1 files changed, 67 insertions, 0 deletions
diff --git a/meta/recipes-connectivity/bind/bind/CVE-2022-2795.patch b/meta/recipes-connectivity/bind/bind/CVE-2022-2795.patch
new file mode 100644
index 0000000000..940c6776d3
--- /dev/null
+++ b/meta/recipes-connectivity/bind/bind/CVE-2022-2795.patch
@@ -0,0 +1,67 @@
+From 36c878a0124973f29b7ca49e6bb18310f9b2601f Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Micha=C5=82=20K=C4=99pie=C5=84?= <michal@isc.org>
+Date: Thu, 8 Sep 2022 11:11:30 +0200
+Subject: [PATCH 1/3] Bound the amount of work performed for delegations
+Limit the amount of database lookups that can be triggered in
+fctx_getaddresses() (i.e. when determining the name server addresses to
+query next) by setting a hard limit on the number of NS RRs processed
+for any delegation encountered.  Without any limit in place, named can
+be forced to perform large amounts of database lookups per each query
+received, which severely impacts resolver performance.
+The limit used (20) is an arbitrary value that is considered to be big
+enough for any sane DNS delegation.
+(cherry picked from commit 3a44097fd6c6c260765b628cd1d2c9cb7efb0b2a)
+Upstream-Status: Backport
+CVE: CVE-2022-2795
+Reference to upstream patch:
+https://gitlab.isc.org/isc-projects/bind9/-/commit/bf2ea6d8525bfd96a84dad221ba9e004adb710a8
+Signed-off-by: Mathieu Dubois-Briand <mbriand@witekio.com>
+---
+ lib/dns/resolver.c | 12 ++++++++++++
+ 1 file changed, 12 insertions(+)
+diff --git a/lib/dns/resolver.c b/lib/dns/resolver.c
+index 8ae9a993bbd7..ac9a9ef5d009 100644
+--- a/lib/dns/resolver.c
+++ b/lib/dns/resolver.c
+@@ -180,6 +180,12 @@
+  */
+ #define NS_FAIL_LIMIT 4
+ #define NS_RR_LIMIT   5
+/*
+ * IP address lookups are performed for at most NS_PROCESSING_LIMIT NS RRs in
+ * any NS RRset encountered, to avoid excessive resource use while processing
+ * large delegations.
+ */
+#define NS_PROCESSING_LIMIT 20
+ 
+ /* Number of hash buckets for zone counters */
+ #ifndef RES_DOMAIN_BUCKETS
+@@ -3318,6 +3324,7 @@ fctx_getaddresses(fetchctx_t *fctx, bool badcache) {
+        bool need_alternate = false;
+        bool all_spilled = true;
+        unsigned int no_addresses = 0;
+       unsigned int ns_processed = 0;
+ 
+        FCTXTRACE5("getaddresses", "fctx->depth=", fctx->depth);
+ 
+@@ -3504,6 +3511,11 @@ fctx_getaddresses(fetchctx_t *fctx, bool badcache) {
+ 
+                dns_rdata_reset(&rdata);
+                dns_rdata_freestruct(&ns);
+
+               if (++ns_processed >= NS_PROCESSING_LIMIT) {
+                       result = ISC_R_NOMORE;
+                       break;
+               }
+        }
+        if (result != ISC_R_NOMORE) {
+                return (result);
+-- 
+2.34.1

diff --git a/meta/recipes-connectivity/bind/bind/CVE-2022-2795.patch b/meta/recipes-connectivity/bind/bind/CVE-2022-2795.patch new file mode 100644 index 0000000000..940c6776d3 --- /dev/null +++ b/meta/recipes-connectivity/bind/bind/CVE-2022-2795.patch
@@ -0,0 +1,67 @@
	1	From 36c878a0124973f29b7ca49e6bb18310f9b2601f Mon Sep 17 00:00:00 2001
	2	From: =?UTF-8?q?Micha=C5=82=20K=C4=99pie=C5=84?= <michal@isc.org>
	3	Date: Thu, 8 Sep 2022 11:11:30 +0200
	4	Subject: [PATCH 1/3] Bound the amount of work performed for delegations
	5
	6	Limit the amount of database lookups that can be triggered in
	7	fctx_getaddresses() (i.e. when determining the name server addresses to
	8	query next) by setting a hard limit on the number of NS RRs processed
	9	for any delegation encountered. Without any limit in place, named can
	10	be forced to perform large amounts of database lookups per each query
	11	received, which severely impacts resolver performance.
	12
	13	The limit used (20) is an arbitrary value that is considered to be big
	14	enough for any sane DNS delegation.
	15
	16	(cherry picked from commit 3a44097fd6c6c260765b628cd1d2c9cb7efb0b2a)
	17
	18	Upstream-Status: Backport
	19	CVE: CVE-2022-2795
	20	Reference to upstream patch:
	21	https://gitlab.isc.org/isc-projects/bind9/-/commit/bf2ea6d8525bfd96a84dad221ba9e004adb710a8
	22
	23	Signed-off-by: Mathieu Dubois-Briand <mbriand@witekio.com>
	24	---
	25	lib/dns/resolver.c \| 12 ++++++++++++
	26	1 file changed, 12 insertions(+)
	27
	28	diff --git a/lib/dns/resolver.c b/lib/dns/resolver.c
	29	index 8ae9a993bbd7..ac9a9ef5d009 100644
	30	--- a/lib/dns/resolver.c
	31	+++ b/lib/dns/resolver.c
	32	@@ -180,6 +180,12 @@
	33	*/
	34	#define NS_FAIL_LIMIT 4
	35	#define NS_RR_LIMIT 5
	36	+/*
	37	+ * IP address lookups are performed for at most NS_PROCESSING_LIMIT NS RRs in
	38	+ * any NS RRset encountered, to avoid excessive resource use while processing
	39	+ * large delegations.
	40	+ */
	41	+#define NS_PROCESSING_LIMIT 20
	42
	43	/* Number of hash buckets for zone counters */
	44	#ifndef RES_DOMAIN_BUCKETS
	45	@@ -3318,6 +3324,7 @@ fctx_getaddresses(fetchctx_t *fctx, bool badcache) {
	46	bool need_alternate = false;
	47	bool all_spilled = true;
	48	unsigned int no_addresses = 0;
	49	+ unsigned int ns_processed = 0;
	50
	51	FCTXTRACE5("getaddresses", "fctx->depth=", fctx->depth);
	52
	53	@@ -3504,6 +3511,11 @@ fctx_getaddresses(fetchctx_t *fctx, bool badcache) {
	54
	55	dns_rdata_reset(&rdata);
	56	dns_rdata_freestruct(&ns);
	57	+
	58	+ if (++ns_processed >= NS_PROCESSING_LIMIT) {
	59	+ result = ISC_R_NOMORE;
	60	+ break;
	61	+ }
	62	}
	63	if (result != ISC_R_NOMORE) {
	64	return (result);
	65	--
	66	2.34.1
	67