | ||
48 | diff --git a/bin/named/controlconf.c b/bin/named/controlconf.c | ||
49 | index 765afdd..a39ab8b 100644 | ||
50 | --- a/bin/named/controlconf.c | ||
51 | +++ b/bin/named/controlconf.c | ||
52 | @@ -402,7 +402,7 @@ control_recvmessage(isc_task_t *task, isc_event_t *event) { | ||
53 | * Limit exposure to replay attacks. | ||
54 | */ | ||
55 | _ctrl = isccc_alist_lookup(request, "_ctrl"); | ||
56 | - if (_ctrl == NULL) { | ||
57 | + if (!isccc_alist_alistp(_ctrl)) { | ||
58 | log_invalid(&conn->ccmsg, ISC_R_FAILURE); | ||
59 | goto cleanup_request; | ||
60 | } | ||
61 | diff --git a/bin/rndc/rndc.c b/bin/rndc/rndc.c | ||
62 | index cb17050..b6e05c8 100644 | ||
63 | --- a/bin/rndc/rndc.c | ||
64 | +++ b/bin/rndc/rndc.c | ||
65 | @@ -255,8 +255,8 @@ rndc_recvdone(isc_task_t *task, isc_event_t *event) { | ||
66 | isccc_cc_fromwire(&source, &response, algorithm, &secret)); | ||
67 | |||
68 | data = isccc_alist_lookup(response, "_data"); | ||
69 | - if (data == NULL) | ||
70 | - fatal("no data section in response"); | ||
71 | + if (!isccc_alist_alistp(data)) | ||
72 | + fatal("bad or missing data section in response"); | ||
73 | result = isccc_cc_lookupstring(data, "err", &errormsg); | ||
74 | if (result == ISC_R_SUCCESS) { | ||
75 | failed = ISC_TRUE; | ||
76 | @@ -321,8 +321,8 @@ rndc_recvnonce(isc_task_t *task, isc_event_t *event) { | ||
77 | isccc_cc_fromwire(&source, &response, algorithm, &secret)); | ||
78 | |||
79 | _ctrl = isccc_alist_lookup(response, "_ctrl"); | ||
80 | - if (_ctrl == NULL) | ||
81 | - fatal("_ctrl section missing"); | ||
82 | + if (!isccc_alist_alistp(_ctrl)) | ||
83 | + fatal("bad or missing ctrl section in response"); | ||
84 | nonce = 0; | ||
85 | if (isccc_cc_lookupuint32(_ctrl, "_nonce", &nonce) != ISC_R_SUCCESS) | ||
86 | nonce = 0; | ||
87 | diff --git a/lib/isccc/cc.c b/lib/isccc/cc.c | ||
88 | index 47a3b74..2bb961e 100644 | ||
89 | --- a/lib/isccc/cc.c | ||
90 | +++ b/lib/isccc/cc.c | ||
91 | @@ -403,13 +403,13 @@ verify(isccc_sexpr_t *alist, unsigned char *data, unsigned int length, | ||
92 | * Extract digest. | ||
93 | */ | ||
94 | _auth = isccc_alist_lookup(alist, "_auth"); | ||
95 | - if (_auth == NULL) | ||
96 | + if (!isccc_alist_alistp(_auth)) | ||
97 | return (ISC_R_FAILURE); | ||
98 | if (algorithm == ISCCC_ALG_HMACMD5) | ||
99 | hmac = isccc_alist_lookup(_auth, "hmd5"); | ||
100 | else | ||
101 | hmac = isccc_alist_lookup(_auth, "hsha"); | ||
102 | - if (hmac == NULL) | ||
103 | + if (!isccc_sexpr_binaryp(hmac)) | ||
104 | return (ISC_R_FAILURE); | ||
105 | /* | ||
106 | * Compute digest. | ||
107 | @@ -728,7 +728,7 @@ isccc_cc_createack(isccc_sexpr_t *message, isc_boolean_t ok, | ||
108 | REQUIRE(ackp != NULL && *ackp == NULL); | ||
109 | |||
110 | _ctrl = isccc_alist_lookup(message, "_ctrl"); | ||
111 | - if (_ctrl == NULL || | ||
112 | + if (!isccc_alist_alistp(_ctrl) || | ||
113 | isccc_cc_lookupuint32(_ctrl, "_ser", &serial) != ISC_R_SUCCESS || | ||
114 | isccc_cc_lookupuint32(_ctrl, "_tim", &t) != ISC_R_SUCCESS) | ||
115 | return (ISC_R_FAILURE); | ||
116 | @@ -773,7 +773,7 @@ isccc_cc_isack(isccc_sexpr_t *message) | ||
117 | isccc_sexpr_t *_ctrl; | ||
118 | |||
119 | _ctrl = isccc_alist_lookup(message, "_ctrl"); | ||
120 | - if (_ctrl == NULL) | ||
121 | + if (!isccc_alist_alistp(_ctrl)) | ||
122 | return (ISC_FALSE); | ||
123 | if (isccc_cc_lookupstring(_ctrl, "_ack", NULL) == ISC_R_SUCCESS) | ||
124 | return (ISC_TRUE); | ||
125 | @@ -786,7 +786,7 @@ isccc_cc_isreply(isccc_sexpr_t *message) | ||
126 | isccc_sexpr_t *_ctrl; | ||
127 | |||
128 | _ctrl = isccc_alist_lookup(message, "_ctrl"); | ||
129 | - if (_ctrl == NULL) | ||
130 | + if (!isccc_alist_alistp(_ctrl)) | ||
131 | return (ISC_FALSE); | ||
132 | if (isccc_cc_lookupstring(_ctrl, "_rpl", NULL) == ISC_R_SUCCESS) | ||
133 | return (ISC_TRUE); | ||
134 | @@ -806,7 +806,7 @@ isccc_cc_createresponse(isccc_sexpr_t *message, isccc_time_t now, | ||
135 | |||
136 | _ctrl = isccc_alist_lookup(message, "_ctrl"); | ||
137 | _data = isccc_alist_lookup(message, "_data"); | ||
138 | - if (_ctrl == NULL || _data == NULL || | ||
139 | + if (!isccc_alist_alistp(_ctrl) || !isccc_alist_alistp(_data) || | ||
140 | isccc_cc_lookupuint32(_ctrl, "_ser", &serial) != ISC_R_SUCCESS || | ||
141 | isccc_cc_lookupstring(_data, "type", &type) != ISC_R_SUCCESS) | ||
142 | return (ISC_R_FAILURE); | ||
143 | @@ -995,7 +995,7 @@ isccc_cc_checkdup(isccc_symtab_t *symtab, isccc_sexpr_t *message, | ||
144 | isccc_sexpr_t *_ctrl; | ||
145 | |||
146 | _ctrl = isccc_alist_lookup(message, "_ctrl"); | ||
147 | - if (_ctrl == NULL || | ||
148 | + if (!isccc_alist_alistp(_ctrl) || | ||
149 | isccc_cc_lookupstring(_ctrl, "_ser", &_ser) != ISC_R_SUCCESS || | ||
150 | isccc_cc_lookupstring(_ctrl, "_tim", &_tim) != ISC_R_SUCCESS) | ||
151 | return (ISC_R_FAILURE); | ||
152 | -- | ||
153 | 1.9.1 | ||
154 | |||
diff --git a/meta/recipes-connectivity/bind/bind/CVE-2016-1286_1.patch b/meta/recipes-connectivity/bind/bind/CVE-2016-1286_1.patch deleted file mode 100644 index ae5cc48d9c..0000000000 --- a/meta/recipes-connectivity/bind/bind/CVE-2016-1286_1.patch +++ /dev/null | |||
@@ -1,79 +0,0 @@ | |||
1 | From a3d327bf1ceaaeabb20223d8de85166e940b9f12 Mon Sep 17 00:00:00 2001 | ||
2 | From: Mukund Sivaraman <muks@isc.org> | ||
3 | Date: Mon, 22 Feb 2016 12:22:43 +0530 | ||
4 | Subject: [PATCH] Fix resolver assertion failure due to improper DNAME handling | ||
5 | (CVE-2016-1286) (#41753) | ||
6 | |||
7 | (cherry picked from commit 5995fec51cc8bb7e53804e4936e60aa1537f3673) | ||
8 | |||
9 | CVE: CVE-2016-1286 | ||
10 | Upstream-Status: Backport | ||
11 | |||
12 | [Removed doc/arm/notes.xml changes from upstream patch.] | ||
13 | |||
14 | Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com> | ||
15 | --- | ||
16 | diff -ruN a/CHANGES b/CHANGES | ||
17 | --- a/CHANGES 2016-04-13 07:28:44.940873629 +0200 | ||
18 | +++ b/CHANGES 2016-04-13 07:38:38.923167851 +0200 | ||
19 | @@ -1,3 +1,7 @@ | ||
20 | +4319. [security] Fix resolver assertion failure due to improper | ||
21 | + DNAME handling when parsing fetch reply messages. | ||
22 | + (CVE-2016-1286) [RT #41753] | ||
23 | + | ||
24 | 4318. [security] Malformed control messages can trigger assertions | ||
25 | in named and rndc. (CVE-2016-1285) [RT #41666] | ||
26 | |||
27 | diff -ruN a/lib/dns/resolver.c b/lib/dns/resolver.c | ||
28 | --- a/lib/dns/resolver.c 2016-04-13 07:28:43.088953790 +0200 | ||
29 | +++ b/lib/dns/resolver.c 2016-04-13 07:38:20.411968925 +0200 | ||
30 | @@ -6967,21 +6967,26 @@ | ||
31 | isc_boolean_t found_dname = ISC_FALSE; | ||
32 | dns_name_t *dname_name; | ||
33 | |||
34 | + /* | ||
35 | + * Only pass DNAME or RRSIG(DNAME). | ||
36 | + */ | ||
37 | + if (rdataset->type != dns_rdatatype_dname && | ||
38 | + (rdataset->type != dns_rdatatype_rrsig || | ||
39 | + rdataset->covers != dns_rdatatype_dname)) | ||
40 | + continue; | ||
41 | + | ||
42 | + /* | ||
43 | + * If we're not chaining, then the DNAME and | ||
44 | + * its signature should not be external. | ||
45 | + */ | ||
46 | + if (!chaining && external) { | ||
47 | + log_formerr(fctx, "external DNAME"); | ||
48 | + return (DNS_R_FORMERR); | ||
49 | + } | ||
50 | + | ||
51 | found = ISC_FALSE; | ||
52 | aflag = 0; | ||
53 | if (rdataset->type == dns_rdatatype_dname) { | ||
54 | - /* | ||
55 | - * We're looking for something else, | ||
56 | - * but we found a DNAME. | ||
57 | - * | ||
58 | - * If we're not chaining, then the | ||
59 | - * DNAME should not be external. | ||
60 | - */ | ||
61 | - if (!chaining && external) { | ||
62 | - log_formerr(fctx, | ||
63 | - "external DNAME"); | ||
64 | - return (DNS_R_FORMERR); | ||
65 | - } | ||
66 | found = ISC_TRUE; | ||
67 | want_chaining = ISC_TRUE; | ||
68 | POST(want_chaining); | ||
69 | @@ -7010,9 +7015,7 @@ | ||
70 | &fctx->domain)) { | ||
71 | return (DNS_R_SERVFAIL); | ||
72 | } | ||
73 | - } else if (rdataset->type == dns_rdatatype_rrsig | ||
74 | - && rdataset->covers == | ||
75 | - dns_rdatatype_dname) { | ||
76 | + } else { | ||
77 | /* | ||
78 | * We've found a signature that | ||
79 | * covers the DNAME. | ||
diff --git a/meta/recipes-connectivity/bind/bind/CVE-2016-1286_2.patch b/meta/recipes-connectivity/bind/bind/CVE-2016-1286_2.patch deleted file mode 100644 index 5f5cb0d340..0000000000 --- a/meta/recipes-connectivity/bind/bind/CVE-2016-1286_2.patch +++ /dev/null | |||
@@ -1,317 +0,0 @@ | |||
1 | From 7602be276a73a6eb5431c5acd9718e68a55e8b61 Mon Sep 17 00:00:00 2001 | ||
2 | From: Mark Andrews <marka@isc.org> | ||
3 | Date: Mon, 29 Feb 2016 07:16:48 +1100 | ||
4 | Subject: [PATCH] Part 2 of: 4319. [security] Fix resolver assertion | ||
5 | failure due to improper DNAME handling when parsing | ||
6 | fetch reply messages. (CVE-2016-1286) [RT #41753] | ||
7 | |||
8 | CVE: CVE-2016-1286 | ||
9 | Upstream-Status: Backport | ||
10 | |||
11 | (cherry picked from commit 2de89ee9de8c8da9dc153a754b02dcdbb7fe2374) | ||
12 | Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com> | ||
13 | --- | ||
14 | lib/dns/resolver.c | 192 ++++++++++++++++++++++++++--------------------------- | ||
15 | 1 file changed, 93 insertions(+), 99 deletions(-) | ||
16 | |||
17 | diff --git a/lib/dns/resolver.c b/lib/dns/resolver.c | ||
18 | index 70aba87..41e9df4 100644 | ||
19 | --- a/lib/dns/resolver.c | ||
20 | +++ b/lib/dns/resolver.c | ||
21 | @@ -6074,14 +6074,11 @@ cname_target(dns_rdataset_t *rdataset, dns_name_t *tname) { | ||
22 | } | ||
23 | |||
24 | static inline isc_result_t | ||
25 | -dname_target(fetchctx_t *fctx, dns_rdataset_t *rdataset, dns_name_t *qname, | ||
26 | - dns_name_t *oname, dns_fixedname_t *fixeddname) | ||
27 | +dname_target(dns_rdataset_t *rdataset, dns_name_t *qname, | ||
28 | + unsigned int nlabels, dns_fixedname_t *fixeddname) | ||
29 | { | ||
30 | isc_result_t result; | ||
31 | dns_rdata_t rdata = DNS_RDATA_INIT; | ||
32 | - unsigned int nlabels; | ||
33 | - int order; | ||
34 | - dns_namereln_t namereln; | ||
35 | dns_rdata_dname_t dname; | ||
36 | dns_fixedname_t prefix; | ||
37 | |||
38 | @@ -6096,21 +6093,6 @@ dname_target(fetchctx_t *fctx, dns_rdataset_t *rdataset, dns_name_t *qname, | ||
39 | if (result != ISC_R_SUCCESS) | ||
40 | return (result); | ||
41 | |||
42 | - /* | ||
43 | - * Get the prefix of qname. | ||
44 | - */ | ||
45 | - namereln = dns_name_fullcompare(qname, oname, &order, &nlabels); | ||
46 | - if (namereln != dns_namereln_subdomain) { | ||
47 | - char qbuf[DNS_NAME_FORMATSIZE]; | ||
48 | - char obuf[DNS_NAME_FORMATSIZE]; | ||
49 | - | ||
50 | - dns_rdata_freestruct(&dname); | ||
51 | - dns_name_format(qname, qbuf, sizeof(qbuf)); | ||
52 | - dns_name_format(oname, obuf, sizeof(obuf)); | ||
53 | - log_formerr(fctx, "unrelated DNAME in answer: " | ||
54 | - "%s is not in %s", qbuf, obuf); | ||
55 | - return (DNS_R_FORMERR); | ||
56 | - } | ||
57 | dns_fixedname_init(&prefix); | ||
58 | dns_name_split(qname, nlabels, dns_fixedname_name(&prefix), NULL); | ||
59 | dns_fixedname_init(fixeddname); | ||
60 | @@ -6736,13 +6718,13 @@ static isc_result_t | ||
61 | answer_response(fetchctx_t *fctx) { | ||
62 | isc_result_t result; | ||
63 | dns_message_t *message; | ||
64 | - dns_name_t *name, *qname, tname, *ns_name; | ||
65 | + dns_name_t *name, *dname, *qname, tname, *ns_name; | ||
66 | dns_rdataset_t *rdataset, *ns_rdataset; | ||
67 | isc_boolean_t done, external, chaining, aa, found, want_chaining; | ||
68 | isc_boolean_t have_answer, found_cname, found_type, wanted_chaining; | ||
69 | unsigned int aflag; | ||
70 | dns_rdatatype_t type; | ||
71 | - dns_fixedname_t dname, fqname; | ||
72 | + dns_fixedname_t fdname, fqname; | ||
73 | dns_view_t *view; | ||
74 | |||
75 | FCTXTRACE("answer_response"); | ||
76 | @@ -6770,10 +6752,15 @@ answer_response(fetchctx_t *fctx) { | ||
77 | view = fctx->res->view; | ||
78 | result = dns_message_firstname(message, DNS_SECTION_ANSWER); | ||
79 | while (!done && result == ISC_R_SUCCESS) { | ||
80 | + dns_namereln_t namereln; | ||
81 | + int order; | ||
82 | + unsigned int nlabels; | ||
83 | + | ||
84 | name = NULL; | ||
85 | dns_message_currentname(message, DNS_SECTION_ANSWER, &name); | ||
86 | external = ISC_TF(!dns_name_issubdomain(name, &fctx->domain)); | ||
87 | - if (dns_name_equal(name, qname)) { | ||
88 | + namereln = dns_name_fullcompare(qname, name, &order, &nlabels); | ||
89 | + if (namereln == dns_namereln_equal) { | ||
90 | wanted_chaining = ISC_FALSE; | ||
91 | for (rdataset = ISC_LIST_HEAD(name->list); | ||
92 | rdataset != NULL; | ||
93 | @@ -6898,10 +6885,11 @@ answer_response(fetchctx_t *fctx) { | ||
94 | */ | ||
95 | INSIST(!external); | ||
96 | if (aflag == | ||
97 | - DNS_RDATASETATTR_ANSWER) | ||
98 | + DNS_RDATASETATTR_ANSWER) { | ||
99 | have_answer = ISC_TRUE; | ||
100 | - name->attributes |= | ||
101 | - DNS_NAMEATTR_ANSWER; | ||
102 | + name->attributes |= | ||
103 | + DNS_NAMEATTR_ANSWER; | ||
104 | + } | ||
105 | rdataset->attributes |= aflag; | ||
106 | if (aa) | ||
107 | rdataset->trust = | ||
108 | @@ -6956,6 +6944,8 @@ answer_response(fetchctx_t *fctx) { | ||
109 | if (wanted_chaining) | ||
110 | chaining = ISC_TRUE; | ||
111 | } else { | ||
112 | + dns_rdataset_t *dnameset = NULL; | ||
113 | + | ||
114 | /* | ||
115 | * Look for a DNAME (or its SIG). Anything else is | ||
116 | * ignored. | ||
117 | @@ -6963,10 +6953,8 @@ answer_response(fetchctx_t *fctx) { | ||
118 | wanted_chaining = ISC_FALSE; | ||
119 | for (rdataset = ISC_LIST_HEAD(name->list); | ||
120 | rdataset != NULL; | ||
121 | - rdataset = ISC_LIST_NEXT(rdataset, link)) { | ||
122 | - isc_boolean_t found_dname = ISC_FALSE; | ||
123 | - dns_name_t *dname_name; | ||
124 | - | ||
125 | + rdataset = ISC_LIST_NEXT(rdataset, link)) | ||
126 | + { | ||
127 | /* | ||
128 | * Only pass DNAME or RRSIG(DNAME). | ||
129 | */ | ||
130 | @@ -6980,20 +6968,41 @@ answer_response(fetchctx_t *fctx) { | ||
131 | * its signature should not be external. | ||
132 | */ | ||
133 | if (!chaining && external) { | ||
134 | - log_formerr(fctx, "external DNAME"); | ||
135 | + char qbuf[DNS_NAME_FORMATSIZE]; | ||
136 | + char obuf[DNS_NAME_FORMATSIZE]; | ||
137 | + | ||
138 | + dns_name_format(name, qbuf, | ||
139 | + sizeof(qbuf)); | ||
140 | + dns_name_format(&fctx->domain, obuf, | ||
141 | + sizeof(obuf)); | ||
142 | + log_formerr(fctx, "external DNAME or " | ||
143 | + "RRSIG covering DNAME " | ||
144 | + "in answer: %s is " | ||
145 | + "not in %s", qbuf, obuf); | ||
146 | + return (DNS_R_FORMERR); | ||
147 | + } | ||
148 | + | ||
149 | + if (namereln != dns_namereln_subdomain) { | ||
150 | + char qbuf[DNS_NAME_FORMATSIZE]; | ||
151 | + char obuf[DNS_NAME_FORMATSIZE]; | ||
152 | + | ||
153 | + dns_name_format(qname, qbuf, | ||
154 | + sizeof(qbuf)); | ||
155 | + dns_name_format(name, obuf, | ||
156 | + sizeof(obuf)); | ||
157 | + log_formerr(fctx, "unrelated DNAME " | ||
158 | + "in answer: %s is " | ||
159 | + "not in %s", qbuf, obuf); | ||
160 | return (DNS_R_FORMERR); | ||
161 | } | ||
162 | |||
163 | - found = ISC_FALSE; | ||
164 | aflag = 0; | ||
165 | if (rdataset->type == dns_rdatatype_dname) { | ||
166 | - found = ISC_TRUE; | ||
167 | want_chaining = ISC_TRUE; | ||
168 | POST(want_chaining); | ||
169 | aflag = DNS_RDATASETATTR_ANSWER; | ||
170 | - result = dname_target(fctx, rdataset, | ||
171 | - qname, name, | ||
172 | - &dname); | ||
173 | + result = dname_target(rdataset, qname, | ||
174 | + nlabels, &fdname); | ||
175 | if (result == ISC_R_NOSPACE) { | ||
176 | /* | ||
177 | * We can't construct the | ||
178 | @@ -7005,14 +7014,12 @@ answer_response(fetchctx_t *fctx) { | ||
179 | } else if (result != ISC_R_SUCCESS) | ||
180 | return (result); | ||
181 | else | ||
182 | - found_dname = ISC_TRUE; | ||
183 | + dnameset = rdataset; | ||
184 | |||
185 | - dname_name = dns_fixedname_name(&dname); | ||
186 | + dname = dns_fixedname_name(&fdname); | ||
187 | if (!is_answertarget_allowed(view, | ||
188 | - qname, | ||
189 | - rdataset->type, | ||
190 | - dname_name, | ||
191 | - &fctx->domain)) { | ||
192 | + qname, rdataset->type, | ||
193 | + dname, &fctx->domain)) { | ||
194 | return (DNS_R_SERVFAIL); | ||
195 | } | ||
196 | } else { | ||
197 | @@ -7020,73 +7027,60 @@ answer_response(fetchctx_t *fctx) { | ||
198 | * We've found a signature that | ||
199 | * covers the DNAME. | ||
200 | */ | ||
201 | - found = ISC_TRUE; | ||
202 | aflag = DNS_RDATASETATTR_ANSWERSIG; | ||
203 | } | ||
204 | |||
205 | - if (found) { | ||
206 | + /* | ||
207 | + * We've found an answer to our | ||
208 | + * question. | ||
209 | + */ | ||
210 | + name->attributes |= DNS_NAMEATTR_CACHE; | ||
211 | + rdataset->attributes |= DNS_RDATASETATTR_CACHE; | ||
212 | + rdataset->trust = dns_trust_answer; | ||
213 | + if (!chaining) { | ||
214 | /* | ||
215 | - * We've found an answer to our | ||
216 | - * question. | ||
217 | + * This data is "the" answer to | ||
218 | + * our question only if we're | ||
219 | + * not chaining. | ||
220 | */ | ||
221 | - name->attributes |= | ||
222 | - DNS_NAMEATTR_CACHE; | ||
223 | - rdataset->attributes |= | ||
224 | - DNS_RDATASETATTR_CACHE; | ||
225 | - rdataset->trust = dns_trust_answer; | ||
226 | - if (!chaining) { | ||
227 | - /* | ||
228 | - * This data is "the" answer | ||
229 | - * to our question only if | ||
230 | - * we're not chaining. | ||
231 | - */ | ||
232 | - INSIST(!external); | ||
233 | - if (aflag == | ||
234 | - DNS_RDATASETATTR_ANSWER) | ||
235 | - have_answer = ISC_TRUE; | ||
236 | + INSIST(!external); | ||
237 | + if (aflag == DNS_RDATASETATTR_ANSWER) { | ||
238 | + have_answer = ISC_TRUE; | ||
239 | name->attributes |= | ||
240 | DNS_NAMEATTR_ANSWER; | ||
241 | - rdataset->attributes |= aflag; | ||
242 | - if (aa) | ||
243 | - rdataset->trust = | ||
244 | - dns_trust_authanswer; | ||
245 | - } else if (external) { | ||
246 | - rdataset->attributes |= | ||
247 | - DNS_RDATASETATTR_EXTERNAL; | ||
248 | - } | ||
249 | - | ||
250 | - /* | ||
251 | - * DNAME chaining. | ||
252 | - */ | ||
253 | - if (found_dname) { | ||
254 | - /* | ||
255 | - * Copy the dname into the | ||
256 | - * qname fixed name. | ||
257 | - * | ||
258 | - * Although we check for | ||
259 | - * failure of the copy | ||
260 | - * operation, in practice it | ||
261 | - * should never fail since | ||
262 | - * we already know that the | ||
263 | - * result fits in a fixedname. | ||
264 | - */ | ||
265 | - dns_fixedname_init(&fqname); | ||
266 | - result = dns_name_copy( | ||
267 | - dns_fixedname_name(&dname), | ||
268 | - dns_fixedname_name(&fqname), | ||
269 | - NULL); | ||
270 | - if (result != ISC_R_SUCCESS) | ||
271 | - return (result); | ||
272 | - wanted_chaining = ISC_TRUE; | ||
273 | - name->attributes |= | ||
274 | - DNS_NAMEATTR_CHAINING; | ||
275 | - rdataset->attributes |= | ||
276 | - DNS_RDATASETATTR_CHAINING; | ||
277 | - qname = dns_fixedname_name( | ||
278 | - &fqname); | ||
279 | } | ||
280 | + rdataset->attributes |= aflag; | ||
281 | + if (aa) | ||
282 | + rdataset->trust = | ||
283 | + dns_trust_authanswer; | ||
284 | + } else if (external) { | ||
285 | + rdataset->attributes |= | ||
286 | + DNS_RDATASETATTR_EXTERNAL; | ||
287 | } | ||
288 | } | ||
289 | + | ||
290 | + /* | ||
291 | + * DNAME chaining. | ||
292 | + */ | ||
293 | + if (dnameset != NULL) { | ||
294 | + /* | ||
295 | + * Copy the dname into the qname fixed name. | ||
296 | + * | ||
297 | + * Although we check for failure of the copy | ||
298 | + * operation, in practice it should never fail | ||
299 | + * since we already know that the result fits | ||
300 | + * in a fixedname. | ||
301 | + */ | ||
302 | + dns_fixedname_init(&fqname); | ||
303 | + qname = dns_fixedname_name(&fqname); | ||
304 | + result = dns_name_copy(dname, qname, NULL); | ||
305 | + if (result != ISC_R_SUCCESS) | ||
306 | + return (result); | ||
307 | + wanted_chaining = ISC_TRUE; | ||
308 | + name->attributes |= DNS_NAMEATTR_CHAINING; | ||
309 | + dnameset->attributes |= | ||
310 | + DNS_RDATASETATTR_CHAINING; | ||
311 | + } | ||
312 | if (wanted_chaining) | ||
313 | chaining = ISC_TRUE; | ||
314 | } | ||
315 | -- | ||
316 | 1.9.1 | ||
317 | |||
diff --git a/meta/recipes-connectivity/bind/bind/CVE-2016-2088.patch b/meta/recipes-connectivity/bind/bind/CVE-2016-2088.patch deleted file mode 100644 index 1b84d46b78..0000000000 --- a/meta/recipes-connectivity/bind/bind/CVE-2016-2088.patch +++ /dev/null | |||
@@ -1,247 +0,0 @@ | |||
1 | CVE-2016-2088 | ||
2 | |||
3 | Backport commit d7ff9a1c41bf0ba9773cb3adb08b48b9fd57c956 from the | ||
4 | v9_10_3_patch branch. | ||
5 | |||
6 | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2088 | ||
7 | https://kb.isc.org/article/AA-01351 | ||
8 | |||
9 | CVE: CVE-2016-2088 | ||
10 | Upstream-Status: Backport | ||
11 | Signed-off-by: Jussi Kukkonen <jussi.kukkonen@intel.com> | ||
12 | |||
13 | |||
14 | Original commit message from Mark Andrews <marka@isc.org> below: | ||
15 | |||
16 | 4322. [security] Duplicate EDNS COOKIE options in a response could | ||
17 | trigger an assertion failure. (CVE-2016-2088) | ||
18 | [RT #41809] | ||
19 | |||
20 | (cherry picked from commit 455c0848f80a8acda27aad1466c72987cafaa029) | ||
21 | (cherry picked from commit 7cd300abd6ee8b8ee8730593daf742ba53f90bc3) | ||
22 | --- | ||
23 | CHANGES | 4 ++++ | ||
24 | bin/dig/dighost.c | 9 +++++++++ | ||
25 | bin/named/client.c | 33 +++++++++++++++++++++++---------- | ||
26 | doc/arm/notes.xml | 7 +++++++ | ||
27 | lib/dns/resolver.c | 14 +++++++++++++- | ||
28 | 5 files changed, 56 insertions(+), 11 deletions(-) | ||
29 | |||
30 | diff --git a/CHANGES b/CHANGES | ||
31 | index c5b5d2b..d2e3360 100644 | ||
32 | --- a/CHANGES | ||
33 | +++ b/CHANGES | ||
34 | @@ -1,3 +1,7 @@ | ||
35 | +4322. [security] Duplicate EDNS COOKIE options in a response could | ||
36 | + trigger an assertion failure. (CVE-2016-2088) | ||
37 | + [RT #41809] | ||
38 | + | ||
39 | 4319. [security] Fix resolver assertion failure due to improper | ||
40 | DNAME handling when parsing fetch reply messages. | ||
41 | (CVE-2016-1286) [RT #41753] | ||
42 | diff --git a/bin/dig/dighost.c b/bin/dig/dighost.c | ||
43 | index ca82f8e..340904f 100644 | ||
44 | --- a/bin/dig/dighost.c | ||
45 | +++ b/bin/dig/dighost.c | ||
46 | @@ -3458,6 +3458,7 @@ process_opt(dig_lookup_t *l, dns_message_t *msg) { | ||
47 | isc_buffer_t optbuf; | ||
48 | isc_uint16_t optcode, optlen; | ||
49 | dns_rdataset_t *opt = msg->opt; | ||
50 | + isc_boolean_t seen_cookie = ISC_FALSE; | ||
51 | |||
52 | result = dns_rdataset_first(opt); | ||
53 | if (result == ISC_R_SUCCESS) { | ||
54 | @@ -3470,7 +3471,15 @@ process_opt(dig_lookup_t *l, dns_message_t *msg) { | ||
55 | optlen = isc_buffer_getuint16(&optbuf); | ||
56 | switch (optcode) { | ||
57 | case DNS_OPT_COOKIE: | ||
58 | + /* | ||
59 | + * Only process the first cookie option. | ||
60 | + */ | ||
61 | + if (seen_cookie) { | ||
62 | + isc_buffer_forward(&optbuf, optlen); | ||
63 | + break; | ||
64 | + } | ||
65 | process_sit(l, msg, &optbuf, optlen); | ||
66 | + seen_cookie = ISC_TRUE; | ||
67 | break; | ||
68 | default: | ||
69 | isc_buffer_forward(&optbuf, optlen); | ||
70 | diff --git a/bin/named/client.c b/bin/named/client.c | ||
71 | index 683305c..0d7331a 100644 | ||
72 | --- a/bin/named/client.c | ||
73 | +++ b/bin/named/client.c | ||
74 | @@ -120,7 +120,10 @@ | ||
75 | */ | ||
76 | #endif | ||
77 | |||
78 | -#define SIT_SIZE 24U /* 8 + 4 + 4 + 8 */ | ||
79 | +#define COOKIE_SIZE 24U /* 8 + 4 + 4 + 8 */ | ||
80 | + | ||
81 | +#define WANTNSID(x) (((x)->attributes & NS_CLIENTATTR_WANTNSID) != 0) | ||
82 | +#define WANTEXPIRE(x) (((x)->attributes & NS_CLIENTATTR_WANTEXPIRE) != 0) | ||
83 | |||
84 | /*% nameserver client manager structure */ | ||
85 | struct ns_clientmgr { | ||
86 | @@ -1395,7 +1398,7 @@ ns_client_addopt(ns_client_t *client, dns_message_t *message, | ||
87 | { | ||
88 | char nsid[BUFSIZ], *nsidp; | ||
89 | #ifdef ISC_PLATFORM_USESIT | ||
90 | - unsigned char sit[SIT_SIZE]; | ||
91 | + unsigned char sit[COOKIE_SIZE]; | ||
92 | #endif | ||
93 | isc_result_t result; | ||
94 | dns_view_t *view; | ||
95 | @@ -1420,7 +1423,7 @@ ns_client_addopt(ns_client_t *client, dns_message_t *message, | ||
96 | flags = client->extflags & DNS_MESSAGEEXTFLAG_REPLYPRESERVE; | ||
97 | |||
98 | /* Set EDNS options if applicable */ | ||
99 | - if ((client->attributes & NS_CLIENTATTR_WANTNSID) != 0 && | ||
100 | + if (WANTNSID(client) && | ||
101 | (ns_g_server->server_id != NULL || | ||
102 | ns_g_server->server_usehostname)) { | ||
103 | if (ns_g_server->server_usehostname) { | ||
104 | @@ -1453,7 +1456,7 @@ ns_client_addopt(ns_client_t *client, dns_message_t *message, | ||
105 | |||
106 | INSIST(count < DNS_EDNSOPTIONS); | ||
107 | ednsopts[count].code = DNS_OPT_COOKIE; | ||
108 | - ednsopts[count].length = SIT_SIZE; | ||
109 | + ednsopts[count].length = COOKIE_SIZE; | ||
110 | ednsopts[count].value = sit; | ||
111 | count++; | ||
112 | } | ||
113 | @@ -1661,19 +1664,26 @@ compute_sit(ns_client_t *client, isc_uint32_t when, isc_uint32_t nonce, | ||
114 | |||
115 | static void | ||
116 | process_sit(ns_client_t *client, isc_buffer_t *buf, size_t optlen) { | ||
117 | - unsigned char dbuf[SIT_SIZE]; | ||
118 | + unsigned char dbuf[COOKIE_SIZE]; | ||
119 | unsigned char *old; | ||
120 | isc_stdtime_t now; | ||
121 | isc_uint32_t when; | ||
122 | isc_uint32_t nonce; | ||
123 | isc_buffer_t db; | ||
124 | |||
125 | + /* | ||
126 | + * If we have already seen a ECS option skip this ECS option. | ||
127 | + */ | ||
128 | + if ((client->attributes & NS_CLIENTATTR_WANTSIT) != 0) { | ||
129 | + isc_buffer_forward(buf, optlen); | ||
130 | + return; | ||
131 | + } | ||
132 | client->attributes |= NS_CLIENTATTR_WANTSIT; | ||
133 | |||
134 | isc_stats_increment(ns_g_server->nsstats, | ||
135 | dns_nsstatscounter_sitopt); | ||
136 | |||
137 | - if (optlen != SIT_SIZE) { | ||
138 | + if (optlen != COOKIE_SIZE) { | ||
139 | /* | ||
140 | * Not our token. | ||
141 | */ | ||
142 | @@ -1717,14 +1727,13 @@ process_sit(ns_client_t *client, isc_buffer_t *buf, size_t optlen) { | ||
143 | isc_buffer_init(&db, dbuf, sizeof(dbuf)); | ||
144 | compute_sit(client, when, nonce, &db); | ||
145 | |||
146 | - if (!isc_safe_memequal(old, dbuf, SIT_SIZE)) { | ||
147 | + if (!isc_safe_memequal(old, dbuf, COOKIE_SIZE)) { | ||
148 | isc_stats_increment(ns_g_server->nsstats, | ||
149 | dns_nsstatscounter_sitnomatch); | ||
150 | return; | ||
151 | } | ||
152 | isc_stats_increment(ns_g_server->nsstats, | ||
153 | dns_nsstatscounter_sitmatch); | ||
154 | - | ||
155 | client->attributes |= NS_CLIENTATTR_HAVESIT; | ||
156 | } | ||
157 | #endif | ||
158 | @@ -1783,7 +1792,9 @@ process_opt(ns_client_t *client, dns_rdataset_t *opt) { | ||
159 | optlen = isc_buffer_getuint16(&optbuf); | ||
160 | switch (optcode) { | ||
161 | case DNS_OPT_NSID: | ||
162 | - isc_stats_increment(ns_g_server->nsstats, | ||
163 | + if (!WANTNSID(client)) | ||
164 | + isc_stats_increment( | ||
165 | + ns_g_server->nsstats, | ||
166 | dns_nsstatscounter_nsidopt); | ||
167 | client->attributes |= NS_CLIENTATTR_WANTNSID; | ||
168 | isc_buffer_forward(&optbuf, optlen); | ||
169 | @@ -1794,7 +1805,9 @@ process_opt(ns_client_t *client, dns_rdataset_t *opt) { | ||
170 | break; | ||
171 | #endif | ||
172 | case DNS_OPT_EXPIRE: | ||
173 | - isc_stats_increment(ns_g_server->nsstats, | ||
174 | + if (!WANTEXPIRE(client)) | ||
175 | + isc_stats_increment( | ||
176 | + ns_g_server->nsstats, | ||
177 | dns_nsstatscounter_expireopt); | ||
178 | client->attributes |= NS_CLIENTATTR_WANTEXPIRE; | ||
179 | isc_buffer_forward(&optbuf, optlen); | ||
180 | diff --git a/doc/arm/notes.xml b/doc/arm/notes.xml | ||
181 | index ebf4f55..095eb5b 100644 | ||
182 | --- a/doc/arm/notes.xml | ||
183 | +++ b/doc/arm/notes.xml | ||
184 | @@ -51,6 +51,13 @@ | ||
185 | <title>Security Fixes</title> | ||
186 | <itemizedlist> | ||
187 | <listitem> | ||
188 | + <para> | ||
189 | + Duplicate EDNS COOKIE options in a response could trigger | ||
190 | + an assertion failure. This flaw is disclosed in CVE-2016-2088. | ||
191 | + [RT #41809] | ||
192 | + </para> | ||
193 | + </listitem> | ||
194 | + <listitem> | ||
195 | <para> | ||
196 | Specific APL data could trigger an INSIST. This flaw | ||
197 | was discovered by Brian Mitchell and is disclosed in | ||
198 | diff --git a/lib/dns/resolver.c b/lib/dns/resolver.c | ||
199 | index a797e3f..ba1ae23 100644 | ||
200 | --- a/lib/dns/resolver.c | ||
201 | +++ b/lib/dns/resolver.c | ||
202 | @@ -7502,7 +7502,9 @@ process_opt(resquery_t *query, dns_rdataset_t *opt) { | ||
203 | unsigned char *sit; | ||
204 | dns_adbaddrinfo_t *addrinfo; | ||
205 | unsigned char cookie[8]; | ||
206 | + isc_boolean_t seen_cookie = ISC_FALSE; | ||
207 | #endif | ||
208 | + isc_boolean_t seen_nsid = ISC_FALSE; | ||
209 | |||
210 | result = dns_rdataset_first(opt); | ||
211 | if (result == ISC_R_SUCCESS) { | ||
212 | @@ -7516,14 +7518,23 @@ process_opt(resquery_t *query, dns_rdataset_t *opt) { | ||
213 | INSIST(optlen <= isc_buffer_remaininglength(&optbuf)); | ||
214 | switch (optcode) { | ||
215 | case DNS_OPT_NSID: | ||
216 | - if (query->options & DNS_FETCHOPT_WANTNSID) | ||
217 | + if (!seen_nsid && | ||
218 | + query->options & DNS_FETCHOPT_WANTNSID) | ||
219 | log_nsid(&optbuf, optlen, query, | ||
220 | ISC_LOG_DEBUG(3), | ||
221 | query->fctx->res->mctx); | ||
222 | isc_buffer_forward(&optbuf, optlen); | ||
223 | + seen_nsid = ISC_TRUE; | ||
224 | break; | ||
225 | #ifdef ISC_PLATFORM_USESIT | ||
226 | case DNS_OPT_COOKIE: | ||
227 | + /* | ||
228 | + * Only process the first cookie option. | ||
229 | + */ | ||
230 | + if (seen_cookie) { | ||
231 | + isc_buffer_forward(&optbuf, optlen); | ||
232 | + break; | ||
233 | + } | ||
234 | sit = isc_buffer_current(&optbuf); | ||
235 | compute_cc(query, cookie, sizeof(cookie)); | ||
236 | INSIST(query->fctx->rmessage->sitbad == 0 && | ||
237 | @@ -7541,6 +7552,7 @@ process_opt(resquery_t *query, dns_rdataset_t *opt) { | ||
238 | isc_buffer_forward(&optbuf, optlen); | ||
239 | inc_stats(query->fctx->res, | ||
240 | dns_resstatscounter_sitin); | ||
241 | + seen_cookie = ISC_TRUE; | ||
242 | break; | ||
243 | #endif | ||
244 | default: | ||
245 | -- | ||
246 | 2.1.4 | ||
247 | |||
diff --git a/meta/recipes-connectivity/bind/bind/CVE-2016-2775.patch b/meta/recipes-connectivity/bind/bind/CVE-2016-2775.patch deleted file mode 100644 index 5393063c56..0000000000 --- a/meta/recipes-connectivity/bind/bind/CVE-2016-2775.patch +++ /dev/null | |||
@@ -1,90 +0,0 @@ | |||
1 | From 9d8aba8a7778721ae2cee6e4670a8e6be6590b05 Mon Sep 17 00:00:00 2001 | ||
2 | From: Mark Andrews <marka@isc.org> | ||
3 | Date: Wed, 12 Oct 2016 19:52:59 +0900 | ||
4 | Subject: [PATCH] | ||
5 | 4406. [security] getrrsetbyname with a non absolute name could | ||
6 | trigger an infinite recursion bug in lwresd | ||
7 | and named with lwres configured if when combined | ||
8 | with a search list entry the resulting name is | ||
9 | too long. (CVE-2016-2775) [RT #42694] | ||
10 | |||
11 | Backport commit 38cc2d14e218e536e0102fa70deef99461354232 from the | ||
12 | v9.11.0_patch branch. | ||
13 | |||
14 | CVE: CVE-2016-2775 | ||
15 | Upstream-Status: Backport | ||
16 | |||
17 | Signed-off-by: zhengruoqin <zhengrq.fnst@cn.fujitsu.com> | ||
18 | |||
19 | --- | ||
20 | CHANGES | 6 ++++++ | ||
21 | bin/named/lwdgrbn.c | 16 ++++++++++------ | ||
22 | bin/tests/system/lwresd/lwtest.c | 9 ++++++++- | ||
23 | 3 files changed, 24 insertions(+), 7 deletions(-) | ||
24 | |||
25 | diff --git a/CHANGES b/CHANGES | ||
26 | index d2e3360..d0a9d12 100644 | ||
27 | --- a/CHANGES | ||
28 | +++ b/CHANGES | ||
29 | @@ -1,3 +1,9 @@ | ||
30 | +4406. [security] getrrsetbyname with a non absolute name could | ||
31 | + trigger an infinite recursion bug in lwresd | ||
32 | + and named with lwres configured if when combined | ||
33 | + with a search list entry the resulting name is | ||
34 | + too long. (CVE-2016-2775) [RT #42694] | ||
35 | + | ||
36 | 4322. [security] Duplicate EDNS COOKIE options in a response could | ||
37 | trigger an assertion failure. (CVE-2016-2088) | ||
38 | [RT #41809] | ||
39 | diff --git a/bin/named/lwdgrbn.c b/bin/named/lwdgrbn.c | ||
40 | index 3e7b15b..e1e9adc 100644 | ||
41 | --- a/bin/named/lwdgrbn.c | ||
42 | +++ b/bin/named/lwdgrbn.c | ||
43 | @@ -403,14 +403,18 @@ start_lookup(ns_lwdclient_t *client) { | ||
44 | INSIST(client->lookup == NULL); | ||
45 | |||
46 | dns_fixedname_init(&absname); | ||
47 | - result = ns_lwsearchctx_current(&client->searchctx, | ||
48 | - dns_fixedname_name(&absname)); | ||
49 | + | ||
50 | /* | ||
51 | - * This will return failure if relative name + suffix is too long. | ||
52 | - * In this case, just go on to the next entry in the search path. | ||
53 | + * Perform search across all search domains until success | ||
54 | + * is returned. Return in case of failure. | ||
55 | */ | ||
56 | - if (result != ISC_R_SUCCESS) | ||
57 | - start_lookup(client); | ||
58 | + while (ns_lwsearchctx_current(&client->searchctx, | ||
59 | + dns_fixedname_name(&absname)) != ISC_R_SUCCESS) { | ||
60 | + if (ns_lwsearchctx_next(&client->searchctx) != ISC_R_SUCCESS) { | ||
61 | + ns_lwdclient_errorpktsend(client, LWRES_R_FAILURE); | ||
62 | + return; | ||
63 | + } | ||
64 | + } | ||
65 | |||
66 | result = dns_lookup_create(cm->mctx, | ||
67 | dns_fixedname_name(&absname), | ||
68 | diff --git a/bin/tests/system/lwresd/lwtest.c b/bin/tests/system/lwresd/lwtest.c | ||
69 | index ad9b551..3eb4a66 100644 | ||
70 | --- a/bin/tests/system/lwresd/lwtest.c | ||
71 | +++ b/bin/tests/system/lwresd/lwtest.c | ||
72 | @@ -768,7 +768,14 @@ main(void) { | ||
73 | test_getrrsetbyname("e.example1.", 1, 2, 1, 1, 1); | ||
74 | test_getrrsetbyname("e.example1.", 1, 46, 2, 0, 1); | ||
75 | test_getrrsetbyname("", 1, 1, 0, 0, 0); | ||
76 | - | ||
77 | + test_getrrsetbyname("123456789.123456789.123456789.123456789." | ||
78 | + "123456789.123456789.123456789.123456789." | ||
79 | + "123456789.123456789.123456789.123456789." | ||
80 | + "123456789.123456789.123456789.123456789." | ||
81 | + "123456789.123456789.123456789.123456789." | ||
82 | + "123456789.123456789.123456789.123456789." | ||
83 | + "123456789", 1, 1, 0, 0, 0); | ||
84 | + | ||
85 | if (fails == 0) | ||
86 | printf("I:ok\n"); | ||
87 | return (fails); | ||
88 | -- | ||
89 | 2.7.4 | ||
90 | |||
diff --git a/meta/recipes-connectivity/bind/bind/CVE-2016-2776.patch b/meta/recipes-connectivity/bind/bind/CVE-2016-2776.patch deleted file mode 100644 index 738bf60058..0000000000 --- a/meta/recipes-connectivity/bind/bind/CVE-2016-2776.patch +++ /dev/null | |||
@@ -1,123 +0,0 @@ | |||
1 | From 1171111657081970585f9f0e03b476358c33a6c0 Mon Sep 17 00:00:00 2001 | ||
2 | From: Mark Andrews <marka@isc.org> | ||
3 | Date: Wed, 12 Oct 2016 20:36:52 +0900 | ||
4 | Subject: [PATCH] | ||
5 | 4467. [security] It was possible to trigger an assertion when | ||
6 | rendering a message. (CVE-2016-2776) [RT #43139] | ||
7 | |||
8 | Backport commit 2bd0922cf995b9ac205fc83baf7e220b95c6bf12 from the | ||
9 | v9.11.0_patch branch. | ||
10 | |||
11 | CVE: CVE-2016-2776 | ||
12 | Upstream-Status: Backport | ||
13 | |||
14 | Signed-off-by: zhengruoqin <zhengrq.fnst@cn.fujitsu.com> | ||
15 | |||
16 | --- | ||
17 | CHANGES | 3 +++ | ||
18 | lib/dns/message.c | 42 +++++++++++++++++++++++++++++++----------- | ||
19 | 2 files changed, 34 insertions(+), 11 deletions(-) | ||
20 | |||
21 | diff --git a/CHANGES b/CHANGES | ||
22 | index d0a9d12..5c8c61a 100644 | ||
23 | --- a/CHANGES | ||
24 | +++ b/CHANGES | ||
25 | @@ -1,3 +1,6 @@ | ||
26 | +4467. [security] It was possible to trigger an assertion when | ||
27 | + rendering a message. (CVE-2016-2776) [RT #43139] | ||
28 | + | ||
29 | 4406. [security] getrrsetbyname with a non absolute name could | ||
30 | trigger an infinite recursion bug in lwresd | ||
31 | and named with lwres configured if when combined | ||
32 | diff --git a/lib/dns/message.c b/lib/dns/message.c | ||
33 | index 6b5b4bb..b74dc81 100644 | ||
34 | --- a/lib/dns/message.c | ||
35 | +++ b/lib/dns/message.c | ||
36 | @@ -1754,7 +1754,7 @@ dns_message_renderbegin(dns_message_t *msg, dns_compress_t *cctx, | ||
37 | if (r.length < DNS_MESSAGE_HEADERLEN) | ||
38 | return (ISC_R_NOSPACE); | ||
39 | |||
40 | - if (r.length < msg->reserved) | ||
41 | + if (r.length - DNS_MESSAGE_HEADERLEN < msg->reserved) | ||
42 | return (ISC_R_NOSPACE); | ||
43 | |||
44 | /* | ||
45 | @@ -1895,8 +1895,29 @@ norender_rdataset(const dns_rdataset_t *rdataset, unsigned int options, | ||
46 | |||
47 | return (ISC_TRUE); | ||
48 | } | ||
49 | - | ||
50 | #endif | ||
51 | + | ||
52 | +static isc_result_t | ||
53 | +renderset(dns_rdataset_t *rdataset, dns_name_t *owner_name, | ||
54 | + dns_compress_t *cctx, isc_buffer_t *target, | ||
55 | + unsigned int reserved, unsigned int options, unsigned int *countp) | ||
56 | +{ | ||
57 | + isc_result_t result; | ||
58 | + | ||
59 | + /* | ||
60 | + * Shrink the space in the buffer by the reserved amount. | ||
61 | + */ | ||
62 | + if (target->length - target->used < reserved) | ||
63 | + return (ISC_R_NOSPACE); | ||
64 | + | ||
65 | + target->length -= reserved; | ||
66 | + result = dns_rdataset_towire(rdataset, owner_name, | ||
67 | + cctx, target, options, countp); | ||
68 | + target->length += reserved; | ||
69 | + | ||
70 | + return (result); | ||
71 | +} | ||
72 | + | ||
73 | isc_result_t | ||
74 | dns_message_rendersection(dns_message_t *msg, dns_section_t sectionid, | ||
75 | unsigned int options) | ||
76 | @@ -1939,6 +1960,8 @@ dns_message_rendersection(dns_message_t *msg, dns_section_t sectionid, | ||
77 | /* | ||
78 | * Shrink the space in the buffer by the reserved amount. | ||
79 | */ | ||
80 | + if (msg->buffer->length - msg->buffer->used < msg->reserved) | ||
81 | + return (ISC_R_NOSPACE); | ||
82 | msg->buffer->length -= msg->reserved; | ||
83 | |||
84 | total = 0; | ||
85 | @@ -2214,9 +2237,8 @@ dns_message_renderend(dns_message_t *msg) { | ||
86 | * Render. | ||
87 | */ | ||
88 | count = 0; | ||
89 | - result = dns_rdataset_towire(msg->opt, dns_rootname, | ||
90 | - msg->cctx, msg->buffer, 0, | ||
91 | - &count); | ||
92 | + result = renderset(msg->opt, dns_rootname, msg->cctx, | ||
93 | + msg->buffer, msg->reserved, 0, &count); | ||
94 | msg->counts[DNS_SECTION_ADDITIONAL] += count; | ||
95 | if (result != ISC_R_SUCCESS) | ||
96 | return (result); | ||
97 | @@ -2232,9 +2254,8 @@ dns_message_renderend(dns_message_t *msg) { | ||
98 | if (result != ISC_R_SUCCESS) | ||
99 | return (result); | ||
100 | count = 0; | ||
101 | - result = dns_rdataset_towire(msg->tsig, msg->tsigname, | ||
102 | - msg->cctx, msg->buffer, 0, | ||
103 | - &count); | ||
104 | + result = renderset(msg->tsig, msg->tsigname, msg->cctx, | ||
105 | + msg->buffer, msg->reserved, 0, &count); | ||
106 | msg->counts[DNS_SECTION_ADDITIONAL] += count; | ||
107 | if (result != ISC_R_SUCCESS) | ||
108 | return (result); | ||
109 | @@ -2255,9 +2276,8 @@ dns_message_renderend(dns_message_t *msg) { | ||
110 | * the owner name of a SIG(0) is irrelevant, and will not | ||
111 | * be set in a message being rendered. | ||
112 | */ | ||
113 | - result = dns_rdataset_towire(msg->sig0, dns_rootname, | ||
114 | - msg->cctx, msg->buffer, 0, | ||
115 | - &count); | ||
116 | + result = renderset(msg->sig0, dns_rootname, msg->cctx, | ||
117 | + msg->buffer, msg->reserved, 0, &count); | ||
118 | msg->counts[DNS_SECTION_ADDITIONAL] += count; | ||
119 | if (result != ISC_R_SUCCESS) | ||
120 | return (result); | ||
121 | -- | ||
122 | 2.7.4 | ||
123 | |||
diff --git a/meta/recipes-connectivity/bind/bind/CVE-2016-6170.patch b/meta/recipes-connectivity/bind/bind/CVE-2016-6170.patch deleted file mode 100644 index 75bc211cb6..0000000000 --- a/meta/recipes-connectivity/bind/bind/CVE-2016-6170.patch +++ /dev/null | |||
@@ -1,1090 +0,0 @@ | |||
1 | From 1bbcfe2fc84f57b1e4e075fb3bc2a1dd0a3a851f Mon Sep 17 00:00:00 2001 | ||
2 | From: Mark Andrews <marka@isc.org> | ||
3 | Date: Wed, 2 Nov 2016 17:31:27 +1100 | ||
4 | Subject: [PATCH] 4504. [security] Allow the maximum number of records in a | ||
5 | zone to be specified. This provides a control for issues raised in | ||
6 | CVE-2016-6170. [RT #42143] | ||
7 | |||
8 | (cherry picked from commit 5f8412a4cb5ee14a0e8cddd4107854b40ee3291e) | ||
9 | |||
10 | Upstream-Status: Backport | ||
11 | [https://source.isc.org/cgi-bin/gitweb.cgi?p=bind9.git;a=commit;h=1bbcfe2fc84f57b1e4e075fb3bc2a1dd0a3a851f] | ||
12 | |||
13 | CVE: CVE-2016-6170 | ||
14 | |||
15 | Signed-off-by: Yi Zhao <yi.zhao@windriver.com> | ||
16 | --- | ||
17 | CHANGES | 4 + | ||
18 | bin/named/config.c | 1 + | ||
19 | bin/named/named.conf.docbook | 3 + | ||
20 | bin/named/update.c | 16 +++ | ||
21 | bin/named/zoneconf.c | 7 ++ | ||
22 | bin/tests/system/nsupdate/clean.sh | 1 + | ||
23 | bin/tests/system/nsupdate/ns3/named.conf | 7 ++ | ||
24 | bin/tests/system/nsupdate/ns3/too-big.test.db.in | 10 ++ | ||
25 | bin/tests/system/nsupdate/setup.sh | 2 + | ||
26 | bin/tests/system/nsupdate/tests.sh | 15 +++ | ||
27 | bin/tests/system/xfer/clean.sh | 1 + | ||
28 | bin/tests/system/xfer/ns1/axfr-too-big.db | 10 ++ | ||
29 | bin/tests/system/xfer/ns1/ixfr-too-big.db.in | 13 +++ | ||
30 | bin/tests/system/xfer/ns1/named.conf | 11 ++ | ||
31 | bin/tests/system/xfer/ns6/named.conf | 14 +++ | ||
32 | bin/tests/system/xfer/setup.sh | 2 + | ||
33 | bin/tests/system/xfer/tests.sh | 26 +++++ | ||
34 | doc/arm/Bv9ARM-book.xml | 21 ++++ | ||
35 | doc/arm/notes.xml | 9 ++ | ||
36 | lib/bind9/check.c | 2 + | ||
37 | lib/dns/db.c | 13 +++ | ||
38 | lib/dns/ecdb.c | 3 +- | ||
39 | lib/dns/include/dns/db.h | 20 ++++ | ||
40 | lib/dns/include/dns/rdataslab.h | 13 +++ | ||
41 | lib/dns/include/dns/result.h | 6 +- | ||
42 | lib/dns/include/dns/zone.h | 28 ++++- | ||
43 | lib/dns/rbtdb.c | 127 +++++++++++++++++++++-- | ||
44 | lib/dns/rdataslab.c | 13 +++ | ||
45 | lib/dns/result.c | 9 +- | ||
46 | lib/dns/sdb.c | 3 +- | ||
47 | lib/dns/sdlz.c | 3 +- | ||
48 | lib/dns/xfrin.c | 22 +++- | ||
49 | lib/dns/zone.c | 23 +++- | ||
50 | lib/isccfg/namedconf.c | 1 + | ||
51 | 34 files changed, 444 insertions(+), 15 deletions(-) | ||
52 | create mode 100644 bin/tests/system/nsupdate/ns3/too-big.test.db.in | ||
53 | create mode 100644 bin/tests/system/xfer/ns1/axfr-too-big.db | ||
54 | create mode 100644 bin/tests/system/xfer/ns1/ixfr-too-big.db.in | ||
55 | |||
56 | diff --git a/CHANGES b/CHANGES | ||
57 | index 41cfce5..97d2e60 100644 | ||
58 | --- a/CHANGES | ||
59 | +++ b/CHANGES | ||
60 | @@ -1,3 +1,7 @@ | ||
61 | +4504. [security] Allow the maximum number of records in a zone to | ||
62 | + be specified. This provides a control for issues | ||
63 | + raised in CVE-2016-6170. [RT #42143] | ||
64 | + | ||
65 | 4489. [security] It was possible to trigger assertions when processing | ||
66 | a response. (CVE-2016-8864) [RT #43465] | ||
67 | |||
68 | diff --git a/bin/named/config.c b/bin/named/config.c | ||
69 | index f06348c..c24e334 100644 | ||
70 | --- a/bin/named/config.c | ||
71 | +++ b/bin/named/config.c | ||
72 | @@ -209,6 +209,7 @@ options {\n\ | ||
73 | max-transfer-time-out 120;\n\ | ||
74 | max-transfer-idle-in 60;\n\ | ||
75 | max-transfer-idle-out 60;\n\ | ||
76 | + max-records 0;\n\ | ||
77 | max-retry-time 1209600; /* 2 weeks */\n\ | ||
78 | min-retry-time 500;\n\ | ||
79 | max-refresh-time 2419200; /* 4 weeks */\n\ | ||
80 | diff --git a/bin/named/named.conf.docbook b/bin/named/named.conf.docbook | ||
81 | index 4c99a61..c2d173a 100644 | ||
82 | --- a/bin/named/named.conf.docbook | ||
83 | +++ b/bin/named/named.conf.docbook | ||
84 | @@ -338,6 +338,7 @@ options { | ||
85 | }; | ||
86 | |||
87 | max-journal-size <replaceable>size_no_default</replaceable>; | ||
88 | + max-records <replaceable>integer</replaceable>; | ||
89 | max-transfer-time-in <replaceable>integer</replaceable>; | ||
90 | max-transfer-time-out <replaceable>integer</replaceable>; | ||
91 | max-transfer-idle-in <replaceable>integer</replaceable>; | ||
92 | @@ -527,6 +528,7 @@ view <replaceable>string</replaceable> <replaceable>optional_class</replaceable> | ||
93 | }; | ||
94 | |||
95 | max-journal-size <replaceable>size_no_default</replaceable>; | ||
96 | + max-records <replaceable>integer</replaceable>; | ||
97 | max-transfer-time-in <replaceable>integer</replaceable>; | ||
98 | max-transfer-time-out <replaceable>integer</replaceable>; | ||
99 | max-transfer-idle-in <replaceable>integer</replaceable>; | ||
100 | @@ -624,6 +626,7 @@ zone <replaceable>string</replaceable> <replaceable>optional_class</replaceable> | ||
101 | }; | ||
102 | |||
103 | max-journal-size <replaceable>size_no_default</replaceable>; | ||
104 | + max-records <replaceable>integer</replaceable>; | ||
105 | max-transfer-time-in <replaceable>integer</replaceable>; | ||
106 | max-transfer-time-out <replaceable>integer</replaceable>; | ||
107 | max-transfer-idle-in <replaceable>integer</replaceable>; | ||
108 | diff --git a/bin/named/update.c b/bin/named/update.c | ||
109 | index 83b1a05..cc2a611 100644 | ||
110 | --- a/bin/named/update.c | ||
111 | +++ b/bin/named/update.c | ||
112 | @@ -2455,6 +2455,8 @@ update_action(isc_task_t *task, isc_event_t *event) { | ||
113 | isc_boolean_t had_dnskey; | ||
114 | dns_rdatatype_t privatetype = dns_zone_getprivatetype(zone); | ||
115 | dns_ttl_t maxttl = 0; | ||
116 | + isc_uint32_t maxrecords; | ||
117 | + isc_uint64_t records; | ||
118 | |||
119 | INSIST(event->ev_type == DNS_EVENT_UPDATE); | ||
120 | |||
121 | @@ -3138,6 +3140,20 @@ update_action(isc_task_t *task, isc_event_t *event) { | ||
122 | } | ||
123 | } | ||
124 | |||
125 | + maxrecords = dns_zone_getmaxrecords(zone); | ||
126 | + if (maxrecords != 0U) { | ||
127 | + result = dns_db_getsize(db, ver, &records, NULL); | ||
128 | + if (result == ISC_R_SUCCESS && records > maxrecords) { | ||
129 | + update_log(client, zone, ISC_LOG_ERROR, | ||
130 | + "records in zone (%" | ||
131 | + ISC_PRINT_QUADFORMAT | ||
132 | + "u) exceeds max-records (%u)", | ||
133 | + records, maxrecords); | ||
134 | + result = DNS_R_TOOMANYRECORDS; | ||
135 | + goto failure; | ||
136 | + } | ||
137 | + } | ||
138 | + | ||
139 | journalfile = dns_zone_getjournal(zone); | ||
140 | if (journalfile != NULL) { | ||
141 | update_log(client, zone, LOGLEVEL_DEBUG, | ||
142 | diff --git a/bin/named/zoneconf.c b/bin/named/zoneconf.c | ||
143 | index 4ee3dfe..14dd8ce 100644 | ||
144 | --- a/bin/named/zoneconf.c | ||
145 | +++ b/bin/named/zoneconf.c | ||
146 | @@ -978,6 +978,13 @@ ns_zone_configure(const cfg_obj_t *config, const cfg_obj_t *vconfig, | ||
147 | dns_zone_setmaxttl(raw, maxttl); | ||
148 | } | ||
149 | |||
150 | + obj = NULL; | ||
151 | + result = ns_config_get(maps, "max-records", &obj); | ||
152 | + INSIST(result == ISC_R_SUCCESS && obj != NULL); | ||
153 | + dns_zone_setmaxrecords(mayberaw, cfg_obj_asuint32(obj)); | ||
154 | + if (zone != mayberaw) | ||
155 | + dns_zone_setmaxrecords(zone, 0); | ||
156 | + | ||
157 | if (raw != NULL && filename != NULL) { | ||
158 | #define SIGNED ".signed" | ||
159 | size_t signedlen = strlen(filename) + sizeof(SIGNED); | ||
160 | diff --git a/bin/tests/system/nsupdate/clean.sh b/bin/tests/system/nsupdate/clean.sh | ||
161 | index aaefc02..ea25545 100644 | ||
162 | --- a/bin/tests/system/nsupdate/clean.sh | ||
163 | +++ b/bin/tests/system/nsupdate/clean.sh | ||
164 | @@ -32,6 +32,7 @@ rm -f ns3/example.db.jnl ns3/example.db | ||
165 | rm -f ns3/nsec3param.test.db.signed.jnl ns3/nsec3param.test.db ns3/nsec3param.test.db.signed ns3/dsset-nsec3param.test. | ||
166 | rm -f ns3/dnskey.test.db.signed.jnl ns3/dnskey.test.db ns3/dnskey.test.db.signed ns3/dsset-dnskey.test. | ||
167 | rm -f ns3/K* | ||
168 | +rm -f ns3/too-big.test.db | ||
169 | rm -f dig.out.* | ||
170 | rm -f jp.out.ns3.* | ||
171 | rm -f Kxxx.* | ||
172 | diff --git a/bin/tests/system/nsupdate/ns3/named.conf b/bin/tests/system/nsupdate/ns3/named.conf | ||
173 | index 2abd522..68ff27a 100644 | ||
174 | --- a/bin/tests/system/nsupdate/ns3/named.conf | ||
175 | +++ b/bin/tests/system/nsupdate/ns3/named.conf | ||
176 | @@ -60,3 +60,10 @@ zone "dnskey.test" { | ||
177 | allow-update { any; }; | ||
178 | file "dnskey.test.db.signed"; | ||
179 | }; | ||
180 | + | ||
181 | +zone "too-big.test" { | ||
182 | + type master; | ||
183 | + allow-update { any; }; | ||
184 | + max-records 3; | ||
185 | + file "too-big.test.db"; | ||
186 | +}; | ||
187 | diff --git a/bin/tests/system/nsupdate/ns3/too-big.test.db.in b/bin/tests/system/nsupdate/ns3/too-big.test.db.in | ||
188 | new file mode 100644 | ||
189 | index 0000000..7ff1e4a | ||
190 | --- /dev/null | ||
191 | +++ b/bin/tests/system/nsupdate/ns3/too-big.test.db.in | ||
192 | @@ -0,0 +1,10 @@ | ||
193 | +; Copyright (C) 2016 Internet Systems Consortium, Inc. ("ISC") | ||
194 | +; | ||
195 | +; This Source Code Form is subject to the terms of the Mozilla Public | ||
196 | +; License, v. 2.0. If a copy of the MPL was not distributed with this | ||
197 | +; file, You can obtain one at http://mozilla.org/MPL/2.0/. | ||
198 | + | ||
199 | +$TTL 10 | ||
200 | +too-big.test. IN SOA too-big.test. hostmaster.too-big.test. 1 3600 900 2419200 3600 | ||
201 | +too-big.test. IN NS too-big.test. | ||
202 | +too-big.test. IN A 10.53.0.3 | ||
203 | diff --git a/bin/tests/system/nsupdate/setup.sh b/bin/tests/system/nsupdate/setup.sh | ||
204 | index 828255e..43c4094 100644 | ||
205 | --- a/bin/tests/system/nsupdate/setup.sh | ||
206 | +++ b/bin/tests/system/nsupdate/setup.sh | ||
207 | @@ -27,12 +27,14 @@ test -r $RANDFILE || $GENRANDOM 400 $RANDFILE | ||
208 | rm -f ns1/*.jnl ns1/example.db ns2/*.jnl ns2/example.bk | ||
209 | rm -f ns2/update.bk ns2/update.alt.bk | ||
210 | rm -f ns3/example.db.jnl | ||
211 | +rm -f ns3/too-big.test.db.jnl | ||
212 | |||
213 | cp -f ns1/example1.db ns1/example.db | ||
214 | sed 's/example.nil/other.nil/g' ns1/example1.db > ns1/other.db | ||
215 | sed 's/example.nil/unixtime.nil/g' ns1/example1.db > ns1/unixtime.db | ||
216 | sed 's/example.nil/keytests.nil/g' ns1/example1.db > ns1/keytests.db | ||
217 | cp -f ns3/example.db.in ns3/example.db | ||
218 | +cp -f ns3/too-big.test.db.in ns3/too-big.test.db | ||
219 | |||
220 | # update_test.pl has its own zone file because it | ||
221 | # requires a specific NS record set. | ||
222 | diff --git a/bin/tests/system/nsupdate/tests.sh b/bin/tests/system/nsupdate/tests.sh | ||
223 | index 78d501e..0a6bbd3 100755 | ||
224 | --- a/bin/tests/system/nsupdate/tests.sh | ||
225 | +++ b/bin/tests/system/nsupdate/tests.sh | ||
226 | @@ -581,5 +581,20 @@ if [ $ret -ne 0 ]; then | ||
227 | status=1 | ||
228 | fi | ||
229 | |||
230 | +n=`expr $n + 1` | ||
231 | +echo "I:check that adding too many records is blocked ($n)" | ||
232 | +ret=0 | ||
233 | +$NSUPDATE -v << EOF > nsupdate.out-$n 2>&1 && ret=1 | ||
234 | +server 10.53.0.3 5300 | ||
235 | +zone too-big.test. | ||
236 | +update add r1.too-big.test 3600 IN TXT r1.too-big.test | ||
237 | +send | ||
238 | +EOF | ||
239 | +grep "update failed: SERVFAIL" nsupdate.out-$n > /dev/null || ret=1 | ||
240 | +DIG +tcp @10.53.0.3 -p 5300 r1.too-big.test TXT > dig.out.ns3.test$n | ||
241 | +grep "status: NXDOMAIN" dig.out.ns3.test$n > /dev/null || ret=1 | ||
242 | +grep "records in zone (4) exceeds max-records (3)" ns3/named.run > /dev/null || ret=1 | ||
243 | +[ $ret = 0 ] || { echo I:failed; status=1; } | ||
244 | + | ||
245 | echo "I:exit status: $status" | ||
246 | exit $status | ||
247 | diff --git a/bin/tests/system/xfer/clean.sh b/bin/tests/system/xfer/clean.sh | ||
248 | index 48aa159..da62a33 100644 | ||
249 | --- a/bin/tests/system/xfer/clean.sh | ||
250 | +++ b/bin/tests/system/xfer/clean.sh | ||
251 | @@ -36,3 +36,4 @@ rm -f ns7/*.db ns7/*.bk ns7/*.jnl | ||
252 | rm -f */named.memstats | ||
253 | rm -f */named.run | ||
254 | rm -f */ans.run | ||
255 | +rm -f ns1/ixfr-too-big.db ns1/ixfr-too-big.db.jnl | ||
256 | diff --git a/bin/tests/system/xfer/ns1/axfr-too-big.db b/bin/tests/system/xfer/ns1/axfr-too-big.db | ||
257 | new file mode 100644 | ||
258 | index 0000000..d43760d | ||
259 | --- /dev/null | ||
260 | +++ b/bin/tests/system/xfer/ns1/axfr-too-big.db | ||
261 | @@ -0,0 +1,10 @@ | ||
262 | +; Copyright (C) 2016 Internet Systems Consortium, Inc. ("ISC") | ||
263 | +; | ||
264 | +; This Source Code Form is subject to the terms of the Mozilla Public | ||
265 | +; License, v. 2.0. If a copy of the MPL was not distributed with this | ||
266 | +; file, You can obtain one at http://mozilla.org/MPL/2.0/. | ||
267 | + | ||
268 | +$TTL 3600 | ||
269 | +@ IN SOA . . 0 0 0 0 0 | ||
270 | +@ IN NS . | ||
271 | +$GENERATE 1-29 host$ A 1.2.3.$ | ||
272 | diff --git a/bin/tests/system/xfer/ns1/ixfr-too-big.db.in b/bin/tests/system/xfer/ns1/ixfr-too-big.db.in | ||
273 | new file mode 100644 | ||
274 | index 0000000..318bb77 | ||
275 | --- /dev/null | ||
276 | +++ b/bin/tests/system/xfer/ns1/ixfr-too-big.db.in | ||
277 | @@ -0,0 +1,13 @@ | ||
278 | +; Copyright (C) 2016 Internet Systems Consortium, Inc. ("ISC") | ||
279 | +; | ||
280 | +; This Source Code Form is subject to the terms of the Mozilla Public | ||
281 | +; License, v. 2.0. If a copy of the MPL was not distributed with this | ||
282 | +; file, You can obtain one at http://mozilla.org/MPL/2.0/. | ||
283 | + | ||
284 | +$TTL 3600 | ||
285 | +@ IN SOA . . 0 0 0 0 0 | ||
286 | +@ IN NS ns1 | ||
287 | +@ IN NS ns6 | ||
288 | +ns1 IN A 10.53.0.1 | ||
289 | +ns6 IN A 10.53.0.6 | ||
290 | +$GENERATE 1-25 host$ A 1.2.3.$ | ||
291 | diff --git a/bin/tests/system/xfer/ns1/named.conf b/bin/tests/system/xfer/ns1/named.conf | ||
292 | index 07dad85..1d29292 100644 | ||
293 | --- a/bin/tests/system/xfer/ns1/named.conf | ||
294 | +++ b/bin/tests/system/xfer/ns1/named.conf | ||
295 | @@ -44,3 +44,14 @@ zone "slave" { | ||
296 | type master; | ||
297 | file "slave.db"; | ||
298 | }; | ||
299 | + | ||
300 | +zone "axfr-too-big" { | ||
301 | + type master; | ||
302 | + file "axfr-too-big.db"; | ||
303 | +}; | ||
304 | + | ||
305 | +zone "ixfr-too-big" { | ||
306 | + type master; | ||
307 | + allow-update { any; }; | ||
308 | + file "ixfr-too-big.db"; | ||
309 | +}; | ||
310 | diff --git a/bin/tests/system/xfer/ns6/named.conf b/bin/tests/system/xfer/ns6/named.conf | ||
311 | index c9421b1..a12a92c 100644 | ||
312 | --- a/bin/tests/system/xfer/ns6/named.conf | ||
313 | +++ b/bin/tests/system/xfer/ns6/named.conf | ||
314 | @@ -52,3 +52,17 @@ zone "slave" { | ||
315 | masters { 10.53.0.1; }; | ||
316 | file "slave.bk"; | ||
317 | }; | ||
318 | + | ||
319 | +zone "axfr-too-big" { | ||
320 | + type slave; | ||
321 | + max-records 30; | ||
322 | + masters { 10.53.0.1; }; | ||
323 | + file "axfr-too-big.bk"; | ||
324 | +}; | ||
325 | + | ||
326 | +zone "ixfr-too-big" { | ||
327 | + type slave; | ||
328 | + max-records 30; | ||
329 | + masters { 10.53.0.1; }; | ||
330 | + file "ixfr-too-big.bk"; | ||
331 | +}; | ||
332 | diff --git a/bin/tests/system/xfer/setup.sh b/bin/tests/system/xfer/setup.sh | ||
333 | index 56ca901..c55abf8 100644 | ||
334 | --- a/bin/tests/system/xfer/setup.sh | ||
335 | +++ b/bin/tests/system/xfer/setup.sh | ||
336 | @@ -33,3 +33,5 @@ cp -f ns4/named.conf.base ns4/named.conf | ||
337 | |||
338 | cp ns2/slave.db.in ns2/slave.db | ||
339 | touch -t 200101010000 ns2/slave.db | ||
340 | + | ||
341 | +cp -f ns1/ixfr-too-big.db.in ns1/ixfr-too-big.db | ||
342 | diff --git a/bin/tests/system/xfer/tests.sh b/bin/tests/system/xfer/tests.sh | ||
343 | index 67b2a1a..fe33f0a 100644 | ||
344 | --- a/bin/tests/system/xfer/tests.sh | ||
345 | +++ b/bin/tests/system/xfer/tests.sh | ||
346 | @@ -368,5 +368,31 @@ $DIGCMD nil. TXT | grep 'incorrect key AXFR' >/dev/null && { | ||
347 | status=1 | ||
348 | } | ||
349 | |||
350 | +n=`expr $n + 1` | ||
351 | +echo "I:test that a zone with too many records is rejected (AXFR) ($n)" | ||
352 | +tmp=0 | ||
353 | +grep "'axfr-too-big/IN'.*: too many records" ns6/named.run >/dev/null || tmp=1 | ||
354 | +if test $tmp != 0 ; then echo "I:failed"; fi | ||
355 | +status=`expr $status + $tmp` | ||
356 | + | ||
357 | +n=`expr $n + 1` | ||
358 | +echo "I:test that a zone with too many records is rejected (IXFR) ($n)" | ||
359 | +tmp=0 | ||
360 | +grep "'ixfr-too-big./IN.*: too many records" ns6/named.run >/dev/null && tmp=1 | ||
361 | +$NSUPDATE << EOF | ||
362 | +zone ixfr-too-big | ||
363 | +server 10.53.0.1 5300 | ||
364 | +update add the-31st-record.ixfr-too-big 0 TXT this is it | ||
365 | +send | ||
366 | +EOF | ||
367 | +for i in 1 2 3 4 5 6 7 8 | ||
368 | +do | ||
369 | + grep "'ixfr-too-big/IN'.*: too many records" ns6/named.run >/dev/null && break | ||
370 | + sleep 1 | ||
371 | +done | ||
372 | +grep "'ixfr-too-big/IN'.*: too many records" ns6/named.run >/dev/null || tmp=1 | ||
373 | +if test $tmp != 0 ; then echo "I:failed"; fi | ||
374 | +status=`expr $status + $tmp` | ||
375 | + | ||
376 | echo "I:exit status: $status" | ||
377 | exit $status | ||
378 | diff --git a/doc/arm/Bv9ARM-book.xml b/doc/arm/Bv9ARM-book.xml | ||
379 | index 848b582..0369505 100644 | ||
380 | --- a/doc/arm/Bv9ARM-book.xml | ||
381 | +++ b/doc/arm/Bv9ARM-book.xml | ||
382 | @@ -4858,6 +4858,7 @@ badresp:1,adberr:0,findfail:0,valfail:0] | ||
383 | <optional> use-queryport-pool <replaceable>yes_or_no</replaceable>; </optional> | ||
384 | <optional> queryport-pool-ports <replaceable>number</replaceable>; </optional> | ||
385 | <optional> queryport-pool-updateinterval <replaceable>number</replaceable>; </optional> | ||
386 | + <optional> max-records <replaceable>number</replaceable>; </optional> | ||
387 | <optional> max-transfer-time-in <replaceable>number</replaceable>; </optional> | ||
388 | <optional> max-transfer-time-out <replaceable>number</replaceable>; </optional> | ||
389 | <optional> max-transfer-idle-in <replaceable>number</replaceable>; </optional> | ||
390 | @@ -8164,6 +8165,16 @@ avoid-v6-udp-ports { 40000; range 50000 60000; }; | ||
391 | </varlistentry> | ||
392 | |||
393 | <varlistentry> | ||
394 | + <term><command>max-records</command></term> | ||
395 | + <listitem> | ||
396 | + <para> | ||
397 | + The maximum number of records permitted in a zone. | ||
398 | + The default is zero which means unlimited. | ||
399 | + </para> | ||
400 | + </listitem> | ||
401 | + </varlistentry> | ||
402 | + | ||
403 | + <varlistentry> | ||
404 | <term><command>host-statistics-max</command></term> | ||
405 | <listitem> | ||
406 | <para> | ||
407 | @@ -12056,6 +12067,16 @@ zone <replaceable>zone_name</replaceable> <optional><replaceable>class</replacea | ||
408 | </varlistentry> | ||
409 | |||
410 | <varlistentry> | ||
411 | + <term><command>max-records</command></term> | ||
412 | + <listitem> | ||
413 | + <para> | ||
414 | + See the description of | ||
415 | + <command>max-records</command> in <xref linkend="server_resource_limits"/>. | ||
416 | + </para> | ||
417 | + </listitem> | ||
418 | + </varlistentry> | ||
419 | + | ||
420 | + <varlistentry> | ||
421 | <term><command>max-transfer-time-in</command></term> | ||
422 | <listitem> | ||
423 | <para> | ||
424 | diff --git a/doc/arm/notes.xml b/doc/arm/notes.xml | ||
425 | index 095eb5b..36495e7 100644 | ||
426 | --- a/doc/arm/notes.xml | ||
427 | +++ b/doc/arm/notes.xml | ||
428 | @@ -52,6 +52,15 @@ | ||
429 | <itemizedlist> | ||
430 | <listitem> | ||
431 | <para> | ||
432 | + Added the ability to specify the maximum number of records | ||
433 | + permitted in a zone (max-records #;). This provides a mechanism | ||
434 | + to block overly large zone transfers, which is a potential risk | ||
435 | + with slave zones from other parties, as described in CVE-2016-6170. | ||
436 | + [RT #42143] | ||
437 | + </para> | ||
438 | + </listitem> | ||
439 | + <listitem> | ||
440 | + <para> | ||
441 | Duplicate EDNS COOKIE options in a response could trigger | ||
442 | an assertion failure. This flaw is disclosed in CVE-2016-2088. | ||
443 | [RT #41809] | ||
444 | diff --git a/lib/bind9/check.c b/lib/bind9/check.c | ||
445 | index b8c05dd..edb7534 100644 | ||
446 | --- a/lib/bind9/check.c | ||
447 | +++ b/lib/bind9/check.c | ||
448 | @@ -1510,6 +1510,8 @@ check_zoneconf(const cfg_obj_t *zconfig, const cfg_obj_t *voptions, | ||
449 | REDIRECTZONE }, | ||
450 | { "masters", SLAVEZONE | STUBZONE | REDIRECTZONE }, | ||
451 | { "max-ixfr-log-size", MASTERZONE | SLAVEZONE | STREDIRECTZONE }, | ||
452 | + { "max-records", MASTERZONE | SLAVEZONE | STUBZONE | STREDIRECTZONE | | ||
453 | + STATICSTUBZONE | REDIRECTZONE }, | ||
454 | { "max-refresh-time", SLAVEZONE | STUBZONE | STREDIRECTZONE }, | ||
455 | { "max-retry-time", SLAVEZONE | STUBZONE | STREDIRECTZONE }, | ||
456 | { "max-transfer-idle-in", SLAVEZONE | STUBZONE | STREDIRECTZONE }, | ||
457 | diff --git a/lib/dns/db.c b/lib/dns/db.c | ||
458 | index 7e4f357..ced94a5 100644 | ||
459 | --- a/lib/dns/db.c | ||
460 | +++ b/lib/dns/db.c | ||
461 | @@ -999,6 +999,19 @@ dns_db_getnsec3parameters(dns_db_t *db, dns_dbversion_t *version, | ||
462 | } | ||
463 | |||
464 | isc_result_t | ||
465 | +dns_db_getsize(dns_db_t *db, dns_dbversion_t *version, isc_uint64_t *records, | ||
466 | + isc_uint64_t *bytes) | ||
467 | +{ | ||
468 | + REQUIRE(DNS_DB_VALID(db)); | ||
469 | + REQUIRE(dns_db_iszone(db) == ISC_TRUE); | ||
470 | + | ||
471 | + if (db->methods->getsize != NULL) | ||
472 | + return ((db->methods->getsize)(db, version, records, bytes)); | ||
473 | + | ||
474 | + return (ISC_R_NOTFOUND); | ||
475 | +} | ||
476 | + | ||
477 | +isc_result_t | ||
478 | dns_db_setsigningtime(dns_db_t *db, dns_rdataset_t *rdataset, | ||
479 | isc_stdtime_t resign) | ||
480 | { | ||
481 | diff --git a/lib/dns/ecdb.c b/lib/dns/ecdb.c | ||
482 | index 553a339..b5d04d2 100644 | ||
483 | --- a/lib/dns/ecdb.c | ||
484 | +++ b/lib/dns/ecdb.c | ||
485 | @@ -587,7 +587,8 @@ static dns_dbmethods_t ecdb_methods = { | ||
486 | NULL, /* findnodeext */ | ||
487 | NULL, /* findext */ | ||
488 | NULL, /* setcachestats */ | ||
489 | - NULL /* hashsize */ | ||
490 | + NULL, /* hashsize */ | ||
491 | + NULL /* getsize */ | ||
492 | }; | ||
493 | |||
494 | static isc_result_t | ||
495 | diff --git a/lib/dns/include/dns/db.h b/lib/dns/include/dns/db.h | ||
496 | index a4a4482..aff42d6 100644 | ||
497 | --- a/lib/dns/include/dns/db.h | ||
498 | +++ b/lib/dns/include/dns/db.h | ||
499 | @@ -195,6 +195,8 @@ typedef struct dns_dbmethods { | ||
500 | dns_rdataset_t *sigrdataset); | ||
501 | isc_result_t (*setcachestats)(dns_db_t *db, isc_stats_t *stats); | ||
502 | unsigned int (*hashsize)(dns_db_t *db); | ||
503 | + isc_result_t (*getsize)(dns_db_t *db, dns_dbversion_t *version, | ||
504 | + isc_uint64_t *records, isc_uint64_t *bytes); | ||
505 | } dns_dbmethods_t; | ||
506 | |||
507 | typedef isc_result_t | ||
508 | @@ -1485,6 +1487,24 @@ dns_db_getnsec3parameters(dns_db_t *db, dns_dbversion_t *version, | ||
509 | */ | ||
510 | |||
511 | isc_result_t | ||
512 | +dns_db_getsize(dns_db_t *db, dns_dbversion_t *version, isc_uint64_t *records, | ||
513 | + isc_uint64_t *bytes); | ||
514 | +/*%< | ||
515 | + * Get the number of records in the given version of the database as well | ||
516 | + * as the number bytes used to store those records. | ||
517 | + * | ||
518 | + * Requires: | ||
519 | + * \li 'db' is a valid zone database. | ||
520 | + * \li 'version' is NULL or a valid version. | ||
521 | + * \li 'records' is NULL or a pointer to return the record count in. | ||
522 | + * \li 'bytes' is NULL or a pointer to return the byte count in. | ||
523 | + * | ||
524 | + * Returns: | ||
525 | + * \li #ISC_R_SUCCESS | ||
526 | + * \li #ISC_R_NOTIMPLEMENTED | ||
527 | + */ | ||
528 | + | ||
529 | +isc_result_t | ||
530 | dns_db_findnsec3node(dns_db_t *db, dns_name_t *name, | ||
531 | isc_boolean_t create, dns_dbnode_t **nodep); | ||
532 | /*%< | ||
533 | diff --git a/lib/dns/include/dns/rdataslab.h b/lib/dns/include/dns/rdataslab.h | ||
534 | index 3ac44b8..2e1e759 100644 | ||
535 | --- a/lib/dns/include/dns/rdataslab.h | ||
536 | +++ b/lib/dns/include/dns/rdataslab.h | ||
537 | @@ -104,6 +104,7 @@ dns_rdataslab_tordataset(unsigned char *slab, unsigned int reservelen, | ||
538 | * Ensures: | ||
539 | *\li 'rdataset' is associated and points to a valid rdataest. | ||
540 | */ | ||
541 | + | ||
542 | unsigned int | ||
543 | dns_rdataslab_size(unsigned char *slab, unsigned int reservelen); | ||
544 | /*%< | ||
545 | @@ -116,6 +117,18 @@ dns_rdataslab_size(unsigned char *slab, unsigned int reservelen); | ||
546 | *\li The number of bytes in the slab, including the reservelen. | ||
547 | */ | ||
548 | |||
549 | +unsigned int | ||
550 | +dns_rdataslab_count(unsigned char *slab, unsigned int reservelen); | ||
551 | +/*%< | ||
552 | + * Return the number of records in the rdataslab | ||
553 | + * | ||
554 | + * Requires: | ||
555 | + *\li 'slab' points to a slab. | ||
556 | + * | ||
557 | + * Returns: | ||
558 | + *\li The number of records in the slab. | ||
559 | + */ | ||
560 | + | ||
561 | isc_result_t | ||
562 | dns_rdataslab_merge(unsigned char *oslab, unsigned char *nslab, | ||
563 | unsigned int reservelen, isc_mem_t *mctx, | ||
564 | diff --git a/lib/dns/include/dns/result.h b/lib/dns/include/dns/result.h | ||
565 | index 7d11c2b..93d1fd5 100644 | ||
566 | --- a/lib/dns/include/dns/result.h | ||
567 | +++ b/lib/dns/include/dns/result.h | ||
568 | @@ -157,8 +157,12 @@ | ||
569 | #define DNS_R_BADCDS (ISC_RESULTCLASS_DNS + 111) | ||
570 | #define DNS_R_BADCDNSKEY (ISC_RESULTCLASS_DNS + 112) | ||
571 | #define DNS_R_OPTERR (ISC_RESULTCLASS_DNS + 113) | ||
572 | +#define DNS_R_BADDNSTAP (ISC_RESULTCLASS_DNS + 114) | ||
573 | +#define DNS_R_BADTSIG (ISC_RESULTCLASS_DNS + 115) | ||
574 | +#define DNS_R_BADSIG0 (ISC_RESULTCLASS_DNS + 116) | ||
575 | +#define DNS_R_TOOMANYRECORDS (ISC_RESULTCLASS_DNS + 117) | ||
576 | |||
577 | -#define DNS_R_NRESULTS 114 /*%< Number of results */ | ||
578 | +#define DNS_R_NRESULTS 118 /*%< Number of results */ | ||
579 | |||
580 | /* | ||
581 | * DNS wire format rcodes. | ||
582 | diff --git a/lib/dns/include/dns/zone.h b/lib/dns/include/dns/zone.h | ||
583 | index a9367f1..227540b 100644 | ||
584 | --- a/lib/dns/include/dns/zone.h | ||
585 | +++ b/lib/dns/include/dns/zone.h | ||
586 | @@ -296,6 +296,32 @@ dns_zone_getfile(dns_zone_t *zone); | ||
587 | */ | ||
588 | |||
589 | void | ||
590 | +dns_zone_setmaxrecords(dns_zone_t *zone, isc_uint32_t records); | ||
591 | +/*%< | ||
592 | + * Sets the maximim number of records permitted in a zone. | ||
593 | + * 0 implies unlimited. | ||
594 | + * | ||
595 | + * Requires: | ||
596 | + *\li 'zone' to be valid initialised zone. | ||
597 | + * | ||
598 | + * Returns: | ||
599 | + *\li void | ||
600 | + */ | ||
601 | + | ||
602 | +isc_uint32_t | ||
603 | +dns_zone_getmaxrecords(dns_zone_t *zone); | ||
604 | +/*%< | ||
605 | + * Gets the maximim number of records permitted in a zone. | ||
606 | + * 0 implies unlimited. | ||
607 | + * | ||
608 | + * Requires: | ||
609 | + *\li 'zone' to be valid initialised zone. | ||
610 | + * | ||
611 | + * Returns: | ||
612 | + *\li isc_uint32_t maxrecords. | ||
613 | + */ | ||
614 | + | ||
615 | +void | ||
616 | dns_zone_setmaxttl(dns_zone_t *zone, isc_uint32_t maxttl); | ||
617 | /*%< | ||
618 | * Sets the max ttl of the zone. | ||
619 | @@ -316,7 +342,7 @@ dns_zone_getmaxttl(dns_zone_t *zone); | ||
620 | *\li 'zone' to be valid initialised zone. | ||
621 | * | ||
622 | * Returns: | ||
623 | - *\li isc_uint32_t maxttl. | ||
624 | + *\li dns_ttl_t maxttl. | ||
625 | */ | ||
626 | |||
627 | isc_result_t | ||
628 | diff --git a/lib/dns/rbtdb.c b/lib/dns/rbtdb.c | ||
629 | index 62becfc..72d722f 100644 | ||
630 | --- a/lib/dns/rbtdb.c | ||
631 | +++ b/lib/dns/rbtdb.c | ||
632 | @@ -209,6 +209,7 @@ typedef isc_uint64_t rbtdb_serial_t; | ||
633 | #define free_rbtdb_callback free_rbtdb_callback64 | ||
634 | #define free_rdataset free_rdataset64 | ||
635 | #define getnsec3parameters getnsec3parameters64 | ||
636 | +#define getsize getsize64 | ||
637 | #define getoriginnode getoriginnode64 | ||
638 | #define getrrsetstats getrrsetstats64 | ||
639 | #define getsigningtime getsigningtime64 | ||
640 | @@ -589,6 +590,13 @@ typedef struct rbtdb_version { | ||
641 | isc_uint16_t iterations; | ||
642 | isc_uint8_t salt_length; | ||
643 | unsigned char salt[DNS_NSEC3_SALTSIZE]; | ||
644 | + | ||
645 | + /* | ||
646 | + * records and bytes are covered by rwlock. | ||
647 | + */ | ||
648 | + isc_rwlock_t rwlock; | ||
649 | + isc_uint64_t records; | ||
650 | + isc_uint64_t bytes; | ||
651 | } rbtdb_version_t; | ||
652 | |||
653 | typedef ISC_LIST(rbtdb_version_t) rbtdb_versionlist_t; | ||
654 | @@ -1130,6 +1138,7 @@ free_rbtdb(dns_rbtdb_t *rbtdb, isc_boolean_t log, isc_event_t *event) { | ||
655 | INSIST(refs == 0); | ||
656 | UNLINK(rbtdb->open_versions, rbtdb->current_version, link); | ||
657 | isc_refcount_destroy(&rbtdb->current_version->references); | ||
658 | + isc_rwlock_destroy(&rbtdb->current_version->rwlock); | ||
659 | isc_mem_put(rbtdb->common.mctx, rbtdb->current_version, | ||
660 | sizeof(rbtdb_version_t)); | ||
661 | } | ||
662 | @@ -1383,6 +1392,7 @@ allocate_version(isc_mem_t *mctx, rbtdb_serial_t serial, | ||
663 | |||
664 | static isc_result_t | ||
665 | newversion(dns_db_t *db, dns_dbversion_t **versionp) { | ||
666 | + isc_result_t result; | ||
667 | dns_rbtdb_t *rbtdb = (dns_rbtdb_t *)db; | ||
668 | rbtdb_version_t *version; | ||
669 | |||
670 | @@ -1415,13 +1425,28 @@ newversion(dns_db_t *db, dns_dbversion_t **versionp) { | ||
671 | version->salt_length = 0; | ||
672 | memset(version->salt, 0, sizeof(version->salt)); | ||
673 | } | ||
674 | - rbtdb->next_serial++; | ||
675 | - rbtdb->future_version = version; | ||
676 | - } | ||
677 | + result = isc_rwlock_init(&version->rwlock, 0, 0); | ||
678 | + if (result != ISC_R_SUCCESS) { | ||
679 | + isc_refcount_destroy(&version->references); | ||
680 | + isc_mem_put(rbtdb->common.mctx, version, | ||
681 | + sizeof(*version)); | ||
682 | + version = NULL; | ||
683 | + } else { | ||
684 | + RWLOCK(&rbtdb->current_version->rwlock, | ||
685 | + isc_rwlocktype_read); | ||
686 | + version->records = rbtdb->current_version->records; | ||
687 | + version->bytes = rbtdb->current_version->bytes; | ||
688 | + RWUNLOCK(&rbtdb->current_version->rwlock, | ||
689 | + isc_rwlocktype_read); | ||
690 | + rbtdb->next_serial++; | ||
691 | + rbtdb->future_version = version; | ||
692 | + } | ||
693 | + } else | ||
694 | + result = ISC_R_NOMEMORY; | ||
695 | RBTDB_UNLOCK(&rbtdb->lock, isc_rwlocktype_write); | ||
696 | |||
697 | if (version == NULL) | ||
698 | - return (ISC_R_NOMEMORY); | ||
699 | + return (result); | ||
700 | |||
701 | *versionp = version; | ||
702 | |||
703 | @@ -2681,6 +2706,7 @@ closeversion(dns_db_t *db, dns_dbversion_t **versionp, isc_boolean_t commit) { | ||
704 | |||
705 | if (cleanup_version != NULL) { | ||
706 | INSIST(EMPTY(cleanup_version->changed_list)); | ||
707 | + isc_rwlock_destroy(&cleanup_version->rwlock); | ||
708 | isc_mem_put(rbtdb->common.mctx, cleanup_version, | ||
709 | sizeof(*cleanup_version)); | ||
710 | } | ||
711 | @@ -6254,6 +6280,26 @@ add32(dns_rbtdb_t *rbtdb, dns_rbtnode_t *rbtnode, rbtdb_version_t *rbtversion, | ||
712 | else | ||
713 | rbtnode->data = newheader; | ||
714 | newheader->next = topheader->next; | ||
715 | + if (rbtversion != NULL) | ||
716 | + RWLOCK(&rbtversion->rwlock, isc_rwlocktype_write); | ||
717 | + if (rbtversion != NULL && !header_nx) { | ||
718 | + rbtversion->records -= | ||
719 | + dns_rdataslab_count((unsigned char *)header, | ||
720 | + sizeof(*header)); | ||
721 | + rbtversion->bytes -= | ||
722 | + dns_rdataslab_size((unsigned char *)header, | ||
723 | + sizeof(*header)); | ||
724 | + } | ||
725 | + if (rbtversion != NULL && !newheader_nx) { | ||
726 | + rbtversion->records += | ||
727 | + dns_rdataslab_count((unsigned char *)newheader, | ||
728 | + sizeof(*newheader)); | ||
729 | + rbtversion->bytes += | ||
730 | + dns_rdataslab_size((unsigned char *)newheader, | ||
731 | + sizeof(*newheader)); | ||
732 | + } | ||
733 | + if (rbtversion != NULL) | ||
734 | + RWUNLOCK(&rbtversion->rwlock, isc_rwlocktype_write); | ||
735 | if (loading) { | ||
736 | /* | ||
737 | * There are no other references to 'header' when | ||
738 | @@ -6355,6 +6401,16 @@ add32(dns_rbtdb_t *rbtdb, dns_rbtnode_t *rbtnode, rbtdb_version_t *rbtversion, | ||
739 | newheader->down = NULL; | ||
740 | rbtnode->data = newheader; | ||
741 | } | ||
742 | + if (rbtversion != NULL && !newheader_nx) { | ||
743 | + RWLOCK(&rbtversion->rwlock, isc_rwlocktype_write); | ||
744 | + rbtversion->records += | ||
745 | + dns_rdataslab_count((unsigned char *)newheader, | ||
746 | + sizeof(*newheader)); | ||
747 | + rbtversion->bytes += | ||
748 | + dns_rdataslab_size((unsigned char *)newheader, | ||
749 | + sizeof(*newheader)); | ||
750 | + RWUNLOCK(&rbtversion->rwlock, isc_rwlocktype_write); | ||
751 | + } | ||
752 | idx = newheader->node->locknum; | ||
753 | if (IS_CACHE(rbtdb)) { | ||
754 | ISC_LIST_PREPEND(rbtdb->rdatasets[idx], | ||
755 | @@ -6811,6 +6867,12 @@ subtractrdataset(dns_db_t *db, dns_dbnode_t *node, dns_dbversion_t *version, | ||
756 | */ | ||
757 | newheader->additional_auth = NULL; | ||
758 | newheader->additional_glue = NULL; | ||
759 | + rbtversion->records += | ||
760 | + dns_rdataslab_count((unsigned char *)newheader, | ||
761 | + sizeof(*newheader)); | ||
762 | + rbtversion->bytes += | ||
763 | + dns_rdataslab_size((unsigned char *)newheader, | ||
764 | + sizeof(*newheader)); | ||
765 | } else if (result == DNS_R_NXRRSET) { | ||
766 | /* | ||
767 | * This subtraction would remove all of the rdata; | ||
768 | @@ -6846,6 +6908,12 @@ subtractrdataset(dns_db_t *db, dns_dbnode_t *node, dns_dbversion_t *version, | ||
769 | * topheader. | ||
770 | */ | ||
771 | INSIST(rbtversion->serial >= topheader->serial); | ||
772 | + rbtversion->records -= | ||
773 | + dns_rdataslab_count((unsigned char *)header, | ||
774 | + sizeof(*header)); | ||
775 | + rbtversion->bytes -= | ||
776 | + dns_rdataslab_size((unsigned char *)header, | ||
777 | + sizeof(*header)); | ||
778 | if (topheader_prev != NULL) | ||
779 | topheader_prev->next = newheader; | ||
780 | else | ||
781 | @@ -7172,6 +7240,7 @@ rbt_datafixer(dns_rbtnode_t *rbtnode, void *base, size_t filesize, | ||
782 | unsigned char *limit = ((unsigned char *) base) + filesize; | ||
783 | unsigned char *p; | ||
784 | size_t size; | ||
785 | + unsigned int count; | ||
786 | |||
787 | REQUIRE(rbtnode != NULL); | ||
788 | |||
789 | @@ -7179,6 +7248,9 @@ rbt_datafixer(dns_rbtnode_t *rbtnode, void *base, size_t filesize, | ||
790 | p = (unsigned char *) header; | ||
791 | |||
792 | size = dns_rdataslab_size(p, sizeof(*header)); | ||
793 | + count = dns_rdataslab_count(p, sizeof(*header));; | ||
794 | + rbtdb->current_version->records += count; | ||
795 | + rbtdb->current_version->bytes += size; | ||
796 | isc_crc64_update(crc, p, size); | ||
797 | #ifdef DEBUG | ||
798 | hexdump("hashing header", p, sizeof(rdatasetheader_t)); | ||
799 | @@ -7777,6 +7849,33 @@ getnsec3parameters(dns_db_t *db, dns_dbversion_t *version, dns_hash_t *hash, | ||
800 | } | ||
801 | |||
802 | static isc_result_t | ||
803 | +getsize(dns_db_t *db, dns_dbversion_t *version, isc_uint64_t *records, | ||
804 | + isc_uint64_t *bytes) | ||
805 | +{ | ||
806 | + dns_rbtdb_t *rbtdb; | ||
807 | + isc_result_t result = ISC_R_SUCCESS; | ||
808 | + rbtdb_version_t *rbtversion = version; | ||
809 | + | ||
810 | + rbtdb = (dns_rbtdb_t *)db; | ||
811 | + | ||
812 | + REQUIRE(VALID_RBTDB(rbtdb)); | ||
813 | + INSIST(rbtversion == NULL || rbtversion->rbtdb == rbtdb); | ||
814 | + | ||
815 | + if (rbtversion == NULL) | ||
816 | + rbtversion = rbtdb->current_version; | ||
817 | + | ||
818 | + RWLOCK(&rbtversion->rwlock, isc_rwlocktype_read); | ||
819 | + if (records != NULL) | ||
820 | + *records = rbtversion->records; | ||
821 | + | ||
822 | + if (bytes != NULL) | ||
823 | + *bytes = rbtversion->bytes; | ||
824 | + RWUNLOCK(&rbtversion->rwlock, isc_rwlocktype_read); | ||
825 | + | ||
826 | + return (result); | ||
827 | +} | ||
828 | + | ||
829 | +static isc_result_t | ||
830 | setsigningtime(dns_db_t *db, dns_rdataset_t *rdataset, isc_stdtime_t resign) { | ||
831 | dns_rbtdb_t *rbtdb = (dns_rbtdb_t *)db; | ||
832 | isc_stdtime_t oldresign; | ||
833 | @@ -7972,7 +8071,8 @@ static dns_dbmethods_t zone_methods = { | ||
834 | NULL, | ||
835 | NULL, | ||
836 | NULL, | ||
837 | - hashsize | ||
838 | + hashsize, | ||
839 | + getsize | ||
840 | }; | ||
841 | |||
842 | static dns_dbmethods_t cache_methods = { | ||
843 | @@ -8018,7 +8118,8 @@ static dns_dbmethods_t cache_methods = { | ||
844 | NULL, | ||
845 | NULL, | ||
846 | setcachestats, | ||
847 | - hashsize | ||
848 | + hashsize, | ||
849 | + NULL | ||
850 | }; | ||
851 | |||
852 | isc_result_t | ||
853 | @@ -8310,6 +8411,20 @@ dns_rbtdb_create | ||
854 | rbtdb->current_version->salt_length = 0; | ||
855 | memset(rbtdb->current_version->salt, 0, | ||
856 | sizeof(rbtdb->current_version->salt)); | ||
857 | + result = isc_rwlock_init(&rbtdb->current_version->rwlock, 0, 0); | ||
858 | + if (result != ISC_R_SUCCESS) { | ||
859 | + isc_refcount_destroy(&rbtdb->current_version->references); | ||
860 | + isc_mem_put(mctx, rbtdb->current_version, | ||
861 | + sizeof(*rbtdb->current_version)); | ||
862 | + rbtdb->current_version = NULL; | ||
863 | + isc_refcount_decrement(&rbtdb->references, NULL); | ||
864 | + isc_refcount_destroy(&rbtdb->references); | ||
865 | + free_rbtdb(rbtdb, ISC_FALSE, NULL); | ||
866 | + return (result); | ||
867 | + } | ||
868 | + | ||
869 | + rbtdb->current_version->records = 0; | ||
870 | + rbtdb->current_version->bytes = 0; | ||
871 | rbtdb->future_version = NULL; | ||
872 | ISC_LIST_INIT(rbtdb->open_versions); | ||
873 | /* | ||
874 | diff --git a/lib/dns/rdataslab.c b/lib/dns/rdataslab.c | ||
875 | index e29dc84..63e3728 100644 | ||
876 | --- a/lib/dns/rdataslab.c | ||
877 | +++ b/lib/dns/rdataslab.c | ||
878 | @@ -523,6 +523,19 @@ dns_rdataslab_size(unsigned char *slab, unsigned int reservelen) { | ||
879 | return ((unsigned int)(current - slab)); | ||
880 | } | ||
881 | |||
882 | +unsigned int | ||
883 | +dns_rdataslab_count(unsigned char *slab, unsigned int reservelen) { | ||
884 | + unsigned int count; | ||
885 | + unsigned char *current; | ||
886 | + | ||
887 | + REQUIRE(slab != NULL); | ||
888 | + | ||
889 | + current = slab + reservelen; | ||
890 | + count = *current++ * 256; | ||
891 | + count += *current++; | ||
892 | + return (count); | ||
893 | +} | ||
894 | + | ||
895 | /* | ||
896 | * Make the dns_rdata_t 'rdata' refer to the slab item | ||
897 | * beginning at '*current', which is part of a slab of type | ||
898 | diff --git a/lib/dns/result.c b/lib/dns/result.c | ||
899 | index 7be4f57..a621909 100644 | ||
900 | --- a/lib/dns/result.c | ||
901 | +++ b/lib/dns/result.c | ||
902 | @@ -167,11 +167,16 @@ static const char *text[DNS_R_NRESULTS] = { | ||
903 | "covered by negative trust anchor", /*%< 110 DNS_R_NTACOVERED */ | ||
904 | "bad CDS", /*%< 111 DNS_R_BADCSD */ | ||
905 | "bad CDNSKEY", /*%< 112 DNS_R_BADCDNSKEY */ | ||
906 | - "malformed OPT option" /*%< 113 DNS_R_OPTERR */ | ||
907 | + "malformed OPT option", /*%< 113 DNS_R_OPTERR */ | ||
908 | + "malformed DNSTAP data", /*%< 114 DNS_R_BADDNSTAP */ | ||
909 | + | ||
910 | + "TSIG in wrong location", /*%< 115 DNS_R_BADTSIG */ | ||
911 | + "SIG(0) in wrong location", /*%< 116 DNS_R_BADSIG0 */ | ||
912 | + "too many records", /*%< 117 DNS_R_TOOMANYRECORDS */ | ||
913 | }; | ||
914 | |||
915 | static const char *rcode_text[DNS_R_NRCODERESULTS] = { | ||
916 | - "NOERROR", /*%< 0 DNS_R_NOEROR */ | ||
917 | + "NOERROR", /*%< 0 DNS_R_NOERROR */ | ||
918 | "FORMERR", /*%< 1 DNS_R_FORMERR */ | ||
919 | "SERVFAIL", /*%< 2 DNS_R_SERVFAIL */ | ||
920 | "NXDOMAIN", /*%< 3 DNS_R_NXDOMAIN */ | ||
921 | diff --git a/lib/dns/sdb.c b/lib/dns/sdb.c | ||
922 | index abfeeb0..19397e0 100644 | ||
923 | --- a/lib/dns/sdb.c | ||
924 | +++ b/lib/dns/sdb.c | ||
925 | @@ -1298,7 +1298,8 @@ static dns_dbmethods_t sdb_methods = { | ||
926 | findnodeext, | ||
927 | findext, | ||
928 | NULL, /* setcachestats */ | ||
929 | - NULL /* hashsize */ | ||
930 | + NULL, /* hashsize */ | ||
931 | + NULL /* getsize */ | ||
932 | }; | ||
933 | |||
934 | static isc_result_t | ||
935 | diff --git a/lib/dns/sdlz.c b/lib/dns/sdlz.c | ||
936 | index b1198a4..0e3163d 100644 | ||
937 | --- a/lib/dns/sdlz.c | ||
938 | +++ b/lib/dns/sdlz.c | ||
939 | @@ -1269,7 +1269,8 @@ static dns_dbmethods_t sdlzdb_methods = { | ||
940 | findnodeext, | ||
941 | findext, | ||
942 | NULL, /* setcachestats */ | ||
943 | - NULL /* hashsize */ | ||
944 | + NULL, /* hashsize */ | ||
945 | + NULL /* getsize */ | ||
946 | }; | ||
947 | |||
948 | /* | ||
949 | diff --git a/lib/dns/xfrin.c b/lib/dns/xfrin.c | ||
950 | index 2a6c1b4..ac566e1 100644 | ||
951 | --- a/lib/dns/xfrin.c | ||
952 | +++ b/lib/dns/xfrin.c | ||
953 | @@ -149,6 +149,9 @@ struct dns_xfrin_ctx { | ||
954 | unsigned int nrecs; /*%< Number of records recvd */ | ||
955 | isc_uint64_t nbytes; /*%< Number of bytes received */ | ||
956 | |||
957 | + unsigned int maxrecords; /*%< The maximum number of | ||
958 | + records set for the zone */ | ||
959 | + | ||
960 | isc_time_t start; /*%< Start time of the transfer */ | ||
961 | isc_time_t end; /*%< End time of the transfer */ | ||
962 | |||
963 | @@ -309,10 +312,18 @@ axfr_putdata(dns_xfrin_ctx_t *xfr, dns_diffop_t op, | ||
964 | static isc_result_t | ||
965 | axfr_apply(dns_xfrin_ctx_t *xfr) { | ||
966 | isc_result_t result; | ||
967 | + isc_uint64_t records; | ||
968 | |||
969 | CHECK(dns_diff_load(&xfr->diff, xfr->axfr.add, xfr->axfr.add_private)); | ||
970 | xfr->difflen = 0; | ||
971 | dns_diff_clear(&xfr->diff); | ||
972 | + if (xfr->maxrecords != 0U) { | ||
973 | + result = dns_db_getsize(xfr->db, xfr->ver, &records, NULL); | ||
974 | + if (result == ISC_R_SUCCESS && records > xfr->maxrecords) { | ||
975 | + result = DNS_R_TOOMANYRECORDS; | ||
976 | + goto failure; | ||
977 | + } | ||
978 | + } | ||
979 | result = ISC_R_SUCCESS; | ||
980 | failure: | ||
981 | return (result); | ||
982 | @@ -396,6 +407,7 @@ ixfr_putdata(dns_xfrin_ctx_t *xfr, dns_diffop_t op, | ||
983 | static isc_result_t | ||
984 | ixfr_apply(dns_xfrin_ctx_t *xfr) { | ||
985 | isc_result_t result; | ||
986 | + isc_uint64_t records; | ||
987 | |||
988 | if (xfr->ver == NULL) { | ||
989 | CHECK(dns_db_newversion(xfr->db, &xfr->ver)); | ||
990 | @@ -403,6 +415,13 @@ ixfr_apply(dns_xfrin_ctx_t *xfr) { | ||
991 | CHECK(dns_journal_begin_transaction(xfr->ixfr.journal)); | ||
992 | } | ||
993 | CHECK(dns_diff_apply(&xfr->diff, xfr->db, xfr->ver)); | ||
994 | + if (xfr->maxrecords != 0U) { | ||
995 | + result = dns_db_getsize(xfr->db, xfr->ver, &records, NULL); | ||
996 | + if (result == ISC_R_SUCCESS && records > xfr->maxrecords) { | ||
997 | + result = DNS_R_TOOMANYRECORDS; | ||
998 | + goto failure; | ||
999 | + } | ||
1000 | + } | ||
1001 | if (xfr->ixfr.journal != NULL) { | ||
1002 | result = dns_journal_writediff(xfr->ixfr.journal, &xfr->diff); | ||
1003 | if (result != ISC_R_SUCCESS) | ||
1004 | @@ -759,7 +778,7 @@ xfrin_reset(dns_xfrin_ctx_t *xfr) { | ||
1005 | |||
1006 | static void | ||
1007 | xfrin_fail(dns_xfrin_ctx_t *xfr, isc_result_t result, const char *msg) { | ||
1008 | - if (result != DNS_R_UPTODATE) { | ||
1009 | + if (result != DNS_R_UPTODATE && result != DNS_R_TOOMANYRECORDS) { | ||
1010 | xfrin_log(xfr, ISC_LOG_ERROR, "%s: %s", | ||
1011 | msg, isc_result_totext(result)); | ||
1012 | if (xfr->is_ixfr) | ||
1013 | @@ -852,6 +871,7 @@ xfrin_create(isc_mem_t *mctx, | ||
1014 | xfr->nmsg = 0; | ||
1015 | xfr->nrecs = 0; | ||
1016 | xfr->nbytes = 0; | ||
1017 | + xfr->maxrecords = dns_zone_getmaxrecords(zone); | ||
1018 | isc_time_now(&xfr->start); | ||
1019 | |||
1020 | xfr->tsigkey = NULL; | ||
1021 | diff --git a/lib/dns/zone.c b/lib/dns/zone.c | ||
1022 | index 90e558d..2b0d8e4 100644 | ||
1023 | --- a/lib/dns/zone.c | ||
1024 | +++ b/lib/dns/zone.c | ||
1025 | @@ -253,6 +253,8 @@ struct dns_zone { | ||
1026 | isc_uint32_t maxretry; | ||
1027 | isc_uint32_t minretry; | ||
1028 | |||
1029 | + isc_uint32_t maxrecords; | ||
1030 | + | ||
1031 | isc_sockaddr_t *masters; | ||
1032 | isc_dscp_t *masterdscps; | ||
1033 | dns_name_t **masterkeynames; | ||
1034 | @@ -10088,6 +10090,20 @@ dns_zone_setmaxretrytime(dns_zone_t *zone, isc_uint32_t val) { | ||
1035 | zone->maxretry = val; | ||
1036 | } | ||
1037 | |||
1038 | +isc_uint32_t | ||
1039 | +dns_zone_getmaxrecords(dns_zone_t *zone) { | ||
1040 | + REQUIRE(DNS_ZONE_VALID(zone)); | ||
1041 | + | ||
1042 | + return (zone->maxrecords); | ||
1043 | +} | ||
1044 | + | ||
1045 | +void | ||
1046 | +dns_zone_setmaxrecords(dns_zone_t *zone, isc_uint32_t val) { | ||
1047 | + REQUIRE(DNS_ZONE_VALID(zone)); | ||
1048 | + | ||
1049 | + zone->maxrecords = val; | ||
1050 | +} | ||
1051 | + | ||
1052 | static isc_boolean_t | ||
1053 | notify_isqueued(dns_zone_t *zone, unsigned int flags, dns_name_t *name, | ||
1054 | isc_sockaddr_t *addr, dns_tsigkey_t *key) | ||
1055 | @@ -14431,7 +14447,7 @@ zone_xfrdone(dns_zone_t *zone, isc_result_t result) { | ||
1056 | DNS_ZONE_CLRFLAG(zone, DNS_ZONEFLG_SOABEFOREAXFR); | ||
1057 | |||
1058 | TIME_NOW(&now); | ||
1059 | - switch (result) { | ||
1060 | + switch (xfrresult) { | ||
1061 | case ISC_R_SUCCESS: | ||
1062 | DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_NEEDNOTIFY); | ||
1063 | /*FALLTHROUGH*/ | ||
1064 | @@ -14558,6 +14574,11 @@ zone_xfrdone(dns_zone_t *zone, isc_result_t result) { | ||
1065 | DNS_ZONE_SETFLAG(zone, DNS_ZONEFLAG_NOIXFR); | ||
1066 | goto same_master; | ||
1067 | |||
1068 | + case DNS_R_TOOMANYRECORDS: | ||
1069 | + DNS_ZONE_JITTER_ADD(&now, zone->refresh, &zone->refreshtime); | ||
1070 | + inc_stats(zone, dns_zonestatscounter_xfrfail); | ||
1071 | + break; | ||
1072 | + | ||
1073 | default: | ||
1074 | next_master: | ||
1075 | /* | ||
1076 | diff --git a/lib/isccfg/namedconf.c b/lib/isccfg/namedconf.c | ||
1077 | index 780ab46..e7ff1cc 100644 | ||
1078 | --- a/lib/isccfg/namedconf.c | ||
1079 | +++ b/lib/isccfg/namedconf.c | ||
1080 | @@ -1679,6 +1679,7 @@ zone_clauses[] = { | ||
1081 | { "masterfile-format", &cfg_type_masterformat, 0 }, | ||
1082 | { "max-ixfr-log-size", &cfg_type_size, CFG_CLAUSEFLAG_OBSOLETE }, | ||
1083 | { "max-journal-size", &cfg_type_sizenodefault, 0 }, | ||
1084 | + { "max-records", &cfg_type_uint32, 0 }, | ||
1085 | { "max-refresh-time", &cfg_type_uint32, 0 }, | ||
1086 | { "max-retry-time", &cfg_type_uint32, 0 }, | ||
1087 | { "max-transfer-idle-in", &cfg_type_uint32, 0 }, | ||
1088 | -- | ||
1089 | 2.7.4 | ||
1090 | |||
diff --git a/meta/recipes-connectivity/bind/bind/CVE-2016-8864.patch b/meta/recipes-connectivity/bind/bind/CVE-2016-8864.patch deleted file mode 100644 index b52d6800ff..0000000000 --- a/meta/recipes-connectivity/bind/bind/CVE-2016-8864.patch +++ /dev/null | |||
@@ -1,219 +0,0 @@ | |||
1 | From c1d0599a246f646d1c22018f8fa09459270a44b8 Mon Sep 17 00:00:00 2001 | ||
2 | From: Mark Andrews <marka@isc.org> | ||
3 | Date: Fri, 21 Oct 2016 14:55:10 +1100 | ||
4 | Subject: [PATCH] 4489. [security] It was possible to trigger assertions when | ||
5 | processing a response. (CVE-2016-8864) [RT #43465] | ||
6 | |||
7 | (cherry picked from commit bd6f27f5c353133b563fe69100b2f168c129f3ca) | ||
8 | |||
9 | Upstream-Status: Backport | ||
10 | [https://source.isc.org/cgi-bin/gitweb.cgi?p=bind9.git;a=commit;h=c1d0599a246f646d1c22018f8fa09459270a44b8] | ||
11 | |||
12 | CVE: CVE-2016-8864 | ||
13 | |||
14 | Signed-off-by: Yi Zhao <yi.zhao@windriver.com> | ||
15 | --- | ||
16 | CHANGES | 3 +++ | ||
17 | lib/dns/resolver.c | 69 +++++++++++++++++++++++++++++++++++++----------------- | ||
18 | 2 files changed, 50 insertions(+), 22 deletions(-) | ||
19 | |||
20 | diff --git a/CHANGES b/CHANGES | ||
21 | index 5c8c61a..41cfce5 100644 | ||
22 | --- a/CHANGES | ||
23 | +++ b/CHANGES | ||
24 | @@ -1,3 +1,6 @@ | ||
25 | +4489. [security] It was possible to trigger assertions when processing | ||
26 | + a response. (CVE-2016-8864) [RT #43465] | ||
27 | + | ||
28 | 4467. [security] It was possible to trigger an assertion when | ||
29 | rendering a message. (CVE-2016-2776) [RT #43139] | ||
30 | |||
31 | diff --git a/lib/dns/resolver.c b/lib/dns/resolver.c | ||
32 | index ba1ae23..13c8b44 100644 | ||
33 | --- a/lib/dns/resolver.c | ||
34 | +++ b/lib/dns/resolver.c | ||
35 | @@ -612,7 +612,9 @@ valcreate(fetchctx_t *fctx, dns_adbaddrinfo_t *addrinfo, dns_name_t *name, | ||
36 | valarg->addrinfo = addrinfo; | ||
37 | |||
38 | if (!ISC_LIST_EMPTY(fctx->validators)) | ||
39 | - INSIST((valoptions & DNS_VALIDATOR_DEFER) != 0); | ||
40 | + valoptions |= DNS_VALIDATOR_DEFER; | ||
41 | + else | ||
42 | + valoptions &= ~DNS_VALIDATOR_DEFER; | ||
43 | |||
44 | result = dns_validator_create(fctx->res->view, name, type, rdataset, | ||
45 | sigrdataset, fctx->rmessage, | ||
46 | @@ -5526,13 +5528,6 @@ cache_name(fetchctx_t *fctx, dns_name_t *name, dns_adbaddrinfo_t *addrinfo, | ||
47 | rdataset, | ||
48 | sigrdataset, | ||
49 | valoptions, task); | ||
50 | - /* | ||
51 | - * Defer any further validations. | ||
52 | - * This prevents multiple validators | ||
53 | - * from manipulating fctx->rmessage | ||
54 | - * simultaneously. | ||
55 | - */ | ||
56 | - valoptions |= DNS_VALIDATOR_DEFER; | ||
57 | } | ||
58 | } else if (CHAINING(rdataset)) { | ||
59 | if (rdataset->type == dns_rdatatype_cname) | ||
60 | @@ -5647,6 +5642,11 @@ cache_name(fetchctx_t *fctx, dns_name_t *name, dns_adbaddrinfo_t *addrinfo, | ||
61 | eresult == DNS_R_NCACHENXRRSET); | ||
62 | } | ||
63 | event->result = eresult; | ||
64 | + if (adbp != NULL && *adbp != NULL) { | ||
65 | + if (anodep != NULL && *anodep != NULL) | ||
66 | + dns_db_detachnode(*adbp, anodep); | ||
67 | + dns_db_detach(adbp); | ||
68 | + } | ||
69 | dns_db_attach(fctx->cache, adbp); | ||
70 | dns_db_transfernode(fctx->cache, &node, anodep); | ||
71 | clone_results(fctx); | ||
72 | @@ -5897,6 +5897,11 @@ ncache_message(fetchctx_t *fctx, dns_adbaddrinfo_t *addrinfo, | ||
73 | fctx->attributes |= FCTX_ATTR_HAVEANSWER; | ||
74 | if (event != NULL) { | ||
75 | event->result = eresult; | ||
76 | + if (adbp != NULL && *adbp != NULL) { | ||
77 | + if (anodep != NULL && *anodep != NULL) | ||
78 | + dns_db_detachnode(*adbp, anodep); | ||
79 | + dns_db_detach(adbp); | ||
80 | + } | ||
81 | dns_db_attach(fctx->cache, adbp); | ||
82 | dns_db_transfernode(fctx->cache, &node, anodep); | ||
83 | clone_results(fctx); | ||
84 | @@ -6718,13 +6723,15 @@ static isc_result_t | ||
85 | answer_response(fetchctx_t *fctx) { | ||
86 | isc_result_t result; | ||
87 | dns_message_t *message; | ||
88 | - dns_name_t *name, *dname, *qname, tname, *ns_name; | ||
89 | + dns_name_t *name, *dname = NULL, *qname, *dqname, tname, *ns_name; | ||
90 | + dns_name_t *cname = NULL; | ||
91 | dns_rdataset_t *rdataset, *ns_rdataset; | ||
92 | isc_boolean_t done, external, chaining, aa, found, want_chaining; | ||
93 | - isc_boolean_t have_answer, found_cname, found_type, wanted_chaining; | ||
94 | + isc_boolean_t have_answer, found_cname, found_dname, found_type; | ||
95 | + isc_boolean_t wanted_chaining; | ||
96 | unsigned int aflag; | ||
97 | dns_rdatatype_t type; | ||
98 | - dns_fixedname_t fdname, fqname; | ||
99 | + dns_fixedname_t fdname, fqname, fqdname; | ||
100 | dns_view_t *view; | ||
101 | |||
102 | FCTXTRACE("answer_response"); | ||
103 | @@ -6738,6 +6745,7 @@ answer_response(fetchctx_t *fctx) { | ||
104 | |||
105 | done = ISC_FALSE; | ||
106 | found_cname = ISC_FALSE; | ||
107 | + found_dname = ISC_FALSE; | ||
108 | found_type = ISC_FALSE; | ||
109 | chaining = ISC_FALSE; | ||
110 | have_answer = ISC_FALSE; | ||
111 | @@ -6747,12 +6755,13 @@ answer_response(fetchctx_t *fctx) { | ||
112 | aa = ISC_TRUE; | ||
113 | else | ||
114 | aa = ISC_FALSE; | ||
115 | - qname = &fctx->name; | ||
116 | + dqname = qname = &fctx->name; | ||
117 | type = fctx->type; | ||
118 | view = fctx->res->view; | ||
119 | + dns_fixedname_init(&fqdname); | ||
120 | result = dns_message_firstname(message, DNS_SECTION_ANSWER); | ||
121 | while (!done && result == ISC_R_SUCCESS) { | ||
122 | - dns_namereln_t namereln; | ||
123 | + dns_namereln_t namereln, dnamereln; | ||
124 | int order; | ||
125 | unsigned int nlabels; | ||
126 | |||
127 | @@ -6760,6 +6769,8 @@ answer_response(fetchctx_t *fctx) { | ||
128 | dns_message_currentname(message, DNS_SECTION_ANSWER, &name); | ||
129 | external = ISC_TF(!dns_name_issubdomain(name, &fctx->domain)); | ||
130 | namereln = dns_name_fullcompare(qname, name, &order, &nlabels); | ||
131 | + dnamereln = dns_name_fullcompare(dqname, name, &order, | ||
132 | + &nlabels); | ||
133 | if (namereln == dns_namereln_equal) { | ||
134 | wanted_chaining = ISC_FALSE; | ||
135 | for (rdataset = ISC_LIST_HEAD(name->list); | ||
136 | @@ -6854,7 +6865,7 @@ answer_response(fetchctx_t *fctx) { | ||
137 | } | ||
138 | } else if (rdataset->type == dns_rdatatype_rrsig | ||
139 | && rdataset->covers == | ||
140 | - dns_rdatatype_cname | ||
141 | + dns_rdatatype_cname | ||
142 | && !found_type) { | ||
143 | /* | ||
144 | * We're looking for something else, | ||
145 | @@ -6884,11 +6895,18 @@ answer_response(fetchctx_t *fctx) { | ||
146 | * a CNAME or DNAME). | ||
147 | */ | ||
148 | INSIST(!external); | ||
149 | - if (aflag == | ||
150 | - DNS_RDATASETATTR_ANSWER) { | ||
151 | + if ((rdataset->type != | ||
152 | + dns_rdatatype_cname) || | ||
153 | + !found_dname || | ||
154 | + (aflag == | ||
155 | + DNS_RDATASETATTR_ANSWER)) | ||
156 | + { | ||
157 | have_answer = ISC_TRUE; | ||
158 | + if (rdataset->type == | ||
159 | + dns_rdatatype_cname) | ||
160 | + cname = name; | ||
161 | name->attributes |= | ||
162 | - DNS_NAMEATTR_ANSWER; | ||
163 | + DNS_NAMEATTR_ANSWER; | ||
164 | } | ||
165 | rdataset->attributes |= aflag; | ||
166 | if (aa) | ||
167 | @@ -6982,11 +7000,11 @@ answer_response(fetchctx_t *fctx) { | ||
168 | return (DNS_R_FORMERR); | ||
169 | } | ||
170 | |||
171 | - if (namereln != dns_namereln_subdomain) { | ||
172 | + if (dnamereln != dns_namereln_subdomain) { | ||
173 | char qbuf[DNS_NAME_FORMATSIZE]; | ||
174 | char obuf[DNS_NAME_FORMATSIZE]; | ||
175 | |||
176 | - dns_name_format(qname, qbuf, | ||
177 | + dns_name_format(dqname, qbuf, | ||
178 | sizeof(qbuf)); | ||
179 | dns_name_format(name, obuf, | ||
180 | sizeof(obuf)); | ||
181 | @@ -7001,7 +7019,7 @@ answer_response(fetchctx_t *fctx) { | ||
182 | want_chaining = ISC_TRUE; | ||
183 | POST(want_chaining); | ||
184 | aflag = DNS_RDATASETATTR_ANSWER; | ||
185 | - result = dname_target(rdataset, qname, | ||
186 | + result = dname_target(rdataset, dqname, | ||
187 | nlabels, &fdname); | ||
188 | if (result == ISC_R_NOSPACE) { | ||
189 | /* | ||
190 | @@ -7018,10 +7036,13 @@ answer_response(fetchctx_t *fctx) { | ||
191 | |||
192 | dname = dns_fixedname_name(&fdname); | ||
193 | if (!is_answertarget_allowed(view, | ||
194 | - qname, rdataset->type, | ||
195 | - dname, &fctx->domain)) { | ||
196 | + dqname, rdataset->type, | ||
197 | + dname, &fctx->domain)) | ||
198 | + { | ||
199 | return (DNS_R_SERVFAIL); | ||
200 | } | ||
201 | + dqname = dns_fixedname_name(&fqdname); | ||
202 | + dns_name_copy(dname, dqname, NULL); | ||
203 | } else { | ||
204 | /* | ||
205 | * We've found a signature that | ||
206 | @@ -7046,6 +7067,10 @@ answer_response(fetchctx_t *fctx) { | ||
207 | INSIST(!external); | ||
208 | if (aflag == DNS_RDATASETATTR_ANSWER) { | ||
209 | have_answer = ISC_TRUE; | ||
210 | + found_dname = ISC_TRUE; | ||
211 | + if (cname != NULL) | ||
212 | + cname->attributes &= | ||
213 | + ~DNS_NAMEATTR_ANSWER; | ||
214 | name->attributes |= | ||
215 | DNS_NAMEATTR_ANSWER; | ||
216 | } | ||
217 | -- | ||
218 | 2.7.4 | ||
219 | |||
diff --git a/meta/recipes-connectivity/bind/bind/bind-confgen-build-unix.o-once.patch b/meta/recipes-connectivity/bind/bind/bind-confgen-build-unix.o-once.patch index 096d5d84fc..8bc4ea30f8 100644 --- a/meta/recipes-connectivity/bind/bind/bind-confgen-build-unix.o-once.patch +++ b/meta/recipes-connectivity/bind/bind/bind-confgen-build-unix.o-once.patch | |||
@@ -17,24 +17,28 @@ problem. | |||
17 | Upstream-Status: Pending | 17 | Upstream-Status: Pending |
18 | 18 | ||
19 | Signed-off-by: Robert Yang <liezhi.yang@windriver.com> | 19 | Signed-off-by: Robert Yang <liezhi.yang@windriver.com> |
20 | |||
21 | Update context(trailing whitespace) for version 9.10.5-P3. | ||
22 | |||
23 | Signed-off-by: Kai Kang <kai.kang@windriver.com> | ||
20 | --- | 24 | --- |
21 | bin/confgen/Makefile.in | 4 ++-- | 25 | bin/confgen/Makefile.in | 4 ++-- |
22 | 1 file changed, 2 insertions(+), 2 deletions(-) | 26 | 1 file changed, 2 insertions(+), 2 deletions(-) |
23 | 27 | ||
24 | diff --git a/bin/confgen/Makefile.in b/bin/confgen/Makefile.in | 28 | diff --git a/bin/confgen/Makefile.in b/bin/confgen/Makefile.in |
25 | index 8b3e5aa..4868a24 100644 | 29 | index dca272f..02becce 100644 |
26 | --- a/bin/confgen/Makefile.in | 30 | --- a/bin/confgen/Makefile.in |
27 | +++ b/bin/confgen/Makefile.in | 31 | +++ b/bin/confgen/Makefile.in |
28 | @@ -74,11 +74,11 @@ rndc-confgen.@O@: rndc-confgen.c | 32 | @@ -74,11 +74,11 @@ rndc-confgen.@O@: rndc-confgen.c |
29 | ddns-confgen.@O@: ddns-confgen.c | 33 | ddns-confgen.@O@: ddns-confgen.c |
30 | ${LIBTOOL_MODE_COMPILE} ${CC} ${ALL_CFLAGS} -c ${srcdir}/ddns-confgen.c | 34 | ${LIBTOOL_MODE_COMPILE} ${CC} ${ALL_CFLAGS} -c ${srcdir}/ddns-confgen.c |
31 | 35 | ||
32 | -rndc-confgen@EXEEXT@: rndc-confgen.@O@ util.@O@ keygen.@O@ ${UOBJS} ${CONFDEPLIBS} | 36 | -rndc-confgen@EXEEXT@: rndc-confgen.@O@ util.@O@ keygen.@O@ ${UOBJS} ${CONFDEPLIBS} |
33 | +rndc-confgen@EXEEXT@: rndc-confgen.@O@ util.@O@ keygen.@O@ ${CONFDEPLIBS} $(SUBDIRS) | 37 | +rndc-confgen@EXEEXT@: rndc-confgen.@O@ util.@O@ keygen.@O@ ${CONFDEPLIBS} $(SUBDIRS) |
34 | export BASEOBJS="rndc-confgen.@O@ util.@O@ keygen.@O@ ${UOBJS}"; \ | 38 | export BASEOBJS="rndc-confgen.@O@ util.@O@ keygen.@O@ ${UOBJS}"; \ |
35 | ${FINALBUILDCMD} | 39 | ${FINALBUILDCMD} |
36 | 40 | ||
37 | -ddns-confgen@EXEEXT@: ddns-confgen.@O@ util.@O@ keygen.@O@ ${UOBJS} ${CONFDEPLIBS} | 41 | -ddns-confgen@EXEEXT@: ddns-confgen.@O@ util.@O@ keygen.@O@ ${UOBJS} ${CONFDEPLIBS} |
38 | +ddns-confgen@EXEEXT@: ddns-confgen.@O@ util.@O@ keygen.@O@ ${CONFDEPLIBS} $(SUBDIRS) | 42 | +ddns-confgen@EXEEXT@: ddns-confgen.@O@ util.@O@ keygen.@O@ ${CONFDEPLIBS} $(SUBDIRS) |
39 | export BASEOBJS="ddns-confgen.@O@ util.@O@ keygen.@O@ ${UOBJS}"; \ | 43 | export BASEOBJS="ddns-confgen.@O@ util.@O@ keygen.@O@ ${UOBJS}"; \ |
40 | ${FINALBUILDCMD} | 44 | ${FINALBUILDCMD} |
diff --git a/meta/recipes-connectivity/bind/bind/mips1-not-support-opcode.diff b/meta/recipes-connectivity/bind/bind/mips1-not-support-opcode.diff deleted file mode 100644 index 2930796b6a..0000000000 --- a/meta/recipes-connectivity/bind/bind/mips1-not-support-opcode.diff +++ /dev/null | |||
@@ -1,104 +0,0 @@ | |||
1 | bind: port a patch to fix a build failure | ||
2 | |||
3 | mips1 does not support ll and sc instructions, and lead to below error, now | ||
4 | we port a patch from debian to fix it | ||
5 | [http://security.debian.org/debian-security/pool/updates/main/b/bind9/bind9_9.8.4.dfsg.P1-6+nmu2+deb7u1.diff.gz] | ||
6 | |||
7 | | {standard input}: Assembler messages: | ||
8 | | {standard input}:47: Error: Opcode not supported on this processor: mips1 (mips1) `ll $3,0($6)' | ||
9 | | {standard input}:50: Error: Opcode not supported on this processor: mips1 (mips1) `sc $3,0($6)' | ||
10 | |||
11 | Upstream-Status: Pending | ||
12 | |||
13 | Signed-off-by: Roy Li <rongqing.li@windriver.com> | ||
14 | |||
15 | --- bind9-9.8.4.dfsg.P1.orig/lib/isc/mips/include/isc/atomic.h | ||
16 | +++ bind9-9.8.4.dfsg.P1/lib/isc/mips/include/isc/atomic.h | ||
17 | @@ -31,18 +31,20 @@ | ||
18 | isc_atomic_xadd(isc_int32_t *p, int val) { | ||
19 | isc_int32_t orig; | ||
20 | |||
21 | - /* add is a cheat, since MIPS has no mov instruction */ | ||
22 | - __asm__ volatile ( | ||
23 | - "1:" | ||
24 | - "ll $3, %1\n" | ||
25 | - "add %0, $0, $3\n" | ||
26 | - "add $3, $3, %2\n" | ||
27 | - "sc $3, %1\n" | ||
28 | - "beq $3, 0, 1b" | ||
29 | - : "=&r"(orig) | ||
30 | - : "m"(*p), "r"(val) | ||
31 | - : "memory", "$3" | ||
32 | - ); | ||
33 | + __asm__ __volatile__ ( | ||
34 | + " .set push \n" | ||
35 | + " .set mips2 \n" | ||
36 | + " .set noreorder \n" | ||
37 | + " .set noat \n" | ||
38 | + "1: ll $1, %1 \n" | ||
39 | + " addu %0, $1, %2 \n" | ||
40 | + " sc %0, %1 \n" | ||
41 | + " beqz %0, 1b \n" | ||
42 | + " move %0, $1 \n" | ||
43 | + " .set pop \n" | ||
44 | + : "=&r" (orig), "+R" (*p) | ||
45 | + : "r" (val) | ||
46 | + : "memory"); | ||
47 | |||
48 | return (orig); | ||
49 | } | ||
50 | @@ -52,16 +54,7 @@ | ||
51 | */ | ||
52 | static inline void | ||
53 | isc_atomic_store(isc_int32_t *p, isc_int32_t val) { | ||
54 | - __asm__ volatile ( | ||
55 | - "1:" | ||
56 | - "ll $3, %0\n" | ||
57 | - "add $3, $0, %1\n" | ||
58 | - "sc $3, %0\n" | ||
59 | - "beq $3, 0, 1b" | ||
60 | - : | ||
61 | - : "m"(*p), "r"(val) | ||
62 | - : "memory", "$3" | ||
63 | - ); | ||
64 | + *p = val; | ||
65 | } | ||
66 | |||
67 | /* | ||
68 | @@ -72,20 +65,23 @@ | ||
69 | static inline isc_int32_t | ||
70 | isc_atomic_cmpxchg(isc_int32_t *p, int cmpval, int val) { | ||
71 | isc_int32_t orig; | ||
72 | + isc_int32_t tmp; | ||
73 | |||
74 | - __asm__ volatile( | ||
75 | - "1:" | ||
76 | - "ll $3, %1\n" | ||
77 | - "add %0, $0, $3\n" | ||
78 | - "bne $3, %2, 2f\n" | ||
79 | - "add $3, $0, %3\n" | ||
80 | - "sc $3, %1\n" | ||
81 | - "beq $3, 0, 1b\n" | ||
82 | - "2:" | ||
83 | - : "=&r"(orig) | ||
84 | - : "m"(*p), "r"(cmpval), "r"(val) | ||
85 | - : "memory", "$3" | ||
86 | - ); | ||
87 | + __asm__ __volatile__ ( | ||
88 | + " .set push \n" | ||
89 | + " .set mips2 \n" | ||
90 | + " .set noreorder \n" | ||
91 | + " .set noat \n" | ||
92 | + "1: ll $1, %1 \n" | ||
93 | + " bne $1, %3, 2f \n" | ||
94 | + " move %2, %4 \n" | ||
95 | + " sc %2, %1 \n" | ||
96 | + " beqz %2, 1b \n" | ||
97 | + "2: move %0, $1 \n" | ||
98 | + " .set pop \n" | ||
99 | + : "=&r"(orig), "+R" (*p), "=r" (tmp) | ||
100 | + : "r"(cmpval), "r"(val) | ||
101 | + : "memory"); | ||
102 | |||
103 | return (orig); | ||
104 | } | ||
diff --git a/meta/recipes-connectivity/bind/bind/use-python3-and-fix-install-lib-path.patch b/meta/recipes-connectivity/bind/bind/use-python3-and-fix-install-lib-path.patch new file mode 100644 index 0000000000..9829f15881 --- /dev/null +++ b/meta/recipes-connectivity/bind/bind/use-python3-and-fix-install-lib-path.patch | |||
@@ -0,0 +1,36 @@ | |||
1 | Use python3 rather default python which maybe links to python2 for oe. And add | ||
2 | option for setup.py to install files to right directory. | ||
3 | |||
4 | Upstream-Status: Inappropriate [OE specific] | ||
5 | |||
6 | Signed-off-by: Kai Kang <kai.kang@windriver.com> | ||
7 | --- | ||
8 | diff --git a/bin/python/Makefile.in b/bin/python/Makefile.in | ||
9 | index a43a3c1..2e727f2 100644 | ||
10 | --- a/bin/python/Makefile.in | ||
11 | +++ b/bin/python/Makefile.in | ||
12 | @@ -55,9 +55,9 @@ install:: ${TARGETS} installdirs | ||
13 | ${INSTALL_DATA} ${srcdir}/dnssec-coverage.8 ${DESTDIR}${mandir}/man8 | ||
14 | if test -n "${PYTHON}" ; then \ | ||
15 | if test -n "${DESTDIR}" ; then \ | ||
16 | - ${PYTHON} ${srcdir}/setup.py install --root=${DESTDIR} --prefix=${prefix} ; \ | ||
17 | + ${PYTHON} ${srcdir}/setup.py install --root=${DESTDIR} --prefix=${prefix} --install-lib=${PYTHON_SITEPACKAGES_DIR} ; \ | ||
18 | else \ | ||
19 | - ${PYTHON} ${srcdir}/setup.py install --prefix=${prefix} ; \ | ||
20 | + ${PYTHON} ${srcdir}/setup.py install --prefix=${prefix} --install-lib=${PYTHON_SITEPACKAGES_DIR} ; \ | ||
21 | fi \ | ||
22 | fi | ||
23 | |||
24 | diff --git a/configure.in b/configure.in | ||
25 | index 314bb90..867923e 100644 | ||
26 | --- a/configure.in | ||
27 | +++ b/configure.in | ||
28 | @@ -227,7 +227,7 @@ AC_ARG_WITH(python, | ||
29 | [ --with-python=PATH specify path to python interpreter], | ||
30 | use_python="$withval", use_python="unspec") | ||
31 | |||
32 | -python="python python3 python3.5 python3.4 python3.3 python3.2 python2 python2.7" | ||
33 | +python="python3 python3.5 python3.4 python3.3 python3.2 python2 python2.7" | ||
34 | |||
35 | testargparse='try: import argparse | ||
36 | except: exit(1)' | ||
diff --git a/meta/recipes-connectivity/bind/bind_9.10.3-P3.bb b/meta/recipes-connectivity/bind/bind_9.10.5-P3.bb index 7eb79b0ea0..e6e1e8d068 100644 --- a/meta/recipes-connectivity/bind/bind_9.10.3-P3.bb +++ b/meta/recipes-connectivity/bind/bind_9.10.5-P3.bb | |||
@@ -3,14 +3,13 @@ HOMEPAGE = "http://www.isc.org/sw/bind/" | |||
3 | SECTION = "console/network" | 3 | SECTION = "console/network" |
4 | 4 | ||
5 | LICENSE = "ISC & BSD" | 5 | LICENSE = "ISC & BSD" |
6 | LIC_FILES_CHKSUM = "file://COPYRIGHT;md5=0a95f52a0ab6c5f52dedc9a45e7abb3f" | 6 | LIC_FILES_CHKSUM = "file://COPYRIGHT;md5=dba46507446198119bcde32a4feaab43" |
7 | 7 | ||
8 | DEPENDS = "openssl libcap" | 8 | DEPENDS = "openssl libcap" |
9 | 9 | ||
10 | SRC_URI = "ftp://ftp.isc.org/isc/bind9/${PV}/${BPN}-${PV}.tar.gz \ | 10 | SRC_URI = "ftp://ftp.isc.org/isc/bind9/${PV}/${BPN}-${PV}.tar.gz \ |
11 | file://conf.patch \ | 11 | file://conf.patch \ |
12 | file://make-etc-initd-bind-stop-work.patch \ | 12 | file://make-etc-initd-bind-stop-work.patch \ |
13 | file://mips1-not-support-opcode.diff \ | ||
14 | file://dont-test-on-host.patch \ | 13 | file://dont-test-on-host.patch \ |
15 | file://generate-rndc-key.sh \ | 14 | file://generate-rndc-key.sh \ |
16 | file://named.service \ | 15 | file://named.service \ |
@@ -21,21 +20,14 @@ SRC_URI = "ftp://ftp.isc.org/isc/bind9/${PV}/${BPN}-${PV}.tar.gz \ | |||
21 | file://bind-ensure-searching-for-json-headers-searches-sysr.patch \ | 20 | file://bind-ensure-searching-for-json-headers-searches-sysr.patch \ |
22 | file://0001-gen.c-extend-DIRNAMESIZE-from-256-to-512.patch \ | 21 | file://0001-gen.c-extend-DIRNAMESIZE-from-256-to-512.patch \ |
23 | file://0001-lib-dns-gen.c-fix-too-long-error.patch \ | 22 | file://0001-lib-dns-gen.c-fix-too-long-error.patch \ |
24 | file://CVE-2016-1285.patch \ | 23 | file://use-python3-and-fix-install-lib-path.patch \ |
25 | file://CVE-2016-1286_1.patch \ | ||
26 | file://CVE-2016-1286_2.patch \ | ||
27 | file://CVE-2016-2088.patch \ | ||
28 | file://CVE-2016-2775.patch \ | ||
29 | file://CVE-2016-2776.patch \ | ||
30 | file://CVE-2016-8864.patch \ | ||
31 | file://CVE-2016-6170.patch \ | ||
32 | " | 24 | " |
33 | 25 | ||
34 | UPSTREAM_CHECK_URI = "ftp://ftp.isc.org/isc/bind9/" | 26 | UPSTREAM_CHECK_URI = "ftp://ftp.isc.org/isc/bind9/" |
35 | UPSTREAM_CHECK_REGEX = "(?P<pver>9(\.\d+)+(-P\d+)*)/" | 27 | UPSTREAM_CHECK_REGEX = "(?P<pver>9(\.\d+)+(-P\d+)*)/" |
36 | 28 | ||
37 | SRC_URI[md5sum] = "bcf7e772b616f7259420a3edc5df350a" | 29 | SRC_URI[md5sum] = "d79cafbd9ac76239ee532dd89d05cc83" |
38 | SRC_URI[sha256sum] = "690810d1fbb72afa629e74638d19cd44e28d2b2e5eb63f55c705ad85d1a4cb83" | 30 | SRC_URI[sha256sum] = "8d7e96b5b0bbac7b900d4c4bbb82e0956b4e509433c5fa392bb72a929b96606a" |
39 | 31 | ||
40 | ENABLE_IPV6 = "--enable-ipv6=${@bb.utils.contains('DISTRO_FEATURES', 'ipv6', 'yes', 'no', d)}" | 32 | ENABLE_IPV6 = "--enable-ipv6=${@bb.utils.contains('DISTRO_FEATURES', 'ipv6', 'yes', 'no', d)}" |
41 | EXTRA_OECONF = " ${ENABLE_IPV6} --with-libtool --enable-threads \ | 33 | EXTRA_OECONF = " ${ENABLE_IPV6} --with-libtool --enable-threads \ |
@@ -44,7 +36,10 @@ EXTRA_OECONF = " ${ENABLE_IPV6} --with-libtool --enable-threads \ | |||
44 | --sysconfdir=${sysconfdir}/bind \ | 36 | --sysconfdir=${sysconfdir}/bind \ |
45 | --with-openssl=${STAGING_LIBDIR}/.. \ | 37 | --with-openssl=${STAGING_LIBDIR}/.. \ |
46 | " | 38 | " |
47 | inherit autotools update-rc.d systemd useradd pkgconfig | 39 | |
40 | inherit autotools update-rc.d systemd useradd pkgconfig python3-dir | ||
41 | |||
42 | export PYTHON_SITEPACKAGES_DIR | ||
48 | 43 | ||
49 | # PACKAGECONFIGs readline and libedit should NOT be set at same time | 44 | # PACKAGECONFIGs readline and libedit should NOT be set at same time |
50 | PACKAGECONFIG ?= "readline" | 45 | PACKAGECONFIG ?= "readline" |
@@ -70,7 +65,7 @@ RDEPENDS_${PN}-dev = "" | |||
70 | PACKAGE_BEFORE_PN += "${PN}-utils" | 65 | PACKAGE_BEFORE_PN += "${PN}-utils" |
71 | FILES_${PN}-utils = "${bindir}/host ${bindir}/dig" | 66 | FILES_${PN}-utils = "${bindir}/host ${bindir}/dig" |
72 | FILES_${PN}-dev += "${bindir}/isc-config.h" | 67 | FILES_${PN}-dev += "${bindir}/isc-config.h" |
73 | FILES_${PN} += "${sbindir}/generate-rndc-key.sh" | 68 | FILES_${PN} += "${sbindir}/generate-rndc-key.sh ${PYTHON_SITEPACKAGES_DIR}" |
74 | 69 | ||
75 | do_install_prepend() { | 70 | do_install_prepend() { |
76 | # clean host path in isc-config.sh before the hardlink created | 71 | # clean host path in isc-config.sh before the hardlink created |
@@ -107,6 +102,8 @@ do_install_append() { | |||
107 | install -d ${D}${sysconfdir}/tmpfiles.d | 102 | install -d ${D}${sysconfdir}/tmpfiles.d |
108 | echo "d /run/named 0755 bind bind - -" > ${D}${sysconfdir}/tmpfiles.d/bind.conf | 103 | echo "d /run/named 0755 bind bind - -" > ${D}${sysconfdir}/tmpfiles.d/bind.conf |
109 | fi | 104 | fi |
105 | |||
106 | rm -f ${D}${PYTHON_SITEPACKAGES_DIR}/isc/*.pyc | ||
110 | } | 107 | } |
111 | 108 | ||
112 | CONFFILES_${PN} = " \ | 109 | CONFFILES_${PN} = " \ |