authorTudor Florea <tudor.florea@enea.com>2015-10-09 20:59:03 (GMT)
committerTudor Florea <tudor.florea@enea.com>2015-10-09 20:59:03 (GMT)
commit972dcfcdbfe75dcfeb777150c136576cf1a71e99 (patch)
tree97a61cd7e293d7ae9d56ef7ed0f81253365bb026 /meta/recipes-connectivity/bind
downloadpoky-972dcfcdbfe75dcfeb777150c136576cf1a71e99.tar.gz
initial commit for Enea Linux 5.0 arm
Signed-off-by: Tudor Florea <tudor.florea@enea.com>
Diffstat (limited to 'meta/recipes-connectivity/bind')
-rw-r--r--meta/recipes-connectivity/bind/bind/bind-9.8.1-CVE-2012-5166.patch119
-rw-r--r--meta/recipes-connectivity/bind/bind/bind-CVE-2011-4313.patch89
-rw-r--r--meta/recipes-connectivity/bind/bind/bind-CVE-2012-1667.patch92
-rw-r--r--meta/recipes-connectivity/bind/bind/bind-CVE-2012-3817.patch40
-rw-r--r--meta/recipes-connectivity/bind/bind/bind-CVE-2013-2266.patch41
-rw-r--r--meta/recipes-connectivity/bind/bind/bind-Fix-CVE-2012-4244.patch141
-rw-r--r--meta/recipes-connectivity/bind/bind/bind92
-rw-r--r--meta/recipes-connectivity/bind/bind/bind9_9_5-CVE-2014-8500.patch990
-rw-r--r--meta/recipes-connectivity/bind/bind/bind9_9_5-CVE-2015-5477.patch45
-rw-r--r--meta/recipes-connectivity/bind/bind/conf.patch314
-rw-r--r--meta/recipes-connectivity/bind/bind/cross-build-fix.patch21
-rw-r--r--meta/recipes-connectivity/bind/bind/dont-test-on-host.patch17
-rw-r--r--meta/recipes-connectivity/bind/bind/generate-rndc-key.sh7
-rw-r--r--meta/recipes-connectivity/bind/bind/init.d-add-support-for-read-only-rootfs.patch65
-rw-r--r--meta/recipes-connectivity/bind/bind/make-etc-initd-bind-stop-work.patch42
-rw-r--r--meta/recipes-connectivity/bind/bind/mips1-not-support-opcode.diff104
-rw-r--r--meta/recipes-connectivity/bind/bind/named.service22
-rw-r--r--meta/recipes-connectivity/bind/bind_9.9.5.bb99
18 files changed, 2250 insertions, 0 deletions
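--- /dev/null
+++ b/meta/recipes-connectivity/bind/bind/bind-9.8.1-CVE-2012-5166.patch
@@ -0,0 +1,119 @@
+bind_Fix_for_CVE-2012-5166
+
+Upstream-Status: Backport
+
+Reference:http://launchpadlibrarian.net/119212498/bind9_1%3A9.7.3.dfsOBg
+-1ubuntu2.6_1%3A9.7.3.dfsg-1ubuntu2.7.diff.gz
+
+ISC BIND 9.x before 9.7.6-P4, 9.8.x before 9.8.3-P4, 9.9.x before
+9.9.1-P4, and 9.4-ESV and 9.6-ESV before 9.6-ESV-R7-P4 allows
+remote attackers to cause a denial of service (named daemon hang)
+via unspecified combinations of resource records.
+
+http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-5166
+
+Signed-off-by: yanjun.zhu <yanjun.zhu@windriver.com>
+diff -urpN a/bin/named/query.c b/bin/named/query.c
+--- a/bin/named/query.c 2012-10-22 13:24:27.000000000 +0800
++++ b/bin/named/query.c 2012-10-22 13:17:04.000000000 +0800
+@@ -1137,13 +1137,6 @@ query_isduplicate(ns_client_t *client, d
+ mname = NULL;
+ }
+
+- /*
+- * If the dns_name_t we're looking up is already in the message,
+- * we don't want to trigger the caller's name replacement logic.
+- */
+- if (name == mname)
+- mname = NULL;
+-
+ *mnamep = mname;
+
+ CTRACE("query_isduplicate: false: done");
+@@ -1341,6 +1334,7 @@ query_addadditional(void *arg, dns_name_
+ if (dns_rdataset_isassociated(rdataset) &&
+ !query_isduplicate(client, fname, type, &mname)) {
+ if (mname != NULL) {
++ INSIST(mname != fname);
+ query_releasename(client, &fname);
+ fname = mname;
+ } else
+@@ -1401,11 +1395,13 @@ query_addadditional(void *arg, dns_name_
+ mname = NULL;
+ if (!query_isduplicate(client, fname,
+ dns_rdatatype_a, &mname)) {
+- if (mname != NULL) {
+- query_releasename(client, &fname);
+- fname = mname;
+- } else
+- need_addname = ISC_TRUE;
++ if (mname != fname) {
++ if (mname != NULL) {
++ query_releasename(client, &fname);
++ fname = mname;
++ } else
++ need_addname = ISC_TRUE;
++ }
+ ISC_LIST_APPEND(fname->list, rdataset, link);
+ added_something = ISC_TRUE;
+ if (sigrdataset != NULL &&
+@@ -1444,11 +1440,13 @@ query_addadditional(void *arg, dns_name_
+ mname = NULL;
+ if (!query_isduplicate(client, fname,
+ dns_rdatatype_aaaa, &mname)) {
+- if (mname != NULL) {
+- query_releasename(client, &fname);
+- fname = mname;
+- } else
+- need_addname = ISC_TRUE;
++ if (mname != fname) {
++ if (mname != NULL) {
++ query_releasename(client, &fname);
++ fname = mname;
++ } else
++ need_addname = ISC_TRUE;
++ }
+ ISC_LIST_APPEND(fname->list, rdataset, link);
+ added_something = ISC_TRUE;
+ if (sigrdataset != NULL &&
+@@ -1960,22 +1958,24 @@ query_addadditional2(void *arg, dns_name
+ crdataset->type == dns_rdatatype_aaaa) {
+ if (!query_isduplicate(client, fname, crdataset->type,
+ &mname)) {
+- if (mname != NULL) {
+- /*
+- * A different type of this name is
+- * already stored in the additional
+- * section. We'll reuse the name.
+- * Note that this should happen at most
+- * once. Otherwise, fname->link could
+- * leak below.
+- */
+- INSIST(mname0 == NULL);
+-
+- query_releasename(client, &fname);
+- fname = mname;
+- mname0 = mname;
+- } else
+- need_addname = ISC_TRUE;
++ if (mname != fname) {
++ if (mname != NULL) {
++ /*
++ * A different type of this name is
++ * already stored in the additional
++ * section. We'll reuse the name.
++ * Note that this should happen at most
++ * once. Otherwise, fname->link could
++ * leak below.
++ */
++ INSIST(mname0 == NULL);
++
++ query_releasename(client, &fname);
++ fname = mname;
++ mname0 = mname;
++ } else
++ need_addname = ISC_TRUE;
++ }
+ ISC_LIST_UNLINK(cfname.list, crdataset, link);
+ ISC_LIST_APPEND(fname->list, crdataset, link);
+ added_something = ISC_TRUE;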
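Review bot: The affected-version range in this patch's own header ("9.9.x before 9.9.1-P4") already excludes the 9.9.5 that this commit's recipe builds (bind_9.9.5.bb in the diffstat), so if bind_9.9.5.bb lists this file in SRC_URI the backport is redundant at best and may apply with fuzz against query.c code that upstream has since restructured. The same applies, each by its own header, to bind-CVE-2011-4313.patch (fixed by 9.9.0b1), bind-CVE-2012-1667.patch (9.9.1-P1), bind-CVE-2012-3817.patch (9.9.1-P2), bind-CVE-2013-2266.patch (9.9.2-P2) and bind-Fix-CVE-2012-4244.patch (9.9.1-P3). The recipe itself is outside this view, so whether the patches are actually applied cannot be confirmed here; I would either drop the stale ones from the recipe or state in each header why a 9.9.5 tree still needs it. Adding a `CVE: CVE-2012-5166` tag line to each header would also let cve-check account for what is and is not patched.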
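--- /dev/null
+++ b/meta/recipes-connectivity/bind/bind/bind-CVE-2011-4313.patch
@@ -0,0 +1,89 @@
+The patch to fix CVE-2011-4313
+
+Upstream-Status: Backport
+
+Reference: https://www.redhat.com/security/data/cve/CVE-2011-4313.html
+
+query.c in ISC BIND 9.0.x through 9.6.x, 9.4-ESV through 9.4-ESV-R5, 9.6-ESV
+through 9.6-ESV-R5, 9.7.0 through 9.7.4, 9.8.0 through 9.8.1, and 9.9.0a1
+through 9.9.0b1 allows remote attackers to cause a denial of service
+(assertion failure and named exit) via unknown vectors related to recursive DNS
+queries, error logging, and the caching of an invalid record by the resolver.
+
+Signed-off-by Ming Liu <ming.liu@windriver.com>
+---
+ bin/named/query.c | 19 ++++++++-----------
+ lib/dns/rbtdb.c | 4 ++--
+ 2 files changed, 10 insertions(+), 13 deletions(-)
+
+--- a/bin/named/query.c
++++ b/bin/named/query.c
+@@ -1393,11 +1393,9 @@ query_addadditional(void *arg, dns_name_
+ goto addname;
+ if (result == DNS_R_NCACHENXRRSET) {
+ dns_rdataset_disassociate(rdataset);
+- /*
+- * Negative cache entries don't have sigrdatasets.
+- */
+- INSIST(sigrdataset == NULL ||
+- ! dns_rdataset_isassociated(sigrdataset));
++ if (sigrdataset != NULL &&
++ dns_rdataset_isassociated(sigrdataset))
++ dns_rdataset_disassociate(sigrdataset);
+ }
+ if (result == ISC_R_SUCCESS) {
+ mname = NULL;
+@@ -1438,8 +1436,9 @@ query_addadditional(void *arg, dns_name_
+ goto addname;
+ if (result == DNS_R_NCACHENXRRSET) {
+ dns_rdataset_disassociate(rdataset);
+- INSIST(sigrdataset == NULL ||
+- ! dns_rdataset_isassociated(sigrdataset));
++ if (sigrdataset != NULL &&
++ dns_rdataset_isassociated(sigrdataset))
++ dns_rdataset_disassociate(sigrdataset);
+ }
+ if (result == ISC_R_SUCCESS) {
+ mname = NULL;
+@@ -1889,10 +1888,8 @@ query_addadditional2(void *arg, dns_name
+ goto setcache;
+ if (result == DNS_R_NCACHENXRRSET) {
+ dns_rdataset_disassociate(rdataset);
+- /*
+- * Negative cache entries don't have sigrdatasets.
+- */
+- INSIST(! dns_rdataset_isassociated(sigrdataset));
++ if (dns_rdataset_isassociated(sigrdataset))
++ dns_rdataset_disassociate(sigrdataset);
+ }
+ if (result == ISC_R_SUCCESS) {
+ /* Remember the result as a cache */
+--- a/lib/dns/rbtdb.c
++++ b/lib/dns/rbtdb.c
+@@ -5053,7 +5053,7 @@ cache_find(dns_db_t *db, dns_name_t *nam
+ rdataset);
+ if (need_headerupdate(found, search.now))
+ update = found;
+- if (foundsig != NULL) {
++ if (!NEGATIVE(found) && foundsig != NULL) {
+ bind_rdataset(search.rbtdb, node, foundsig, search.now,
+ sigrdataset);
+ if (need_headerupdate(foundsig, search.now))
+@@ -5596,7 +5596,7 @@ zone_findrdataset(dns_db_t *db, dns_dbno
+ }
+ if (found != NULL) {
+ bind_rdataset(rbtdb, rbtnode, found, now, rdataset);
+- if (foundsig != NULL)
++ if (!NEGATIVE(found) && foundsig != NULL)
+ bind_rdataset(rbtdb, rbtnode, foundsig, now,
+ sigrdataset);
+ }
+@@ -5685,7 +5685,7 @@ cache_findrdataset(dns_db_t *db, dns_dbn
+ }
+ if (found != NULL) {
+ bind_rdataset(rbtdb, rbtnode, found, now, rdataset);
+- if (foundsig != NULL)
++ if (!NEGATIVE(found) && foundsig != NULL)
+ bind_rdataset(rbtdb, rbtnode, foundsig, now,
+ sigrdataset);
+ }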
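--- /dev/null
+++ b/meta/recipes-connectivity/bind/bind/bind-CVE-2012-1667.patch
@@ -0,0 +1,92 @@
+bind CVE-2012-1667
+
+Upstream-Status: Backport
+
+ISC BIND 9.x before 9.7.6-P1, 9.8.x before 9.8.3-P1, 9.9.x before 9.9.1-P1,
+and 9.4-ESV and 9.6-ESV before 9.6-ESV-R7-P1 does not properly handle resource
+records with a zero-length RDATA section, which allows remote DNS servers to
+cause a denial of service (daemon crash or data corruption) or obtain
+sensitive information from process memory via a crafted record.
+
+http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-1667
+
+The cve patch comes from bind97-9.7.0-10.P2.el5_8.1.src.rpm package.
+
+Signed-off-by: Li Wang <li.wang@windriver.com>
+---
+ lib/dns/rdata.c | 8 ++++----
+ lib/dns/rdataslab.c | 11 ++++++++---
+ 2 files changed, 12 insertions(+), 7 deletions(-)
+
+diff --git a/lib/dns/rdata.c b/lib/dns/rdata.c
+index 063b1f6..9337a80 100644
+--- a/lib/dns/rdata.c
++++ b/lib/dns/rdata.c
+@@ -325,8 +325,8 @@ dns_rdata_compare(const dns_rdata_t *rdata1, const dns_rdata_t *rdata2) {
+
+ REQUIRE(rdata1 != NULL);
+ REQUIRE(rdata2 != NULL);
+- REQUIRE(rdata1->data != NULL);
+- REQUIRE(rdata2->data != NULL);
++ REQUIRE(rdata1->length == 0 || rdata1->data != NULL);
++ REQUIRE(rdata2->length == 0 || rdata2->data != NULL);
+ REQUIRE(DNS_RDATA_VALIDFLAGS(rdata1));
+ REQUIRE(DNS_RDATA_VALIDFLAGS(rdata2));
+
+@@ -356,8 +356,8 @@ dns_rdata_casecompare(const dns_rdata_t *rdata1, const dns_rdata_t *rdata2) {
+
+ REQUIRE(rdata1 != NULL);
+ REQUIRE(rdata2 != NULL);
+- REQUIRE(rdata1->data != NULL);
+- REQUIRE(rdata2->data != NULL);
++ REQUIRE(rdata1->length == 0 || rdata1->data != NULL);
++ REQUIRE(rdata2->length == 0 || rdata2->data != NULL);
+ REQUIRE(DNS_RDATA_VALIDFLAGS(rdata1));
+ REQUIRE(DNS_RDATA_VALIDFLAGS(rdata2));
+
+diff --git a/lib/dns/rdataslab.c b/lib/dns/rdataslab.c
+index a41f16f..ed13b30 100644
+--- a/lib/dns/rdataslab.c
++++ b/lib/dns/rdataslab.c
+@@ -125,6 +125,11 @@ isc_result_t
+ dns_rdataslab_fromrdataset(dns_rdataset_t *rdataset, isc_mem_t *mctx,
+ isc_region_t *region, unsigned int reservelen)
+ {
++ /*
++ * Use &removed as a sentinal pointer for duplicate
++ * rdata as rdata.data == NULL is valid.
++ */
++ static unsigned char removed;
+ struct xrdata *x;
+ unsigned char *rawbuf;
+ #if DNS_RDATASET_FIXED
+@@ -168,6 +173,7 @@ dns_rdataslab_fromrdataset(dns_rdataset_t *rdataset, isc_mem_t *mctx,
+ INSIST(result == ISC_R_SUCCESS);
+ dns_rdata_init(&x[i].rdata);
+ dns_rdataset_current(rdataset, &x[i].rdata);
++ INSIST(x[i].rdata.data != &removed);
+ #if DNS_RDATASET_FIXED
+ x[i].order = i;
+ #endif
+@@ -200,8 +206,7 @@ dns_rdataslab_fromrdataset(dns_rdataset_t *rdataset, isc_mem_t *mctx,
+ */
+ for (i = 1; i < nalloc; i++) {
+ if (compare_rdata(&x[i-1].rdata, &x[i].rdata) == 0) {
+- x[i-1].rdata.data = NULL;
+- x[i-1].rdata.length = 0;
++ x[i-1].rdata.data = &removed;
+ #if DNS_RDATASET_FIXED
+ /*
+ * Preserve the least order so A, B, A -> A, B
+@@ -291,7 +296,7 @@ dns_rdataslab_fromrdataset(dns_rdataset_t *rdataset, isc_mem_t *mctx,
+ #endif
+
+ for (i = 0; i < nalloc; i++) {
+- if (x[i].rdata.data == NULL)
++ if (x[i].rdata.data == &removed)
+ continue;
+ #if DNS_RDATASET_FIXED
+ offsettable[x[i].order] = rawbuf - offsetbase;
+--
+1.7.0.5
+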
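--- /dev/null
+++ b/meta/recipes-connectivity/bind/bind/bind-CVE-2012-3817.patch
@@ -0,0 +1,40 @@
+bind: fix for CVE-2012-3817
+
+Upstream-Status: Backport
+
+ISC BIND 9.4.x, 9.5.x, 9.6.x, and 9.7.x before 9.7.6-P2; 9.8.x before 9.8.3-P2;
+9.9.x before 9.9.1-P2; and 9.6-ESV before 9.6-ESV-R7-P2, when DNSSEC validation
+is enabled, does not properly initialize the failing-query cache, which allows
+remote attackers to cause a denial of service (assertion failure and daemon exit)
+by sending many queries.
+
+http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-3817
+
+This patch is back-ported from bind-9.3.6-20.P1.el5_8.2.src.rpm package.
+
+Signed-off-by: Ming Liu <ming.liu@windriver.com>
+---
+ resolver.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+--- a/lib/dns/resolver.c
++++ b/lib/dns/resolver.c
+@@ -8318,6 +8318,7 @@ dns_resolver_addbadcache(dns_resolver_t
+ goto cleanup;
+ bad->type = type;
+ bad->hashval = hashval;
++ bad->expire = *expire;
+ isc_buffer_init(&buffer, bad + 1, name->length);
+ dns_name_init(&bad->name, NULL);
+ dns_name_copy(name, &bad->name, &buffer);
+@@ -8329,8 +8330,8 @@ dns_resolver_addbadcache(dns_resolver_t
+ if (resolver->badcount < resolver->badhash * 2 &&
+ resolver->badhash > DNS_BADCACHE_SIZE)
+ resizehash(resolver, &now, ISC_FALSE);
+- }
+- bad->expire = *expire;
++ } else
++ bad->expire = *expire;
+ cleanup:
+ UNLOCK(&resolver->lock);
+ }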
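--- /dev/null
+++ b/meta/recipes-connectivity/bind/bind/bind-CVE-2013-2266.patch
@@ -0,0 +1,41 @@
+bind: fix for CVE-2013-2266
+
+Upstream-Status: Backport
+
+libdns in ISC BIND 9.7.x and 9.8.x before 9.8.4-P2, 9.8.5 before 9.8.5b2,
+9.9.x before 9.9.2-P2, and 9.9.3 before 9.9.3b2 on UNIX platforms allows
+remote attackers to cause a denial of service (memory consumption) via a
+crafted regular expression, as demonstrated by a memory-exhaustion attack
+against a machine running a named process.
+
+http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-2266
+
+Signed-off-by Ming Liu <ming.liu@windriver.com>
+---
+ config.h.in | 3 ---
+ configure.in | 2 +-
+ 2 files changed, 1 insertion(+), 4 deletions(-)
+
+--- a/config.h.in
++++ b/config.h.in
+@@ -277,9 +277,6 @@ int sigwait(const unsigned int *set, int
+ /* Define if your OpenSSL version supports GOST. */
+ #undef HAVE_OPENSSL_GOST
+
+-/* Define to 1 if you have the <regex.h> header file. */
+-#undef HAVE_REGEX_H
+-
+ /* Define to 1 if you have the `setegid' function. */
+ #undef HAVE_SETEGID
+
+--- a/configure.in
++++ b/configure.in
+@@ -279,7 +279,7 @@ esac
+
+ AC_HEADER_STDC
+
+-AC_CHECK_HEADERS(fcntl.h regex.h sys/time.h unistd.h sys/sockio.h sys/select.h sys/param.h sys/sysctl.h net/if6.h,,,
++AC_CHECK_HEADERS(fcntl.h sys/time.h unistd.h sys/sockio.h sys/select.h sys/param.h sys/sysctl.h net/if6.h,,,
+ [$ac_includes_default
+ #ifdef HAVE_SYS_PARAM_H
+ # include <sys/param.h>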
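--- /dev/null
+++ b/meta/recipes-connectivity/bind/bind/bind-Fix-CVE-2012-4244.patch
@@ -0,0 +1,141 @@
+bind_Fix_for_CVE-2012-4244
+
+Upstream-Status: Backport
+
+Reference:https://bugzilla.novell.com/attachment.cgi?id=505661&action=edit
+
+ISC BIND 9.x before 9.7.6-P3, 9.8.x before 9.8.3-P3, 9.9.x before 9.9.1-P3,
+ and 9.4-ESV and 9.6-ESV before 9.6-ESV-R7-P3 allows remote attackers to
+cause a denial of service (assertion failure and named daemon exit) via
+a query for a long resource record.
+
+Signed-off-by: yanjun.zhu <yanjun.zhu@windriver.com>
+
+diff -urpN a/lib/dns/include/dns/rdata.h b/lib/dns/include/dns/rdata.h
+--- a/lib/dns/include/dns/rdata.h 2012-10-08 12:19:42.000000000 +0800
++++ b/lib/dns/include/dns/rdata.h 2012-10-08 11:26:43.000000000 +0800
+@@ -147,6 +147,17 @@ struct dns_rdata {
+ (((rdata)->flags & ~(DNS_RDATA_UPDATE|DNS_RDATA_OFFLINE)) == 0)
+
+ /*
++ * The maximum length of a RDATA that can be sent on the wire.
++ * Max packet size (65535) less header (12), less name (1), type (2),
++ * class (2), ttl(4), length (2).
++ *
++ * None of the defined types that support name compression can exceed
++ * this and all new types are to be sent uncompressed.
++ */
++
++#define DNS_RDATA_MAXLENGTH 65512U
++
++/*
+ * Flags affecting rdata formatting style. Flags 0xFFFF0000
+ * are used by masterfile-level formatting and defined elsewhere.
+ * See additional comments at dns_rdata_tofmttext().
+diff -urpN a/lib/dns/master.c b/lib/dns/master.c
+--- a/lib/dns/master.c 2012-10-08 12:19:42.000000000 +0800
++++ b/lib/dns/master.c 2012-10-08 11:27:06.000000000 +0800
+@@ -75,7 +75,7 @@
+ /*%
+ * max message size - header - root - type - class - ttl - rdlen
+ */
+-#define MINTSIZ (65535 - 12 - 1 - 2 - 2 - 4 - 2)
++#define MINTSIZ DNS_RDATA_MAXLENGTH
+ /*%
+ * Size for tokens in the presentation format,
+ * The largest tokens are the base64 blocks in KEY and CERT records,
+diff -urpN a/lib/dns/rdata.c b/lib/dns/rdata.c
+--- a/lib/dns/rdata.c 2012-10-08 12:19:42.000000000 +0800
++++ b/lib/dns/rdata.c 2012-10-08 11:27:27.000000000 +0800
+@@ -425,6 +425,7 @@ dns_rdata_fromwire(dns_rdata_t *rdata, d
+ isc_buffer_t st;
+ isc_boolean_t use_default = ISC_FALSE;
+ isc_uint32_t activelength;
++ size_t length;
+
+ REQUIRE(dctx != NULL);
+ if (rdata != NULL) {
+@@ -455,6 +456,14 @@ dns_rdata_fromwire(dns_rdata_t *rdata, d
+ }
+
+ /*
++ * Reject any rdata that expands out to more than DNS_RDATA_MAXLENGTH
++ * as we cannot transmit it.
++ */
++ length = isc_buffer_usedlength(target) - isc_buffer_usedlength(&st);
++ if (result == ISC_R_SUCCESS && length > DNS_RDATA_MAXLENGTH)
++ result = DNS_R_FORMERR;
++
++ /*
+ * We should have consumed all of our buffer.
+ */
+ if (result == ISC_R_SUCCESS && !buffer_empty(source))
+@@ -462,8 +471,7 @@ dns_rdata_fromwire(dns_rdata_t *rdata, d
+
+ if (rdata != NULL && result == ISC_R_SUCCESS) {
+ region.base = isc_buffer_used(&st);
+- region.length = isc_buffer_usedlength(target) -
+- isc_buffer_usedlength(&st);
++ region.length = length;
+ dns_rdata_fromregion(rdata, rdclass, type, &region);
+ }
+
+@@ -598,6 +606,7 @@ dns_rdata_fromtext(dns_rdata_t *rdata, d
+ unsigned long line;
+ void (*callback)(dns_rdatacallbacks_t *, const char *, ...);
+ isc_result_t tresult;
++ size_t length;
+
+ REQUIRE(origin == NULL || dns_name_isabsolute(origin) == ISC_TRUE);
+ if (rdata != NULL) {
+@@ -670,10 +679,13 @@ dns_rdata_fromtext(dns_rdata_t *rdata, d
+ }
+ } while (1);
+
++ length = isc_buffer_usedlength(target) - isc_buffer_usedlength(&st);
++ if (result == ISC_R_SUCCESS && length > DNS_RDATA_MAXLENGTH)
++ result = ISC_R_NOSPACE;
++
+ if (rdata != NULL && result == ISC_R_SUCCESS) {
+ region.base = isc_buffer_used(&st);
+- region.length = isc_buffer_usedlength(target) -
+- isc_buffer_usedlength(&st);
++ region.length = length;
+ dns_rdata_fromregion(rdata, rdclass, type, &region);
+ }
+ if (result != ISC_R_SUCCESS) {
+@@ -781,6 +793,7 @@ dns_rdata_fromstruct(dns_rdata_t *rdata,
+ isc_buffer_t st;
+ isc_region_t region;
+ isc_boolean_t use_default = ISC_FALSE;
++ size_t length;
+
+ REQUIRE(source != NULL);
+ if (rdata != NULL) {
+@@ -795,10 +808,13 @@ dns_rdata_fromstruct(dns_rdata_t *rdata,
+ if (use_default)
+ (void)NULL;
+
++ length = isc_buffer_usedlength(target) - isc_buffer_usedlength(&st);
++ if (result == ISC_R_SUCCESS && length > DNS_RDATA_MAXLENGTH)
++ result = ISC_R_NOSPACE;
++
+ if (rdata != NULL && result == ISC_R_SUCCESS) {
+ region.base = isc_buffer_used(&st);
+- region.length = isc_buffer_usedlength(target) -
+- isc_buffer_usedlength(&st);
++ region.length = length;
+ dns_rdata_fromregion(rdata, rdclass, type, &region);
+ }
+ if (result != ISC_R_SUCCESS)
+diff -urpN a/lib/dns/rdataslab.c b/lib/dns/rdataslab.c
+--- a/lib/dns/rdataslab.c 2012-10-08 12:19:42.000000000 +0800
++++ b/lib/dns/rdataslab.c 2012-10-08 11:27:54.000000000 +0800
+@@ -304,6 +304,7 @@ dns_rdataslab_fromrdataset(dns_rdataset_
+ length = x[i].rdata.length;
+ if (rdataset->type == dns_rdatatype_rrsig)
+ length++;
++ INSIST(length <= 0xffff);
+ *rawbuf++ = (length & 0xff00) >> 8;
+ *rawbuf++ = (length & 0x00ff);
+ #if DNS_RDATASET_FIXED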
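--- /dev/null
+++ b/meta/recipes-connectivity/bind/bind/bind9
@@ -0,0 +1,2 @@
+# startup options for the server
+OPTIONS="-u bind"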
diff --git a/meta/recipes-connectivity/bind/bind/bind9_9_5-CVE-2014-8500.patch b/meta/recipes-connectivity/bind/bind/bind9_9_5-CVE-2014-8500.patch
new file mode 100644
index 0000000..62142d2
--- /dev/null
+++ b/meta/recipes-connectivity/bind/bind/bind9_9_5-CVE-2014-8500.patch
@@ -0,0 +1,990 @@
1From 603a0e2637b35a2da820bc807f69bcf09c682dce Mon Sep 17 00:00:00 2001
2From: Evan Hunt <each@isc.org>
3Date: Mon, 17 Nov 2014 23:49:07 -0800
4Subject: [PATCH] [v9_9] limit recursion depth and iterative queries
5
64006. [security] A flaw in delegation handling could be exploited
7 to put named into an infinite loop. This has
8 been addressed by placing limits on the number
9 of levels of recursion named will allow (default 7),
10 and the number of iterative queries that it will
11 send (default 50) before terminating a recursive
12 query (CVE-2014-8500).
13
14 The recursion depth limit is configured via the
15 "max-recursion-depth" option. [RT #35780]
16
17Upstream-Status: Backport
18
19Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
20---
21 bin/named/config.c | 3 +-
22 bin/named/include/named/query.h | 2 -
23 bin/named/query.c | 7 ++-
24 bin/named/server.c | 5 ++
25 bin/tests/system/many/clean.sh | 7 +++
26 bin/tests/system/many/ns1/named.conf | 33 +++++++++++++
27 bin/tests/system/many/ns2/named.conf | 30 ++++++++++++
28 bin/tests/system/many/ns3/named.conf | 32 +++++++++++++
29 bin/tests/system/many/ns4/named.conf | 30 ++++++++++++
30 bin/tests/system/many/ns5/hints.db | 2 +
31 bin/tests/system/many/ns5/named.conf | 29 ++++++++++++
32 bin/tests/system/many/setup.sh | 75 ++++++++++++++++++++++++++++++
33 bin/tests/system/many/tests.sh | 48 +++++++++++++++++++
34 doc/arm/Bv9ARM-book.xml | 12 +++++
35 lib/dns/adb.c | 58 ++++++++++++++++-------
36 lib/dns/include/dns/adb.h | 8 ++++
37 lib/dns/include/dns/resolver.h | 25 ++++++++++
38 lib/dns/resolver.c | 90 ++++++++++++++++++++++++++++++------
39 lib/isccfg/namedconf.c | 1 +
40 20 files changed, 471 insertions(+), 37 deletions(-)
41 create mode 100644 bin/tests/system/many/clean.sh
42 create mode 100644 bin/tests/system/many/ns1/named.conf
43 create mode 100644 bin/tests/system/many/ns2/named.conf
44 create mode 100644 bin/tests/system/many/ns3/named.conf
45 create mode 100644 bin/tests/system/many/ns4/named.conf
46 create mode 100644 bin/tests/system/many/ns5/hints.db
47 create mode 100644 bin/tests/system/many/ns5/named.conf
48 create mode 100644 bin/tests/system/many/setup.sh
49 create mode 100644 bin/tests/system/many/tests.sh
50
51diff --git a/bin/named/config.c b/bin/named/config.c
52index 2782720..5ee8c4e 100644
53--- a/bin/named/config.c
54+++ b/bin/named/config.c
55@@ -15,8 +15,6 @@
56 * PERFORMANCE OF THIS SOFTWARE.
57 */
58
59-/* $Id: config.c,v 1.123 2012/01/06 23:46:41 tbox Exp $ */
60-
61 /*! \file */
62
63 #include <config.h>
64@@ -160,6 +158,7 @@ options {\n\
65 dnssec-accept-expired no;\n\
66 clients-per-query 10;\n\
67 max-clients-per-query 100;\n\
68+ max-recursion-depth 7;\n\
69 zero-no-soa-ttl-cache no;\n\
70 nsec3-test-zone no;\n\
71 allow-new-zones no;\n\
72diff --git a/bin/named/include/named/query.h b/bin/named/include/named/query.h
73index 3beabb8..b5e3900 100644
74--- a/bin/named/include/named/query.h
75+++ b/bin/named/include/named/query.h
76@@ -15,8 +15,6 @@
77 * PERFORMANCE OF THIS SOFTWARE.
78 */
79
80-/* $Id: query.h,v 1.45 2011/01/13 04:59:24 tbox Exp $ */
81-
82 #ifndef NAMED_QUERY_H
83 #define NAMED_QUERY_H 1
84
85diff --git a/bin/named/query.c b/bin/named/query.c
86index 982f76d..47bfc6a 100644
87--- a/bin/named/query.c
88+++ b/bin/named/query.c
89@@ -3877,12 +3877,11 @@ query_recurse(ns_client_t *client, dns_rdatatype_t qtype, dns_name_t *qname,
90 peeraddr = &client->peeraddr;
91 else
92 peeraddr = NULL;
93- result = dns_resolver_createfetch2(client->view->resolver,
94+ result = dns_resolver_createfetch3(client->view->resolver,
95 qname, qtype, qdomain, nameservers,
96 NULL, peeraddr, client->message->id,
97- client->query.fetchoptions,
98- client->task,
99- query_resume, client,
100+ client->query.fetchoptions, 0,
101+ client->task, query_resume, client,
102 rdataset, sigrdataset,
103 &client->query.fetch);
104
105diff --git a/bin/named/server.c b/bin/named/server.c
106index ac015a4..0559977 100644
107--- a/bin/named/server.c
108+++ b/bin/named/server.c
109@@ -3161,6 +3161,11 @@ configure_view(dns_view_t *view, cfg_obj_t *config, cfg_obj_t *vconfig,
110 cfg_obj_asuint32(obj),
111 max_clients_per_query);
112
113+ obj = NULL;
114+ result = ns_config_get(maps, "max-recursion-depth", &obj);
115+ INSIST(result == ISC_R_SUCCESS);
116+ dns_resolver_setmaxdepth(view->resolver, cfg_obj_asuint32(obj));
117+
118 #ifdef ALLOW_FILTER_AAAA_ON_V4
119 obj = NULL;
120 result = ns_config_get(maps, "filter-aaaa-on-v4", &obj);
121diff --git a/bin/tests/system/many/clean.sh b/bin/tests/system/many/clean.sh
122new file mode 100644
123index 0000000..119b1f5
124--- /dev/null
125+++ b/bin/tests/system/many/clean.sh
126@@ -0,0 +1,7 @@
127+rm -f ns1/[1-9]*example.tld?.db
128+rm -f ns2/[1-9]*example.tld?.db
129+rm -f ns1/zones.conf
130+rm -f ns2/zones.conf
131+rm -f */root.db
132+rm -f ns3/tld1.db
133+rm -f ns4/tld2.db
134diff --git a/bin/tests/system/many/ns1/named.conf b/bin/tests/system/many/ns1/named.conf
135new file mode 100644
136index 0000000..abc9dca
137--- /dev/null
138+++ b/bin/tests/system/many/ns1/named.conf
139@@ -0,0 +1,33 @@
140+/*
141+ * Copyright (C) 2014 Internet Systems Consortium, Inc. ("ISC")
142+ *
143+ * Permission to use, copy, modify, and/or distribute this software for any
144+ * purpose with or without fee is hereby granted, provided that the above
145+ * copyright notice and this permission notice appear in all copies.
146+ *
147+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
148+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
149+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
150+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
151+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
152+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
153+ * PERFORMANCE OF THIS SOFTWARE.
154+ */
155+
156+controls { /* empty */ };
157+
158+options {
159+ query-source address 10.53.0.1;
160+ notify-source 10.53.0.1;
161+ transfer-source 10.53.0.1;
162+ port 5300;
163+ pid-file "named.pid";
164+ listen-on { 10.53.0.1; };
165+ listen-on-v6 { none; };
166+ recursion no;
167+};
168+
169+include "zones.conf";
170+
171+// zone "tld1" { type master; file "tld1.db"; };
172+// zone "tld2" { type master; file "tld2.db"; };
173diff --git a/bin/tests/system/many/ns2/named.conf b/bin/tests/system/many/ns2/named.conf
174new file mode 100644
175index 0000000..16266e2
176--- /dev/null
177+++ b/bin/tests/system/many/ns2/named.conf
178@@ -0,0 +1,30 @@
179+/*
180+ * Copyright (C) 2014 Internet Systems Consortium, Inc. ("ISC")
181+ *
182+ * Permission to use, copy, modify, and/or distribute this software for any
183+ * purpose with or without fee is hereby granted, provided that the above
184+ * copyright notice and this permission notice appear in all copies.
185+ *
186+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
187+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
188+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
189+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
190+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
191+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
192+ * PERFORMANCE OF THIS SOFTWARE.
193+ */
194+
195+controls { /* empty */ };
196+
197+options {
198+ query-source address 10.53.0.2;
199+ notify-source 10.53.0.2;
200+ transfer-source 10.53.0.2;
201+ port 5300;
202+ pid-file "named.pid";
203+ listen-on { 10.53.0.2; };
204+ listen-on-v6 { none; };
205+ recursion no;
206+};
207+
208+include "zones.conf";
209diff --git a/bin/tests/system/many/ns3/named.conf b/bin/tests/system/many/ns3/named.conf
210new file mode 100644
211index 0000000..b950afe
212--- /dev/null
213+++ b/bin/tests/system/many/ns3/named.conf
214@@ -0,0 +1,32 @@
215+/*
216+ * Copyright (C) 2014 Internet Systems Consortium, Inc. ("ISC")
217+ *
218+ * Permission to use, copy, modify, and/or distribute this software for any
219+ * purpose with or without fee is hereby granted, provided that the above
220+ * copyright notice and this permission notice appear in all copies.
221+ *
222+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
223+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
224+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
225+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
226+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
227+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
228+ * PERFORMANCE OF THIS SOFTWARE.
229+ */
230+
231+controls { /* empty */ };
232+
233+options {
234+ query-source address 10.53.0.3;
235+ notify-source 10.53.0.3;
236+ transfer-source 10.53.0.3;
237+ port 5300;
238+ pid-file "named.pid";
239+ listen-on { 10.53.0.3; };
240+ listen-on-v6 { none; };
241+ recursion no;
242+};
243+
244+zone "." { type master; file "root.db"; };
245+
246+zone "tld1" { type master; file "tld1.db"; };
247diff --git a/bin/tests/system/many/ns4/named.conf b/bin/tests/system/many/ns4/named.conf
248new file mode 100644
249index 0000000..ca9aa6a
250--- /dev/null
251+++ b/bin/tests/system/many/ns4/named.conf
252@@ -0,0 +1,30 @@
253+/*
254+ * Copyright (C) 2014 Internet Systems Consortium, Inc. ("ISC")
255+ *
256+ * Permission to use, copy, modify, and/or distribute this software for any
257+ * purpose with or without fee is hereby granted, provided that the above
258+ * copyright notice and this permission notice appear in all copies.
259+ *
260+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
261+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
262+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
263+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
264+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
265+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
266+ * PERFORMANCE OF THIS SOFTWARE.
267+ */
268+
269+controls { /* empty */ };
270+
271+options {
272+ query-source address 10.53.0.4;
273+ notify-source 10.53.0.4;
274+ transfer-source 10.53.0.4;
275+ port 5300;
276+ pid-file "named.pid";
277+ listen-on { 10.53.0.4; };
278+ listen-on-v6 { none; };
279+ recursion no;
280+};
281+
282+zone "tld2" { type master; file "tld2.db"; };
283diff --git a/bin/tests/system/many/ns5/hints.db b/bin/tests/system/many/ns5/hints.db
284new file mode 100644
285index 0000000..c05809b
286--- /dev/null
287+++ b/bin/tests/system/many/ns5/hints.db
288@@ -0,0 +1,2 @@
289+. 60 in ns ns.nil.
290+ns.nil. 60 in A 10.53.0.3
291diff --git a/bin/tests/system/many/ns5/named.conf b/bin/tests/system/many/ns5/named.conf
292new file mode 100644
293index 0000000..fce7d59
294--- /dev/null
295+++ b/bin/tests/system/many/ns5/named.conf
296@@ -0,0 +1,29 @@
297+/*
298+ * Copyright (C) 2014 Internet Systems Consortium, Inc. ("ISC")
299+ *
300+ * Permission to use, copy, modify, and/or distribute this software for any
301+ * purpose with or without fee is hereby granted, provided that the above
302+ * copyright notice and this permission notice appear in all copies.
303+ *
304+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
305+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
306+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
307+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
308+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
309+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
310+ * PERFORMANCE OF THIS SOFTWARE.
311+ */
312+
313+controls { /* empty */ };
314+
315+options {
316+ query-source address 10.53.0.5;
317+ notify-source 10.53.0.5;
318+ transfer-source 10.53.0.5;
319+ port 5300;
320+ pid-file "named.pid";
321+ listen-on { 10.53.0.5; };
322+ listen-on-v6 { none; };
323+};
324+
325+zone "." { type hint; file "hints.db"; };
326diff --git a/bin/tests/system/many/setup.sh b/bin/tests/system/many/setup.sh
327new file mode 100644
328index 0000000..80695b5
329--- /dev/null
330+++ b/bin/tests/system/many/setup.sh
331@@ -0,0 +1,75 @@
332+i=1
333+
334+cat > ns3/root.db << EOF
335+. 60 in soa ns.nil. hostmaster.ns.nil. 1 0 0 0 0
336+. 60 in ns ns.nil.
337+ns.nil. 60 in a 10.53.0.3
338+tld1. 60 in ns ns.tld1.
339+ns.tld1. 60 in a 10.53.0.3
340+tld2. 60 in ns ns.tld2.
341+ns.tld2. 60 in a 10.53.0.4
342+EOF
343+
344+cat > ns3/tld1.db << EOF
345+tld1. 60 in soa ns.tld1. hostmaster.ns.tld1. 1 0 0 0 0
346+tld1. 60 in ns ns.tld1.
347+ns.tld1. 60 in a 10.53.0.1
348+EOF
349+
350+cat > ns4/tld2.db << EOF
351+tld2. 60 in soa ns.tld2. hostmaster.ns.tld4. 1 0 0 0 0
352+tld2. 60 in ns ns.tld2.
353+ns.tld2. 60 in a 10.53.0.1
354+EOF
355+
356+: > ns1/zones.conf
357+: > ns2/zones.conf
358+
359+while [ $i -lt 1000 ]
360+do
361+j=`expr $i + 1`
362+s=`expr $j % 2 + 1`
363+n=`expr $i % 2 + 1`
364+t=`expr $s + 2`
365+
366+# i=1 j=2 s=1 n=2
367+# i=2 j=3 s=1 n=2
368+# i=3 j=4 s=1 n=2
369+
370+cat > ns1/${i}example.tld${s}.db << EOF
371+${i}example.tld${s}. 60 in soa ns.${j}example.tld${n}. hostmaster 1 0 0 0 0
372+${i}example.tld${s}. 60 in ns ns.${j}example.tld${n}.
373+ns.${i}example.tld${s}. 60 in a 10.53.0.1
374+EOF
375+
376+cat >> ns1/zones.conf << EOF
377+zone "${i}example.tld${s}" { type master; file "${i}example.tld${s}.db"; };
378+EOF
379+
380+cat >> ns${t}/tld${s}.db << EOF
381+${i}example.tld${s}. 60 in ns ns.${j}example.tld${n}.
382+EOF
383+
384+i=$j
385+
386+done
387+
388+j=`expr $i + 1`
389+s=`expr $j % 2 + 1`
390+n=`expr $s % 2 + 1`
391+t=`expr $s + 2`
392+
393+cat > ns1/${i}example.tld${s}.db << EOF
394+${i}example.tld${s}. 60 in soa ns.${i}example.tld${s}. hostmaster 1 0 0 0 0
395+${i}example.tld${s}. 60 in ns ns.${i}example.tld${s}.
396+ns.${i}example.tld${s}. 60 in a 10.53.0.1
397+EOF
398+
399+cat >> ns1/zones.conf << EOF
400+zone "${i}example.tld${s}" { type master; file "${i}example.tld${s}.db"; };
401+EOF
402+
403+cat >> ns${t}/tld${s}.db << EOF
404+${i}example.tld${s}. 60 in ns ns.${i}example.tld${s}.
405+ns.${i}example.tld${s}. 60 in a 10.53.0.1
406+EOF
407diff --git a/bin/tests/system/many/tests.sh b/bin/tests/system/many/tests.sh
408new file mode 100644
409index 0000000..37964e2
410--- /dev/null
411+++ b/bin/tests/system/many/tests.sh
412@@ -0,0 +1,48 @@
413+#!/bin/sh
414+#
415+# Copyright (C) 2014 Internet Systems Consortium, Inc. ("ISC")
416+#
417+# Permission to use, copy, modify, and/or distribute this software for any
418+# purpose with or without fee is hereby granted, provided that the above
419+# copyright notice and this permission notice appear in all copies.
420+#
421+# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
422+# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
423+# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
424+# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
425+# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
426+# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
427+# PERFORMANCE OF THIS SOFTWARE.
428+
429+SYSTEMTESTTOP=..
430+. $SYSTEMTESTTOP/conf.sh
431+
432+status=0
433+n=0
434+
435+n=`expr $n + 1`
436+echo "I: attempt lookup 1example.tld2 soa ($n)"
437+ret=0
438+$DIG +tcp 1example.tld1 soa @10.53.0.5 -p 5300 > dig.out.test$n
439+grep "status: SERVFAIL" dig.out.test$n > /dev/null || ret=1
440+if [ $ret != 0 ]; then echo "I:failed"; fi
441+status=`expr $status + $ret`
442+
443+n=`expr $n + 1`
444+echo "I: attempt lookup 992example.tld2 soa ($n)"
445+ret=0
446+$DIG +tcp 992example.tld2 soa @10.53.0.5 -p 5300 > dig.out.test$n
447+grep "status: SERVFAIL" dig.out.test$n > /dev/null || ret=1
448+if [ $ret != 0 ]; then echo "I:failed"; fi
449+status=`expr $status + $ret`
450+
451+n=`expr $n + 1`
452+echo "I: attempt lookup 993example.tld1 soa ($n)"
453+ret=0
454+$DIG +tcp 993example.tld1 soa @10.53.0.5 -p 5300 > dig.out.test$n
455+grep "status: NOERROR" dig.out.test$n > /dev/null || ret=1
456+if [ $ret != 0 ]; then echo "I:failed"; fi
457+status=`expr $status + $ret`
458+
459+echo "I:exit status: $status"
460+exit $status
461diff --git a/doc/arm/Bv9ARM-book.xml b/doc/arm/Bv9ARM-book.xml
462index 9f7bd38..fff4249 100644
463--- a/doc/arm/Bv9ARM-book.xml
464+++ b/doc/arm/Bv9ARM-book.xml
465@@ -4861,6 +4861,7 @@ badresp:1,adberr:0,findfail:0,valfail:0]
466 <optional> max-acache-size <replaceable>size_spec</replaceable> ; </optional>
467 <optional> clients-per-query <replaceable>number</replaceable> ; </optional>
468 <optional> max-clients-per-query <replaceable>number</replaceable> ; </optional>
469+ <optional> max-recursion-depth <replaceable>number</replaceable> ; </optional>
470 <optional> masterfile-format (<constant>text</constant>|<constant>raw</constant>) ; </optional>
471 <optional> empty-server <replaceable>name</replaceable> ; </optional>
472 <optional> empty-contact <replaceable>name</replaceable> ; </optional>
473@@ -8680,6 +8681,17 @@ avoid-v6-udp-ports { 40000; range 50000 60000; };
474 </listitem>
475 </varlistentry>
476
477+ <varlistentry id="max-recursion-depth">
478+ <term><command>max-recursion-depth</command></term>
479+ <listitem>
480+ <para>
481+ Sets the maximum number of levels of recursion
482+ permitted at any one time while resolving a name.
483+ The default is 7.
484+ </para>
485+ </listitem>
486+ </varlistentry>
487+
488 <varlistentry>
489 <term><command>notify-delay</command></term>
490 <listitem>
491diff --git a/lib/dns/adb.c b/lib/dns/adb.c
492index 2ccb51e..fe9b3f7 100644
493--- a/lib/dns/adb.c
494+++ b/lib/dns/adb.c
495@@ -199,6 +199,7 @@ struct dns_adbfetch {
496 unsigned int magic;
497 dns_fetch_t *fetch;
498 dns_rdataset_t rdataset;
499+ unsigned int depth;
500 };
501
502 /*%
503@@ -300,7 +301,7 @@ static inline void violate_locking_hierarchy(isc_mutex_t *, isc_mutex_t *);
504 static isc_boolean_t clean_namehooks(dns_adb_t *, dns_adbnamehooklist_t *);
505 static void clean_target(dns_adb_t *, dns_name_t *);
506 static void clean_finds_at_name(dns_adbname_t *, isc_eventtype_t,
507- unsigned int);
508+ isc_uint32_t, unsigned int);
509 static isc_boolean_t check_expire_namehooks(dns_adbname_t *, isc_stdtime_t);
510 static isc_boolean_t check_expire_entry(dns_adb_t *, dns_adbentry_t **,
511 isc_stdtime_t);
512@@ -308,7 +309,7 @@ static void cancel_fetches_at_name(dns_adbname_t *);
513 static isc_result_t dbfind_name(dns_adbname_t *, isc_stdtime_t,
514 dns_rdatatype_t);
515 static isc_result_t fetch_name(dns_adbname_t *, isc_boolean_t,
516- dns_rdatatype_t);
517+ unsigned int, dns_rdatatype_t);
518 static inline void check_exit(dns_adb_t *);
519 static void destroy(dns_adb_t *);
520 static isc_boolean_t shutdown_names(dns_adb_t *);
521@@ -984,7 +985,7 @@ kill_name(dns_adbname_t **n, isc_eventtype_t ev) {
522 * Clean up the name's various lists. These two are destructive
523 * in that they will always empty the list.
524 */
525- clean_finds_at_name(name, ev, DNS_ADBFIND_ADDRESSMASK);
526+ clean_finds_at_name(name, ev, 0, DNS_ADBFIND_ADDRESSMASK);
527 result4 = clean_namehooks(adb, &name->v4);
528 result6 = clean_namehooks(adb, &name->v6);
529 clean_target(adb, &name->target);
530@@ -1409,7 +1410,7 @@ event_free(isc_event_t *event) {
531 */
532 static void
533 clean_finds_at_name(dns_adbname_t *name, isc_eventtype_t evtype,
534- unsigned int addrs)
535+ isc_uint32_t qtotal, unsigned int addrs)
536 {
537 isc_event_t *ev;
538 isc_task_t *task;
539@@ -1469,6 +1470,7 @@ clean_finds_at_name(dns_adbname_t *name, isc_eventtype_t evtype,
540 ev->ev_sender = find;
541 find->result_v4 = find_err_map[name->fetch_err];
542 find->result_v6 = find_err_map[name->fetch6_err];
543+ find->qtotal += qtotal;
544 ev->ev_type = evtype;
545 ev->ev_destroy = event_free;
546 ev->ev_destroy_arg = find;
547@@ -1827,6 +1829,7 @@ new_adbfind(dns_adb_t *adb) {
548 h->flags = 0;
549 h->result_v4 = ISC_R_UNEXPECTED;
550 h->result_v6 = ISC_R_UNEXPECTED;
551+ h->qtotal = 0;
552 ISC_LINK_INIT(h, publink);
553 ISC_LINK_INIT(h, plink);
554 ISC_LIST_INIT(h->list);
555@@ -2799,6 +2802,19 @@ dns_adb_createfind(dns_adb_t *adb, isc_task_t *task, isc_taskaction_t action,
556 isc_stdtime_t now, dns_name_t *target,
557 in_port_t port, dns_adbfind_t **findp)
558 {
559+ return (dns_adb_createfind2(adb, task, action, arg, name,
560+ qname, qtype, options, now,
561+ target, port, 0, findp));
562+}
563+
564+isc_result_t
565+dns_adb_createfind2(dns_adb_t *adb, isc_task_t *task, isc_taskaction_t action,
566+ void *arg, dns_name_t *name, dns_name_t *qname,
567+ dns_rdatatype_t qtype, unsigned int options,
568+ isc_stdtime_t now, dns_name_t *target,
569+ in_port_t port, unsigned int depth,
570+ dns_adbfind_t **findp)
571+{
572 dns_adbfind_t *find;
573 dns_adbname_t *adbname;
574 int bucket;
575@@ -3029,7 +3045,7 @@ dns_adb_createfind(dns_adb_t *adb, isc_task_t *task, isc_taskaction_t action,
576 * Start V4.
577 */
578 if (WANT_INET(wanted_fetches) &&
579- fetch_name(adbname, start_at_zone,
580+ fetch_name(adbname, start_at_zone, depth,
581 dns_rdatatype_a) == ISC_R_SUCCESS) {
582 DP(DEF_LEVEL,
583 "dns_adb_createfind: started A fetch for name %p",
584@@ -3040,7 +3056,7 @@ dns_adb_createfind(dns_adb_t *adb, isc_task_t *task, isc_taskaction_t action,
585 * Start V6.
586 */
587 if (WANT_INET6(wanted_fetches) &&
588- fetch_name(adbname, start_at_zone,
589+ fetch_name(adbname, start_at_zone, depth,
590 dns_rdatatype_aaaa) == ISC_R_SUCCESS) {
591 DP(DEF_LEVEL,
592 "dns_adb_createfind: "
593@@ -3656,6 +3672,7 @@ fetch_callback(isc_task_t *task, isc_event_t *ev) {
594 isc_result_t result;
595 unsigned int address_type;
596 isc_boolean_t want_check_exit = ISC_FALSE;
597+ isc_uint32_t qtotal = 0;
598
599 UNUSED(task);
600
601@@ -3666,6 +3683,8 @@ fetch_callback(isc_task_t *task, isc_event_t *ev) {
602 adb = name->adb;
603 INSIST(DNS_ADB_VALID(adb));
604
605+ qtotal = dev->qtotal;
606+
607 bucket = name->lock_bucket;
608 LOCK(&adb->namelocks[bucket]);
609
610@@ -3783,6 +3802,12 @@ fetch_callback(isc_task_t *task, isc_event_t *ev) {
611 DP(DEF_LEVEL, "adb: fetch of '%s' %s failed: %s",
612 buf, address_type == DNS_ADBFIND_INET ? "A" : "AAAA",
613 dns_result_totext(dev->result));
614+ /*
615+ * Don't record a failure unless this is the initial
616+ * fetch of a chain.
617+ */
618+ if (fetch->depth > 1)
619+ goto out;
620 /* XXXMLG Don't pound on bad servers. */
621 if (address_type == DNS_ADBFIND_INET) {
622 name->expire_v4 = ISC_MIN(name->expire_v4, now + 300);
623@@ -3814,15 +3839,14 @@ fetch_callback(isc_task_t *task, isc_event_t *ev) {
624 free_adbfetch(adb, &fetch);
625 isc_event_free(&ev);
626
627- clean_finds_at_name(name, ev_status, address_type);
628+ clean_finds_at_name(name, ev_status, qtotal, address_type);
629
630 UNLOCK(&adb->namelocks[bucket]);
631 }
632
633 static isc_result_t
634-fetch_name(dns_adbname_t *adbname,
635- isc_boolean_t start_at_zone,
636- dns_rdatatype_t type)
637+fetch_name(dns_adbname_t *adbname, isc_boolean_t start_at_zone,
638+ unsigned int depth, dns_rdatatype_t type)
639 {
640 isc_result_t result;
641 dns_adbfetch_t *fetch = NULL;
642@@ -3867,12 +3891,14 @@ fetch_name(dns_adbname_t *adbname,
643 result = ISC_R_NOMEMORY;
644 goto cleanup;
645 }
646-
647- result = dns_resolver_createfetch(adb->view->resolver, &adbname->name,
648- type, name, nameservers, NULL,
649- options, adb->task, fetch_callback,
650- adbname, &fetch->rdataset, NULL,
651- &fetch->fetch);
652+ fetch->depth = depth;
653+
654+ result = dns_resolver_createfetch3(adb->view->resolver, &adbname->name,
655+ type, name, nameservers, NULL,
656+ NULL, 0, options, depth, adb->task,
657+ fetch_callback, adbname,
658+ &fetch->rdataset, NULL,
659+ &fetch->fetch);
660 if (result != ISC_R_SUCCESS)
661 goto cleanup;
662
663diff --git a/lib/dns/include/dns/adb.h b/lib/dns/include/dns/adb.h
664index 35350ff..7501f01 100644
665--- a/lib/dns/include/dns/adb.h
666+++ b/lib/dns/include/dns/adb.h
667@@ -118,6 +118,8 @@ struct dns_adbfind {
668 isc_result_t result_v6; /*%< RO: v6 result */
669 ISC_LINK(dns_adbfind_t) publink; /*%< RW: client use */
670
671+ isc_uint32_t qtotal;
672+
673 /* Private */
674 isc_mutex_t lock; /* locks all below */
675 in_port_t port;
676@@ -334,6 +336,12 @@ dns_adb_createfind(dns_adb_t *adb, isc_task_t *task, isc_taskaction_t action,
677 dns_rdatatype_t qtype, unsigned int options,
678 isc_stdtime_t now, dns_name_t *target,
679 in_port_t port, dns_adbfind_t **find);
680+isc_result_t
681+dns_adb_createfind2(dns_adb_t *adb, isc_task_t *task, isc_taskaction_t action,
682+ void *arg, dns_name_t *name, dns_name_t *qname,
683+ dns_rdatatype_t qtype, unsigned int options,
684+ isc_stdtime_t now, dns_name_t *target, in_port_t port,
685+ unsigned int depth, dns_adbfind_t **find);
686 /*%<
687 * Main interface for clients. The adb will look up the name given in
688 * "name" and will build up a list of found addresses, and perhaps start
689diff --git a/lib/dns/include/dns/resolver.h b/lib/dns/include/dns/resolver.h
690index 4e20eb6..c256049 100644
691--- a/lib/dns/include/dns/resolver.h
692+++ b/lib/dns/include/dns/resolver.h
693@@ -82,6 +82,7 @@ typedef struct dns_fetchevent {
694 isc_sockaddr_t * client;
695 dns_messageid_t id;
696 isc_result_t vresult;
697+ isc_uint32_t qtotal;
698 } dns_fetchevent_t;
699
700 /*
701@@ -275,6 +276,18 @@ dns_resolver_createfetch2(dns_resolver_t *res, dns_name_t *name,
702 dns_rdataset_t *rdataset,
703 dns_rdataset_t *sigrdataset,
704 dns_fetch_t **fetchp);
705+isc_result_t
706+dns_resolver_createfetch3(dns_resolver_t *res, dns_name_t *name,
707+ dns_rdatatype_t type,
708+ dns_name_t *domain, dns_rdataset_t *nameservers,
709+ dns_forwarders_t *forwarders,
710+ isc_sockaddr_t *client, isc_uint16_t id,
711+ unsigned int options, unsigned int depth,
712+ isc_task_t *task,
713+ isc_taskaction_t action, void *arg,
714+ dns_rdataset_t *rdataset,
715+ dns_rdataset_t *sigrdataset,
716+ dns_fetch_t **fetchp);
717 /*%<
718 * Recurse to answer a question.
719 *
720@@ -576,6 +589,18 @@ dns_resolver_printbadcache(dns_resolver_t *resolver, FILE *fp);
721 * \li resolver to be valid.
722 */
723
724+void
725+dns_resolver_setmaxdepth(dns_resolver_t *resolver, unsigned int maxdepth);
726+unsigned int
727+dns_resolver_getmaxdepth(dns_resolver_t *resolver);
728+/*%
729+ * Get and set how many NS indirections will be followed when looking for
730+ * nameserver addresses.
731+ *
732+ * Requires:
733+ * \li resolver to be valid.
734+ */
735+
736 ISC_LANG_ENDDECLS
737
738 #endif /* DNS_RESOLVER_H */
739diff --git a/lib/dns/resolver.c b/lib/dns/resolver.c
740index e517dad..6a635b2 100644
741--- a/lib/dns/resolver.c
742+++ b/lib/dns/resolver.c
743@@ -131,6 +131,16 @@
744 #define MAXIMUM_QUERY_TIMEOUT 30 /* The maximum time in seconds for the whole query to live. */
745 #endif
746
747+/* The default maximum number of recursions to follow before giving up. */
748+#ifndef DEFAULT_RECURSION_DEPTH
749+#define DEFAULT_RECURSION_DEPTH 7
750+#endif
751+
752+/* The default maximum number of iterative queries to allow before giving up. */
753+#ifndef DEFAULT_MAX_QUERIES
754+#define DEFAULT_MAX_QUERIES 50
755+#endif
756+
757 /*%
758 * Maximum EDNS0 input packet size.
759 */
760@@ -297,6 +307,7 @@ struct fetchctx {
761 isc_uint64_t duration;
762 isc_boolean_t logged;
763 unsigned int querysent;
764+ unsigned int totalqueries;
765 unsigned int referrals;
766 unsigned int lamecount;
767 unsigned int neterr;
768@@ -307,6 +318,7 @@ struct fetchctx {
769 isc_boolean_t timeout;
770 dns_adbaddrinfo_t *addrinfo;
771 isc_sockaddr_t *client;
772+ unsigned int depth;
773 };
774
775 #define FCTX_MAGIC ISC_MAGIC('F', '!', '!', '!')
776@@ -419,6 +431,7 @@ struct dns_resolver {
777 isc_timer_t * spillattimer;
778 isc_boolean_t zero_no_soa_ttl;
779 unsigned int query_timeout;
780+ unsigned int maxdepth;
781
782 /* Locked by lock. */
783 unsigned int references;
784@@ -1097,6 +1110,7 @@ fctx_sendevents(fetchctx_t *fctx, isc_result_t result, int line) {
785 event->result == DNS_R_NCACHENXRRSET);
786 }
787
788+ event->qtotal = fctx->totalqueries;
789 isc_task_sendanddetach(&task, ISC_EVENT_PTR(&event));
790 count++;
791 }
792@@ -1537,7 +1551,9 @@ fctx_query(fetchctx_t *fctx, dns_adbaddrinfo_t *addrinfo,
793 if (result != ISC_R_SUCCESS)
794 goto cleanup_dispatch;
795 }
796+
797 fctx->querysent++;
798+ fctx->totalqueries++;
799
800 ISC_LIST_APPEND(fctx->queries, query, link);
801 query->fctx->nqueries++;
802@@ -2194,9 +2210,10 @@ fctx_finddone(isc_task_t *task, isc_event_t *event) {
803 */
804 INSIST(!SHUTTINGDOWN(fctx));
805 fctx->attributes &= ~FCTX_ATTR_ADDRWAIT;
806- if (event->ev_type == DNS_EVENT_ADBMOREADDRESSES)
807+ if (event->ev_type == DNS_EVENT_ADBMOREADDRESSES) {
808 want_try = ISC_TRUE;
809- else {
810+ fctx->totalqueries += find->qtotal;
811+ } else {
812 fctx->findfail++;
813 if (fctx->pending == 0) {
814 /*
815@@ -2479,12 +2496,13 @@ findname(fetchctx_t *fctx, dns_name_t *name, in_port_t port,
816 * See what we know about this address.
817 */
818 find = NULL;
819- result = dns_adb_createfind(fctx->adb,
820- res->buckets[fctx->bucketnum].task,
821- fctx_finddone, fctx, name,
822- &fctx->name, fctx->type,
823- options, now, NULL,
824- res->view->dstport, &find);
825+ result = dns_adb_createfind2(fctx->adb,
826+ res->buckets[fctx->bucketnum].task,
827+ fctx_finddone, fctx, name,
828+ &fctx->name, fctx->type,
829+ options, now, NULL,
830+ res->view->dstport,
831+ fctx->depth + 1, &find);
832 if (result != ISC_R_SUCCESS) {
833 if (result == DNS_R_ALIAS) {
834 /*
835@@ -2592,6 +2610,11 @@ fctx_getaddresses(fetchctx_t *fctx, isc_boolean_t badcache) {
836
837 res = fctx->res;
838
839+ if (fctx->depth > res->maxdepth) {
840+ FCTXTRACE("too much NS indirection");
841+ return (DNS_R_SERVFAIL);
842+ }
843+
844 /*
845 * Forwarders.
846 */
847@@ -3030,6 +3053,9 @@ fctx_try(fetchctx_t *fctx, isc_boolean_t retrying, isc_boolean_t badcache) {
848
849 REQUIRE(!ADDRWAIT(fctx));
850
851+ if (fctx->totalqueries > DEFAULT_MAX_QUERIES)
852+ fctx_done(fctx, DNS_R_SERVFAIL, __LINE__);
853+
854 addrinfo = fctx_nextaddress(fctx);
855 if (addrinfo == NULL) {
856 /*
857@@ -3388,6 +3414,7 @@ fctx_start(isc_task_t *task, isc_event_t *event) {
858 * Normal fctx startup.
859 */
860 fctx->state = fetchstate_active;
861+ fctx->totalqueries = 0;
862 /*
863 * Reset the control event for later use in shutting down
864 * the fctx.
865@@ -3457,6 +3484,7 @@ fctx_join(fetchctx_t *fctx, isc_task_t *task, isc_sockaddr_t *client,
866 event->fetch = fetch;
867 event->client = client;
868 event->id = id;
869+ event->qtotal = 0;
870 dns_fixedname_init(&event->foundname);
871
872 /*
873@@ -3493,7 +3521,8 @@ log_ns_ttl(fetchctx_t *fctx, const char *where) {
874 static isc_result_t
875 fctx_create(dns_resolver_t *res, dns_name_t *name, dns_rdatatype_t type,
876 dns_name_t *domain, dns_rdataset_t *nameservers,
877- unsigned int options, unsigned int bucketnum, fetchctx_t **fctxp)
878+ unsigned int options, unsigned int bucketnum, unsigned int depth,
879+ fetchctx_t **fctxp)
880 {
881 fetchctx_t *fctx;
882 isc_result_t result;
883@@ -3545,6 +3574,7 @@ fctx_create(dns_resolver_t *res, dns_name_t *name, dns_rdatatype_t type,
884 fctx->state = fetchstate_init;
885 fctx->want_shutdown = ISC_FALSE;
886 fctx->cloned = ISC_FALSE;
887+ fctx->depth = depth;
888 ISC_LIST_INIT(fctx->queries);
889 ISC_LIST_INIT(fctx->finds);
890 ISC_LIST_INIT(fctx->altfinds);
891@@ -3563,6 +3593,7 @@ fctx_create(dns_resolver_t *res, dns_name_t *name, dns_rdatatype_t type,
892 fctx->pending = 0;
893 fctx->restarts = 0;
894 fctx->querysent = 0;
895+ fctx->totalqueries = 0;
896 fctx->referrals = 0;
897 TIME_NOW(&fctx->start);
898 fctx->timeouts = 0;
899@@ -7781,6 +7812,7 @@ dns_resolver_create(dns_view_t *view,
900 res->spillattimer = NULL;
901 res->zero_no_soa_ttl = ISC_FALSE;
902 res->query_timeout = DEFAULT_QUERY_TIMEOUT;
903+ res->maxdepth = DEFAULT_RECURSION_DEPTH;
904 res->nbuckets = ntasks;
905 res->activebuckets = ntasks;
906 res->buckets = isc_mem_get(view->mctx,
907@@ -8219,9 +8251,9 @@ dns_resolver_createfetch(dns_resolver_t *res, dns_name_t *name,
908 dns_rdataset_t *sigrdataset,
909 dns_fetch_t **fetchp)
910 {
911- return (dns_resolver_createfetch2(res, name, type, domain,
912+ return (dns_resolver_createfetch3(res, name, type, domain,
913 nameservers, forwarders, NULL, 0,
914- options, task, action, arg,
915+ options, 0, task, action, arg,
916 rdataset, sigrdataset, fetchp));
917 }
918
919@@ -8237,6 +8269,25 @@ dns_resolver_createfetch2(dns_resolver_t *res, dns_name_t *name,
920 dns_rdataset_t *sigrdataset,
921 dns_fetch_t **fetchp)
922 {
923+ return (dns_resolver_createfetch3(res, name, type, domain,
924+ nameservers, forwarders, client, id,
925+ options, 0, task, action, arg,
926+ rdataset, sigrdataset, fetchp));
927+}
928+
929+isc_result_t
930+dns_resolver_createfetch3(dns_resolver_t *res, dns_name_t *name,
931+ dns_rdatatype_t type,
932+ dns_name_t *domain, dns_rdataset_t *nameservers,
933+ dns_forwarders_t *forwarders,
934+ isc_sockaddr_t *client, dns_messageid_t id,
935+ unsigned int options, unsigned int depth,
936+ isc_task_t *task,
937+ isc_taskaction_t action, void *arg,
938+ dns_rdataset_t *rdataset,
939+ dns_rdataset_t *sigrdataset,
940+ dns_fetch_t **fetchp)
941+{
942 dns_fetch_t *fetch;
943 fetchctx_t *fctx = NULL;
944 isc_result_t result = ISC_R_SUCCESS;
945@@ -8325,11 +8376,12 @@ dns_resolver_createfetch2(dns_resolver_t *res, dns_name_t *name,
946
947 if (fctx == NULL) {
948 result = fctx_create(res, name, type, domain, nameservers,
949- options, bucketnum, &fctx);
950+ options, bucketnum, depth, &fctx);
951 if (result != ISC_R_SUCCESS)
952 goto unlock;
953 new_fctx = ISC_TRUE;
954- }
955+ } else if (fctx->depth > depth)
956+ fctx->depth = depth;
957
958 result = fctx_join(fctx, task, client, id, action, arg,
959 rdataset, sigrdataset, fetch);
960@@ -9101,3 +9153,15 @@ dns_resolver_settimeout(dns_resolver_t *resolver, unsigned int seconds) {
961
962 resolver->query_timeout = seconds;
963 }
964+
965+void
966+dns_resolver_setmaxdepth(dns_resolver_t *resolver, unsigned int maxdepth) {
967+ REQUIRE(VALID_RESOLVER(resolver));
968+ resolver->maxdepth = maxdepth;
969+}
970+
971+unsigned int
972+dns_resolver_getmaxdepth(dns_resolver_t *resolver) {
973+ REQUIRE(VALID_RESOLVER(resolver));
974+ return (resolver->maxdepth);
975+}
976diff --git a/lib/isccfg/namedconf.c b/lib/isccfg/namedconf.c
977index bfd4bab..5f8b037 100644
978--- a/lib/isccfg/namedconf.c
979+++ b/lib/isccfg/namedconf.c
980@@ -1393,6 +1393,7 @@ view_clauses[] = {
981 { "max-cache-ttl", &cfg_type_uint32, 0 },
982 { "max-clients-per-query", &cfg_type_uint32, 0 },
983 { "max-ncache-ttl", &cfg_type_uint32, 0 },
984+ { "max-recursion-depth", &cfg_type_uint32, 0 },
985 { "max-udp-size", &cfg_type_uint32, 0 },
986 { "min-roots", &cfg_type_uint32, CFG_CLAUSEFLAG_NOTIMP },
987 { "minimal-responses", &cfg_type_boolean, 0 },
988--
9891.9.1
990
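diff --git a/meta/recipes-connectivity/bind/bind/bind9_9_5-CVE-2015-5477.patch b/meta/recipes-connectivity/bind/bind/bind9_9_5-CVE-2015-5477.patch
new file mode 100644
index 0000000..896272a
--- /dev/null
+++ b/meta/recipes-connectivity/bind/bind/bind9_9_5-CVE-2015-5477.patch
@@ -0,0 +1,45 @@
+From dbb064aa7972ef918d9a235b713108a4846cbb62 Mon Sep 17 00:00:00 2001
+From: Mark Andrews <marka@isc.org>
+Date: Tue, 14 Jul 2015 14:48:42 +1000
+Subject: [PATCH] 4165. [bug] An failure to reset a value to NULL
+ in tkey.c could result in an assertion failure.
+ (CVE-2015-5477) [RT #40046]
+
+Upstream-Status: Backport
+[CHANGES file has been edited manually to add CVE-2015-5477 and
+an already applied CVE (CVE-2014-8500)].
+
+Referenc: https://kb.isc.org/article/AA-01272
+
+Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
+
+diff -ruN a/CHANGES b/CHANGES
+--- a/CHANGES 2014-01-27 19:58:24.000000000 +0100
++++ b/CHANGES 2015-07-30 11:03:18.871670769 +0200
+@@ -1,4 +1,15 @@
+ --- 9.9.5 released ---
++4165. [security] An failure to reset a value to NULL in tkey.c could
++ result in an assertion failure. (CVE-2015-5477)
++ [RT #40046]
++
++4006. [security] A flaw in delegation handling could be exploited
++ to put named into an infinite loop. This has
++ been addressed by placing limits on the number
++ of levels of recursion named will allow (default 7),
++ and the number of iterative queries that it will
++ send (default 50) before terminating a recursive
++ query (CVE-2014-8500).
+
+ --- 9.9.5rc2 released ---
+
+diff -ruN a/lib/dns/tkey.c b/lib/dns/tkey.c
+--- a/lib/dns/tkey.c 2014-01-27 19:58:24.000000000 +0100
++++ b/lib/dns/tkey.c 2015-07-30 10:58:30.647945942 +0200
+@@ -650,6 +650,7 @@
+ * Try the answer section, since that's where Win2000
+ * puts it.
+ */
++ name = NULL;
+ if (dns_message_findname(msg, DNS_SECTION_ANSWER, qname,
+ dns_rdatatype_tkey, 0, &name,
+ &tkeyset) != ISC_R_SUCCESS) {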
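Review bot: The `name = NULL;` added in the tkey.c hunk carries no comment explaining the reset, so a reader sees a bare reassignment immediately before the ANSWER-section lookup; the enclosing function and the earlier lookup that presumably leaves `name` pointing at a node are both outside the hunk, and the `diff -ruN` output carries no function context line. Only the patch header explains the change, and only as "could result in an assertion failure", which is the defect the CVE describes: a non-NULL `name` reaching the second lookup trips an assertion instead of failing the lookup. A one-line why-comment keeps that reasoning next to the code, e.g. `/* Previous section lookup may have set name; it must be NULL before the next dns_message_findname() call. */`, after confirming the exact precondition against dns_message_findname()'s own REQUIRE rather than wording it from memory. The "Referenc:" and "An failure" typos live inside the committed patch text, so fixing them means regenerating the patch file rather than editing the recipe.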
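diff --git a/meta/recipes-connectivity/bind/bind/conf.patch b/meta/recipes-connectivity/bind/bind/conf.patch
new file mode 100644
index 0000000..432c874
--- /dev/null
+++ b/meta/recipes-connectivity/bind/bind/conf.patch
@@ -0,0 +1,314 @@
+Upstream-Status: Inappropriate [configuration]
+
+the patch is imported from openembedded project
+
+11/30/2010 - Qing He <qing.he@intel.com>
+
+diff -urN bind-9.3.1.orig/conf/db.0 bind-9.3.1/conf/db.0
+--- bind-9.3.1.orig/conf/db.0 1970-01-01 01:00:00.000000000 +0100
++++ bind-9.3.1/conf/db.0 2005-07-10 22:14:00.000000000 +0200
+@@ -0,0 +1,12 @@
++;
++; BIND reverse data file for broadcast zone
++;
++$TTL 604800
++@ IN SOA localhost. root.localhost. (
++ 1 ; Serial
++ 604800 ; Refresh
++ 86400 ; Retry
++ 2419200 ; Expire
++ 604800 ) ; Negative Cache TTL
++;
++@ IN NS localhost.
+diff -urN bind-9.3.1.orig/conf/db.127 bind-9.3.1/conf/db.127
+--- bind-9.3.1.orig/conf/db.127 1970-01-01 01:00:00.000000000 +0100
++++ bind-9.3.1/conf/db.127 2005-07-10 22:14:00.000000000 +0200
+@@ -0,0 +1,13 @@
++;
++; BIND reverse data file for local loopback interface
++;
++$TTL 604800
++@ IN SOA localhost. root.localhost. (
++ 1 ; Serial
++ 604800 ; Refresh
++ 86400 ; Retry
++ 2419200 ; Expire
++ 604800 ) ; Negative Cache TTL
++;
++@ IN NS localhost.
++1.0.0 IN PTR localhost.
+diff -urN bind-9.3.1.orig/conf/db.empty bind-9.3.1/conf/db.empty
+--- bind-9.3.1.orig/conf/db.empty 1970-01-01 01:00:00.000000000 +0100
++++ bind-9.3.1/conf/db.empty 2005-07-10 22:14:00.000000000 +0200
+@@ -0,0 +1,14 @@
++; BIND reverse data file for empty rfc1918 zone
++;
++; DO NOT EDIT THIS FILE - it is used for multiple zones.
++; Instead, copy it, edit named.conf, and use that copy.
++;
++$TTL 86400
++@ IN SOA localhost. root.localhost. (
++ 1 ; Serial
++ 604800 ; Refresh
++ 86400 ; Retry
++ 2419200 ; Expire
++ 86400 ) ; Negative Cache TTL
++;
++@ IN NS localhost.
+diff -urN bind-9.3.1.orig/conf/db.local bind-9.3.1/conf/db.local
+--- bind-9.3.1.orig/conf/db.local 1970-01-01 01:00:00.000000000 +0100
++++ bind-9.3.1/conf/db.local 2005-07-10 22:14:00.000000000 +0200
+@@ -0,0 +1,13 @@
++;
++; BIND data file for local loopback interface
++;
++$TTL 604800
++@ IN SOA localhost. root.localhost. (
++ 1 ; Serial
++ 604800 ; Refresh
++ 86400 ; Retry
++ 2419200 ; Expire
++ 604800 ) ; Negative Cache TTL
++;
++@ IN NS localhost.
++@ IN A 127.0.0.1
+diff -urN bind-9.3.1.orig/conf/db.root bind-9.3.1/conf/db.root
+--- bind-9.3.1.orig/conf/db.root 1970-01-01 01:00:00.000000000 +0100
++++ bind-9.3.1/conf/db.root 2005-07-10 22:14:00.000000000 +0200
+@@ -0,0 +1,45 @@
++
++; <<>> DiG 9.2.3 <<>> ns . @a.root-servers.net.
++;; global options: printcmd
++;; Got answer:
++;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 18944
++;; flags: qr aa rd; QUERY: 1, ANSWER: 13, AUTHORITY: 0, ADDITIONAL: 13
++
++;; QUESTION SECTION:
++;. IN NS
++
++;; ANSWER SECTION:
++. 518400 IN NS A.ROOT-SERVERS.NET.
++. 518400 IN NS B.ROOT-SERVERS.NET.
++. 518400 IN NS C.ROOT-SERVERS.NET.
++. 518400 IN NS D.ROOT-SERVERS.NET.
++. 518400 IN NS E.ROOT-SERVERS.NET.
++. 518400 IN NS F.ROOT-SERVERS.NET.
++. 518400 IN NS G.ROOT-SERVERS.NET.
++. 518400 IN NS H.ROOT-SERVERS.NET.
++. 518400 IN NS I.ROOT-SERVERS.NET.
++. 518400 IN NS J.ROOT-SERVERS.NET.
++. 518400 IN NS K.ROOT-SERVERS.NET.
++. 518400 IN NS L.ROOT-SERVERS.NET.
++. 518400 IN NS M.ROOT-SERVERS.NET.
++
++;; ADDITIONAL SECTION:
++A.ROOT-SERVERS.NET. 3600000 IN A 198.41.0.4
++B.ROOT-SERVERS.NET. 3600000 IN A 192.228.79.201
++C.ROOT-SERVERS.NET. 3600000 IN A 192.33.4.12
++D.ROOT-SERVERS.NET. 3600000 IN A 128.8.10.90
++E.ROOT-SERVERS.NET. 3600000 IN A 192.203.230.10
++F.ROOT-SERVERS.NET. 3600000 IN A 192.5.5.241
++G.ROOT-SERVERS.NET. 3600000 IN A 192.112.36.4
++H.ROOT-SERVERS.NET. 3600000 IN A 128.63.2.53
++I.ROOT-SERVERS.NET. 3600000 IN A 192.36.148.17
++J.ROOT-SERVERS.NET. 3600000 IN A 192.58.128.30
++K.ROOT-SERVERS.NET. 3600000 IN A 193.0.14.129
++L.ROOT-SERVERS.NET. 3600000 IN A 198.32.64.12
++M.ROOT-SERVERS.NET. 3600000 IN A 202.12.27.33
++
++;; Query time: 81 msec
++;; SERVER: 198.41.0.4#53(a.root-servers.net.)
++;; WHEN: Sun Feb 1 11:27:14 2004
++;; MSG SIZE rcvd: 436
++
+diff -urN bind-9.3.1.orig/conf/named.conf bind-9.3.1/conf/named.conf
+--- bind-9.3.1.orig/conf/named.conf 1970-01-01 01:00:00.000000000 +0100
++++ bind-9.3.1/conf/named.conf 2005-07-10 22:33:46.000000000 +0200
+@@ -0,0 +1,49 @@
++// This is the primary configuration file for the BIND DNS server named.
++//
++// If you are just adding zones, please do that in /etc/bind/named.conf.local
++
++include "/etc/bind/named.conf.options";
++
++// prime the server with knowledge of the root servers
++zone "." {
++ type hint;
++ file "/etc/bind/db.root";
++};
++
++// be authoritative for the localhost forward and reverse zones, and for
++// broadcast zones as per RFC 1912
++
++zone "localhost" {
++ type master;
++ file "/etc/bind/db.local";
++};
++
++zone "127.in-addr.arpa" {
++ type master;
++ file "/etc/bind/db.127";
++};
++
++zone "0.in-addr.arpa" {
++ type master;
++ file "/etc/bind/db.0";
++};
++
++zone "255.in-addr.arpa" {
++ type master;
++ file "/etc/bind/db.255";
++};
++
++// zone "com" { type delegation-only; };
++// zone "net" { type delegation-only; };
++
++// From the release notes:
++// Because many of our users are uncomfortable receiving undelegated answers
++// from root or top level domains, other than a few for whom that behaviour
++// has been trusted and expected for quite some length of time, we have now
++// introduced the "root-delegations-only" feature which applies delegation-only
++// logic to all top level domains, and to the root domain. An exception list
++// should be specified, including "MUSEUM" and "DE", and any other top level
++// domains from whom undelegated responses are expected and trusted.
++// root-delegation-only exclude { "DE"; "MUSEUM"; };
++
++include "/etc/bind/named.conf.local";
+diff -urN bind-9.3.1.orig/conf/named.conf.local bind-9.3.1/conf/named.conf.local
+--- bind-9.3.1.orig/conf/named.conf.local 1970-01-01 01:00:00.000000000 +0100
++++ bind-9.3.1/conf/named.conf.local 2005-07-10 22:14:06.000000000 +0200
+@@ -0,0 +1,8 @@
++//
++// Do any local configuration here
++//
++
++// Consider adding the 1918 zones here, if they are not used in your
++// organization
++//include "/etc/bind/zones.rfc1918";
++
+diff -urN bind-9.3.1.orig/conf/named.conf.options bind-9.3.1/conf/named.conf.options
+--- bind-9.3.1.orig/conf/named.conf.options 1970-01-01 01:00:00.000000000 +0100
++++ bind-9.3.1/conf/named.conf.options 2005-07-10 22:14:06.000000000 +0200
+@@ -0,0 +1,24 @@
++options {
++ directory "/var/cache/bind";
++
++ // If there is a firewall between you and nameservers you want
++ // to talk to, you might need to uncomment the query-source
++ // directive below. Previous versions of BIND always asked
++ // questions using port 53, but BIND 8.1 and later use an unprivileged
++ // port by default.
++
++ // query-source address * port 53;
++
++ // If your ISP provided one or more IP addresses for stable
++ // nameservers, you probably want to use them as forwarders.
++ // Uncomment the following block, and insert the addresses replacing
++ // the all-0's placeholder.
++
++ // forwarders {
++ // 0.0.0.0;
++ // };
++
++ auth-nxdomain no; # conform to RFC1035
++
++};
++
+diff -urN bind-9.3.1.orig/conf/zones.rfc1918 bind-9.3.1/conf/zones.rfc1918
+--- bind-9.3.1.orig/conf/zones.rfc1918 1970-01-01 01:00:00.000000000 +0100
++++ bind-9.3.1/conf/zones.rfc1918 2005-07-10 22:14:10.000000000 +0200
+@@ -0,0 +1,20 @@
++zone "10.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
++
++zone "16.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
++zone "17.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
++zone "18.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
++zone "19.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
++zone "20.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
++zone "21.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
++zone "22.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
++zone "23.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
++zone "24.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
++zone "25.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
++zone "26.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
++zone "27.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
++zone "28.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
++zone "29.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
++zone "30.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
++zone "31.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
++
++zone "168.192.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
+diff -urN bind-9.3.1.orig/init.d bind-9.3.1/init.d
+--- bind-9.3.1.orig/init.d 1970-01-01 01:00:00.000000000 +0100
++++ bind-9.3.1/init.d 2005-07-10 23:09:58.000000000 +0200
+@@ -0,0 +1,70 @@
++#!/bin/sh
++
++PATH=/sbin:/bin:/usr/sbin:/usr/bin
++
++# for a chrooted server: "-u bind -t /var/lib/named"
++# Don't modify this line, change or create /etc/default/bind9.
++OPTIONS=""
++
++test -f /etc/default/bind9 && . /etc/default/bind9
++
++test -x /usr/sbin/rndc || exit 0
++
++case "$1" in
++ start)
++ echo -n "Starting domain name service: named"
++
++ modprobe capability >/dev/null 2>&1 || true
++ if [ ! -f /etc/bind/rndc.key ]; then
++ /usr/sbin/rndc-confgen -a -b 512 -r /dev/urandom
++ chmod 0640 /etc/bind/rndc.key
++ fi
++ if [ -f /var/run/named/named.pid ]; then
++ ps `cat /var/run/named/named.pid` > /dev/null && exit 1
++ fi
++
++ # dirs under /var/run can go away on reboots.
++ mkdir -p /var/run/named
++ mkdir -p /var/cache/bind
++ chmod 775 /var/run/named
++ chown root:bind /var/run/named >/dev/null 2>&1 || true
++
++ if [ ! -x /usr/sbin/named ]; then
++ echo "named binary missing - not starting"
++ exit 1
++ fi
++ if start-stop-daemon --start --quiet --exec /usr/sbin/named \
++ --pidfile /var/run/named/named.pid -- $OPTIONS; then
++ if [ -x /sbin/resolvconf ] ; then
++ echo "nameserver 127.0.0.1" | /sbin/resolvconf -a lo
++ fi
++ fi
++ echo "."
++ ;;
++
++ stop)
++ echo -n "Stopping domain name service: named"
++ if [ -x /sbin/resolvconf ]; then
++ /sbin/resolvconf -d lo
++ fi
++ /usr/sbin/rndc stop >/dev/null 2>&1
++ echo "."
++ ;;
++
++ reload)
++ /usr/sbin/rndc reload
++ ;;
++
++ restart|force-reload)
++ $0 stop
++ sleep 2
++ $0 start
++ ;;
++
++ *)
++ echo "Usage: /etc/init.d/bind {start|stop|reload|restart|force-reload}" >&2
++ exit 1
++ ;;
++esac
++
++exit 0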
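Review bot: The `start` branch of the bundled init.d script generates /etc/bind/rndc.key and runs `chmod 0640` on it but never sets an owner or group, so unless rndc-confgen assigns one itself the file stays root:root and the group-read bit grants nothing; generate-rndc-key.sh repeats the same two lines. If named is run unprivileged (the script's own comment suggests `-u bind` via /etc/default/bind9), it may then be unable to read the key that the rndc controls channel depends on. Adding `chown root:bind /etc/bind/rndc.key` after the chmod, mirroring the `chown root:bind /var/run/named` done a few lines further down, closes that gap. The pidfile check `ps \`cat /var/run/named/named.pid\` > /dev/null && exit 1` also trusts a possibly stale pidfile (any live process with a reused PID blocks the start) and exits without the newline that the preceding `echo -n` withheld.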
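diff --git a/meta/recipes-connectivity/bind/bind/cross-build-fix.patch b/meta/recipes-connectivity/bind/bind/cross-build-fix.patch
new file mode 100644
index 0000000..4c37b6b
--- /dev/null
+++ b/meta/recipes-connectivity/bind/bind/cross-build-fix.patch
@@ -0,0 +1,21 @@
+Upstream-Status: Inappropriate [configuration]
+
+11/30/2010
+gen.c should be build by ${BUILD_CC}
+
+Signed-off-by: Qing He <qing.he@intel.com>
+
+diff --git a/lib/export/dns/Makefile.in b/lib/export/dns/Makefile.in
+index aeadf57..d3fae74 100644
+--- a/lib/export/dns/Makefile.in
++++ b/lib/export/dns/Makefile.in
+@@ -166,7 +166,8 @@ code.h: gen
+ ./gen -s ${srcdir} > code.h
+
+ gen: ${srcdir}/gen.c
+- ${CC} ${ALL_CFLAGS} ${LDFLAGS} -o $@ ${srcdir}/gen.c ${LIBS}
++ ${BUILD_CC} ${BUILD_CFLAGS} -I${top_srcdir}/lib/isc/include \
++ ${BUILD_CPPFLAGS} ${BUILD_LDFLAGS} -o $@ ${srcdir}/gen.c ${BUILD_LIBS}
+
+ #We don't need rbtdb64 for this library
+ #rbtdb64.@O@: rbtdb.c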
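diff --git a/meta/recipes-connectivity/bind/bind/dont-test-on-host.patch b/meta/recipes-connectivity/bind/bind/dont-test-on-host.patch
new file mode 100644
index 0000000..288e58b
--- /dev/null
+++ b/meta/recipes-connectivity/bind/bind/dont-test-on-host.patch
@@ -0,0 +1,17 @@
+Upstream-Status: Pending
+
+Signed-off-by Saul Wold <sgw@linux.intel.com>
+
+Index: bind-9.9.5/bin/Makefile.in
+===================================================================
+--- bind-9.9.5.orig/bin/Makefile.in
++++ bind-9.9.5/bin/Makefile.in
+@@ -19,7 +19,7 @@ srcdir = @srcdir@
+ VPATH = @srcdir@
+ top_srcdir = @top_srcdir@
+
+-SUBDIRS = named rndc dig dnssec tools tests nsupdate \
++SUBDIRS = named rndc dig dnssec tools nsupdate \
+ check confgen @PYTHON_TOOLS@ @PKCS11_TOOLS@
+ TARGETS =
+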
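diff --git a/meta/recipes-connectivity/bind/bind/generate-rndc-key.sh b/meta/recipes-connectivity/bind/bind/generate-rndc-key.sh
new file mode 100644
index 0000000..db20127
--- /dev/null
+++ b/meta/recipes-connectivity/bind/bind/generate-rndc-key.sh
@@ -0,0 +1,7 @@
+#!/bin/sh
+
+if [ ! -s /etc/bind/rndc.key ]; then
+ echo -n "Generating /etc/bind/rndc.key:"
+ /usr/sbin/rndc-confgen -a -b 512 -r /dev/urandom
+ chmod 0640 /etc/bind/rndc.key
+fi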
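diff --git a/meta/recipes-connectivity/bind/bind/init.d-add-support-for-read-only-rootfs.patch b/meta/recipes-connectivity/bind/bind/init.d-add-support-for-read-only-rootfs.patch
new file mode 100644
index 0000000..11db95e
--- /dev/null
+++ b/meta/recipes-connectivity/bind/bind/init.d-add-support-for-read-only-rootfs.patch
@@ -0,0 +1,65 @@
+Subject: init.d: add support for read-only rootfs
+
+Upstream-Status: Inappropriate [oe specific]
+
+Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
+---
+ init.d | 40 ++++++++++++++++++++++++++++++++++++++++
+ 1 file changed, 40 insertions(+)
+
+diff --git a/init.d b/init.d
+index 0111ed4..24677c8 100644
+--- a/init.d
++++ b/init.d
+@@ -6,8 +6,48 @@ PATH=/sbin:/bin:/usr/sbin:/usr/bin
+ # Don't modify this line, change or create /etc/default/bind9.
+ OPTIONS=""
+
++test -f /etc/default/rcS && . /etc/default/rcS
+ test -f /etc/default/bind9 && . /etc/default/bind9
+
++# This function is here because it's possible that /var and / are on different partitions.
++is_on_read_only_partition () {
++ DIRECTORY=$1
++ dir=`readlink -f $DIRECTORY`
++ while true; do
++ if [ ! -d "$dir" ]; then
++ echo "ERROR: $dir is not a directory"
++ exit 1
++ else
++ for flag in `awk -v dir=$dir '{ if ($2 == dir) { print "FOUND"; split($4,FLAGS,",") } }; \
++ END { for (f in FLAGS) print FLAGS[f] }' < /proc/mounts`; do
++ [ "$flag" = "FOUND" ] && partition="read-write"
++ [ "$flag" = "ro" ] && { partition="read-only"; break; }
++ done
++ if [ "$dir" = "/" -o -n "$partition" ]; then
++ break
++ else
++ dir=`dirname $dir`
++ fi
++ fi
++ done
++ [ "$partition" = "read-only" ] && echo "yes" || echo "no"
++}
++
++bind_mount () {
++ olddir=$1
++ newdir=$2
++ mkdir -p $olddir
++ cp -a $newdir/* $olddir
++ mount --bind $olddir $newdir
++}
++
++# Deal with read-only rootfs
++if [ "$ROOTFS_READ_ONLY" = "yes" ]; then
++ [ "$VERBOSE" != "no" ] && echo "WARN: start bind service in read-only rootfs"
++ [ `is_on_read_only_partition /etc/bind` = "yes" ] && bind_mount /var/volatile/bind/etc /etc/bind
++ [ `is_on_read_only_partition /var/named` = "yes" ] && bind_mount /var/volatile/bind/named /var/named
++fi
++
+ test -x /usr/sbin/rndc || exit 0
+
+ case "$1" in
+--
+1.7.9.5
+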
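Review bot: `is_on_read_only_partition` never initialises `partition`, so its value leaks from one call to the next through the shell's global scope: once the `/etc/bind` call has set it, the following `/var/named` call hits `[ "$dir" = "/" -o -n "$partition" ]` on its first iteration and breaks out with the stale answer whenever /var/named is not itself a mount point, never walking up to the mount that actually contains it. Setting `partition=""` immediately after `DIRECTORY=$1` confines the result to the current call. Separately, `$DIRECTORY` and `$dir` are expanded unquoted in the `readlink`, `awk -v dir=$dir` and `dirname` calls, and the awk comparison is literal, so a mount point containing characters that /proc/mounts escapes (spaces appear as `\040`) would not be matched.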
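diff --git a/meta/recipes-connectivity/bind/bind/make-etc-initd-bind-stop-work.patch b/meta/recipes-connectivity/bind/bind/make-etc-initd-bind-stop-work.patch
new file mode 100644
index 0000000..146f3e3
--- /dev/null
+++ b/meta/recipes-connectivity/bind/bind/make-etc-initd-bind-stop-work.patch
@@ -0,0 +1,42 @@
+bind: make "/etc/init.d/bind stop" work
+
+Upstream-Status: Inappropriate [configuration]
+
+Add some configurations, make rndc command be able to controls
+the named daemon.
+
+Signed-off-by: Roy Li <rongqing.li@windriver.com>
+---
+ conf/named.conf | 5 +++++
+ conf/rndc.conf | 5 +++++
+ 2 files changed, 10 insertions(+), 0 deletions(-)
+ create mode 100644 conf/rndc.conf
+
+diff --git a/conf/named.conf b/conf/named.conf
+index 95829cf..c8899e7 100644
+--- a/conf/named.conf
++++ b/conf/named.conf
+@@ -47,3 +47,8 @@ zone "255.in-addr.arpa" {
+ // root-delegation-only exclude { "DE"; "MUSEUM"; };
+
+ include "/etc/bind/named.conf.local";
++include "/etc/bind/rndc.key" ;
++controls {
++ inet 127.0.0.1 allow { localhost; }
++ keys { rndc-key; };
++};
+diff --git a/conf/rndc.conf b/conf/rndc.conf
+new file mode 100644
+index 0000000..a0b481d
+--- /dev/null
++++ b/conf/rndc.conf
+@@ -0,0 +1,5 @@
++include "/etc/bind/rndc.key";
++options {
++ default-server localhost;
++ default-key rndc-key;
++};
+
+--
+1.7.5.4
+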
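Review bot: The new rndc.conf points the client at `default-server localhost;` while the `controls` stanza added to named.conf listens only on `inet 127.0.0.1`, so on a host whose resolver returns ::1 for localhost before 127.0.0.1, rndc may try the IPv6 loopback first and fail to connect, which is the `/etc/init.d/bind stop` failure this patch sets out to cure. Using `default-server 127.0.0.1;` in rndc.conf (or adding a matching `inet ::1 allow { localhost; } keys { rndc-key; };` line to `controls`) removes the ambiguity. The stray space in `include "/etc/bind/rndc.key" ;` is harmless but inconsistent with the other include lines in named.conf.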
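diff --git a/meta/recipes-connectivity/bind/bind/mips1-not-support-opcode.diff b/meta/recipes-connectivity/bind/bind/mips1-not-support-opcode.diff
new file mode 100644
index 0000000..2930796
--- /dev/null
+++ b/meta/recipes-connectivity/bind/bind/mips1-not-support-opcode.diff
@@ -0,0 +1,104 @@
+bind: port a patch to fix a build failure
+
+mips1 does not support ll and sc instructions, and lead to below error, now
+we port a patch from debian to fix it
+[http://security.debian.org/debian-security/pool/updates/main/b/bind9/bind9_9.8.4.dfsg.P1-6+nmu2+deb7u1.diff.gz]
+
+| {standard input}: Assembler messages:
+| {standard input}:47: Error: Opcode not supported on this processor: mips1 (mips1) `ll $3,0($6)'
+| {standard input}:50: Error: Opcode not supported on this processor: mips1 (mips1) `sc $3,0($6)'
+
+Upstream-Status: Pending
+
+Signed-off-by: Roy Li <rongqing.li@windriver.com>
+
+--- bind9-9.8.4.dfsg.P1.orig/lib/isc/mips/include/isc/atomic.h
++++ bind9-9.8.4.dfsg.P1/lib/isc/mips/include/isc/atomic.h
+@@ -31,18 +31,20 @@
+ isc_atomic_xadd(isc_int32_t *p, int val) {
+ isc_int32_t orig;
+
+- /* add is a cheat, since MIPS has no mov instruction */
+- __asm__ volatile (
+- "1:"
+- "ll $3, %1\n"
+- "add %0, $0, $3\n"
+- "add $3, $3, %2\n"
+- "sc $3, %1\n"
+- "beq $3, 0, 1b"
+- : "=&r"(orig)
+- : "m"(*p), "r"(val)
+- : "memory", "$3"
+- );
++ __asm__ __volatile__ (
++ " .set push \n"
++ " .set mips2 \n"
++ " .set noreorder \n"
++ " .set noat \n"
++ "1: ll $1, %1 \n"
++ " addu %0, $1, %2 \n"
++ " sc %0, %1 \n"
++ " beqz %0, 1b \n"
++ " move %0, $1 \n"
++ " .set pop \n"
++ : "=&r" (orig), "+R" (*p)
++ : "r" (val)
++ : "memory");
+
+ return (orig);
+ }
+@@ -52,16 +54,7 @@
+ */
+ static inline void
+ isc_atomic_store(isc_int32_t *p, isc_int32_t val) {
+- __asm__ volatile (
+- "1:"
+- "ll $3, %0\n"
+- "add $3, $0, %1\n"
+- "sc $3, %0\n"
+- "beq $3, 0, 1b"
+- :
+- : "m"(*p), "r"(val)
+- : "memory", "$3"
+- );
++ *p = val;
+ }
+
+ /*
+@@ -72,20 +65,23 @@
+ static inline isc_int32_t
+ isc_atomic_cmpxchg(isc_int32_t *p, int cmpval, int val) {
+ isc_int32_t orig;
++ isc_int32_t tmp;
+
+- __asm__ volatile(
+- "1:"
+- "ll $3, %1\n"
+- "add %0, $0, $3\n"
+- "bne $3, %2, 2f\n"
+- "add $3, $0, %3\n"
+- "sc $3, %1\n"
+- "beq $3, 0, 1b\n"
+- "2:"
+- : "=&r"(orig)
+- : "m"(*p), "r"(cmpval), "r"(val)
+- : "memory", "$3"
+- );
++ __asm__ __volatile__ (
++ " .set push \n"
++ " .set mips2 \n"
++ " .set noreorder \n"
++ " .set noat \n"
++ "1: ll $1, %1 \n"
++ " bne $1, %3, 2f \n"
++ " move %2, %4 \n"
++ " sc %2, %1 \n"
++ " beqz %2, 1b \n"
++ "2: move %0, $1 \n"
++ " .set pop \n"
++ : "=&r"(orig), "+R" (*p), "=r" (tmp)
++ : "r"(cmpval), "r"(val)
++ : "memory");
+
+ return (orig);
+ }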
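Review bot: The replacement body of `isc_atomic_store`, `*p = val;`, drops the `"memory"` clobber that the removed asm carried, so the compiler is now free to reorder that store against neighbouring memory accesses; an aligned 32-bit store is atomic on MIPS in practice, but any caller that relied on the old implementation as a compiler barrier loses that property. Wrapping the assignment with `__asm__ __volatile__("" ::: "memory");`, or keeping an `ll`/`sc` loop under `.set mips2` like the two sibling functions, would preserve the previous ordering guarantee. The rewritten `isc_atomic_xadd` and `isc_atomic_cmpxchg` deliberately place a `move` in the `beqz`/`bne` delay slot under `.set noreorder`; that is correct but nothing in the file says so, and a one-line comment such as `/* delay slot: executes before the branch is taken */` would stop a future reader from "fixing" it. `isc_atomic_xadd` begins before the first hunk.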
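diff --git a/meta/recipes-connectivity/bind/bind/named.service b/meta/recipes-connectivity/bind/bind/named.service
new file mode 100644
index 0000000..cda56ef
--- /dev/null
+++ b/meta/recipes-connectivity/bind/bind/named.service
@@ -0,0 +1,22 @@
+[Unit]
+Description=Berkeley Internet Name Domain (DNS)
+Wants=nss-lookup.target
+Before=nss-lookup.target
+After=network.target
+
+[Service]
+Type=forking
+EnvironmentFile=-/etc/default/bind9
+PIDFile=/run/named/named.pid
+
+ExecStartPre=@SBINDIR@/generate-rndc-key.sh
+ExecStart=@SBINDIR@/named $OPTIONS
+
+ExecReload=@BASE_BINDIR@/sh -c '@SBINDIR@/rndc reload > /dev/null 2>&1 || @BASE_BINDIR@/kill -HUP $MAINPID'
+
+ExecStop=@BASE_BINDIR@/sh -c '@SBINDIR@/rndc stop > /dev/null 2>&1 || @BASE_BINDIR@/kill -TERM $MAINPID'
+
+PrivateTmp=true
+
+[Install]
+WantedBy=multi-user.target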
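Review bot: Nothing in this unit creates the directory behind `PIDFile=/run/named/named.pid`: the recipe's `rmdir "${D}${localstatedir}/run"` removes the packaged directory, and unlike the sysvinit script (which does `mkdir -p /var/run/named` before starting) the only `ExecStartPre=` here generates the rndc key, so on a tmpfs /run named may be unable to write its pid file and the `Type=forking` start could fail or time out. `RuntimeDirectory=named` under `[Service]` (or a second `ExecStartPre=` that creates the directory) addresses this. The unit also runs named as root, since no `User=` is set and `$OPTIONS` is empty unless /etc/default/bind9 says otherwise; if the intended configuration is `-u bind`, stating it explicitly here would make the privilege level auditable from the unit alone.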
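diff --git a/meta/recipes-connectivity/bind/bind_9.9.5.bb b/meta/recipes-connectivity/bind/bind_9.9.5.bb
new file mode 100644
index 0000000..e206cc4
--- /dev/null
+++ b/meta/recipes-connectivity/bind/bind_9.9.5.bb
@@ -0,0 +1,99 @@
+SUMMARY = "ISC Internet Domain Name Server"
+HOMEPAGE = "http://www.isc.org/sw/bind/"
+SECTION = "console/network"
+
+LICENSE = "ISC & BSD"
+LIC_FILES_CHKSUM = "file://COPYRIGHT;md5=a3df5f651469919a0e6cb42f84fb6ff1"
+
+DEPENDS = "openssl libcap"
+
+SRC_URI = "ftp://ftp.isc.org/isc/bind9/${PV}/${BPN}-${PV}.tar.gz \
+ file://conf.patch \
+ file://cross-build-fix.patch \
+ file://make-etc-initd-bind-stop-work.patch \
+ file://mips1-not-support-opcode.diff \
+ file://dont-test-on-host.patch \
+ file://generate-rndc-key.sh \
+ file://named.service \
+ file://bind9 \
+ file://init.d-add-support-for-read-only-rootfs.patch \
+ file://bind9_9_5-CVE-2014-8500.patch \
+ file://bind9_9_5-CVE-2015-5477.patch \
+ "
+
+SRC_URI[md5sum] = "e676c65cad5234617ee22f48e328c24e"
+SRC_URI[sha256sum] = "d4b64c1dde442145a316679acff2df4008aa117ae52dfa3a6bc69efecc7840d1"
+
+# --enable-exportlib is necessary for building dhcp
+ENABLE_IPV6 = "--enable-ipv6=${@bb.utils.contains('DISTRO_FEATURES', 'ipv6', 'yes', 'no', d)}"
+EXTRA_OECONF = " ${ENABLE_IPV6} --with-randomdev=/dev/random --disable-threads \
+ --disable-devpoll --disable-epoll --with-gost=no \
+ --with-gssapi=no --with-ecdsa=yes \
+ --sysconfdir=${sysconfdir}/bind \
+ --with-openssl=${STAGING_LIBDIR}/.. --with-libxml2=${STAGING_LIBDIR}/.. \
+ --enable-exportlib --with-export-includedir=${includedir} --with-export-libdir=${libdir} \
+ "
+inherit autotools-brokensep update-rc.d systemd useradd
+
+USERADD_PACKAGES = "${PN}"
+USERADD_PARAM_${PN} = "--system --home /var/cache/bind --no-create-home \
+ --user-group bind"
+
+INITSCRIPT_NAME = "bind"
+INITSCRIPT_PARAMS = "defaults"
+
+SYSTEMD_SERVICE_${PN} = "named.service"
+
+PARALLEL_MAKE = ""
+
+RDEPENDS_${PN} = "python-core"
+
+PACKAGE_BEFORE_PN += "${PN}-utils"
+FILES_${PN}-utils = "${bindir}/host ${bindir}/dig"
+FILES_${PN}-dev += "${bindir}/isc-config.h"
+FILES_${PN} += "${sbindir}/generate-rndc-key.sh"
+
+do_install_prepend() {
+ # clean host path in isc-config.sh before the hardlink created
+ # by "make install":
+ # bind9-config -> isc-config.sh
+ sed -i -e "s,${STAGING_LIBDIR},${libdir}," ${S}/isc-config.sh
+}
+
+do_install_append() {
+ rm "${D}${bindir}/nslookup"
+ rm "${D}${mandir}/man1/nslookup.1"
+ rmdir "${D}${localstatedir}/run"
+ rmdir --ignore-fail-on-non-empty "${D}${localstatedir}"
+ install -d "${D}${localstatedir}/cache/bind"
+ install -d "${D}${sysconfdir}/bind"
+ install -d "${D}${sysconfdir}/init.d"
+ install -m 644 ${S}/conf/* "${D}${sysconfdir}/bind/"
+ install -m 755 "${S}/init.d" "${D}${sysconfdir}/init.d/bind"
+ sed -i -e '1s,#!.*python,#! /usr/bin/env python,' ${D}${sbindir}/dnssec-coverage ${D}${sbindir}/dnssec-checkds
+
+ # Install systemd related files
+ install -d ${D}${localstatedir}/cache/bind
+ install -d ${D}${sbindir}
+ install -m 755 ${WORKDIR}/generate-rndc-key.sh ${D}${sbindir}
+ install -d ${D}${systemd_unitdir}/system
+ install -m 0644 ${WORKDIR}/named.service ${D}${systemd_unitdir}/system
+ sed -i -e 's,@BASE_BINDIR@,${base_bindir},g' \
+ -e 's,@SBINDIR@,${sbindir},g' \
+ ${D}${systemd_unitdir}/system/named.service
+
+ install -d ${D}${sysconfdir}/default
+ install -m 0644 ${WORKDIR}/bind9 ${D}${sysconfdir}/default
+}
+
+CONFFILES_${PN} = " \
+ ${sysconfdir}/bind/named.conf \
+ ${sysconfdir}/bind/named.conf.local \
+ ${sysconfdir}/bind/named.conf.options \
+ ${sysconfdir}/bind/db.0 \
+ ${sysconfdir}/bind/db.127 \
+ ${sysconfdir}/bind/db.empty \
+ ${sysconfdir}/bind/db.local \
+ ${sysconfdir}/bind/db.root \
+ "
+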
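Review bot: `CONFFILES_${PN}` lists named.conf* and the db.* zone files but omits `${sysconfdir}/bind/rndc.conf` and `${sysconfdir}/bind/zones.rfc1918`, both of which `install -m 644 ${S}/conf/* "${D}${sysconfdir}/bind/"` places in /etc/bind (conf.patch adds zones.rfc1918, make-etc-initd-bind-stop-work.patch adds rndc.conf), so a package upgrade would overwrite local edits to those two files without conffile handling. Adding the two paths to the list fixes it. `install -d ${D}${localstatedir}/cache/bind` appears twice in `do_install_append` (once quoted, once not); the second copy can go. The comment `# --enable-exportlib is necessary for building dhcp` sits above `ENABLE_IPV6` rather than next to the `--enable-exportlib` flag it explains.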