summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorKai Kang <kai.kang@windriver.com>2017-07-12 09:25:05 +0800
committerRichard Purdie <richard.purdie@linuxfoundation.org>2017-07-17 14:01:39 +0100
commit39f74e11fda240c39135c5f12ed24cc8f0364c72 (patch)
tree8cc55d435d41368d4e1169dd7f868689039be6cf
parente6c05f57a5ee2eb74f69b8e9367cfd9b36f023a8 (diff)
downloadpoky-39f74e11fda240c39135c5f12ed24cc8f0364c72.tar.gz
bind: 9.10.3-P3 -> 9.10.5-P3
Upgrade bind from 9.10.3-P3 to 9.10.5-P3 * Update md5sum of LIC_FILES_CHKSUM that it update year in file COPYRIGHT * Remvoe mips1-not-support-opcode.diff which has been merged * Remove CVE patches that there are backported from upstream * Use python3 for build and make sure install .py files to right directory (From OE-Core rev: 9ee6a0a6599d081767b63382a576e67aed12cf4d) Signed-off-by: Kai Kang <kai.kang@windriver.com> Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Diffstat
-rw-r--r--meta/recipes-connectivity/bind/bind/0001-build-use-pkg-config-to-find-libxml2.patch10
-rw-r--r--meta/recipes-connectivity/bind/bind/CVE-2016-1285.patch154
-rw-r--r--meta/recipes-connectivity/bind/bind/CVE-2016-1286_1.patch79
-rw-r--r--meta/recipes-connectivity/bind/bind/CVE-2016-1286_2.patch317
-rw-r--r--meta/recipes-connectivity/bind/bind/CVE-2016-2088.patch247
-rw-r--r--meta/recipes-connectivity/bind/bind/CVE-2016-2775.patch90
-rw-r--r--meta/recipes-connectivity/bind/bind/CVE-2016-2776.patch123
-rw-r--r--meta/recipes-connectivity/bind/bind/CVE-2016-6170.patch1090
-rw-r--r--meta/recipes-connectivity/bind/bind/CVE-2016-8864.patch219
-rw-r--r--meta/recipes-connectivity/bind/bind/bind-confgen-build-unix.o-once.patch10
-rw-r--r--meta/recipes-connectivity/bind/bind/mips1-not-support-opcode.diff104
-rw-r--r--meta/recipes-connectivity/bind/bind/use-python3-and-fix-install-lib-path.patch36
-rw-r--r--meta/recipes-connectivity/bind/bind_9.10.5-P3.bb (renamed from meta/recipes-connectivity/bind/bind_9.10.3-P3.bb)25
13 files changed, 61 insertions, 2443 deletions
diff --git a/meta/recipes-connectivity/bind/bind/0001-build-use-pkg-config-to-find-libxml2.patch b/meta/recipes-connectivity/bind/bind/0001-build-use-pkg-config-to-find-libxml2.patch
index 805cbb3315..1e23c0f56b 100644
--- a/meta/recipes-connectivity/bind/bind/0001-build-use-pkg-config-to-find-libxml2.patch
+++ b/meta/recipes-connectivity/bind/bind/0001-build-use-pkg-config-to-find-libxml2.patch
@@ -7,15 +7,19 @@ Signed-off-by: Ross Burton <ross.burton@intel.com>
7Update context for version 9.10.3-P2. 7Update context for version 9.10.3-P2.
8 8
9Signed-off-by: Kai Kang <kai.kang@windriver.com> 9Signed-off-by: Kai Kang <kai.kang@windriver.com>
10
11Update context for version 9.10.5-P3.
12
13Signed-off-by: Kai Kang <kai.kang@windriver.com>
10--- 14---
11 configure.in | 23 +++-------------------- 15 configure.in | 23 +++--------------------
12 1 file changed, 3 insertions(+), 20 deletions(-) 16 1 file changed, 3 insertions(+), 20 deletions(-)
13 17
14diff --git a/configure.in b/configure.in 18diff --git a/configure.in b/configure.in
15index 0db826d..75819eb 100644 19index 4da73a4..6f2a754 100644
16--- a/configure.in 20--- a/configure.in
17+++ b/configure.in 21+++ b/configure.in
18@@ -2107,26 +2107,9 @@ case "$use_libxml2" in 22@@ -2282,26 +2282,9 @@ case "$use_libxml2" in
19 DST_LIBXML2_INC="" 23 DST_LIBXML2_INC=""
20 ;; 24 ;;
21 auto|yes) 25 auto|yes)
@@ -25,7 +29,7 @@ index 0db826d..75819eb 100644
25- libxml2_cflags=`xml2-config --cflags` 29- libxml2_cflags=`xml2-config --cflags`
26- ;; 30- ;;
27- *) 31- *)
28- if test "$use_libxml2" = "yes" ; then 32- if test "yes" = "$use_libxml2" ; then
29- AC_MSG_RESULT(no) 33- AC_MSG_RESULT(no)
30- AC_MSG_ERROR(required libxml2 version not available) 34- AC_MSG_ERROR(required libxml2 version not available)
31- else 35- else
diff --git a/meta/recipes-connectivity/bind/bind/CVE-2016-1285.patch b/meta/recipes-connectivity/bind/bind/CVE-2016-1285.patch
deleted file mode 100644
index 2149bd180d..0000000000
--- a/meta/recipes-connectivity/bind/bind/CVE-2016-1285.patch
+++ /dev/null
@@ -1,154 +0,0 @@
1From 70037e040e587329cec82123e12b9f4f7c945f67 Mon Sep 17 00:00:00 2001
2From: Mark Andrews <marka@isc.org>
3Date: Thu, 18 Feb 2016 12:11:27 +1100
4Subject: [PATCH] 4318. [security] Malformed control messages can
5 trigger assertions in named and rndc. (CVE-2016-1285)
6 [RT #41666]
7
8(cherry picked from commit a2b15b3305acd52179e6f3dc7d073b07fbc40b8e)
9
10CVE: CVE-2016-1285
11Upstream-Status: Backport
12[Removed doc/arm/notes.xml changes from upstream patch]
13
14Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
15---
16 CHANGES | 3 +++
17 bin/named/control.c | 2 +-
18 bin/named/controlconf.c | 2 +-
19 bin/rndc/rndc.c | 8 ++++----
20 doc/arm/notes.xml | 11 +++++++++++
21 lib/isccc/cc.c | 14 +++++++-------
22 6 files changed, 27 insertions(+), 13 deletions(-)
23
24diff --git a/CHANGES b/CHANGES
25index b9bd9ef..2c727d5 100644
26--- a/CHANGES
27+++ b/CHANGES
28@@ -1,3 +1,6 @@
29+4318. [security] Malformed control messages can trigger assertions
30+ in named and rndc. (CVE-2016-1285) [RT #41666]
31+
32 --- 9.10.3-P3 released ---
33
34 4288. [bug] Fixed a regression in resolver.c:possibly_mark()
35diff --git a/bin/named/control.c b/bin/named/control.c
36index 8554335..81340ca 100644
37--- a/bin/named/control.c
38+++ b/bin/named/control.c
39@@ -69,7 +69,7 @@ ns_control_docommand(isccc_sexpr_t *message, isc_buffer_t *text) {
40 #endif
41
42 data = isccc_alist_lookup(message, "_data");
43- if (data == NULL) {
44+ if (!isccc_alist_alistp(data)) {
45 /*
46 * No data section.
47 */
48diff --git a/bin/named/controlconf.c b/bin/named/controlconf.c
49index 765afdd..a39ab8b 100644
50--- a/bin/named/controlconf.c
51+++ b/bin/named/controlconf.c
52@@ -402,7 +402,7 @@ control_recvmessage(isc_task_t *task, isc_event_t *event) {
53 * Limit exposure to replay attacks.
54 */
55 _ctrl = isccc_alist_lookup(request, "_ctrl");
56- if (_ctrl == NULL) {
57+ if (!isccc_alist_alistp(_ctrl)) {
58 log_invalid(&conn->ccmsg, ISC_R_FAILURE);
59 goto cleanup_request;
60 }
61diff --git a/bin/rndc/rndc.c b/bin/rndc/rndc.c
62index cb17050..b6e05c8 100644
63--- a/bin/rndc/rndc.c
64+++ b/bin/rndc/rndc.c
65@@ -255,8 +255,8 @@ rndc_recvdone(isc_task_t *task, isc_event_t *event) {
66 isccc_cc_fromwire(&source, &response, algorithm, &secret));
67
68 data = isccc_alist_lookup(response, "_data");
69- if (data == NULL)
70- fatal("no data section in response");
71+ if (!isccc_alist_alistp(data))
72+ fatal("bad or missing data section in response");
73 result = isccc_cc_lookupstring(data, "err", &errormsg);
74 if (result == ISC_R_SUCCESS) {
75 failed = ISC_TRUE;
76@@ -321,8 +321,8 @@ rndc_recvnonce(isc_task_t *task, isc_event_t *event) {
77 isccc_cc_fromwire(&source, &response, algorithm, &secret));
78
79 _ctrl = isccc_alist_lookup(response, "_ctrl");
80- if (_ctrl == NULL)
81- fatal("_ctrl section missing");
82+ if (!isccc_alist_alistp(_ctrl))
83+ fatal("bad or missing ctrl section in response");
84 nonce = 0;
85 if (isccc_cc_lookupuint32(_ctrl, "_nonce", &nonce) != ISC_R_SUCCESS)
86 nonce = 0;
87diff --git a/lib/isccc/cc.c b/lib/isccc/cc.c
88index 47a3b74..2bb961e 100644
89--- a/lib/isccc/cc.c
90+++ b/lib/isccc/cc.c
91@@ -403,13 +403,13 @@ verify(isccc_sexpr_t *alist, unsigned char *data, unsigned int length,
92 * Extract digest.
93 */
94 _auth = isccc_alist_lookup(alist, "_auth");
95- if (_auth == NULL)
96+ if (!isccc_alist_alistp(_auth))
97 return (ISC_R_FAILURE);
98 if (algorithm == ISCCC_ALG_HMACMD5)
99 hmac = isccc_alist_lookup(_auth, "hmd5");
100 else
101 hmac = isccc_alist_lookup(_auth, "hsha");
102- if (hmac == NULL)
103+ if (!isccc_sexpr_binaryp(hmac))
104 return (ISC_R_FAILURE);
105 /*
106 * Compute digest.
107@@ -728,7 +728,7 @@ isccc_cc_createack(isccc_sexpr_t *message, isc_boolean_t ok,
108 REQUIRE(ackp != NULL && *ackp == NULL);
109
110 _ctrl = isccc_alist_lookup(message, "_ctrl");
111- if (_ctrl == NULL ||
112+ if (!isccc_alist_alistp(_ctrl) ||
113 isccc_cc_lookupuint32(_ctrl, "_ser", &serial) != ISC_R_SUCCESS ||
114 isccc_cc_lookupuint32(_ctrl, "_tim", &t) != ISC_R_SUCCESS)
115 return (ISC_R_FAILURE);
116@@ -773,7 +773,7 @@ isccc_cc_isack(isccc_sexpr_t *message)
117 isccc_sexpr_t *_ctrl;
118
119 _ctrl = isccc_alist_lookup(message, "_ctrl");
120- if (_ctrl == NULL)
121+ if (!isccc_alist_alistp(_ctrl))
122 return (ISC_FALSE);
123 if (isccc_cc_lookupstring(_ctrl, "_ack", NULL) == ISC_R_SUCCESS)
124 return (ISC_TRUE);
125@@ -786,7 +786,7 @@ isccc_cc_isreply(isccc_sexpr_t *message)
126 isccc_sexpr_t *_ctrl;
127
128 _ctrl = isccc_alist_lookup(message, "_ctrl");
129- if (_ctrl == NULL)
130+ if (!isccc_alist_alistp(_ctrl))
131 return (ISC_FALSE);
132 if (isccc_cc_lookupstring(_ctrl, "_rpl", NULL) == ISC_R_SUCCESS)
133 return (ISC_TRUE);
134@@ -806,7 +806,7 @@ isccc_cc_createresponse(isccc_sexpr_t *message, isccc_time_t now,
135
136 _ctrl = isccc_alist_lookup(message, "_ctrl");
137 _data = isccc_alist_lookup(message, "_data");
138- if (_ctrl == NULL || _data == NULL ||
139+ if (!isccc_alist_alistp(_ctrl) || !isccc_alist_alistp(_data) ||
140 isccc_cc_lookupuint32(_ctrl, "_ser", &serial) != ISC_R_SUCCESS ||
141 isccc_cc_lookupstring(_data, "type", &type) != ISC_R_SUCCESS)
142 return (ISC_R_FAILURE);
143@@ -995,7 +995,7 @@ isccc_cc_checkdup(isccc_symtab_t *symtab, isccc_sexpr_t *message,
144 isccc_sexpr_t *_ctrl;
145
146 _ctrl = isccc_alist_lookup(message, "_ctrl");
147- if (_ctrl == NULL ||
148+ if (!isccc_alist_alistp(_ctrl) ||
149 isccc_cc_lookupstring(_ctrl, "_ser", &_ser) != ISC_R_SUCCESS ||
150 isccc_cc_lookupstring(_ctrl, "_tim", &_tim) != ISC_R_SUCCESS)
151 return (ISC_R_FAILURE);
152--
1531.9.1
154
diff --git a/meta/recipes-connectivity/bind/bind/CVE-2016-1286_1.patch b/meta/recipes-connectivity/bind/bind/CVE-2016-1286_1.patch
deleted file mode 100644
index ae5cc48d9c..0000000000
--- a/meta/recipes-connectivity/bind/bind/CVE-2016-1286_1.patch
+++ /dev/null
@@ -1,79 +0,0 @@
1From a3d327bf1ceaaeabb20223d8de85166e940b9f12 Mon Sep 17 00:00:00 2001
2From: Mukund Sivaraman <muks@isc.org>
3Date: Mon, 22 Feb 2016 12:22:43 +0530
4Subject: [PATCH] Fix resolver assertion failure due to improper DNAME handling
5 (CVE-2016-1286) (#41753)
6
7(cherry picked from commit 5995fec51cc8bb7e53804e4936e60aa1537f3673)
8
9CVE: CVE-2016-1286
10Upstream-Status: Backport
11
12[Removed doc/arm/notes.xml changes from upstream patch.]
13
14Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
15---
16diff -ruN a/CHANGES b/CHANGES
17--- a/CHANGES 2016-04-13 07:28:44.940873629 +0200
18+++ b/CHANGES 2016-04-13 07:38:38.923167851 +0200
19@@ -1,3 +1,7 @@
20+4319. [security] Fix resolver assertion failure due to improper
21+ DNAME handling when parsing fetch reply messages.
22+ (CVE-2016-1286) [RT #41753]
23+
24 4318. [security] Malformed control messages can trigger assertions
25 in named and rndc. (CVE-2016-1285) [RT #41666]
26
27diff -ruN a/lib/dns/resolver.c b/lib/dns/resolver.c
28--- a/lib/dns/resolver.c 2016-04-13 07:28:43.088953790 +0200
29+++ b/lib/dns/resolver.c 2016-04-13 07:38:20.411968925 +0200
30@@ -6967,21 +6967,26 @@
31 isc_boolean_t found_dname = ISC_FALSE;
32 dns_name_t *dname_name;
33
34+ /*
35+ * Only pass DNAME or RRSIG(DNAME).
36+ */
37+ if (rdataset->type != dns_rdatatype_dname &&
38+ (rdataset->type != dns_rdatatype_rrsig ||
39+ rdataset->covers != dns_rdatatype_dname))
40+ continue;
41+
42+ /*
43+ * If we're not chaining, then the DNAME and
44+ * its signature should not be external.
45+ */
46+ if (!chaining && external) {
47+ log_formerr(fctx, "external DNAME");
48+ return (DNS_R_FORMERR);
49+ }
50+
51 found = ISC_FALSE;
52 aflag = 0;
53 if (rdataset->type == dns_rdatatype_dname) {
54- /*
55- * We're looking for something else,
56- * but we found a DNAME.
57- *
58- * If we're not chaining, then the
59- * DNAME should not be external.
60- */
61- if (!chaining && external) {
62- log_formerr(fctx,
63- "external DNAME");
64- return (DNS_R_FORMERR);
65- }
66 found = ISC_TRUE;
67 want_chaining = ISC_TRUE;
68 POST(want_chaining);
69@@ -7010,9 +7015,7 @@
70 &fctx->domain)) {
71 return (DNS_R_SERVFAIL);
72 }
73- } else if (rdataset->type == dns_rdatatype_rrsig
74- && rdataset->covers ==
75- dns_rdatatype_dname) {
76+ } else {
77 /*
78 * We've found a signature that
79 * covers the DNAME.
diff --git a/meta/recipes-connectivity/bind/bind/CVE-2016-1286_2.patch b/meta/recipes-connectivity/bind/bind/CVE-2016-1286_2.patch
deleted file mode 100644
index 5f5cb0d340..0000000000
--- a/meta/recipes-connectivity/bind/bind/CVE-2016-1286_2.patch
+++ /dev/null
@@ -1,317 +0,0 @@
1From 7602be276a73a6eb5431c5acd9718e68a55e8b61 Mon Sep 17 00:00:00 2001
2From: Mark Andrews <marka@isc.org>
3Date: Mon, 29 Feb 2016 07:16:48 +1100
4Subject: [PATCH] Part 2 of: 4319. [security] Fix resolver assertion
5 failure due to improper DNAME handling when parsing
6 fetch reply messages. (CVE-2016-1286) [RT #41753]
7
8CVE: CVE-2016-1286
9Upstream-Status: Backport
10
11(cherry picked from commit 2de89ee9de8c8da9dc153a754b02dcdbb7fe2374)
12Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
13---
14 lib/dns/resolver.c | 192 ++++++++++++++++++++++++++---------------------------
15 1 file changed, 93 insertions(+), 99 deletions(-)
16
17diff --git a/lib/dns/resolver.c b/lib/dns/resolver.c
18index 70aba87..41e9df4 100644
19--- a/lib/dns/resolver.c
20+++ b/lib/dns/resolver.c
21@@ -6074,14 +6074,11 @@ cname_target(dns_rdataset_t *rdataset, dns_name_t *tname) {
22 }
23
24 static inline isc_result_t
25-dname_target(fetchctx_t *fctx, dns_rdataset_t *rdataset, dns_name_t *qname,
26- dns_name_t *oname, dns_fixedname_t *fixeddname)
27+dname_target(dns_rdataset_t *rdataset, dns_name_t *qname,
28+ unsigned int nlabels, dns_fixedname_t *fixeddname)
29 {
30 isc_result_t result;
31 dns_rdata_t rdata = DNS_RDATA_INIT;
32- unsigned int nlabels;
33- int order;
34- dns_namereln_t namereln;
35 dns_rdata_dname_t dname;
36 dns_fixedname_t prefix;
37
38@@ -6096,21 +6093,6 @@ dname_target(fetchctx_t *fctx, dns_rdataset_t *rdataset, dns_name_t *qname,
39 if (result != ISC_R_SUCCESS)
40 return (result);
41
42- /*
43- * Get the prefix of qname.
44- */
45- namereln = dns_name_fullcompare(qname, oname, &order, &nlabels);
46- if (namereln != dns_namereln_subdomain) {
47- char qbuf[DNS_NAME_FORMATSIZE];
48- char obuf[DNS_NAME_FORMATSIZE];
49-
50- dns_rdata_freestruct(&dname);
51- dns_name_format(qname, qbuf, sizeof(qbuf));
52- dns_name_format(oname, obuf, sizeof(obuf));
53- log_formerr(fctx, "unrelated DNAME in answer: "
54- "%s is not in %s", qbuf, obuf);
55- return (DNS_R_FORMERR);
56- }
57 dns_fixedname_init(&prefix);
58 dns_name_split(qname, nlabels, dns_fixedname_name(&prefix), NULL);
59 dns_fixedname_init(fixeddname);
60@@ -6736,13 +6718,13 @@ static isc_result_t
61 answer_response(fetchctx_t *fctx) {
62 isc_result_t result;
63 dns_message_t *message;
64- dns_name_t *name, *qname, tname, *ns_name;
65+ dns_name_t *name, *dname, *qname, tname, *ns_name;
66 dns_rdataset_t *rdataset, *ns_rdataset;
67 isc_boolean_t done, external, chaining, aa, found, want_chaining;
68 isc_boolean_t have_answer, found_cname, found_type, wanted_chaining;
69 unsigned int aflag;
70 dns_rdatatype_t type;
71- dns_fixedname_t dname, fqname;
72+ dns_fixedname_t fdname, fqname;
73 dns_view_t *view;
74
75 FCTXTRACE("answer_response");
76@@ -6770,10 +6752,15 @@ answer_response(fetchctx_t *fctx) {
77 view = fctx->res->view;
78 result = dns_message_firstname(message, DNS_SECTION_ANSWER);
79 while (!done && result == ISC_R_SUCCESS) {
80+ dns_namereln_t namereln;
81+ int order;
82+ unsigned int nlabels;
83+
84 name = NULL;
85 dns_message_currentname(message, DNS_SECTION_ANSWER, &name);
86 external = ISC_TF(!dns_name_issubdomain(name, &fctx->domain));
87- if (dns_name_equal(name, qname)) {
88+ namereln = dns_name_fullcompare(qname, name, &order, &nlabels);
89+ if (namereln == dns_namereln_equal) {
90 wanted_chaining = ISC_FALSE;
91 for (rdataset = ISC_LIST_HEAD(name->list);
92 rdataset != NULL;
93@@ -6898,10 +6885,11 @@ answer_response(fetchctx_t *fctx) {
94 */
95 INSIST(!external);
96 if (aflag ==
97- DNS_RDATASETATTR_ANSWER)
98+ DNS_RDATASETATTR_ANSWER) {
99 have_answer = ISC_TRUE;
100- name->attributes |=
101- DNS_NAMEATTR_ANSWER;
102+ name->attributes |=
103+ DNS_NAMEATTR_ANSWER;
104+ }
105 rdataset->attributes |= aflag;
106 if (aa)
107 rdataset->trust =
108@@ -6956,6 +6944,8 @@ answer_response(fetchctx_t *fctx) {
109 if (wanted_chaining)
110 chaining = ISC_TRUE;
111 } else {
112+ dns_rdataset_t *dnameset = NULL;
113+
114 /*
115 * Look for a DNAME (or its SIG). Anything else is
116 * ignored.
117@@ -6963,10 +6953,8 @@ answer_response(fetchctx_t *fctx) {
118 wanted_chaining = ISC_FALSE;
119 for (rdataset = ISC_LIST_HEAD(name->list);
120 rdataset != NULL;
121- rdataset = ISC_LIST_NEXT(rdataset, link)) {
122- isc_boolean_t found_dname = ISC_FALSE;
123- dns_name_t *dname_name;
124-
125+ rdataset = ISC_LIST_NEXT(rdataset, link))
126+ {
127 /*
128 * Only pass DNAME or RRSIG(DNAME).
129 */
130@@ -6980,20 +6968,41 @@ answer_response(fetchctx_t *fctx) {
131 * its signature should not be external.
132 */
133 if (!chaining && external) {
134- log_formerr(fctx, "external DNAME");
135+ char qbuf[DNS_NAME_FORMATSIZE];
136+ char obuf[DNS_NAME_FORMATSIZE];
137+
138+ dns_name_format(name, qbuf,
139+ sizeof(qbuf));
140+ dns_name_format(&fctx->domain, obuf,
141+ sizeof(obuf));
142+ log_formerr(fctx, "external DNAME or "
143+ "RRSIG covering DNAME "
144+ "in answer: %s is "
145+ "not in %s", qbuf, obuf);
146+ return (DNS_R_FORMERR);
147+ }
148+
149+ if (namereln != dns_namereln_subdomain) {
150+ char qbuf[DNS_NAME_FORMATSIZE];
151+ char obuf[DNS_NAME_FORMATSIZE];
152+
153+ dns_name_format(qname, qbuf,
154+ sizeof(qbuf));
155+ dns_name_format(name, obuf,
156+ sizeof(obuf));
157+ log_formerr(fctx, "unrelated DNAME "
158+ "in answer: %s is "
159+ "not in %s", qbuf, obuf);
160 return (DNS_R_FORMERR);
161 }
162
163- found = ISC_FALSE;
164 aflag = 0;
165 if (rdataset->type == dns_rdatatype_dname) {
166- found = ISC_TRUE;
167 want_chaining = ISC_TRUE;
168 POST(want_chaining);
169 aflag = DNS_RDATASETATTR_ANSWER;
170- result = dname_target(fctx, rdataset,
171- qname, name,
172- &dname);
173+ result = dname_target(rdataset, qname,
174+ nlabels, &fdname);
175 if (result == ISC_R_NOSPACE) {
176 /*
177 * We can't construct the
178@@ -7005,14 +7014,12 @@ answer_response(fetchctx_t *fctx) {
179 } else if (result != ISC_R_SUCCESS)
180 return (result);
181 else
182- found_dname = ISC_TRUE;
183+ dnameset = rdataset;
184
185- dname_name = dns_fixedname_name(&dname);
186+ dname = dns_fixedname_name(&fdname);
187 if (!is_answertarget_allowed(view,
188- qname,
189- rdataset->type,
190- dname_name,
191- &fctx->domain)) {
192+ qname, rdataset->type,
193+ dname, &fctx->domain)) {
194 return (DNS_R_SERVFAIL);
195 }
196 } else {
197@@ -7020,73 +7027,60 @@ answer_response(fetchctx_t *fctx) {
198 * We've found a signature that
199 * covers the DNAME.
200 */
201- found = ISC_TRUE;
202 aflag = DNS_RDATASETATTR_ANSWERSIG;
203 }
204
205- if (found) {
206+ /*
207+ * We've found an answer to our
208+ * question.
209+ */
210+ name->attributes |= DNS_NAMEATTR_CACHE;
211+ rdataset->attributes |= DNS_RDATASETATTR_CACHE;
212+ rdataset->trust = dns_trust_answer;
213+ if (!chaining) {
214 /*
215- * We've found an answer to our
216- * question.
217+ * This data is "the" answer to
218+ * our question only if we're
219+ * not chaining.
220 */
221- name->attributes |=
222- DNS_NAMEATTR_CACHE;
223- rdataset->attributes |=
224- DNS_RDATASETATTR_CACHE;
225- rdataset->trust = dns_trust_answer;
226- if (!chaining) {
227- /*
228- * This data is "the" answer
229- * to our question only if
230- * we're not chaining.
231- */
232- INSIST(!external);
233- if (aflag ==
234- DNS_RDATASETATTR_ANSWER)
235- have_answer = ISC_TRUE;
236+ INSIST(!external);
237+ if (aflag == DNS_RDATASETATTR_ANSWER) {
238+ have_answer = ISC_TRUE;
239 name->attributes |=
240 DNS_NAMEATTR_ANSWER;
241- rdataset->attributes |= aflag;
242- if (aa)
243- rdataset->trust =
244- dns_trust_authanswer;
245- } else if (external) {
246- rdataset->attributes |=
247- DNS_RDATASETATTR_EXTERNAL;
248- }
249-
250- /*
251- * DNAME chaining.
252- */
253- if (found_dname) {
254- /*
255- * Copy the dname into the
256- * qname fixed name.
257- *
258- * Although we check for
259- * failure of the copy
260- * operation, in practice it
261- * should never fail since
262- * we already know that the
263- * result fits in a fixedname.
264- */
265- dns_fixedname_init(&fqname);
266- result = dns_name_copy(
267- dns_fixedname_name(&dname),
268- dns_fixedname_name(&fqname),
269- NULL);
270- if (result != ISC_R_SUCCESS)
271- return (result);
272- wanted_chaining = ISC_TRUE;
273- name->attributes |=
274- DNS_NAMEATTR_CHAINING;
275- rdataset->attributes |=
276- DNS_RDATASETATTR_CHAINING;
277- qname = dns_fixedname_name(
278- &fqname);
279 }
280+ rdataset->attributes |= aflag;
281+ if (aa)
282+ rdataset->trust =
283+ dns_trust_authanswer;
284+ } else if (external) {
285+ rdataset->attributes |=
286+ DNS_RDATASETATTR_EXTERNAL;
287 }
288 }
289+
290+ /*
291+ * DNAME chaining.
292+ */
293+ if (dnameset != NULL) {
294+ /*
295+ * Copy the dname into the qname fixed name.
296+ *
297+ * Although we check for failure of the copy
298+ * operation, in practice it should never fail
299+ * since we already know that the result fits
300+ * in a fixedname.
301+ */
302+ dns_fixedname_init(&fqname);
303+ qname = dns_fixedname_name(&fqname);
304+ result = dns_name_copy(dname, qname, NULL);
305+ if (result != ISC_R_SUCCESS)
306+ return (result);
307+ wanted_chaining = ISC_TRUE;
308+ name->attributes |= DNS_NAMEATTR_CHAINING;
309+ dnameset->attributes |=
310+ DNS_RDATASETATTR_CHAINING;
311+ }
312 if (wanted_chaining)
313 chaining = ISC_TRUE;
314 }
315--
3161.9.1
317
diff --git a/meta/recipes-connectivity/bind/bind/CVE-2016-2088.patch b/meta/recipes-connectivity/bind/bind/CVE-2016-2088.patch
deleted file mode 100644
index 1b84d46b78..0000000000
--- a/meta/recipes-connectivity/bind/bind/CVE-2016-2088.patch
+++ /dev/null
@@ -1,247 +0,0 @@
1CVE-2016-2088
2
3Backport commit d7ff9a1c41bf0ba9773cb3adb08b48b9fd57c956 from the
4v9_10_3_patch branch.
5
6https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2088
7https://kb.isc.org/article/AA-01351
8
9CVE: CVE-2016-2088
10Upstream-Status: Backport
11Signed-off-by: Jussi Kukkonen <jussi.kukkonen@intel.com>
12
13
14Original commit message from Mark Andrews <marka@isc.org> below:
15
164322. [security] Duplicate EDNS COOKIE options in a response could
17 trigger an assertion failure. (CVE-2016-2088)
18 [RT #41809]
19
20(cherry picked from commit 455c0848f80a8acda27aad1466c72987cafaa029)
21(cherry picked from commit 7cd300abd6ee8b8ee8730593daf742ba53f90bc3)
22---
23 CHANGES | 4 ++++
24 bin/dig/dighost.c | 9 +++++++++
25 bin/named/client.c | 33 +++++++++++++++++++++++----------
26 doc/arm/notes.xml | 7 +++++++
27 lib/dns/resolver.c | 14 +++++++++++++-
28 5 files changed, 56 insertions(+), 11 deletions(-)
29
30diff --git a/CHANGES b/CHANGES
31index c5b5d2b..d2e3360 100644
32--- a/CHANGES
33+++ b/CHANGES
34@@ -1,3 +1,7 @@
35+4322. [security] Duplicate EDNS COOKIE options in a response could
36+ trigger an assertion failure. (CVE-2016-2088)
37+ [RT #41809]
38+
39 4319. [security] Fix resolver assertion failure due to improper
40 DNAME handling when parsing fetch reply messages.
41 (CVE-2016-1286) [RT #41753]
42diff --git a/bin/dig/dighost.c b/bin/dig/dighost.c
43index ca82f8e..340904f 100644
44--- a/bin/dig/dighost.c
45+++ b/bin/dig/dighost.c
46@@ -3458,6 +3458,7 @@ process_opt(dig_lookup_t *l, dns_message_t *msg) {
47 isc_buffer_t optbuf;
48 isc_uint16_t optcode, optlen;
49 dns_rdataset_t *opt = msg->opt;
50+ isc_boolean_t seen_cookie = ISC_FALSE;
51
52 result = dns_rdataset_first(opt);
53 if (result == ISC_R_SUCCESS) {
54@@ -3470,7 +3471,15 @@ process_opt(dig_lookup_t *l, dns_message_t *msg) {
55 optlen = isc_buffer_getuint16(&optbuf);
56 switch (optcode) {
57 case DNS_OPT_COOKIE:
58+ /*
59+ * Only process the first cookie option.
60+ */
61+ if (seen_cookie) {
62+ isc_buffer_forward(&optbuf, optlen);
63+ break;
64+ }
65 process_sit(l, msg, &optbuf, optlen);
66+ seen_cookie = ISC_TRUE;
67 break;
68 default:
69 isc_buffer_forward(&optbuf, optlen);
70diff --git a/bin/named/client.c b/bin/named/client.c
71index 683305c..0d7331a 100644
72--- a/bin/named/client.c
73+++ b/bin/named/client.c
74@@ -120,7 +120,10 @@
75 */
76 #endif
77
78-#define SIT_SIZE 24U /* 8 + 4 + 4 + 8 */
79+#define COOKIE_SIZE 24U /* 8 + 4 + 4 + 8 */
80+
81+#define WANTNSID(x) (((x)->attributes & NS_CLIENTATTR_WANTNSID) != 0)
82+#define WANTEXPIRE(x) (((x)->attributes & NS_CLIENTATTR_WANTEXPIRE) != 0)
83
84 /*% nameserver client manager structure */
85 struct ns_clientmgr {
86@@ -1395,7 +1398,7 @@ ns_client_addopt(ns_client_t *client, dns_message_t *message,
87 {
88 char nsid[BUFSIZ], *nsidp;
89 #ifdef ISC_PLATFORM_USESIT
90- unsigned char sit[SIT_SIZE];
91+ unsigned char sit[COOKIE_SIZE];
92 #endif
93 isc_result_t result;
94 dns_view_t *view;
95@@ -1420,7 +1423,7 @@ ns_client_addopt(ns_client_t *client, dns_message_t *message,
96 flags = client->extflags & DNS_MESSAGEEXTFLAG_REPLYPRESERVE;
97
98 /* Set EDNS options if applicable */
99- if ((client->attributes & NS_CLIENTATTR_WANTNSID) != 0 &&
100+ if (WANTNSID(client) &&
101 (ns_g_server->server_id != NULL ||
102 ns_g_server->server_usehostname)) {
103 if (ns_g_server->server_usehostname) {
104@@ -1453,7 +1456,7 @@ ns_client_addopt(ns_client_t *client, dns_message_t *message,
105
106 INSIST(count < DNS_EDNSOPTIONS);
107 ednsopts[count].code = DNS_OPT_COOKIE;
108- ednsopts[count].length = SIT_SIZE;
109+ ednsopts[count].length = COOKIE_SIZE;
110 ednsopts[count].value = sit;
111 count++;
112 }
113@@ -1661,19 +1664,26 @@ compute_sit(ns_client_t *client, isc_uint32_t when, isc_uint32_t nonce,
114
115 static void
116 process_sit(ns_client_t *client, isc_buffer_t *buf, size_t optlen) {
117- unsigned char dbuf[SIT_SIZE];
118+ unsigned char dbuf[COOKIE_SIZE];
119 unsigned char *old;
120 isc_stdtime_t now;
121 isc_uint32_t when;
122 isc_uint32_t nonce;
123 isc_buffer_t db;
124
125+ /*
126+ * If we have already seen a ECS option skip this ECS option.
127+ */
128+ if ((client->attributes & NS_CLIENTATTR_WANTSIT) != 0) {
129+ isc_buffer_forward(buf, optlen);
130+ return;
131+ }
132 client->attributes |= NS_CLIENTATTR_WANTSIT;
133
134 isc_stats_increment(ns_g_server->nsstats,
135 dns_nsstatscounter_sitopt);
136
137- if (optlen != SIT_SIZE) {
138+ if (optlen != COOKIE_SIZE) {
139 /*
140 * Not our token.
141 */
142@@ -1717,14 +1727,13 @@ process_sit(ns_client_t *client, isc_buffer_t *buf, size_t optlen) {
143 isc_buffer_init(&db, dbuf, sizeof(dbuf));
144 compute_sit(client, when, nonce, &db);
145
146- if (!isc_safe_memequal(old, dbuf, SIT_SIZE)) {
147+ if (!isc_safe_memequal(old, dbuf, COOKIE_SIZE)) {
148 isc_stats_increment(ns_g_server->nsstats,
149 dns_nsstatscounter_sitnomatch);
150 return;
151 }
152 isc_stats_increment(ns_g_server->nsstats,
153 dns_nsstatscounter_sitmatch);
154-
155 client->attributes |= NS_CLIENTATTR_HAVESIT;
156 }
157 #endif
158@@ -1783,7 +1792,9 @@ process_opt(ns_client_t *client, dns_rdataset_t *opt) {
159 optlen = isc_buffer_getuint16(&optbuf);
160 switch (optcode) {
161 case DNS_OPT_NSID:
162- isc_stats_increment(ns_g_server->nsstats,
163+ if (!WANTNSID(client))
164+ isc_stats_increment(
165+ ns_g_server->nsstats,
166 dns_nsstatscounter_nsidopt);
167 client->attributes |= NS_CLIENTATTR_WANTNSID;
168 isc_buffer_forward(&optbuf, optlen);
169@@ -1794,7 +1805,9 @@ process_opt(ns_client_t *client, dns_rdataset_t *opt) {
170 break;
171 #endif
172 case DNS_OPT_EXPIRE:
173- isc_stats_increment(ns_g_server->nsstats,
174+ if (!WANTEXPIRE(client))
175+ isc_stats_increment(
176+ ns_g_server->nsstats,
177 dns_nsstatscounter_expireopt);
178 client->attributes |= NS_CLIENTATTR_WANTEXPIRE;
179 isc_buffer_forward(&optbuf, optlen);
180diff --git a/doc/arm/notes.xml b/doc/arm/notes.xml
181index ebf4f55..095eb5b 100644
182--- a/doc/arm/notes.xml
183+++ b/doc/arm/notes.xml
184@@ -51,6 +51,13 @@
185 <title>Security Fixes</title>
186 <itemizedlist>
187 <listitem>
188+ <para>
189+ Duplicate EDNS COOKIE options in a response could trigger
190+ an assertion failure. This flaw is disclosed in CVE-2016-2088.
191+ [RT #41809]
192+ </para>
193+ </listitem>
194+ <listitem>
195 <para>
196 Specific APL data could trigger an INSIST. This flaw
197 was discovered by Brian Mitchell and is disclosed in
198diff --git a/lib/dns/resolver.c b/lib/dns/resolver.c
199index a797e3f..ba1ae23 100644
200--- a/lib/dns/resolver.c
201+++ b/lib/dns/resolver.c
202@@ -7502,7 +7502,9 @@ process_opt(resquery_t *query, dns_rdataset_t *opt) {
203 unsigned char *sit;
204 dns_adbaddrinfo_t *addrinfo;
205 unsigned char cookie[8];
206+ isc_boolean_t seen_cookie = ISC_FALSE;
207 #endif
208+ isc_boolean_t seen_nsid = ISC_FALSE;
209
210 result = dns_rdataset_first(opt);
211 if (result == ISC_R_SUCCESS) {
212@@ -7516,14 +7518,23 @@ process_opt(resquery_t *query, dns_rdataset_t *opt) {
213 INSIST(optlen <= isc_buffer_remaininglength(&optbuf));
214 switch (optcode) {
215 case DNS_OPT_NSID:
216- if (query->options & DNS_FETCHOPT_WANTNSID)
217+ if (!seen_nsid &&
218+ query->options & DNS_FETCHOPT_WANTNSID)
219 log_nsid(&optbuf, optlen, query,
220 ISC_LOG_DEBUG(3),
221 query->fctx->res->mctx);
222 isc_buffer_forward(&optbuf, optlen);
223+ seen_nsid = ISC_TRUE;
224 break;
225 #ifdef ISC_PLATFORM_USESIT
226 case DNS_OPT_COOKIE:
227+ /*
228+ * Only process the first cookie option.
229+ */
230+ if (seen_cookie) {
231+ isc_buffer_forward(&optbuf, optlen);
232+ break;
233+ }
234 sit = isc_buffer_current(&optbuf);
235 compute_cc(query, cookie, sizeof(cookie));
236 INSIST(query->fctx->rmessage->sitbad == 0 &&
237@@ -7541,6 +7552,7 @@ process_opt(resquery_t *query, dns_rdataset_t *opt) {
238 isc_buffer_forward(&optbuf, optlen);
239 inc_stats(query->fctx->res,
240 dns_resstatscounter_sitin);
241+ seen_cookie = ISC_TRUE;
242 break;
243 #endif
244 default:
245--
2462.1.4
247
diff --git a/meta/recipes-connectivity/bind/bind/CVE-2016-2775.patch b/meta/recipes-connectivity/bind/bind/CVE-2016-2775.patch
deleted file mode 100644
index 5393063c56..0000000000
--- a/meta/recipes-connectivity/bind/bind/CVE-2016-2775.patch
+++ /dev/null
@@ -1,90 +0,0 @@
1From 9d8aba8a7778721ae2cee6e4670a8e6be6590b05 Mon Sep 17 00:00:00 2001
2From: Mark Andrews <marka@isc.org>
3Date: Wed, 12 Oct 2016 19:52:59 +0900
4Subject: [PATCH]
54406. [security] getrrsetbyname with a non absolute name could
6 trigger an infinite recursion bug in lwresd
7 and named with lwres configured if when combined
8 with a search list entry the resulting name is
9 too long. (CVE-2016-2775) [RT #42694]
10
11Backport commit 38cc2d14e218e536e0102fa70deef99461354232 from the
12v9.11.0_patch branch.
13
14CVE: CVE-2016-2775
15Upstream-Status: Backport
16
17Signed-off-by: zhengruoqin <zhengrq.fnst@cn.fujitsu.com>
18
19---
20 CHANGES | 6 ++++++
21 bin/named/lwdgrbn.c | 16 ++++++++++------
22 bin/tests/system/lwresd/lwtest.c | 9 ++++++++-
23 3 files changed, 24 insertions(+), 7 deletions(-)
24
25diff --git a/CHANGES b/CHANGES
26index d2e3360..d0a9d12 100644
27--- a/CHANGES
28+++ b/CHANGES
29@@ -1,3 +1,9 @@
30+4406. [security] getrrsetbyname with a non absolute name could
31+ trigger an infinite recursion bug in lwresd
32+ and named with lwres configured if when combined
33+ with a search list entry the resulting name is
34+ too long. (CVE-2016-2775) [RT #42694]
35+
36 4322. [security] Duplicate EDNS COOKIE options in a response could
37 trigger an assertion failure. (CVE-2016-2088)
38 [RT #41809]
39diff --git a/bin/named/lwdgrbn.c b/bin/named/lwdgrbn.c
40index 3e7b15b..e1e9adc 100644
41--- a/bin/named/lwdgrbn.c
42+++ b/bin/named/lwdgrbn.c
43@@ -403,14 +403,18 @@ start_lookup(ns_lwdclient_t *client) {
44 INSIST(client->lookup == NULL);
45
46 dns_fixedname_init(&absname);
47- result = ns_lwsearchctx_current(&client->searchctx,
48- dns_fixedname_name(&absname));
49+
50 /*
51- * This will return failure if relative name + suffix is too long.
52- * In this case, just go on to the next entry in the search path.
53+ * Perform search across all search domains until success
54+ * is returned. Return in case of failure.
55 */
56- if (result != ISC_R_SUCCESS)
57- start_lookup(client);
58+ while (ns_lwsearchctx_current(&client->searchctx,
59+ dns_fixedname_name(&absname)) != ISC_R_SUCCESS) {
60+ if (ns_lwsearchctx_next(&client->searchctx) != ISC_R_SUCCESS) {
61+ ns_lwdclient_errorpktsend(client, LWRES_R_FAILURE);
62+ return;
63+ }
64+ }
65
66 result = dns_lookup_create(cm->mctx,
67 dns_fixedname_name(&absname),
68diff --git a/bin/tests/system/lwresd/lwtest.c b/bin/tests/system/lwresd/lwtest.c
69index ad9b551..3eb4a66 100644
70--- a/bin/tests/system/lwresd/lwtest.c
71+++ b/bin/tests/system/lwresd/lwtest.c
72@@ -768,7 +768,14 @@ main(void) {
73 test_getrrsetbyname("e.example1.", 1, 2, 1, 1, 1);
74 test_getrrsetbyname("e.example1.", 1, 46, 2, 0, 1);
75 test_getrrsetbyname("", 1, 1, 0, 0, 0);
76-
77+ test_getrrsetbyname("123456789.123456789.123456789.123456789."
78+ "123456789.123456789.123456789.123456789."
79+ "123456789.123456789.123456789.123456789."
80+ "123456789.123456789.123456789.123456789."
81+ "123456789.123456789.123456789.123456789."
82+ "123456789.123456789.123456789.123456789."
83+ "123456789", 1, 1, 0, 0, 0);
84+
85 if (fails == 0)
86 printf("I:ok\n");
87 return (fails);
88--
892.7.4
90
diff --git a/meta/recipes-connectivity/bind/bind/CVE-2016-2776.patch b/meta/recipes-connectivity/bind/bind/CVE-2016-2776.patch
deleted file mode 100644
index 738bf60058..0000000000
--- a/meta/recipes-connectivity/bind/bind/CVE-2016-2776.patch
+++ /dev/null
@@ -1,123 +0,0 @@
1From 1171111657081970585f9f0e03b476358c33a6c0 Mon Sep 17 00:00:00 2001
2From: Mark Andrews <marka@isc.org>
3Date: Wed, 12 Oct 2016 20:36:52 +0900
4Subject: [PATCH]
54467. [security] It was possible to trigger an assertion when
6 rendering a message. (CVE-2016-2776) [RT #43139]
7
8Backport commit 2bd0922cf995b9ac205fc83baf7e220b95c6bf12 from the
9v9.11.0_patch branch.
10
11CVE: CVE-2016-2776
12Upstream-Status: Backport
13
14Signed-off-by: zhengruoqin <zhengrq.fnst@cn.fujitsu.com>
15
16---
17 CHANGES | 3 +++
18 lib/dns/message.c | 42 +++++++++++++++++++++++++++++++-----------
19 2 files changed, 34 insertions(+), 11 deletions(-)
20
21diff --git a/CHANGES b/CHANGES
22index d0a9d12..5c8c61a 100644
23--- a/CHANGES
24+++ b/CHANGES
25@@ -1,3 +1,6 @@
26+4467. [security] It was possible to trigger an assertion when
27+ rendering a message. (CVE-2016-2776) [RT #43139]
28+
29 4406. [security] getrrsetbyname with a non absolute name could
30 trigger an infinite recursion bug in lwresd
31 and named with lwres configured if when combined
32diff --git a/lib/dns/message.c b/lib/dns/message.c
33index 6b5b4bb..b74dc81 100644
34--- a/lib/dns/message.c
35+++ b/lib/dns/message.c
36@@ -1754,7 +1754,7 @@ dns_message_renderbegin(dns_message_t *msg, dns_compress_t *cctx,
37 if (r.length < DNS_MESSAGE_HEADERLEN)
38 return (ISC_R_NOSPACE);
39
40- if (r.length < msg->reserved)
41+ if (r.length - DNS_MESSAGE_HEADERLEN < msg->reserved)
42 return (ISC_R_NOSPACE);
43
44 /*
45@@ -1895,8 +1895,29 @@ norender_rdataset(const dns_rdataset_t *rdataset, unsigned int options,
46
47 return (ISC_TRUE);
48 }
49-
50 #endif
51+
52+static isc_result_t
53+renderset(dns_rdataset_t *rdataset, dns_name_t *owner_name,
54+ dns_compress_t *cctx, isc_buffer_t *target,
55+ unsigned int reserved, unsigned int options, unsigned int *countp)
56+{
57+ isc_result_t result;
58+
59+ /*
60+ * Shrink the space in the buffer by the reserved amount.
61+ */
62+ if (target->length - target->used < reserved)
63+ return (ISC_R_NOSPACE);
64+
65+ target->length -= reserved;
66+ result = dns_rdataset_towire(rdataset, owner_name,
67+ cctx, target, options, countp);
68+ target->length += reserved;
69+
70+ return (result);
71+}
72+
73 isc_result_t
74 dns_message_rendersection(dns_message_t *msg, dns_section_t sectionid,
75 unsigned int options)
76@@ -1939,6 +1960,8 @@ dns_message_rendersection(dns_message_t *msg, dns_section_t sectionid,
77 /*
78 * Shrink the space in the buffer by the reserved amount.
79 */
80+ if (msg->buffer->length - msg->buffer->used < msg->reserved)
81+ return (ISC_R_NOSPACE);
82 msg->buffer->length -= msg->reserved;
83
84 total = 0;
85@@ -2214,9 +2237,8 @@ dns_message_renderend(dns_message_t *msg) {
86 * Render.
87 */
88 count = 0;
89- result = dns_rdataset_towire(msg->opt, dns_rootname,
90- msg->cctx, msg->buffer, 0,
91- &count);
92+ result = renderset(msg->opt, dns_rootname, msg->cctx,
93+ msg->buffer, msg->reserved, 0, &count);
94 msg->counts[DNS_SECTION_ADDITIONAL] += count;
95 if (result != ISC_R_SUCCESS)
96 return (result);
97@@ -2232,9 +2254,8 @@ dns_message_renderend(dns_message_t *msg) {
98 if (result != ISC_R_SUCCESS)
99 return (result);
100 count = 0;
101- result = dns_rdataset_towire(msg->tsig, msg->tsigname,
102- msg->cctx, msg->buffer, 0,
103- &count);
104+ result = renderset(msg->tsig, msg->tsigname, msg->cctx,
105+ msg->buffer, msg->reserved, 0, &count);
106 msg->counts[DNS_SECTION_ADDITIONAL] += count;
107 if (result != ISC_R_SUCCESS)
108 return (result);
109@@ -2255,9 +2276,8 @@ dns_message_renderend(dns_message_t *msg) {
110 * the owner name of a SIG(0) is irrelevant, and will not
111 * be set in a message being rendered.
112 */
113- result = dns_rdataset_towire(msg->sig0, dns_rootname,
114- msg->cctx, msg->buffer, 0,
115- &count);
116+ result = renderset(msg->sig0, dns_rootname, msg->cctx,
117+ msg->buffer, msg->reserved, 0, &count);
118 msg->counts[DNS_SECTION_ADDITIONAL] += count;
119 if (result != ISC_R_SUCCESS)
120 return (result);
121--
1222.7.4
123
diff --git a/meta/recipes-connectivity/bind/bind/CVE-2016-6170.patch b/meta/recipes-connectivity/bind/bind/CVE-2016-6170.patch
deleted file mode 100644
index 75bc211cb6..0000000000
--- a/meta/recipes-connectivity/bind/bind/CVE-2016-6170.patch
+++ /dev/null
@@ -1,1090 +0,0 @@
1From 1bbcfe2fc84f57b1e4e075fb3bc2a1dd0a3a851f Mon Sep 17 00:00:00 2001
2From: Mark Andrews <marka@isc.org>
3Date: Wed, 2 Nov 2016 17:31:27 +1100
4Subject: [PATCH] 4504. [security] Allow the maximum number of records in a
5 zone to be specified. This provides a control for issues raised in
6 CVE-2016-6170. [RT #42143]
7
8(cherry picked from commit 5f8412a4cb5ee14a0e8cddd4107854b40ee3291e)
9
10Upstream-Status: Backport
11[https://source.isc.org/cgi-bin/gitweb.cgi?p=bind9.git;a=commit;h=1bbcfe2fc84f57b1e4e075fb3bc2a1dd0a3a851f]
12
13CVE: CVE-2016-6170
14
15Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
16---
17 CHANGES | 4 +
18 bin/named/config.c | 1 +
19 bin/named/named.conf.docbook | 3 +
20 bin/named/update.c | 16 +++
21 bin/named/zoneconf.c | 7 ++
22 bin/tests/system/nsupdate/clean.sh | 1 +
23 bin/tests/system/nsupdate/ns3/named.conf | 7 ++
24 bin/tests/system/nsupdate/ns3/too-big.test.db.in | 10 ++
25 bin/tests/system/nsupdate/setup.sh | 2 +
26 bin/tests/system/nsupdate/tests.sh | 15 +++
27 bin/tests/system/xfer/clean.sh | 1 +
28 bin/tests/system/xfer/ns1/axfr-too-big.db | 10 ++
29 bin/tests/system/xfer/ns1/ixfr-too-big.db.in | 13 +++
30 bin/tests/system/xfer/ns1/named.conf | 11 ++
31 bin/tests/system/xfer/ns6/named.conf | 14 +++
32 bin/tests/system/xfer/setup.sh | 2 +
33 bin/tests/system/xfer/tests.sh | 26 +++++
34 doc/arm/Bv9ARM-book.xml | 21 ++++
35 doc/arm/notes.xml | 9 ++
36 lib/bind9/check.c | 2 +
37 lib/dns/db.c | 13 +++
38 lib/dns/ecdb.c | 3 +-
39 lib/dns/include/dns/db.h | 20 ++++
40 lib/dns/include/dns/rdataslab.h | 13 +++
41 lib/dns/include/dns/result.h | 6 +-
42 lib/dns/include/dns/zone.h | 28 ++++-
43 lib/dns/rbtdb.c | 127 +++++++++++++++++++++--
44 lib/dns/rdataslab.c | 13 +++
45 lib/dns/result.c | 9 +-
46 lib/dns/sdb.c | 3 +-
47 lib/dns/sdlz.c | 3 +-
48 lib/dns/xfrin.c | 22 +++-
49 lib/dns/zone.c | 23 +++-
50 lib/isccfg/namedconf.c | 1 +
51 34 files changed, 444 insertions(+), 15 deletions(-)
52 create mode 100644 bin/tests/system/nsupdate/ns3/too-big.test.db.in
53 create mode 100644 bin/tests/system/xfer/ns1/axfr-too-big.db
54 create mode 100644 bin/tests/system/xfer/ns1/ixfr-too-big.db.in
55
56diff --git a/CHANGES b/CHANGES
57index 41cfce5..97d2e60 100644
58--- a/CHANGES
59+++ b/CHANGES
60@@ -1,3 +1,7 @@
61+4504. [security] Allow the maximum number of records in a zone to
62+ be specified. This provides a control for issues
63+ raised in CVE-2016-6170. [RT #42143]
64+
65 4489. [security] It was possible to trigger assertions when processing
66 a response. (CVE-2016-8864) [RT #43465]
67
68diff --git a/bin/named/config.c b/bin/named/config.c
69index f06348c..c24e334 100644
70--- a/bin/named/config.c
71+++ b/bin/named/config.c
72@@ -209,6 +209,7 @@ options {\n\
73 max-transfer-time-out 120;\n\
74 max-transfer-idle-in 60;\n\
75 max-transfer-idle-out 60;\n\
76+ max-records 0;\n\
77 max-retry-time 1209600; /* 2 weeks */\n\
78 min-retry-time 500;\n\
79 max-refresh-time 2419200; /* 4 weeks */\n\
80diff --git a/bin/named/named.conf.docbook b/bin/named/named.conf.docbook
81index 4c99a61..c2d173a 100644
82--- a/bin/named/named.conf.docbook
83+++ b/bin/named/named.conf.docbook
84@@ -338,6 +338,7 @@ options {
85 };
86
87 max-journal-size <replaceable>size_no_default</replaceable>;
88+ max-records <replaceable>integer</replaceable>;
89 max-transfer-time-in <replaceable>integer</replaceable>;
90 max-transfer-time-out <replaceable>integer</replaceable>;
91 max-transfer-idle-in <replaceable>integer</replaceable>;
92@@ -527,6 +528,7 @@ view <replaceable>string</replaceable> <replaceable>optional_class</replaceable>
93 };
94
95 max-journal-size <replaceable>size_no_default</replaceable>;
96+ max-records <replaceable>integer</replaceable>;
97 max-transfer-time-in <replaceable>integer</replaceable>;
98 max-transfer-time-out <replaceable>integer</replaceable>;
99 max-transfer-idle-in <replaceable>integer</replaceable>;
100@@ -624,6 +626,7 @@ zone <replaceable>string</replaceable> <replaceable>optional_class</replaceable>
101 };
102
103 max-journal-size <replaceable>size_no_default</replaceable>;
104+ max-records <replaceable>integer</replaceable>;
105 max-transfer-time-in <replaceable>integer</replaceable>;
106 max-transfer-time-out <replaceable>integer</replaceable>;
107 max-transfer-idle-in <replaceable>integer</replaceable>;
108diff --git a/bin/named/update.c b/bin/named/update.c
109index 83b1a05..cc2a611 100644
110--- a/bin/named/update.c
111+++ b/bin/named/update.c
112@@ -2455,6 +2455,8 @@ update_action(isc_task_t *task, isc_event_t *event) {
113 isc_boolean_t had_dnskey;
114 dns_rdatatype_t privatetype = dns_zone_getprivatetype(zone);
115 dns_ttl_t maxttl = 0;
116+ isc_uint32_t maxrecords;
117+ isc_uint64_t records;
118
119 INSIST(event->ev_type == DNS_EVENT_UPDATE);
120
121@@ -3138,6 +3140,20 @@ update_action(isc_task_t *task, isc_event_t *event) {
122 }
123 }
124
125+ maxrecords = dns_zone_getmaxrecords(zone);
126+ if (maxrecords != 0U) {
127+ result = dns_db_getsize(db, ver, &records, NULL);
128+ if (result == ISC_R_SUCCESS && records > maxrecords) {
129+ update_log(client, zone, ISC_LOG_ERROR,
130+ "records in zone (%"
131+ ISC_PRINT_QUADFORMAT
132+ "u) exceeds max-records (%u)",
133+ records, maxrecords);
134+ result = DNS_R_TOOMANYRECORDS;
135+ goto failure;
136+ }
137+ }
138+
139 journalfile = dns_zone_getjournal(zone);
140 if (journalfile != NULL) {
141 update_log(client, zone, LOGLEVEL_DEBUG,
142diff --git a/bin/named/zoneconf.c b/bin/named/zoneconf.c
143index 4ee3dfe..14dd8ce 100644
144--- a/bin/named/zoneconf.c
145+++ b/bin/named/zoneconf.c
146@@ -978,6 +978,13 @@ ns_zone_configure(const cfg_obj_t *config, const cfg_obj_t *vconfig,
147 dns_zone_setmaxttl(raw, maxttl);
148 }
149
150+ obj = NULL;
151+ result = ns_config_get(maps, "max-records", &obj);
152+ INSIST(result == ISC_R_SUCCESS && obj != NULL);
153+ dns_zone_setmaxrecords(mayberaw, cfg_obj_asuint32(obj));
154+ if (zone != mayberaw)
155+ dns_zone_setmaxrecords(zone, 0);
156+
157 if (raw != NULL && filename != NULL) {
158 #define SIGNED ".signed"
159 size_t signedlen = strlen(filename) + sizeof(SIGNED);
160diff --git a/bin/tests/system/nsupdate/clean.sh b/bin/tests/system/nsupdate/clean.sh
161index aaefc02..ea25545 100644
162--- a/bin/tests/system/nsupdate/clean.sh
163+++ b/bin/tests/system/nsupdate/clean.sh
164@@ -32,6 +32,7 @@ rm -f ns3/example.db.jnl ns3/example.db
165 rm -f ns3/nsec3param.test.db.signed.jnl ns3/nsec3param.test.db ns3/nsec3param.test.db.signed ns3/dsset-nsec3param.test.
166 rm -f ns3/dnskey.test.db.signed.jnl ns3/dnskey.test.db ns3/dnskey.test.db.signed ns3/dsset-dnskey.test.
167 rm -f ns3/K*
168+rm -f ns3/too-big.test.db
169 rm -f dig.out.*
170 rm -f jp.out.ns3.*
171 rm -f Kxxx.*
172diff --git a/bin/tests/system/nsupdate/ns3/named.conf b/bin/tests/system/nsupdate/ns3/named.conf
173index 2abd522..68ff27a 100644
174--- a/bin/tests/system/nsupdate/ns3/named.conf
175+++ b/bin/tests/system/nsupdate/ns3/named.conf
176@@ -60,3 +60,10 @@ zone "dnskey.test" {
177 allow-update { any; };
178 file "dnskey.test.db.signed";
179 };
180+
181+zone "too-big.test" {
182+ type master;
183+ allow-update { any; };
184+ max-records 3;
185+ file "too-big.test.db";
186+};
187diff --git a/bin/tests/system/nsupdate/ns3/too-big.test.db.in b/bin/tests/system/nsupdate/ns3/too-big.test.db.in
188new file mode 100644
189index 0000000..7ff1e4a
190--- /dev/null
191+++ b/bin/tests/system/nsupdate/ns3/too-big.test.db.in
192@@ -0,0 +1,10 @@
193+; Copyright (C) 2016 Internet Systems Consortium, Inc. ("ISC")
194+;
195+; This Source Code Form is subject to the terms of the Mozilla Public
196+; License, v. 2.0. If a copy of the MPL was not distributed with this
197+; file, You can obtain one at http://mozilla.org/MPL/2.0/.
198+
199+$TTL 10
200+too-big.test. IN SOA too-big.test. hostmaster.too-big.test. 1 3600 900 2419200 3600
201+too-big.test. IN NS too-big.test.
202+too-big.test. IN A 10.53.0.3
203diff --git a/bin/tests/system/nsupdate/setup.sh b/bin/tests/system/nsupdate/setup.sh
204index 828255e..43c4094 100644
205--- a/bin/tests/system/nsupdate/setup.sh
206+++ b/bin/tests/system/nsupdate/setup.sh
207@@ -27,12 +27,14 @@ test -r $RANDFILE || $GENRANDOM 400 $RANDFILE
208 rm -f ns1/*.jnl ns1/example.db ns2/*.jnl ns2/example.bk
209 rm -f ns2/update.bk ns2/update.alt.bk
210 rm -f ns3/example.db.jnl
211+rm -f ns3/too-big.test.db.jnl
212
213 cp -f ns1/example1.db ns1/example.db
214 sed 's/example.nil/other.nil/g' ns1/example1.db > ns1/other.db
215 sed 's/example.nil/unixtime.nil/g' ns1/example1.db > ns1/unixtime.db
216 sed 's/example.nil/keytests.nil/g' ns1/example1.db > ns1/keytests.db
217 cp -f ns3/example.db.in ns3/example.db
218+cp -f ns3/too-big.test.db.in ns3/too-big.test.db
219
220 # update_test.pl has its own zone file because it
221 # requires a specific NS record set.
222diff --git a/bin/tests/system/nsupdate/tests.sh b/bin/tests/system/nsupdate/tests.sh
223index 78d501e..0a6bbd3 100755
224--- a/bin/tests/system/nsupdate/tests.sh
225+++ b/bin/tests/system/nsupdate/tests.sh
226@@ -581,5 +581,20 @@ if [ $ret -ne 0 ]; then
227 status=1
228 fi
229
230+n=`expr $n + 1`
231+echo "I:check that adding too many records is blocked ($n)"
232+ret=0
233+$NSUPDATE -v << EOF > nsupdate.out-$n 2>&1 && ret=1
234+server 10.53.0.3 5300
235+zone too-big.test.
236+update add r1.too-big.test 3600 IN TXT r1.too-big.test
237+send
238+EOF
239+grep "update failed: SERVFAIL" nsupdate.out-$n > /dev/null || ret=1
240+DIG +tcp @10.53.0.3 -p 5300 r1.too-big.test TXT > dig.out.ns3.test$n
241+grep "status: NXDOMAIN" dig.out.ns3.test$n > /dev/null || ret=1
242+grep "records in zone (4) exceeds max-records (3)" ns3/named.run > /dev/null || ret=1
243+[ $ret = 0 ] || { echo I:failed; status=1; }
244+
245 echo "I:exit status: $status"
246 exit $status
247diff --git a/bin/tests/system/xfer/clean.sh b/bin/tests/system/xfer/clean.sh
248index 48aa159..da62a33 100644
249--- a/bin/tests/system/xfer/clean.sh
250+++ b/bin/tests/system/xfer/clean.sh
251@@ -36,3 +36,4 @@ rm -f ns7/*.db ns7/*.bk ns7/*.jnl
252 rm -f */named.memstats
253 rm -f */named.run
254 rm -f */ans.run
255+rm -f ns1/ixfr-too-big.db ns1/ixfr-too-big.db.jnl
256diff --git a/bin/tests/system/xfer/ns1/axfr-too-big.db b/bin/tests/system/xfer/ns1/axfr-too-big.db
257new file mode 100644
258index 0000000..d43760d
259--- /dev/null
260+++ b/bin/tests/system/xfer/ns1/axfr-too-big.db
261@@ -0,0 +1,10 @@
262+; Copyright (C) 2016 Internet Systems Consortium, Inc. ("ISC")
263+;
264+; This Source Code Form is subject to the terms of the Mozilla Public
265+; License, v. 2.0. If a copy of the MPL was not distributed with this
266+; file, You can obtain one at http://mozilla.org/MPL/2.0/.
267+
268+$TTL 3600
269+@ IN SOA . . 0 0 0 0 0
270+@ IN NS .
271+$GENERATE 1-29 host$ A 1.2.3.$
272diff --git a/bin/tests/system/xfer/ns1/ixfr-too-big.db.in b/bin/tests/system/xfer/ns1/ixfr-too-big.db.in
273new file mode 100644
274index 0000000..318bb77
275--- /dev/null
276+++ b/bin/tests/system/xfer/ns1/ixfr-too-big.db.in
277@@ -0,0 +1,13 @@
278+; Copyright (C) 2016 Internet Systems Consortium, Inc. ("ISC")
279+;
280+; This Source Code Form is subject to the terms of the Mozilla Public
281+; License, v. 2.0. If a copy of the MPL was not distributed with this
282+; file, You can obtain one at http://mozilla.org/MPL/2.0/.
283+
284+$TTL 3600
285+@ IN SOA . . 0 0 0 0 0
286+@ IN NS ns1
287+@ IN NS ns6
288+ns1 IN A 10.53.0.1
289+ns6 IN A 10.53.0.6
290+$GENERATE 1-25 host$ A 1.2.3.$
291diff --git a/bin/tests/system/xfer/ns1/named.conf b/bin/tests/system/xfer/ns1/named.conf
292index 07dad85..1d29292 100644
293--- a/bin/tests/system/xfer/ns1/named.conf
294+++ b/bin/tests/system/xfer/ns1/named.conf
295@@ -44,3 +44,14 @@ zone "slave" {
296 type master;
297 file "slave.db";
298 };
299+
300+zone "axfr-too-big" {
301+ type master;
302+ file "axfr-too-big.db";
303+};
304+
305+zone "ixfr-too-big" {
306+ type master;
307+ allow-update { any; };
308+ file "ixfr-too-big.db";
309+};
310diff --git a/bin/tests/system/xfer/ns6/named.conf b/bin/tests/system/xfer/ns6/named.conf
311index c9421b1..a12a92c 100644
312--- a/bin/tests/system/xfer/ns6/named.conf
313+++ b/bin/tests/system/xfer/ns6/named.conf
314@@ -52,3 +52,17 @@ zone "slave" {
315 masters { 10.53.0.1; };
316 file "slave.bk";
317 };
318+
319+zone "axfr-too-big" {
320+ type slave;
321+ max-records 30;
322+ masters { 10.53.0.1; };
323+ file "axfr-too-big.bk";
324+};
325+
326+zone "ixfr-too-big" {
327+ type slave;
328+ max-records 30;
329+ masters { 10.53.0.1; };
330+ file "ixfr-too-big.bk";
331+};
332diff --git a/bin/tests/system/xfer/setup.sh b/bin/tests/system/xfer/setup.sh
333index 56ca901..c55abf8 100644
334--- a/bin/tests/system/xfer/setup.sh
335+++ b/bin/tests/system/xfer/setup.sh
336@@ -33,3 +33,5 @@ cp -f ns4/named.conf.base ns4/named.conf
337
338 cp ns2/slave.db.in ns2/slave.db
339 touch -t 200101010000 ns2/slave.db
340+
341+cp -f ns1/ixfr-too-big.db.in ns1/ixfr-too-big.db
342diff --git a/bin/tests/system/xfer/tests.sh b/bin/tests/system/xfer/tests.sh
343index 67b2a1a..fe33f0a 100644
344--- a/bin/tests/system/xfer/tests.sh
345+++ b/bin/tests/system/xfer/tests.sh
346@@ -368,5 +368,31 @@ $DIGCMD nil. TXT | grep 'incorrect key AXFR' >/dev/null && {
347 status=1
348 }
349
350+n=`expr $n + 1`
351+echo "I:test that a zone with too many records is rejected (AXFR) ($n)"
352+tmp=0
353+grep "'axfr-too-big/IN'.*: too many records" ns6/named.run >/dev/null || tmp=1
354+if test $tmp != 0 ; then echo "I:failed"; fi
355+status=`expr $status + $tmp`
356+
357+n=`expr $n + 1`
358+echo "I:test that a zone with too many records is rejected (IXFR) ($n)"
359+tmp=0
360+grep "'ixfr-too-big./IN.*: too many records" ns6/named.run >/dev/null && tmp=1
361+$NSUPDATE << EOF
362+zone ixfr-too-big
363+server 10.53.0.1 5300
364+update add the-31st-record.ixfr-too-big 0 TXT this is it
365+send
366+EOF
367+for i in 1 2 3 4 5 6 7 8
368+do
369+ grep "'ixfr-too-big/IN'.*: too many records" ns6/named.run >/dev/null && break
370+ sleep 1
371+done
372+grep "'ixfr-too-big/IN'.*: too many records" ns6/named.run >/dev/null || tmp=1
373+if test $tmp != 0 ; then echo "I:failed"; fi
374+status=`expr $status + $tmp`
375+
376 echo "I:exit status: $status"
377 exit $status
378diff --git a/doc/arm/Bv9ARM-book.xml b/doc/arm/Bv9ARM-book.xml
379index 848b582..0369505 100644
380--- a/doc/arm/Bv9ARM-book.xml
381+++ b/doc/arm/Bv9ARM-book.xml
382@@ -4858,6 +4858,7 @@ badresp:1,adberr:0,findfail:0,valfail:0]
383 <optional> use-queryport-pool <replaceable>yes_or_no</replaceable>; </optional>
384 <optional> queryport-pool-ports <replaceable>number</replaceable>; </optional>
385 <optional> queryport-pool-updateinterval <replaceable>number</replaceable>; </optional>
386+ <optional> max-records <replaceable>number</replaceable>; </optional>
387 <optional> max-transfer-time-in <replaceable>number</replaceable>; </optional>
388 <optional> max-transfer-time-out <replaceable>number</replaceable>; </optional>
389 <optional> max-transfer-idle-in <replaceable>number</replaceable>; </optional>
390@@ -8164,6 +8165,16 @@ avoid-v6-udp-ports { 40000; range 50000 60000; };
391 </varlistentry>
392
393 <varlistentry>
394+ <term><command>max-records</command></term>
395+ <listitem>
396+ <para>
397+ The maximum number of records permitted in a zone.
398+ The default is zero which means unlimited.
399+ </para>
400+ </listitem>
401+ </varlistentry>
402+
403+ <varlistentry>
404 <term><command>host-statistics-max</command></term>
405 <listitem>
406 <para>
407@@ -12056,6 +12067,16 @@ zone <replaceable>zone_name</replaceable> <optional><replaceable>class</replacea
408 </varlistentry>
409
410 <varlistentry>
411+ <term><command>max-records</command></term>
412+ <listitem>
413+ <para>
414+ See the description of
415+ <command>max-records</command> in <xref linkend="server_resource_limits"/>.
416+ </para>
417+ </listitem>
418+ </varlistentry>
419+
420+ <varlistentry>
421 <term><command>max-transfer-time-in</command></term>
422 <listitem>
423 <para>
424diff --git a/doc/arm/notes.xml b/doc/arm/notes.xml
425index 095eb5b..36495e7 100644
426--- a/doc/arm/notes.xml
427+++ b/doc/arm/notes.xml
428@@ -52,6 +52,15 @@
429 <itemizedlist>
430 <listitem>
431 <para>
432+ Added the ability to specify the maximum number of records
433+ permitted in a zone (max-records #;). This provides a mechanism
434+ to block overly large zone transfers, which is a potential risk
435+ with slave zones from other parties, as described in CVE-2016-6170.
436+ [RT #42143]
437+ </para>
438+ </listitem>
439+ <listitem>
440+ <para>
441 Duplicate EDNS COOKIE options in a response could trigger
442 an assertion failure. This flaw is disclosed in CVE-2016-2088.
443 [RT #41809]
444diff --git a/lib/bind9/check.c b/lib/bind9/check.c
445index b8c05dd..edb7534 100644
446--- a/lib/bind9/check.c
447+++ b/lib/bind9/check.c
448@@ -1510,6 +1510,8 @@ check_zoneconf(const cfg_obj_t *zconfig, const cfg_obj_t *voptions,
449 REDIRECTZONE },
450 { "masters", SLAVEZONE | STUBZONE | REDIRECTZONE },
451 { "max-ixfr-log-size", MASTERZONE | SLAVEZONE | STREDIRECTZONE },
452+ { "max-records", MASTERZONE | SLAVEZONE | STUBZONE | STREDIRECTZONE |
453+ STATICSTUBZONE | REDIRECTZONE },
454 { "max-refresh-time", SLAVEZONE | STUBZONE | STREDIRECTZONE },
455 { "max-retry-time", SLAVEZONE | STUBZONE | STREDIRECTZONE },
456 { "max-transfer-idle-in", SLAVEZONE | STUBZONE | STREDIRECTZONE },
457diff --git a/lib/dns/db.c b/lib/dns/db.c
458index 7e4f357..ced94a5 100644
459--- a/lib/dns/db.c
460+++ b/lib/dns/db.c
461@@ -999,6 +999,19 @@ dns_db_getnsec3parameters(dns_db_t *db, dns_dbversion_t *version,
462 }
463
464 isc_result_t
465+dns_db_getsize(dns_db_t *db, dns_dbversion_t *version, isc_uint64_t *records,
466+ isc_uint64_t *bytes)
467+{
468+ REQUIRE(DNS_DB_VALID(db));
469+ REQUIRE(dns_db_iszone(db) == ISC_TRUE);
470+
471+ if (db->methods->getsize != NULL)
472+ return ((db->methods->getsize)(db, version, records, bytes));
473+
474+ return (ISC_R_NOTFOUND);
475+}
476+
477+isc_result_t
478 dns_db_setsigningtime(dns_db_t *db, dns_rdataset_t *rdataset,
479 isc_stdtime_t resign)
480 {
481diff --git a/lib/dns/ecdb.c b/lib/dns/ecdb.c
482index 553a339..b5d04d2 100644
483--- a/lib/dns/ecdb.c
484+++ b/lib/dns/ecdb.c
485@@ -587,7 +587,8 @@ static dns_dbmethods_t ecdb_methods = {
486 NULL, /* findnodeext */
487 NULL, /* findext */
488 NULL, /* setcachestats */
489- NULL /* hashsize */
490+ NULL, /* hashsize */
491+ NULL /* getsize */
492 };
493
494 static isc_result_t
495diff --git a/lib/dns/include/dns/db.h b/lib/dns/include/dns/db.h
496index a4a4482..aff42d6 100644
497--- a/lib/dns/include/dns/db.h
498+++ b/lib/dns/include/dns/db.h
499@@ -195,6 +195,8 @@ typedef struct dns_dbmethods {
500 dns_rdataset_t *sigrdataset);
501 isc_result_t (*setcachestats)(dns_db_t *db, isc_stats_t *stats);
502 unsigned int (*hashsize)(dns_db_t *db);
503+ isc_result_t (*getsize)(dns_db_t *db, dns_dbversion_t *version,
504+ isc_uint64_t *records, isc_uint64_t *bytes);
505 } dns_dbmethods_t;
506
507 typedef isc_result_t
508@@ -1485,6 +1487,24 @@ dns_db_getnsec3parameters(dns_db_t *db, dns_dbversion_t *version,
509 */
510
511 isc_result_t
512+dns_db_getsize(dns_db_t *db, dns_dbversion_t *version, isc_uint64_t *records,
513+ isc_uint64_t *bytes);
514+/*%<
515+ * Get the number of records in the given version of the database as well
516+ * as the number bytes used to store those records.
517+ *
518+ * Requires:
519+ * \li 'db' is a valid zone database.
520+ * \li 'version' is NULL or a valid version.
521+ * \li 'records' is NULL or a pointer to return the record count in.
522+ * \li 'bytes' is NULL or a pointer to return the byte count in.
523+ *
524+ * Returns:
525+ * \li #ISC_R_SUCCESS
526+ * \li #ISC_R_NOTIMPLEMENTED
527+ */
528+
529+isc_result_t
530 dns_db_findnsec3node(dns_db_t *db, dns_name_t *name,
531 isc_boolean_t create, dns_dbnode_t **nodep);
532 /*%<
533diff --git a/lib/dns/include/dns/rdataslab.h b/lib/dns/include/dns/rdataslab.h
534index 3ac44b8..2e1e759 100644
535--- a/lib/dns/include/dns/rdataslab.h
536+++ b/lib/dns/include/dns/rdataslab.h
537@@ -104,6 +104,7 @@ dns_rdataslab_tordataset(unsigned char *slab, unsigned int reservelen,
538 * Ensures:
539 *\li 'rdataset' is associated and points to a valid rdataest.
540 */
541+
542 unsigned int
543 dns_rdataslab_size(unsigned char *slab, unsigned int reservelen);
544 /*%<
545@@ -116,6 +117,18 @@ dns_rdataslab_size(unsigned char *slab, unsigned int reservelen);
546 *\li The number of bytes in the slab, including the reservelen.
547 */
548
549+unsigned int
550+dns_rdataslab_count(unsigned char *slab, unsigned int reservelen);
551+/*%<
552+ * Return the number of records in the rdataslab
553+ *
554+ * Requires:
555+ *\li 'slab' points to a slab.
556+ *
557+ * Returns:
558+ *\li The number of records in the slab.
559+ */
560+
561 isc_result_t
562 dns_rdataslab_merge(unsigned char *oslab, unsigned char *nslab,
563 unsigned int reservelen, isc_mem_t *mctx,
564diff --git a/lib/dns/include/dns/result.h b/lib/dns/include/dns/result.h
565index 7d11c2b..93d1fd5 100644
566--- a/lib/dns/include/dns/result.h
567+++ b/lib/dns/include/dns/result.h
568@@ -157,8 +157,12 @@
569 #define DNS_R_BADCDS (ISC_RESULTCLASS_DNS + 111)
570 #define DNS_R_BADCDNSKEY (ISC_RESULTCLASS_DNS + 112)
571 #define DNS_R_OPTERR (ISC_RESULTCLASS_DNS + 113)
572+#define DNS_R_BADDNSTAP (ISC_RESULTCLASS_DNS + 114)
573+#define DNS_R_BADTSIG (ISC_RESULTCLASS_DNS + 115)
574+#define DNS_R_BADSIG0 (ISC_RESULTCLASS_DNS + 116)
575+#define DNS_R_TOOMANYRECORDS (ISC_RESULTCLASS_DNS + 117)
576
577-#define DNS_R_NRESULTS 114 /*%< Number of results */
578+#define DNS_R_NRESULTS 118 /*%< Number of results */
579
580 /*
581 * DNS wire format rcodes.
582diff --git a/lib/dns/include/dns/zone.h b/lib/dns/include/dns/zone.h
583index a9367f1..227540b 100644
584--- a/lib/dns/include/dns/zone.h
585+++ b/lib/dns/include/dns/zone.h
586@@ -296,6 +296,32 @@ dns_zone_getfile(dns_zone_t *zone);
587 */
588
589 void
590+dns_zone_setmaxrecords(dns_zone_t *zone, isc_uint32_t records);
591+/*%<
592+ * Sets the maximim number of records permitted in a zone.
593+ * 0 implies unlimited.
594+ *
595+ * Requires:
596+ *\li 'zone' to be valid initialised zone.
597+ *
598+ * Returns:
599+ *\li void
600+ */
601+
602+isc_uint32_t
603+dns_zone_getmaxrecords(dns_zone_t *zone);
604+/*%<
605+ * Gets the maximim number of records permitted in a zone.
606+ * 0 implies unlimited.
607+ *
608+ * Requires:
609+ *\li 'zone' to be valid initialised zone.
610+ *
611+ * Returns:
612+ *\li isc_uint32_t maxrecords.
613+ */
614+
615+void
616 dns_zone_setmaxttl(dns_zone_t *zone, isc_uint32_t maxttl);
617 /*%<
618 * Sets the max ttl of the zone.
619@@ -316,7 +342,7 @@ dns_zone_getmaxttl(dns_zone_t *zone);
620 *\li 'zone' to be valid initialised zone.
621 *
622 * Returns:
623- *\li isc_uint32_t maxttl.
624+ *\li dns_ttl_t maxttl.
625 */
626
627 isc_result_t
628diff --git a/lib/dns/rbtdb.c b/lib/dns/rbtdb.c
629index 62becfc..72d722f 100644
630--- a/lib/dns/rbtdb.c
631+++ b/lib/dns/rbtdb.c
632@@ -209,6 +209,7 @@ typedef isc_uint64_t rbtdb_serial_t;
633 #define free_rbtdb_callback free_rbtdb_callback64
634 #define free_rdataset free_rdataset64
635 #define getnsec3parameters getnsec3parameters64
636+#define getsize getsize64
637 #define getoriginnode getoriginnode64
638 #define getrrsetstats getrrsetstats64
639 #define getsigningtime getsigningtime64
640@@ -589,6 +590,13 @@ typedef struct rbtdb_version {
641 isc_uint16_t iterations;
642 isc_uint8_t salt_length;
643 unsigned char salt[DNS_NSEC3_SALTSIZE];
644+
645+ /*
646+ * records and bytes are covered by rwlock.
647+ */
648+ isc_rwlock_t rwlock;
649+ isc_uint64_t records;
650+ isc_uint64_t bytes;
651 } rbtdb_version_t;
652
653 typedef ISC_LIST(rbtdb_version_t) rbtdb_versionlist_t;
654@@ -1130,6 +1138,7 @@ free_rbtdb(dns_rbtdb_t *rbtdb, isc_boolean_t log, isc_event_t *event) {
655 INSIST(refs == 0);
656 UNLINK(rbtdb->open_versions, rbtdb->current_version, link);
657 isc_refcount_destroy(&rbtdb->current_version->references);
658+ isc_rwlock_destroy(&rbtdb->current_version->rwlock);
659 isc_mem_put(rbtdb->common.mctx, rbtdb->current_version,
660 sizeof(rbtdb_version_t));
661 }
662@@ -1383,6 +1392,7 @@ allocate_version(isc_mem_t *mctx, rbtdb_serial_t serial,
663
664 static isc_result_t
665 newversion(dns_db_t *db, dns_dbversion_t **versionp) {
666+ isc_result_t result;
667 dns_rbtdb_t *rbtdb = (dns_rbtdb_t *)db;
668 rbtdb_version_t *version;
669
670@@ -1415,13 +1425,28 @@ newversion(dns_db_t *db, dns_dbversion_t **versionp) {
671 version->salt_length = 0;
672 memset(version->salt, 0, sizeof(version->salt));
673 }
674- rbtdb->next_serial++;
675- rbtdb->future_version = version;
676- }
677+ result = isc_rwlock_init(&version->rwlock, 0, 0);
678+ if (result != ISC_R_SUCCESS) {
679+ isc_refcount_destroy(&version->references);
680+ isc_mem_put(rbtdb->common.mctx, version,
681+ sizeof(*version));
682+ version = NULL;
683+ } else {
684+ RWLOCK(&rbtdb->current_version->rwlock,
685+ isc_rwlocktype_read);
686+ version->records = rbtdb->current_version->records;
687+ version->bytes = rbtdb->current_version->bytes;
688+ RWUNLOCK(&rbtdb->current_version->rwlock,
689+ isc_rwlocktype_read);
690+ rbtdb->next_serial++;
691+ rbtdb->future_version = version;
692+ }
693+ } else
694+ result = ISC_R_NOMEMORY;
695 RBTDB_UNLOCK(&rbtdb->lock, isc_rwlocktype_write);
696
697 if (version == NULL)
698- return (ISC_R_NOMEMORY);
699+ return (result);
700
701 *versionp = version;
702
703@@ -2681,6 +2706,7 @@ closeversion(dns_db_t *db, dns_dbversion_t **versionp, isc_boolean_t commit) {
704
705 if (cleanup_version != NULL) {
706 INSIST(EMPTY(cleanup_version->changed_list));
707+ isc_rwlock_destroy(&cleanup_version->rwlock);
708 isc_mem_put(rbtdb->common.mctx, cleanup_version,
709 sizeof(*cleanup_version));
710 }
711@@ -6254,6 +6280,26 @@ add32(dns_rbtdb_t *rbtdb, dns_rbtnode_t *rbtnode, rbtdb_version_t *rbtversion,
712 else
713 rbtnode->data = newheader;
714 newheader->next = topheader->next;
715+ if (rbtversion != NULL)
716+ RWLOCK(&rbtversion->rwlock, isc_rwlocktype_write);
717+ if (rbtversion != NULL && !header_nx) {
718+ rbtversion->records -=
719+ dns_rdataslab_count((unsigned char *)header,
720+ sizeof(*header));
721+ rbtversion->bytes -=
722+ dns_rdataslab_size((unsigned char *)header,
723+ sizeof(*header));
724+ }
725+ if (rbtversion != NULL && !newheader_nx) {
726+ rbtversion->records +=
727+ dns_rdataslab_count((unsigned char *)newheader,
728+ sizeof(*newheader));
729+ rbtversion->bytes +=
730+ dns_rdataslab_size((unsigned char *)newheader,
731+ sizeof(*newheader));
732+ }
733+ if (rbtversion != NULL)
734+ RWUNLOCK(&rbtversion->rwlock, isc_rwlocktype_write);
735 if (loading) {
736 /*
737 * There are no other references to 'header' when
738@@ -6355,6 +6401,16 @@ add32(dns_rbtdb_t *rbtdb, dns_rbtnode_t *rbtnode, rbtdb_version_t *rbtversion,
739 newheader->down = NULL;
740 rbtnode->data = newheader;
741 }
742+ if (rbtversion != NULL && !newheader_nx) {
743+ RWLOCK(&rbtversion->rwlock, isc_rwlocktype_write);
744+ rbtversion->records +=
745+ dns_rdataslab_count((unsigned char *)newheader,
746+ sizeof(*newheader));
747+ rbtversion->bytes +=
748+ dns_rdataslab_size((unsigned char *)newheader,
749+ sizeof(*newheader));
750+ RWUNLOCK(&rbtversion->rwlock, isc_rwlocktype_write);
751+ }
752 idx = newheader->node->locknum;
753 if (IS_CACHE(rbtdb)) {
754 ISC_LIST_PREPEND(rbtdb->rdatasets[idx],
755@@ -6811,6 +6867,12 @@ subtractrdataset(dns_db_t *db, dns_dbnode_t *node, dns_dbversion_t *version,
756 */
757 newheader->additional_auth = NULL;
758 newheader->additional_glue = NULL;
759+ rbtversion->records +=
760+ dns_rdataslab_count((unsigned char *)newheader,
761+ sizeof(*newheader));
762+ rbtversion->bytes +=
763+ dns_rdataslab_size((unsigned char *)newheader,
764+ sizeof(*newheader));
765 } else if (result == DNS_R_NXRRSET) {
766 /*
767 * This subtraction would remove all of the rdata;
768@@ -6846,6 +6908,12 @@ subtractrdataset(dns_db_t *db, dns_dbnode_t *node, dns_dbversion_t *version,
769 * topheader.
770 */
771 INSIST(rbtversion->serial >= topheader->serial);
772+ rbtversion->records -=
773+ dns_rdataslab_count((unsigned char *)header,
774+ sizeof(*header));
775+ rbtversion->bytes -=
776+ dns_rdataslab_size((unsigned char *)header,
777+ sizeof(*header));
778 if (topheader_prev != NULL)
779 topheader_prev->next = newheader;
780 else
781@@ -7172,6 +7240,7 @@ rbt_datafixer(dns_rbtnode_t *rbtnode, void *base, size_t filesize,
782 unsigned char *limit = ((unsigned char *) base) + filesize;
783 unsigned char *p;
784 size_t size;
785+ unsigned int count;
786
787 REQUIRE(rbtnode != NULL);
788
789@@ -7179,6 +7248,9 @@ rbt_datafixer(dns_rbtnode_t *rbtnode, void *base, size_t filesize,
790 p = (unsigned char *) header;
791
792 size = dns_rdataslab_size(p, sizeof(*header));
793+ count = dns_rdataslab_count(p, sizeof(*header));;
794+ rbtdb->current_version->records += count;
795+ rbtdb->current_version->bytes += size;
796 isc_crc64_update(crc, p, size);
797 #ifdef DEBUG
798 hexdump("hashing header", p, sizeof(rdatasetheader_t));
799@@ -7777,6 +7849,33 @@ getnsec3parameters(dns_db_t *db, dns_dbversion_t *version, dns_hash_t *hash,
800 }
801
802 static isc_result_t
803+getsize(dns_db_t *db, dns_dbversion_t *version, isc_uint64_t *records,
804+ isc_uint64_t *bytes)
805+{
806+ dns_rbtdb_t *rbtdb;
807+ isc_result_t result = ISC_R_SUCCESS;
808+ rbtdb_version_t *rbtversion = version;
809+
810+ rbtdb = (dns_rbtdb_t *)db;
811+
812+ REQUIRE(VALID_RBTDB(rbtdb));
813+ INSIST(rbtversion == NULL || rbtversion->rbtdb == rbtdb);
814+
815+ if (rbtversion == NULL)
816+ rbtversion = rbtdb->current_version;
817+
818+ RWLOCK(&rbtversion->rwlock, isc_rwlocktype_read);
819+ if (records != NULL)
820+ *records = rbtversion->records;
821+
822+ if (bytes != NULL)
823+ *bytes = rbtversion->bytes;
824+ RWUNLOCK(&rbtversion->rwlock, isc_rwlocktype_read);
825+
826+ return (result);
827+}
828+
829+static isc_result_t
830 setsigningtime(dns_db_t *db, dns_rdataset_t *rdataset, isc_stdtime_t resign) {
831 dns_rbtdb_t *rbtdb = (dns_rbtdb_t *)db;
832 isc_stdtime_t oldresign;
833@@ -7972,7 +8071,8 @@ static dns_dbmethods_t zone_methods = {
834 NULL,
835 NULL,
836 NULL,
837- hashsize
838+ hashsize,
839+ getsize
840 };
841
842 static dns_dbmethods_t cache_methods = {
843@@ -8018,7 +8118,8 @@ static dns_dbmethods_t cache_methods = {
844 NULL,
845 NULL,
846 setcachestats,
847- hashsize
848+ hashsize,
849+ NULL
850 };
851
852 isc_result_t
853@@ -8310,6 +8411,20 @@ dns_rbtdb_create
854 rbtdb->current_version->salt_length = 0;
855 memset(rbtdb->current_version->salt, 0,
856 sizeof(rbtdb->current_version->salt));
857+ result = isc_rwlock_init(&rbtdb->current_version->rwlock, 0, 0);
858+ if (result != ISC_R_SUCCESS) {
859+ isc_refcount_destroy(&rbtdb->current_version->references);
860+ isc_mem_put(mctx, rbtdb->current_version,
861+ sizeof(*rbtdb->current_version));
862+ rbtdb->current_version = NULL;
863+ isc_refcount_decrement(&rbtdb->references, NULL);
864+ isc_refcount_destroy(&rbtdb->references);
865+ free_rbtdb(rbtdb, ISC_FALSE, NULL);
866+ return (result);
867+ }
868+
869+ rbtdb->current_version->records = 0;
870+ rbtdb->current_version->bytes = 0;
871 rbtdb->future_version = NULL;
872 ISC_LIST_INIT(rbtdb->open_versions);
873 /*
874diff --git a/lib/dns/rdataslab.c b/lib/dns/rdataslab.c
875index e29dc84..63e3728 100644
876--- a/lib/dns/rdataslab.c
877+++ b/lib/dns/rdataslab.c
878@@ -523,6 +523,19 @@ dns_rdataslab_size(unsigned char *slab, unsigned int reservelen) {
879 return ((unsigned int)(current - slab));
880 }
881
882+unsigned int
883+dns_rdataslab_count(unsigned char *slab, unsigned int reservelen) {
884+ unsigned int count;
885+ unsigned char *current;
886+
887+ REQUIRE(slab != NULL);
888+
889+ current = slab + reservelen;
890+ count = *current++ * 256;
891+ count += *current++;
892+ return (count);
893+}
894+
895 /*
896 * Make the dns_rdata_t 'rdata' refer to the slab item
897 * beginning at '*current', which is part of a slab of type
898diff --git a/lib/dns/result.c b/lib/dns/result.c
899index 7be4f57..a621909 100644
900--- a/lib/dns/result.c
901+++ b/lib/dns/result.c
902@@ -167,11 +167,16 @@ static const char *text[DNS_R_NRESULTS] = {
903 "covered by negative trust anchor", /*%< 110 DNS_R_NTACOVERED */
904 "bad CDS", /*%< 111 DNS_R_BADCSD */
905 "bad CDNSKEY", /*%< 112 DNS_R_BADCDNSKEY */
906- "malformed OPT option" /*%< 113 DNS_R_OPTERR */
907+ "malformed OPT option", /*%< 113 DNS_R_OPTERR */
908+ "malformed DNSTAP data", /*%< 114 DNS_R_BADDNSTAP */
909+
910+ "TSIG in wrong location", /*%< 115 DNS_R_BADTSIG */
911+ "SIG(0) in wrong location", /*%< 116 DNS_R_BADSIG0 */
912+ "too many records", /*%< 117 DNS_R_TOOMANYRECORDS */
913 };
914
915 static const char *rcode_text[DNS_R_NRCODERESULTS] = {
916- "NOERROR", /*%< 0 DNS_R_NOEROR */
917+ "NOERROR", /*%< 0 DNS_R_NOERROR */
918 "FORMERR", /*%< 1 DNS_R_FORMERR */
919 "SERVFAIL", /*%< 2 DNS_R_SERVFAIL */
920 "NXDOMAIN", /*%< 3 DNS_R_NXDOMAIN */
921diff --git a/lib/dns/sdb.c b/lib/dns/sdb.c
922index abfeeb0..19397e0 100644
923--- a/lib/dns/sdb.c
924+++ b/lib/dns/sdb.c
925@@ -1298,7 +1298,8 @@ static dns_dbmethods_t sdb_methods = {
926 findnodeext,
927 findext,
928 NULL, /* setcachestats */
929- NULL /* hashsize */
930+ NULL, /* hashsize */
931+ NULL /* getsize */
932 };
933
934 static isc_result_t
935diff --git a/lib/dns/sdlz.c b/lib/dns/sdlz.c
936index b1198a4..0e3163d 100644
937--- a/lib/dns/sdlz.c
938+++ b/lib/dns/sdlz.c
939@@ -1269,7 +1269,8 @@ static dns_dbmethods_t sdlzdb_methods = {
940 findnodeext,
941 findext,
942 NULL, /* setcachestats */
943- NULL /* hashsize */
944+ NULL, /* hashsize */
945+ NULL /* getsize */
946 };
947
948 /*
949diff --git a/lib/dns/xfrin.c b/lib/dns/xfrin.c
950index 2a6c1b4..ac566e1 100644
951--- a/lib/dns/xfrin.c
952+++ b/lib/dns/xfrin.c
953@@ -149,6 +149,9 @@ struct dns_xfrin_ctx {
954 unsigned int nrecs; /*%< Number of records recvd */
955 isc_uint64_t nbytes; /*%< Number of bytes received */
956
957+ unsigned int maxrecords; /*%< The maximum number of
958+ records set for the zone */
959+
960 isc_time_t start; /*%< Start time of the transfer */
961 isc_time_t end; /*%< End time of the transfer */
962
963@@ -309,10 +312,18 @@ axfr_putdata(dns_xfrin_ctx_t *xfr, dns_diffop_t op,
964 static isc_result_t
965 axfr_apply(dns_xfrin_ctx_t *xfr) {
966 isc_result_t result;
967+ isc_uint64_t records;
968
969 CHECK(dns_diff_load(&xfr->diff, xfr->axfr.add, xfr->axfr.add_private));
970 xfr->difflen = 0;
971 dns_diff_clear(&xfr->diff);
972+ if (xfr->maxrecords != 0U) {
973+ result = dns_db_getsize(xfr->db, xfr->ver, &records, NULL);
974+ if (result == ISC_R_SUCCESS && records > xfr->maxrecords) {
975+ result = DNS_R_TOOMANYRECORDS;
976+ goto failure;
977+ }
978+ }
979 result = ISC_R_SUCCESS;
980 failure:
981 return (result);
982@@ -396,6 +407,7 @@ ixfr_putdata(dns_xfrin_ctx_t *xfr, dns_diffop_t op,
983 static isc_result_t
984 ixfr_apply(dns_xfrin_ctx_t *xfr) {
985 isc_result_t result;
986+ isc_uint64_t records;
987
988 if (xfr->ver == NULL) {
989 CHECK(dns_db_newversion(xfr->db, &xfr->ver));
990@@ -403,6 +415,13 @@ ixfr_apply(dns_xfrin_ctx_t *xfr) {
991 CHECK(dns_journal_begin_transaction(xfr->ixfr.journal));
992 }
993 CHECK(dns_diff_apply(&xfr->diff, xfr->db, xfr->ver));
994+ if (xfr->maxrecords != 0U) {
995+ result = dns_db_getsize(xfr->db, xfr->ver, &records, NULL);
996+ if (result == ISC_R_SUCCESS && records > xfr->maxrecords) {
997+ result = DNS_R_TOOMANYRECORDS;
998+ goto failure;
999+ }
1000+ }
1001 if (xfr->ixfr.journal != NULL) {
1002 result = dns_journal_writediff(xfr->ixfr.journal, &xfr->diff);
1003 if (result != ISC_R_SUCCESS)
1004@@ -759,7 +778,7 @@ xfrin_reset(dns_xfrin_ctx_t *xfr) {
1005
1006 static void
1007 xfrin_fail(dns_xfrin_ctx_t *xfr, isc_result_t result, const char *msg) {
1008- if (result != DNS_R_UPTODATE) {
1009+ if (result != DNS_R_UPTODATE && result != DNS_R_TOOMANYRECORDS) {
1010 xfrin_log(xfr, ISC_LOG_ERROR, "%s: %s",
1011 msg, isc_result_totext(result));
1012 if (xfr->is_ixfr)
1013@@ -852,6 +871,7 @@ xfrin_create(isc_mem_t *mctx,
1014 xfr->nmsg = 0;
1015 xfr->nrecs = 0;
1016 xfr->nbytes = 0;
1017+ xfr->maxrecords = dns_zone_getmaxrecords(zone);
1018 isc_time_now(&xfr->start);
1019
1020 xfr->tsigkey = NULL;
1021diff --git a/lib/dns/zone.c b/lib/dns/zone.c
1022index 90e558d..2b0d8e4 100644
1023--- a/lib/dns/zone.c
1024+++ b/lib/dns/zone.c
1025@@ -253,6 +253,8 @@ struct dns_zone {
1026 isc_uint32_t maxretry;
1027 isc_uint32_t minretry;
1028
1029+ isc_uint32_t maxrecords;
1030+
1031 isc_sockaddr_t *masters;
1032 isc_dscp_t *masterdscps;
1033 dns_name_t **masterkeynames;
1034@@ -10088,6 +10090,20 @@ dns_zone_setmaxretrytime(dns_zone_t *zone, isc_uint32_t val) {
1035 zone->maxretry = val;
1036 }
1037
1038+isc_uint32_t
1039+dns_zone_getmaxrecords(dns_zone_t *zone) {
1040+ REQUIRE(DNS_ZONE_VALID(zone));
1041+
1042+ return (zone->maxrecords);
1043+}
1044+
1045+void
1046+dns_zone_setmaxrecords(dns_zone_t *zone, isc_uint32_t val) {
1047+ REQUIRE(DNS_ZONE_VALID(zone));
1048+
1049+ zone->maxrecords = val;
1050+}
1051+
1052 static isc_boolean_t
1053 notify_isqueued(dns_zone_t *zone, unsigned int flags, dns_name_t *name,
1054 isc_sockaddr_t *addr, dns_tsigkey_t *key)
1055@@ -14431,7 +14447,7 @@ zone_xfrdone(dns_zone_t *zone, isc_result_t result) {
1056 DNS_ZONE_CLRFLAG(zone, DNS_ZONEFLG_SOABEFOREAXFR);
1057
1058 TIME_NOW(&now);
1059- switch (result) {
1060+ switch (xfrresult) {
1061 case ISC_R_SUCCESS:
1062 DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_NEEDNOTIFY);
1063 /*FALLTHROUGH*/
1064@@ -14558,6 +14574,11 @@ zone_xfrdone(dns_zone_t *zone, isc_result_t result) {
1065 DNS_ZONE_SETFLAG(zone, DNS_ZONEFLAG_NOIXFR);
1066 goto same_master;
1067
1068+ case DNS_R_TOOMANYRECORDS:
1069+ DNS_ZONE_JITTER_ADD(&now, zone->refresh, &zone->refreshtime);
1070+ inc_stats(zone, dns_zonestatscounter_xfrfail);
1071+ break;
1072+
1073 default:
1074 next_master:
1075 /*
1076diff --git a/lib/isccfg/namedconf.c b/lib/isccfg/namedconf.c
1077index 780ab46..e7ff1cc 100644
1078--- a/lib/isccfg/namedconf.c
1079+++ b/lib/isccfg/namedconf.c
1080@@ -1679,6 +1679,7 @@ zone_clauses[] = {
1081 { "masterfile-format", &cfg_type_masterformat, 0 },
1082 { "max-ixfr-log-size", &cfg_type_size, CFG_CLAUSEFLAG_OBSOLETE },
1083 { "max-journal-size", &cfg_type_sizenodefault, 0 },
1084+ { "max-records", &cfg_type_uint32, 0 },
1085 { "max-refresh-time", &cfg_type_uint32, 0 },
1086 { "max-retry-time", &cfg_type_uint32, 0 },
1087 { "max-transfer-idle-in", &cfg_type_uint32, 0 },
1088--
10892.7.4
1090
diff --git a/meta/recipes-connectivity/bind/bind/CVE-2016-8864.patch b/meta/recipes-connectivity/bind/bind/CVE-2016-8864.patch
deleted file mode 100644
index b52d6800ff..0000000000
--- a/meta/recipes-connectivity/bind/bind/CVE-2016-8864.patch
+++ /dev/null
@@ -1,219 +0,0 @@
1From c1d0599a246f646d1c22018f8fa09459270a44b8 Mon Sep 17 00:00:00 2001
2From: Mark Andrews <marka@isc.org>
3Date: Fri, 21 Oct 2016 14:55:10 +1100
4Subject: [PATCH] 4489. [security] It was possible to trigger assertions when
5 processing a response. (CVE-2016-8864) [RT #43465]
6
7(cherry picked from commit bd6f27f5c353133b563fe69100b2f168c129f3ca)
8
9Upstream-Status: Backport
10[https://source.isc.org/cgi-bin/gitweb.cgi?p=bind9.git;a=commit;h=c1d0599a246f646d1c22018f8fa09459270a44b8]
11
12CVE: CVE-2016-8864
13
14Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
15---
16 CHANGES | 3 +++
17 lib/dns/resolver.c | 69 +++++++++++++++++++++++++++++++++++++-----------------
18 2 files changed, 50 insertions(+), 22 deletions(-)
19
20diff --git a/CHANGES b/CHANGES
21index 5c8c61a..41cfce5 100644
22--- a/CHANGES
23+++ b/CHANGES
24@@ -1,3 +1,6 @@
25+4489. [security] It was possible to trigger assertions when processing
26+ a response. (CVE-2016-8864) [RT #43465]
27+
28 4467. [security] It was possible to trigger an assertion when
29 rendering a message. (CVE-2016-2776) [RT #43139]
30
31diff --git a/lib/dns/resolver.c b/lib/dns/resolver.c
32index ba1ae23..13c8b44 100644
33--- a/lib/dns/resolver.c
34+++ b/lib/dns/resolver.c
35@@ -612,7 +612,9 @@ valcreate(fetchctx_t *fctx, dns_adbaddrinfo_t *addrinfo, dns_name_t *name,
36 valarg->addrinfo = addrinfo;
37
38 if (!ISC_LIST_EMPTY(fctx->validators))
39- INSIST((valoptions & DNS_VALIDATOR_DEFER) != 0);
40+ valoptions |= DNS_VALIDATOR_DEFER;
41+ else
42+ valoptions &= ~DNS_VALIDATOR_DEFER;
43
44 result = dns_validator_create(fctx->res->view, name, type, rdataset,
45 sigrdataset, fctx->rmessage,
46@@ -5526,13 +5528,6 @@ cache_name(fetchctx_t *fctx, dns_name_t *name, dns_adbaddrinfo_t *addrinfo,
47 rdataset,
48 sigrdataset,
49 valoptions, task);
50- /*
51- * Defer any further validations.
52- * This prevents multiple validators
53- * from manipulating fctx->rmessage
54- * simultaneously.
55- */
56- valoptions |= DNS_VALIDATOR_DEFER;
57 }
58 } else if (CHAINING(rdataset)) {
59 if (rdataset->type == dns_rdatatype_cname)
60@@ -5647,6 +5642,11 @@ cache_name(fetchctx_t *fctx, dns_name_t *name, dns_adbaddrinfo_t *addrinfo,
61 eresult == DNS_R_NCACHENXRRSET);
62 }
63 event->result = eresult;
64+ if (adbp != NULL && *adbp != NULL) {
65+ if (anodep != NULL && *anodep != NULL)
66+ dns_db_detachnode(*adbp, anodep);
67+ dns_db_detach(adbp);
68+ }
69 dns_db_attach(fctx->cache, adbp);
70 dns_db_transfernode(fctx->cache, &node, anodep);
71 clone_results(fctx);
72@@ -5897,6 +5897,11 @@ ncache_message(fetchctx_t *fctx, dns_adbaddrinfo_t *addrinfo,
73 fctx->attributes |= FCTX_ATTR_HAVEANSWER;
74 if (event != NULL) {
75 event->result = eresult;
76+ if (adbp != NULL && *adbp != NULL) {
77+ if (anodep != NULL && *anodep != NULL)
78+ dns_db_detachnode(*adbp, anodep);
79+ dns_db_detach(adbp);
80+ }
81 dns_db_attach(fctx->cache, adbp);
82 dns_db_transfernode(fctx->cache, &node, anodep);
83 clone_results(fctx);
84@@ -6718,13 +6723,15 @@ static isc_result_t
85 answer_response(fetchctx_t *fctx) {
86 isc_result_t result;
87 dns_message_t *message;
88- dns_name_t *name, *dname, *qname, tname, *ns_name;
89+ dns_name_t *name, *dname = NULL, *qname, *dqname, tname, *ns_name;
90+ dns_name_t *cname = NULL;
91 dns_rdataset_t *rdataset, *ns_rdataset;
92 isc_boolean_t done, external, chaining, aa, found, want_chaining;
93- isc_boolean_t have_answer, found_cname, found_type, wanted_chaining;
94+ isc_boolean_t have_answer, found_cname, found_dname, found_type;
95+ isc_boolean_t wanted_chaining;
96 unsigned int aflag;
97 dns_rdatatype_t type;
98- dns_fixedname_t fdname, fqname;
99+ dns_fixedname_t fdname, fqname, fqdname;
100 dns_view_t *view;
101
102 FCTXTRACE("answer_response");
103@@ -6738,6 +6745,7 @@ answer_response(fetchctx_t *fctx) {
104
105 done = ISC_FALSE;
106 found_cname = ISC_FALSE;
107+ found_dname = ISC_FALSE;
108 found_type = ISC_FALSE;
109 chaining = ISC_FALSE;
110 have_answer = ISC_FALSE;
111@@ -6747,12 +6755,13 @@ answer_response(fetchctx_t *fctx) {
112 aa = ISC_TRUE;
113 else
114 aa = ISC_FALSE;
115- qname = &fctx->name;
116+ dqname = qname = &fctx->name;
117 type = fctx->type;
118 view = fctx->res->view;
119+ dns_fixedname_init(&fqdname);
120 result = dns_message_firstname(message, DNS_SECTION_ANSWER);
121 while (!done && result == ISC_R_SUCCESS) {
122- dns_namereln_t namereln;
123+ dns_namereln_t namereln, dnamereln;
124 int order;
125 unsigned int nlabels;
126
127@@ -6760,6 +6769,8 @@ answer_response(fetchctx_t *fctx) {
128 dns_message_currentname(message, DNS_SECTION_ANSWER, &name);
129 external = ISC_TF(!dns_name_issubdomain(name, &fctx->domain));
130 namereln = dns_name_fullcompare(qname, name, &order, &nlabels);
131+ dnamereln = dns_name_fullcompare(dqname, name, &order,
132+ &nlabels);
133 if (namereln == dns_namereln_equal) {
134 wanted_chaining = ISC_FALSE;
135 for (rdataset = ISC_LIST_HEAD(name->list);
136@@ -6854,7 +6865,7 @@ answer_response(fetchctx_t *fctx) {
137 }
138 } else if (rdataset->type == dns_rdatatype_rrsig
139 && rdataset->covers ==
140- dns_rdatatype_cname
141+ dns_rdatatype_cname
142 && !found_type) {
143 /*
144 * We're looking for something else,
145@@ -6884,11 +6895,18 @@ answer_response(fetchctx_t *fctx) {
146 * a CNAME or DNAME).
147 */
148 INSIST(!external);
149- if (aflag ==
150- DNS_RDATASETATTR_ANSWER) {
151+ if ((rdataset->type !=
152+ dns_rdatatype_cname) ||
153+ !found_dname ||
154+ (aflag ==
155+ DNS_RDATASETATTR_ANSWER))
156+ {
157 have_answer = ISC_TRUE;
158+ if (rdataset->type ==
159+ dns_rdatatype_cname)
160+ cname = name;
161 name->attributes |=
162- DNS_NAMEATTR_ANSWER;
163+ DNS_NAMEATTR_ANSWER;
164 }
165 rdataset->attributes |= aflag;
166 if (aa)
167@@ -6982,11 +7000,11 @@ answer_response(fetchctx_t *fctx) {
168 return (DNS_R_FORMERR);
169 }
170
171- if (namereln != dns_namereln_subdomain) {
172+ if (dnamereln != dns_namereln_subdomain) {
173 char qbuf[DNS_NAME_FORMATSIZE];
174 char obuf[DNS_NAME_FORMATSIZE];
175
176- dns_name_format(qname, qbuf,
177+ dns_name_format(dqname, qbuf,
178 sizeof(qbuf));
179 dns_name_format(name, obuf,
180 sizeof(obuf));
181@@ -7001,7 +7019,7 @@ answer_response(fetchctx_t *fctx) {
182 want_chaining = ISC_TRUE;
183 POST(want_chaining);
184 aflag = DNS_RDATASETATTR_ANSWER;
185- result = dname_target(rdataset, qname,
186+ result = dname_target(rdataset, dqname,
187 nlabels, &fdname);
188 if (result == ISC_R_NOSPACE) {
189 /*
190@@ -7018,10 +7036,13 @@ answer_response(fetchctx_t *fctx) {
191
192 dname = dns_fixedname_name(&fdname);
193 if (!is_answertarget_allowed(view,
194- qname, rdataset->type,
195- dname, &fctx->domain)) {
196+ dqname, rdataset->type,
197+ dname, &fctx->domain))
198+ {
199 return (DNS_R_SERVFAIL);
200 }
201+ dqname = dns_fixedname_name(&fqdname);
202+ dns_name_copy(dname, dqname, NULL);
203 } else {
204 /*
205 * We've found a signature that
206@@ -7046,6 +7067,10 @@ answer_response(fetchctx_t *fctx) {
207 INSIST(!external);
208 if (aflag == DNS_RDATASETATTR_ANSWER) {
209 have_answer = ISC_TRUE;
210+ found_dname = ISC_TRUE;
211+ if (cname != NULL)
212+ cname->attributes &=
213+ ~DNS_NAMEATTR_ANSWER;
214 name->attributes |=
215 DNS_NAMEATTR_ANSWER;
216 }
217--
2182.7.4
219
diff --git a/meta/recipes-connectivity/bind/bind/bind-confgen-build-unix.o-once.patch b/meta/recipes-connectivity/bind/bind/bind-confgen-build-unix.o-once.patch
index 096d5d84fc..8bc4ea30f8 100644
--- a/meta/recipes-connectivity/bind/bind/bind-confgen-build-unix.o-once.patch
+++ b/meta/recipes-connectivity/bind/bind/bind-confgen-build-unix.o-once.patch
@@ -17,24 +17,28 @@ problem.
17Upstream-Status: Pending 17Upstream-Status: Pending
18 18
19Signed-off-by: Robert Yang <liezhi.yang@windriver.com> 19Signed-off-by: Robert Yang <liezhi.yang@windriver.com>
20
21Update context(trailing whitespace) for version 9.10.5-P3.
22
23Signed-off-by: Kai Kang <kai.kang@windriver.com>
20--- 24---
21 bin/confgen/Makefile.in | 4 ++-- 25 bin/confgen/Makefile.in | 4 ++--
22 1 file changed, 2 insertions(+), 2 deletions(-) 26 1 file changed, 2 insertions(+), 2 deletions(-)
23 27
24diff --git a/bin/confgen/Makefile.in b/bin/confgen/Makefile.in 28diff --git a/bin/confgen/Makefile.in b/bin/confgen/Makefile.in
25index 8b3e5aa..4868a24 100644 29index dca272f..02becce 100644
26--- a/bin/confgen/Makefile.in 30--- a/bin/confgen/Makefile.in
27+++ b/bin/confgen/Makefile.in 31+++ b/bin/confgen/Makefile.in
28@@ -74,11 +74,11 @@ rndc-confgen.@O@: rndc-confgen.c 32@@ -74,11 +74,11 @@ rndc-confgen.@O@: rndc-confgen.c
29 ddns-confgen.@O@: ddns-confgen.c 33 ddns-confgen.@O@: ddns-confgen.c
30 ${LIBTOOL_MODE_COMPILE} ${CC} ${ALL_CFLAGS} -c ${srcdir}/ddns-confgen.c 34 ${LIBTOOL_MODE_COMPILE} ${CC} ${ALL_CFLAGS} -c ${srcdir}/ddns-confgen.c
31 35
32-rndc-confgen@EXEEXT@: rndc-confgen.@O@ util.@O@ keygen.@O@ ${UOBJS} ${CONFDEPLIBS} 36-rndc-confgen@EXEEXT@: rndc-confgen.@O@ util.@O@ keygen.@O@ ${UOBJS} ${CONFDEPLIBS}
33+rndc-confgen@EXEEXT@: rndc-confgen.@O@ util.@O@ keygen.@O@ ${CONFDEPLIBS} $(SUBDIRS) 37+rndc-confgen@EXEEXT@: rndc-confgen.@O@ util.@O@ keygen.@O@ ${CONFDEPLIBS} $(SUBDIRS)
34 export BASEOBJS="rndc-confgen.@O@ util.@O@ keygen.@O@ ${UOBJS}"; \ 38 export BASEOBJS="rndc-confgen.@O@ util.@O@ keygen.@O@ ${UOBJS}"; \
35 ${FINALBUILDCMD} 39 ${FINALBUILDCMD}
36 40
37-ddns-confgen@EXEEXT@: ddns-confgen.@O@ util.@O@ keygen.@O@ ${UOBJS} ${CONFDEPLIBS} 41-ddns-confgen@EXEEXT@: ddns-confgen.@O@ util.@O@ keygen.@O@ ${UOBJS} ${CONFDEPLIBS}
38+ddns-confgen@EXEEXT@: ddns-confgen.@O@ util.@O@ keygen.@O@ ${CONFDEPLIBS} $(SUBDIRS) 42+ddns-confgen@EXEEXT@: ddns-confgen.@O@ util.@O@ keygen.@O@ ${CONFDEPLIBS} $(SUBDIRS)
39 export BASEOBJS="ddns-confgen.@O@ util.@O@ keygen.@O@ ${UOBJS}"; \ 43 export BASEOBJS="ddns-confgen.@O@ util.@O@ keygen.@O@ ${UOBJS}"; \
40 ${FINALBUILDCMD} 44 ${FINALBUILDCMD}
diff --git a/meta/recipes-connectivity/bind/bind/mips1-not-support-opcode.diff b/meta/recipes-connectivity/bind/bind/mips1-not-support-opcode.diff
deleted file mode 100644
index 2930796b6a..0000000000
--- a/meta/recipes-connectivity/bind/bind/mips1-not-support-opcode.diff
+++ /dev/null
@@ -1,104 +0,0 @@
1bind: port a patch to fix a build failure
2
3mips1 does not support ll and sc instructions, and lead to below error, now
4we port a patch from debian to fix it
5[http://security.debian.org/debian-security/pool/updates/main/b/bind9/bind9_9.8.4.dfsg.P1-6+nmu2+deb7u1.diff.gz]
6
7| {standard input}: Assembler messages:
8| {standard input}:47: Error: Opcode not supported on this processor: mips1 (mips1) `ll $3,0($6)'
9| {standard input}:50: Error: Opcode not supported on this processor: mips1 (mips1) `sc $3,0($6)'
10
11Upstream-Status: Pending
12
13Signed-off-by: Roy Li <rongqing.li@windriver.com>
14
15--- bind9-9.8.4.dfsg.P1.orig/lib/isc/mips/include/isc/atomic.h
16+++ bind9-9.8.4.dfsg.P1/lib/isc/mips/include/isc/atomic.h
17@@ -31,18 +31,20 @@
18 isc_atomic_xadd(isc_int32_t *p, int val) {
19 isc_int32_t orig;
20
21- /* add is a cheat, since MIPS has no mov instruction */
22- __asm__ volatile (
23- "1:"
24- "ll $3, %1\n"
25- "add %0, $0, $3\n"
26- "add $3, $3, %2\n"
27- "sc $3, %1\n"
28- "beq $3, 0, 1b"
29- : "=&r"(orig)
30- : "m"(*p), "r"(val)
31- : "memory", "$3"
32- );
33+ __asm__ __volatile__ (
34+ " .set push \n"
35+ " .set mips2 \n"
36+ " .set noreorder \n"
37+ " .set noat \n"
38+ "1: ll $1, %1 \n"
39+ " addu %0, $1, %2 \n"
40+ " sc %0, %1 \n"
41+ " beqz %0, 1b \n"
42+ " move %0, $1 \n"
43+ " .set pop \n"
44+ : "=&r" (orig), "+R" (*p)
45+ : "r" (val)
46+ : "memory");
47
48 return (orig);
49 }
50@@ -52,16 +54,7 @@
51 */
52 static inline void
53 isc_atomic_store(isc_int32_t *p, isc_int32_t val) {
54- __asm__ volatile (
55- "1:"
56- "ll $3, %0\n"
57- "add $3, $0, %1\n"
58- "sc $3, %0\n"
59- "beq $3, 0, 1b"
60- :
61- : "m"(*p), "r"(val)
62- : "memory", "$3"
63- );
64+ *p = val;
65 }
66
67 /*
68@@ -72,20 +65,23 @@
69 static inline isc_int32_t
70 isc_atomic_cmpxchg(isc_int32_t *p, int cmpval, int val) {
71 isc_int32_t orig;
72+ isc_int32_t tmp;
73
74- __asm__ volatile(
75- "1:"
76- "ll $3, %1\n"
77- "add %0, $0, $3\n"
78- "bne $3, %2, 2f\n"
79- "add $3, $0, %3\n"
80- "sc $3, %1\n"
81- "beq $3, 0, 1b\n"
82- "2:"
83- : "=&r"(orig)
84- : "m"(*p), "r"(cmpval), "r"(val)
85- : "memory", "$3"
86- );
87+ __asm__ __volatile__ (
88+ " .set push \n"
89+ " .set mips2 \n"
90+ " .set noreorder \n"
91+ " .set noat \n"
92+ "1: ll $1, %1 \n"
93+ " bne $1, %3, 2f \n"
94+ " move %2, %4 \n"
95+ " sc %2, %1 \n"
96+ " beqz %2, 1b \n"
97+ "2: move %0, $1 \n"
98+ " .set pop \n"
99+ : "=&r"(orig), "+R" (*p), "=r" (tmp)
100+ : "r"(cmpval), "r"(val)
101+ : "memory");
102
103 return (orig);
104 }
diff --git a/meta/recipes-connectivity/bind/bind/use-python3-and-fix-install-lib-path.patch b/meta/recipes-connectivity/bind/bind/use-python3-and-fix-install-lib-path.patch
new file mode 100644
index 0000000000..9829f15881
--- /dev/null
+++ b/meta/recipes-connectivity/bind/bind/use-python3-and-fix-install-lib-path.patch
@@ -0,0 +1,36 @@
1Use python3 rather default python which maybe links to python2 for oe. And add
2option for setup.py to install files to right directory.
3
4Upstream-Status: Inappropriate [OE specific]
5
6Signed-off-by: Kai Kang <kai.kang@windriver.com>
7---
8diff --git a/bin/python/Makefile.in b/bin/python/Makefile.in
9index a43a3c1..2e727f2 100644
10--- a/bin/python/Makefile.in
11+++ b/bin/python/Makefile.in
12@@ -55,9 +55,9 @@ install:: ${TARGETS} installdirs
13 ${INSTALL_DATA} ${srcdir}/dnssec-coverage.8 ${DESTDIR}${mandir}/man8
14 if test -n "${PYTHON}" ; then \
15 if test -n "${DESTDIR}" ; then \
16- ${PYTHON} ${srcdir}/setup.py install --root=${DESTDIR} --prefix=${prefix} ; \
17+ ${PYTHON} ${srcdir}/setup.py install --root=${DESTDIR} --prefix=${prefix} --install-lib=${PYTHON_SITEPACKAGES_DIR} ; \
18 else \
19- ${PYTHON} ${srcdir}/setup.py install --prefix=${prefix} ; \
20+ ${PYTHON} ${srcdir}/setup.py install --prefix=${prefix} --install-lib=${PYTHON_SITEPACKAGES_DIR} ; \
21 fi \
22 fi
23
24diff --git a/configure.in b/configure.in
25index 314bb90..867923e 100644
26--- a/configure.in
27+++ b/configure.in
28@@ -227,7 +227,7 @@ AC_ARG_WITH(python,
29 [ --with-python=PATH specify path to python interpreter],
30 use_python="$withval", use_python="unspec")
31
32-python="python python3 python3.5 python3.4 python3.3 python3.2 python2 python2.7"
33+python="python3 python3.5 python3.4 python3.3 python3.2 python2 python2.7"
34
35 testargparse='try: import argparse
36 except: exit(1)'
diff --git a/meta/recipes-connectivity/bind/bind_9.10.3-P3.bb b/meta/recipes-connectivity/bind/bind_9.10.5-P3.bb
index 7eb79b0ea0..e6e1e8d068 100644
--- a/meta/recipes-connectivity/bind/bind_9.10.3-P3.bb
+++ b/meta/recipes-connectivity/bind/bind_9.10.5-P3.bb
@@ -3,14 +3,13 @@ HOMEPAGE = "http://www.isc.org/sw/bind/"
3SECTION = "console/network" 3SECTION = "console/network"
4 4
5LICENSE = "ISC & BSD" 5LICENSE = "ISC & BSD"
6LIC_FILES_CHKSUM = "file://COPYRIGHT;md5=0a95f52a0ab6c5f52dedc9a45e7abb3f" 6LIC_FILES_CHKSUM = "file://COPYRIGHT;md5=dba46507446198119bcde32a4feaab43"
7 7
8DEPENDS = "openssl libcap" 8DEPENDS = "openssl libcap"
9 9
10SRC_URI = "ftp://ftp.isc.org/isc/bind9/${PV}/${BPN}-${PV}.tar.gz \ 10SRC_URI = "ftp://ftp.isc.org/isc/bind9/${PV}/${BPN}-${PV}.tar.gz \
11 file://conf.patch \ 11 file://conf.patch \
12 file://make-etc-initd-bind-stop-work.patch \ 12 file://make-etc-initd-bind-stop-work.patch \
13 file://mips1-not-support-opcode.diff \
14 file://dont-test-on-host.patch \ 13 file://dont-test-on-host.patch \
15 file://generate-rndc-key.sh \ 14 file://generate-rndc-key.sh \
16 file://named.service \ 15 file://named.service \
@@ -21,21 +20,14 @@ SRC_URI = "ftp://ftp.isc.org/isc/bind9/${PV}/${BPN}-${PV}.tar.gz \
21 file://bind-ensure-searching-for-json-headers-searches-sysr.patch \ 20 file://bind-ensure-searching-for-json-headers-searches-sysr.patch \
22 file://0001-gen.c-extend-DIRNAMESIZE-from-256-to-512.patch \ 21 file://0001-gen.c-extend-DIRNAMESIZE-from-256-to-512.patch \
23 file://0001-lib-dns-gen.c-fix-too-long-error.patch \ 22 file://0001-lib-dns-gen.c-fix-too-long-error.patch \
24 file://CVE-2016-1285.patch \ 23 file://use-python3-and-fix-install-lib-path.patch \
25 file://CVE-2016-1286_1.patch \
26 file://CVE-2016-1286_2.patch \
27 file://CVE-2016-2088.patch \
28 file://CVE-2016-2775.patch \
29 file://CVE-2016-2776.patch \
30 file://CVE-2016-8864.patch \
31 file://CVE-2016-6170.patch \
32 " 24 "
33 25
34UPSTREAM_CHECK_URI = "ftp://ftp.isc.org/isc/bind9/" 26UPSTREAM_CHECK_URI = "ftp://ftp.isc.org/isc/bind9/"
35UPSTREAM_CHECK_REGEX = "(?P<pver>9(\.\d+)+(-P\d+)*)/" 27UPSTREAM_CHECK_REGEX = "(?P<pver>9(\.\d+)+(-P\d+)*)/"
36 28
37SRC_URI[md5sum] = "bcf7e772b616f7259420a3edc5df350a" 29SRC_URI[md5sum] = "d79cafbd9ac76239ee532dd89d05cc83"
38SRC_URI[sha256sum] = "690810d1fbb72afa629e74638d19cd44e28d2b2e5eb63f55c705ad85d1a4cb83" 30SRC_URI[sha256sum] = "8d7e96b5b0bbac7b900d4c4bbb82e0956b4e509433c5fa392bb72a929b96606a"
39 31
40ENABLE_IPV6 = "--enable-ipv6=${@bb.utils.contains('DISTRO_FEATURES', 'ipv6', 'yes', 'no', d)}" 32ENABLE_IPV6 = "--enable-ipv6=${@bb.utils.contains('DISTRO_FEATURES', 'ipv6', 'yes', 'no', d)}"
41EXTRA_OECONF = " ${ENABLE_IPV6} --with-libtool --enable-threads \ 33EXTRA_OECONF = " ${ENABLE_IPV6} --with-libtool --enable-threads \
@@ -44,7 +36,10 @@ EXTRA_OECONF = " ${ENABLE_IPV6} --with-libtool --enable-threads \
44 --sysconfdir=${sysconfdir}/bind \ 36 --sysconfdir=${sysconfdir}/bind \
45 --with-openssl=${STAGING_LIBDIR}/.. \ 37 --with-openssl=${STAGING_LIBDIR}/.. \
46 " 38 "
47inherit autotools update-rc.d systemd useradd pkgconfig 39
40inherit autotools update-rc.d systemd useradd pkgconfig python3-dir
41
42export PYTHON_SITEPACKAGES_DIR
48 43
49# PACKAGECONFIGs readline and libedit should NOT be set at same time 44# PACKAGECONFIGs readline and libedit should NOT be set at same time
50PACKAGECONFIG ?= "readline" 45PACKAGECONFIG ?= "readline"
@@ -70,7 +65,7 @@ RDEPENDS_${PN}-dev = ""
70PACKAGE_BEFORE_PN += "${PN}-utils" 65PACKAGE_BEFORE_PN += "${PN}-utils"
71FILES_${PN}-utils = "${bindir}/host ${bindir}/dig" 66FILES_${PN}-utils = "${bindir}/host ${bindir}/dig"
72FILES_${PN}-dev += "${bindir}/isc-config.h" 67FILES_${PN}-dev += "${bindir}/isc-config.h"
73FILES_${PN} += "${sbindir}/generate-rndc-key.sh" 68FILES_${PN} += "${sbindir}/generate-rndc-key.sh ${PYTHON_SITEPACKAGES_DIR}"
74 69
75do_install_prepend() { 70do_install_prepend() {
76 # clean host path in isc-config.sh before the hardlink created 71 # clean host path in isc-config.sh before the hardlink created
@@ -107,6 +102,8 @@ do_install_append() {
107 install -d ${D}${sysconfdir}/tmpfiles.d 102 install -d ${D}${sysconfdir}/tmpfiles.d
108 echo "d /run/named 0755 bind bind - -" > ${D}${sysconfdir}/tmpfiles.d/bind.conf 103 echo "d /run/named 0755 bind bind - -" > ${D}${sysconfdir}/tmpfiles.d/bind.conf
109 fi 104 fi
105
106 rm -f ${D}${PYTHON_SITEPACKAGES_DIR}/isc/*.pyc
110} 107}
111 108
112CONFFILES_${PN} = " \ 109CONFFILES_${PN} = " \
generated by cgit v1.2.3-54-g00ecf (git 2.39.0) at 2026-02-03 14:30:09 +0000