author | Kai Kang <kai.kang@windriver.com> | 2017-07-12 09:25:05 +0800 |
committer | Richard Purdie <richard.purdie@linuxfoundation.org> | 2017-07-17 13:49:02 +0100 |
commit | 9ee6a0a6599d081767b63382a576e67aed12cf4d (patch) | |
tree | 4d6f8c4f4cadd1549948f967bee99fc833af337e /meta/recipes-connectivity | |
parent | 26aaa6cca9de678fa6d6e89902d14aff9cf3c8b0 (diff) | |
download | openembedded-core-contrib-9ee6a0a6599d081767b63382a576e67aed12cf4d.tar.gz |
bind: 9.10.3-P3 -> 9.10.5-P3
Upgrade bind from 9.10.3-P3 to 9.10.5-P3
* Update md5sum of LIC_FILES_CHKSUM since the year in file COPYRIGHT has been updated
* Remove mips1-not-support-opcode.diff which has been merged
* Remove CVE patches that have been backported from upstream
* Use python3 for build and make sure install .py files to right directory
Signed-off-by: Kai Kang <kai.kang@windriver.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Diffstat (limited to 'meta/recipes-connectivity')
13 files changed, 61 insertions, 2443 deletions
diff --git a/meta/recipes-connectivity/bind/bind/0001-build-use-pkg-config-to-find-libxml2.patch b/meta/recipes-connectivity/bind/bind/0001-build-use-pkg-config-to-find-libxml2.patch index 805cbb3315a..1e23c0f56b7 100644 --- a/meta/recipes-connectivity/bind/bind/0001-build-use-pkg-config-to-find-libxml2.patch +++ b/meta/recipes-connectivity/bind/bind/0001-build-use-pkg-config-to-find-libxml2.patch @@ -7,15 +7,19 @@ Signed-off-by: Ross Burton <ross.burton@intel.com> Update context for version 9.10.3-P2. Signed-off-by: Kai Kang <kai.kang@windriver.com> + +Update context for version 9.10.5-P3. + +Signed-off-by: Kai Kang <kai.kang@windriver.com> --- configure.in | 23 +++-------------------- 1 file changed, 3 insertions(+), 20 deletions(-) diff --git a/configure.in b/configure.in -index 0db826d..75819eb 100644 +index 4da73a4..6f2a754 100644 --- a/configure.in +++ b/configure.in -@@ -2107,26 +2107,9 @@ case "$use_libxml2" in +@@ -2282,26 +2282,9 @@ case "$use_libxml2" in DST_LIBXML2_INC="" ;; auto|yes) @@ -25,7 +29,7 @@ index 0db826d..75819eb 100644 - libxml2_cflags=`xml2-config --cflags` - ;; - *) -- if test "$use_libxml2" = "yes" ; then +- if test "yes" = "$use_libxml2" ; then - AC_MSG_RESULT(no) - AC_MSG_ERROR(required libxml2 version not available) - else diff --git a/meta/recipes-connectivity/bind/bind/CVE-2016-1285.patch b/meta/recipes-connectivity/bind/bind/CVE-2016-1285.patch deleted file mode 100644 index 2149bd180dc..00000000000 --- a/meta/recipes-connectivity/bind/bind/CVE-2016-1285.patch +++ /dev/null 
@@ -1,154 +0,0 @@ -From 70037e040e587329cec82123e12b9f4f7c945f67 Mon Sep 17 00:00:00 2001 -From: Mark Andrews <marka@isc.org> -Date: Thu, 18 Feb 2016 12:11:27 +1100 -Subject: [PATCH] 4318. [security] Malformed control messages can - trigger assertions in named and rndc. (CVE-2016-1285) - [RT #41666] - -(cherry picked from commit a2b15b3305acd52179e6f3dc7d073b07fbc40b8e) - -CVE: CVE-2016-1285 -Upstream-Status: Backport -[Removed doc/arm/notes.xml changes from upstream patch] - -Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com> ---- - CHANGES | 3 +++ - bin/named/control.c | 2 +- - bin/named/controlconf.c | 2 +- - bin/rndc/rndc.c | 8 ++++---- - doc/arm/notes.xml | 11 +++++++++++ - lib/isccc/cc.c | 14 +++++++------- - 6 files changed, 27 insertions(+), 13 deletions(-) - -diff --git a/CHANGES b/CHANGES -index b9bd9ef..2c727d5 100644 ---- a/CHANGES -+++ b/CHANGES -@@ -1,3 +1,6 @@ -+4318. [security] Malformed control messages can trigger assertions -+ in named and rndc. (CVE-2016-1285) [RT #41666] -+ - --- 9.10.3-P3 released --- - - 4288. [bug] Fixed a regression in resolver.c:possibly_mark() -diff --git a/bin/named/control.c b/bin/named/control.c -index 8554335..81340ca 100644 ---- a/bin/named/control.c -+++ b/bin/named/control.c -@@ -69,7 +69,7 @@ ns_control_docommand(isccc_sexpr_t *message, isc_buffer_t *text) { - #endif - - data = isccc_alist_lookup(message, "_data"); -- if (data == NULL) { -+ if (!isccc_alist_alistp(data)) { - /* - * No data section. - */ -diff --git a/bin/named/controlconf.c b/bin/named/controlconf.c -index 765afdd..a39ab8b 100644 ---- a/bin/named/controlconf.c -+++ b/bin/named/controlconf.c -@@ -402,7 +402,7 @@ control_recvmessage(isc_task_t *task, isc_event_t *event) { - * Limit exposure to replay attacks. 
- */ - _ctrl = isccc_alist_lookup(request, "_ctrl"); -- if (_ctrl == NULL) { -+ if (!isccc_alist_alistp(_ctrl)) { - log_invalid(&conn->ccmsg, ISC_R_FAILURE); - goto cleanup_request; - } -diff --git a/bin/rndc/rndc.c b/bin/rndc/rndc.c -index cb17050..b6e05c8 100644 ---- a/bin/rndc/rndc.c -+++ b/bin/rndc/rndc.c -@@ -255,8 +255,8 @@ rndc_recvdone(isc_task_t *task, isc_event_t *event) { - isccc_cc_fromwire(&source, &response, algorithm, &secret)); - - data = isccc_alist_lookup(response, "_data"); -- if (data == NULL) -- fatal("no data section in response"); -+ if (!isccc_alist_alistp(data)) -+ fatal("bad or missing data section in response"); - result = isccc_cc_lookupstring(data, "err", &errormsg); - if (result == ISC_R_SUCCESS) { - failed = ISC_TRUE; -@@ -321,8 +321,8 @@ rndc_recvnonce(isc_task_t *task, isc_event_t *event) { - isccc_cc_fromwire(&source, &response, algorithm, &secret)); - - _ctrl = isccc_alist_lookup(response, "_ctrl"); -- if (_ctrl == NULL) -- fatal("_ctrl section missing"); -+ if (!isccc_alist_alistp(_ctrl)) -+ fatal("bad or missing ctrl section in response"); - nonce = 0; - if (isccc_cc_lookupuint32(_ctrl, "_nonce", &nonce) != ISC_R_SUCCESS) - nonce = 0; -diff --git a/lib/isccc/cc.c b/lib/isccc/cc.c -index 47a3b74..2bb961e 100644 ---- a/lib/isccc/cc.c -+++ b/lib/isccc/cc.c -@@ -403,13 +403,13 @@ verify(isccc_sexpr_t *alist, unsigned char *data, unsigned int length, - * Extract digest. - */ - _auth = isccc_alist_lookup(alist, "_auth"); -- if (_auth == NULL) -+ if (!isccc_alist_alistp(_auth)) - return (ISC_R_FAILURE); - if (algorithm == ISCCC_ALG_HMACMD5) - hmac = isccc_alist_lookup(_auth, "hmd5"); - else - hmac = isccc_alist_lookup(_auth, "hsha"); -- if (hmac == NULL) -+ if (!isccc_sexpr_binaryp(hmac)) - return (ISC_R_FAILURE); - /* - * Compute digest. 
-@@ -728,7 +728,7 @@ isccc_cc_createack(isccc_sexpr_t *message, isc_boolean_t ok, - REQUIRE(ackp != NULL && *ackp == NULL); - - _ctrl = isccc_alist_lookup(message, "_ctrl"); -- if (_ctrl == NULL || -+ if (!isccc_alist_alistp(_ctrl) || - isccc_cc_lookupuint32(_ctrl, "_ser", &serial) != ISC_R_SUCCESS || - isccc_cc_lookupuint32(_ctrl, "_tim", &t) != ISC_R_SUCCESS) - return (ISC_R_FAILURE); -@@ -773,7 +773,7 @@ isccc_cc_isack(isccc_sexpr_t *message) - isccc_sexpr_t *_ctrl; - - _ctrl = isccc_alist_lookup(message, "_ctrl"); -- if (_ctrl == NULL) -+ if (!isccc_alist_alistp(_ctrl)) - return (ISC_FALSE); - if (isccc_cc_lookupstring(_ctrl, "_ack", NULL) == ISC_R_SUCCESS) - return (ISC_TRUE); -@@ -786,7 +786,7 @@ isccc_cc_isreply(isccc_sexpr_t *message) - isccc_sexpr_t *_ctrl; - - _ctrl = isccc_alist_lookup(message, "_ctrl"); -- if (_ctrl == NULL) -+ if (!isccc_alist_alistp(_ctrl)) - return (ISC_FALSE); - if (isccc_cc_lookupstring(_ctrl, "_rpl", NULL) == ISC_R_SUCCESS) - return (ISC_TRUE); -@@ -806,7 +806,7 @@ isccc_cc_createresponse(isccc_sexpr_t *message, isccc_time_t now, - - _ctrl = isccc_alist_lookup(message, "_ctrl"); - _data = isccc_alist_lookup(message, "_data"); -- if (_ctrl == NULL || _data == NULL || -+ if (!isccc_alist_alistp(_ctrl) || !isccc_alist_alistp(_data) || - isccc_cc_lookupuint32(_ctrl, "_ser", &serial) != ISC_R_SUCCESS || - isccc_cc_lookupstring(_data, "type", &type) != ISC_R_SUCCESS) - return (ISC_R_FAILURE); -@@ -995,7 +995,7 @@ isccc_cc_checkdup(isccc_symtab_t *symtab, isccc_sexpr_t *message, - isccc_sexpr_t *_ctrl; - - _ctrl = isccc_alist_lookup(message, "_ctrl"); -- if (_ctrl == NULL || -+ if (!isccc_alist_alistp(_ctrl) || - isccc_cc_lookupstring(_ctrl, "_ser", &_ser) != ISC_R_SUCCESS || - isccc_cc_lookupstring(_ctrl, "_tim", &_tim) != ISC_R_SUCCESS) - return (ISC_R_FAILURE); --- -1.9.1 - 
diff --git a/meta/recipes-connectivity/bind/bind/CVE-2016-1286_1.patch b/meta/recipes-connectivity/bind/bind/CVE-2016-1286_1.patch deleted file mode 100644 index ae5cc48d9cc..00000000000 --- a/meta/recipes-connectivity/bind/bind/CVE-2016-1286_1.patch +++ /dev/null 
@@ -1,79 +0,0 @@ -From a3d327bf1ceaaeabb20223d8de85166e940b9f12 Mon Sep 17 00:00:00 2001 -From: Mukund Sivaraman <muks@isc.org> -Date: Mon, 22 Feb 2016 12:22:43 +0530 -Subject: [PATCH] Fix resolver assertion failure due to improper DNAME handling - (CVE-2016-1286) (#41753) - -(cherry picked from commit 5995fec51cc8bb7e53804e4936e60aa1537f3673) - -CVE: CVE-2016-1286 -Upstream-Status: Backport - -[Removed doc/arm/notes.xml changes from upstream patch.] - -Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com> ---- -diff -ruN a/CHANGES b/CHANGES ---- a/CHANGES 2016-04-13 07:28:44.940873629 +0200 -+++ b/CHANGES 2016-04-13 07:38:38.923167851 +0200 -@@ -1,3 +1,7 @@ -+4319. [security] Fix resolver assertion failure due to improper -+ DNAME handling when parsing fetch reply messages. -+ (CVE-2016-1286) [RT #41753] -+ - 4318. [security] Malformed control messages can trigger assertions - in named and rndc. (CVE-2016-1285) [RT #41666] - -diff -ruN a/lib/dns/resolver.c b/lib/dns/resolver.c ---- a/lib/dns/resolver.c 2016-04-13 07:28:43.088953790 +0200 -+++ b/lib/dns/resolver.c 2016-04-13 07:38:20.411968925 +0200 -@@ -6967,21 +6967,26 @@ - isc_boolean_t found_dname = ISC_FALSE; - dns_name_t *dname_name; - -+ /* -+ * Only pass DNAME or RRSIG(DNAME). -+ */ -+ if (rdataset->type != dns_rdatatype_dname && -+ (rdataset->type != dns_rdatatype_rrsig || -+ rdataset->covers != dns_rdatatype_dname)) -+ continue; -+ -+ /* -+ * If we're not chaining, then the DNAME and -+ * its signature should not be external. -+ */ -+ if (!chaining && external) { -+ log_formerr(fctx, "external DNAME"); -+ return (DNS_R_FORMERR); -+ } -+ - found = ISC_FALSE; - aflag = 0; - if (rdataset->type == dns_rdatatype_dname) { -- /* -- * We're looking for something else, -- * but we found a DNAME. -- * -- * If we're not chaining, then the -- * DNAME should not be external. 
-- */ -- if (!chaining && external) { -- log_formerr(fctx, -- "external DNAME"); -- return (DNS_R_FORMERR); -- } - found = ISC_TRUE; - want_chaining = ISC_TRUE; - POST(want_chaining); -@@ -7010,9 +7015,7 @@ - &fctx->domain)) { - return (DNS_R_SERVFAIL); - } -- } else if (rdataset->type == dns_rdatatype_rrsig -- && rdataset->covers == -- dns_rdatatype_dname) { -+ } else { - /* - * We've found a signature that - * covers the DNAME. diff --git a/meta/recipes-connectivity/bind/bind/CVE-2016-1286_2.patch b/meta/recipes-connectivity/bind/bind/CVE-2016-1286_2.patch deleted file mode 100644 index 5f5cb0d340f..00000000000 --- a/meta/recipes-connectivity/bind/bind/CVE-2016-1286_2.patch +++ /dev/null 
@@ -1,317 +0,0 @@ -From 7602be276a73a6eb5431c5acd9718e68a55e8b61 Mon Sep 17 00:00:00 2001 -From: Mark Andrews <marka@isc.org> -Date: Mon, 29 Feb 2016 07:16:48 +1100 -Subject: [PATCH] Part 2 of: 4319. [security] Fix resolver assertion - failure due to improper DNAME handling when parsing - fetch reply messages. (CVE-2016-1286) [RT #41753] - -CVE: CVE-2016-1286 -Upstream-Status: Backport - -(cherry picked from commit 2de89ee9de8c8da9dc153a754b02dcdbb7fe2374) -Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com> ---- - lib/dns/resolver.c | 192 ++++++++++++++++++++++++++--------------------------- - 1 file changed, 93 insertions(+), 99 deletions(-) - -diff --git a/lib/dns/resolver.c b/lib/dns/resolver.c -index 70aba87..41e9df4 100644 ---- a/lib/dns/resolver.c -+++ b/lib/dns/resolver.c -@@ -6074,14 +6074,11 @@ cname_target(dns_rdataset_t *rdataset, dns_name_t *tname) { - } - - static inline isc_result_t --dname_target(fetchctx_t *fctx, dns_rdataset_t *rdataset, dns_name_t *qname, -- dns_name_t *oname, dns_fixedname_t *fixeddname) -+dname_target(dns_rdataset_t *rdataset, dns_name_t *qname, -+ unsigned int nlabels, dns_fixedname_t *fixeddname) - { - isc_result_t result; - dns_rdata_t rdata = DNS_RDATA_INIT; -- unsigned int nlabels; -- int order; -- dns_namereln_t namereln; - dns_rdata_dname_t dname; - dns_fixedname_t prefix; - -@@ -6096,21 +6093,6 @@ dname_target(fetchctx_t *fctx, dns_rdataset_t *rdataset, dns_name_t *qname, - if (result != ISC_R_SUCCESS) - return (result); - -- /* -- * Get the prefix of qname. 
-- */ -- namereln = dns_name_fullcompare(qname, oname, &order, &nlabels); -- if (namereln != dns_namereln_subdomain) { -- char qbuf[DNS_NAME_FORMATSIZE]; -- char obuf[DNS_NAME_FORMATSIZE]; -- -- dns_rdata_freestruct(&dname); -- dns_name_format(qname, qbuf, sizeof(qbuf)); -- dns_name_format(oname, obuf, sizeof(obuf)); -- log_formerr(fctx, "unrelated DNAME in answer: " -- "%s is not in %s", qbuf, obuf); -- return (DNS_R_FORMERR); -- } - dns_fixedname_init(&prefix); - dns_name_split(qname, nlabels, dns_fixedname_name(&prefix), NULL); - dns_fixedname_init(fixeddname); -@@ -6736,13 +6718,13 @@ static isc_result_t - answer_response(fetchctx_t *fctx) { - isc_result_t result; - dns_message_t *message; -- dns_name_t *name, *qname, tname, *ns_name; -+ dns_name_t *name, *dname, *qname, tname, *ns_name; - dns_rdataset_t *rdataset, *ns_rdataset; - isc_boolean_t done, external, chaining, aa, found, want_chaining; - isc_boolean_t have_answer, found_cname, found_type, wanted_chaining; - unsigned int aflag; - dns_rdatatype_t type; -- dns_fixedname_t dname, fqname; -+ dns_fixedname_t fdname, fqname; - dns_view_t *view; - - FCTXTRACE("answer_response"); -@@ -6770,10 +6752,15 @@ answer_response(fetchctx_t *fctx) { - view = fctx->res->view; - result = dns_message_firstname(message, DNS_SECTION_ANSWER); - while (!done && result == ISC_R_SUCCESS) { -+ dns_namereln_t namereln; -+ int order; -+ unsigned int nlabels; -+ - name = NULL; - dns_message_currentname(message, DNS_SECTION_ANSWER, &name); - external = ISC_TF(!dns_name_issubdomain(name, &fctx->domain)); -- if (dns_name_equal(name, qname)) { -+ namereln = dns_name_fullcompare(qname, name, &order, &nlabels); -+ if (namereln == dns_namereln_equal) { - wanted_chaining = ISC_FALSE; - for (rdataset = ISC_LIST_HEAD(name->list); - rdataset != NULL; -@@ -6898,10 +6885,11 @@ answer_response(fetchctx_t *fctx) { - */ - INSIST(!external); - if (aflag == -- DNS_RDATASETATTR_ANSWER) -+ DNS_RDATASETATTR_ANSWER) { - have_answer = ISC_TRUE; -- 
name->attributes |= -- DNS_NAMEATTR_ANSWER; -+ name->attributes |= -+ DNS_NAMEATTR_ANSWER; -+ } - rdataset->attributes |= aflag; - if (aa) - rdataset->trust = -@@ -6956,6 +6944,8 @@ answer_response(fetchctx_t *fctx) { - if (wanted_chaining) - chaining = ISC_TRUE; - } else { -+ dns_rdataset_t *dnameset = NULL; -+ - /* - * Look for a DNAME (or its SIG). Anything else is - * ignored. -@@ -6963,10 +6953,8 @@ answer_response(fetchctx_t *fctx) { - wanted_chaining = ISC_FALSE; - for (rdataset = ISC_LIST_HEAD(name->list); - rdataset != NULL; -- rdataset = ISC_LIST_NEXT(rdataset, link)) { -- isc_boolean_t found_dname = ISC_FALSE; -- dns_name_t *dname_name; -- -+ rdataset = ISC_LIST_NEXT(rdataset, link)) -+ { - /* - * Only pass DNAME or RRSIG(DNAME). - */ -@@ -6980,20 +6968,41 @@ answer_response(fetchctx_t *fctx) { - * its signature should not be external. - */ - if (!chaining && external) { -- log_formerr(fctx, "external DNAME"); -+ char qbuf[DNS_NAME_FORMATSIZE]; -+ char obuf[DNS_NAME_FORMATSIZE]; -+ -+ dns_name_format(name, qbuf, -+ sizeof(qbuf)); -+ dns_name_format(&fctx->domain, obuf, -+ sizeof(obuf)); -+ log_formerr(fctx, "external DNAME or " -+ "RRSIG covering DNAME " -+ "in answer: %s is " -+ "not in %s", qbuf, obuf); -+ return (DNS_R_FORMERR); -+ } -+ -+ if (namereln != dns_namereln_subdomain) { -+ char qbuf[DNS_NAME_FORMATSIZE]; -+ char obuf[DNS_NAME_FORMATSIZE]; -+ -+ dns_name_format(qname, qbuf, -+ sizeof(qbuf)); -+ dns_name_format(name, obuf, -+ sizeof(obuf)); -+ log_formerr(fctx, "unrelated DNAME " -+ "in answer: %s is " -+ "not in %s", qbuf, obuf); - return (DNS_R_FORMERR); - } - -- found = ISC_FALSE; - aflag = 0; - if (rdataset->type == dns_rdatatype_dname) { -- found = ISC_TRUE; - want_chaining = ISC_TRUE; - POST(want_chaining); - aflag = DNS_RDATASETATTR_ANSWER; -- result = dname_target(fctx, rdataset, -- qname, name, -- &dname); -+ result = dname_target(rdataset, qname, -+ nlabels, &fdname); - if (result == ISC_R_NOSPACE) { - /* - * We can't construct the 
-@@ -7005,14 +7014,12 @@ answer_response(fetchctx_t *fctx) { - } else if (result != ISC_R_SUCCESS) - return (result); - else -- found_dname = ISC_TRUE; -+ dnameset = rdataset; - -- dname_name = dns_fixedname_name(&dname); -+ dname = dns_fixedname_name(&fdname); - if (!is_answertarget_allowed(view, -- qname, -- rdataset->type, -- dname_name, -- &fctx->domain)) { -+ qname, rdataset->type, -+ dname, &fctx->domain)) { - return (DNS_R_SERVFAIL); - } - } else { -@@ -7020,73 +7027,60 @@ answer_response(fetchctx_t *fctx) { - * We've found a signature that - * covers the DNAME. - */ -- found = ISC_TRUE; - aflag = DNS_RDATASETATTR_ANSWERSIG; - } - -- if (found) { -+ /* -+ * We've found an answer to our -+ * question. -+ */ -+ name->attributes |= DNS_NAMEATTR_CACHE; -+ rdataset->attributes |= DNS_RDATASETATTR_CACHE; -+ rdataset->trust = dns_trust_answer; -+ if (!chaining) { - /* -- * We've found an answer to our -- * question. -+ * This data is "the" answer to -+ * our question only if we're -+ * not chaining. - */ -- name->attributes |= -- DNS_NAMEATTR_CACHE; -- rdataset->attributes |= -- DNS_RDATASETATTR_CACHE; -- rdataset->trust = dns_trust_answer; -- if (!chaining) { -- /* -- * This data is "the" answer -- * to our question only if -- * we're not chaining. -- */ -- INSIST(!external); -- if (aflag == -- DNS_RDATASETATTR_ANSWER) -- have_answer = ISC_TRUE; -+ INSIST(!external); -+ if (aflag == DNS_RDATASETATTR_ANSWER) { -+ have_answer = ISC_TRUE; - name->attributes |= - DNS_NAMEATTR_ANSWER; -- rdataset->attributes |= aflag; -- if (aa) -- rdataset->trust = -- dns_trust_authanswer; -- } else if (external) { -- rdataset->attributes |= -- DNS_RDATASETATTR_EXTERNAL; -- } -- -- /* -- * DNAME chaining. -- */ -- if (found_dname) { -- /* -- * Copy the dname into the -- * qname fixed name. -- * -- * Although we check for -- * failure of the copy -- * operation, in practice it -- * should never fail since -- * we already know that the -- * result fits in a fixedname. 
-- */ -- dns_fixedname_init(&fqname); -- result = dns_name_copy( -- dns_fixedname_name(&dname), -- dns_fixedname_name(&fqname), -- NULL); -- if (result != ISC_R_SUCCESS) -- return (result); -- wanted_chaining = ISC_TRUE; -- name->attributes |= -- DNS_NAMEATTR_CHAINING; -- rdataset->attributes |= -- DNS_RDATASETATTR_CHAINING; -- qname = dns_fixedname_name( -- &fqname); - } -+ rdataset->attributes |= aflag; -+ if (aa) -+ rdataset->trust = -+ dns_trust_authanswer; -+ } else if (external) { -+ rdataset->attributes |= -+ DNS_RDATASETATTR_EXTERNAL; - } - } -+ -+ /* -+ * DNAME chaining. -+ */ -+ if (dnameset != NULL) { -+ /* -+ * Copy the dname into the qname fixed name. -+ * -+ * Although we check for failure of the copy -+ * operation, in practice it should never fail -+ * since we already know that the result fits -+ * in a fixedname. -+ */ -+ dns_fixedname_init(&fqname); -+ qname = dns_fixedname_name(&fqname); -+ result = dns_name_copy(dname, qname, NULL); -+ if (result != ISC_R_SUCCESS) -+ return (result); -+ wanted_chaining = ISC_TRUE; -+ name->attributes |= DNS_NAMEATTR_CHAINING; -+ dnameset->attributes |= -+ DNS_RDATASETATTR_CHAINING; -+ } - if (wanted_chaining) - chaining = ISC_TRUE; - } --- -1.9.1 - diff --git a/meta/recipes-connectivity/bind/bind/CVE-2016-2088.patch b/meta/recipes-connectivity/bind/bind/CVE-2016-2088.patch deleted file mode 100644 index 1b84d46b78d..00000000000 --- a/meta/recipes-connectivity/bind/bind/CVE-2016-2088.patch +++ /dev/null 
@@ -1,247 +0,0 @@ -CVE-2016-2088 - -Backport commit d7ff9a1c41bf0ba9773cb3adb08b48b9fd57c956 from the -v9_10_3_patch branch. - -https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2088 -https://kb.isc.org/article/AA-01351 - -CVE: CVE-2016-2088 -Upstream-Status: Backport -Signed-off-by: Jussi Kukkonen <jussi.kukkonen@intel.com> - - -Original commit message from Mark Andrews <marka@isc.org> below: - -4322. [security] Duplicate EDNS COOKIE options in a response could - trigger an assertion failure. (CVE-2016-2088) - [RT #41809] - -(cherry picked from commit 455c0848f80a8acda27aad1466c72987cafaa029) -(cherry picked from commit 7cd300abd6ee8b8ee8730593daf742ba53f90bc3) ---- - CHANGES | 4 ++++ - bin/dig/dighost.c | 9 +++++++++ - bin/named/client.c | 33 +++++++++++++++++++++++---------- - doc/arm/notes.xml | 7 +++++++ - lib/dns/resolver.c | 14 +++++++++++++- - 5 files changed, 56 insertions(+), 11 deletions(-) - -diff --git a/CHANGES b/CHANGES -index c5b5d2b..d2e3360 100644 ---- a/CHANGES -+++ b/CHANGES -@@ -1,3 +1,7 @@ -+4322. [security] Duplicate EDNS COOKIE options in a response could -+ trigger an assertion failure. (CVE-2016-2088) -+ [RT #41809] -+ - 4319. [security] Fix resolver assertion failure due to improper - DNAME handling when parsing fetch reply messages. - (CVE-2016-1286) [RT #41753] -diff --git a/bin/dig/dighost.c b/bin/dig/dighost.c -index ca82f8e..340904f 100644 ---- a/bin/dig/dighost.c -+++ b/bin/dig/dighost.c -@@ -3458,6 +3458,7 @@ process_opt(dig_lookup_t *l, dns_message_t *msg) { - isc_buffer_t optbuf; - isc_uint16_t optcode, optlen; - dns_rdataset_t *opt = msg->opt; -+ isc_boolean_t seen_cookie = ISC_FALSE; - - result = dns_rdataset_first(opt); - if (result == ISC_R_SUCCESS) { -@@ -3470,7 +3471,15 @@ process_opt(dig_lookup_t *l, dns_message_t *msg) { - optlen = isc_buffer_getuint16(&optbuf); - switch (optcode) { - case DNS_OPT_COOKIE: -+ /* -+ * Only process the first cookie option. 
-+ */ -+ if (seen_cookie) { -+ isc_buffer_forward(&optbuf, optlen); -+ break; -+ } - process_sit(l, msg, &optbuf, optlen); -+ seen_cookie = ISC_TRUE; - break; - default: - isc_buffer_forward(&optbuf, optlen); -diff --git a/bin/named/client.c b/bin/named/client.c -index 683305c..0d7331a 100644 ---- a/bin/named/client.c -+++ b/bin/named/client.c -@@ -120,7 +120,10 @@ - */ - #endif - --#define SIT_SIZE 24U /* 8 + 4 + 4 + 8 */ -+#define COOKIE_SIZE 24U /* 8 + 4 + 4 + 8 */ -+ -+#define WANTNSID(x) (((x)->attributes & NS_CLIENTATTR_WANTNSID) != 0) -+#define WANTEXPIRE(x) (((x)->attributes & NS_CLIENTATTR_WANTEXPIRE) != 0) - - /*% nameserver client manager structure */ - struct ns_clientmgr { -@@ -1395,7 +1398,7 @@ ns_client_addopt(ns_client_t *client, dns_message_t *message, - { - char nsid[BUFSIZ], *nsidp; - #ifdef ISC_PLATFORM_USESIT -- unsigned char sit[SIT_SIZE]; -+ unsigned char sit[COOKIE_SIZE]; - #endif - isc_result_t result; - dns_view_t *view; -@@ -1420,7 +1423,7 @@ ns_client_addopt(ns_client_t *client, dns_message_t *message, - flags = client->extflags & DNS_MESSAGEEXTFLAG_REPLYPRESERVE; - - /* Set EDNS options if applicable */ -- if ((client->attributes & NS_CLIENTATTR_WANTNSID) != 0 && -+ if (WANTNSID(client) && - (ns_g_server->server_id != NULL || - ns_g_server->server_usehostname)) { - if (ns_g_server->server_usehostname) { -@@ -1453,7 +1456,7 @@ ns_client_addopt(ns_client_t *client, dns_message_t *message, - - INSIST(count < DNS_EDNSOPTIONS); - ednsopts[count].code = DNS_OPT_COOKIE; -- ednsopts[count].length = SIT_SIZE; -+ ednsopts[count].length = COOKIE_SIZE; - ednsopts[count].value = sit; - count++; - } -@@ -1661,19 +1664,26 @@ compute_sit(ns_client_t *client, isc_uint32_t when, isc_uint32_t nonce, - - static void - process_sit(ns_client_t *client, isc_buffer_t *buf, size_t optlen) { -- unsigned char dbuf[SIT_SIZE]; -+ unsigned char dbuf[COOKIE_SIZE]; - unsigned char *old; - isc_stdtime_t now; - isc_uint32_t when; - isc_uint32_t nonce; - isc_buffer_t db; 
- -+ /* -+ * If we have already seen a ECS option skip this ECS option. -+ */ -+ if ((client->attributes & NS_CLIENTATTR_WANTSIT) != 0) { -+ isc_buffer_forward(buf, optlen); -+ return; -+ } - client->attributes |= NS_CLIENTATTR_WANTSIT; - - isc_stats_increment(ns_g_server->nsstats, - dns_nsstatscounter_sitopt); - -- if (optlen != SIT_SIZE) { -+ if (optlen != COOKIE_SIZE) { - /* - * Not our token. - */ -@@ -1717,14 +1727,13 @@ process_sit(ns_client_t *client, isc_buffer_t *buf, size_t optlen) { - isc_buffer_init(&db, dbuf, sizeof(dbuf)); - compute_sit(client, when, nonce, &db); - -- if (!isc_safe_memequal(old, dbuf, SIT_SIZE)) { -+ if (!isc_safe_memequal(old, dbuf, COOKIE_SIZE)) { - isc_stats_increment(ns_g_server->nsstats, - dns_nsstatscounter_sitnomatch); - return; - } - isc_stats_increment(ns_g_server->nsstats, - dns_nsstatscounter_sitmatch); -- - client->attributes |= NS_CLIENTATTR_HAVESIT; - } - #endif -@@ -1783,7 +1792,9 @@ process_opt(ns_client_t *client, dns_rdataset_t *opt) { - optlen = isc_buffer_getuint16(&optbuf); - switch (optcode) { - case DNS_OPT_NSID: -- isc_stats_increment(ns_g_server->nsstats, -+ if (!WANTNSID(client)) -+ isc_stats_increment( -+ ns_g_server->nsstats, - dns_nsstatscounter_nsidopt); - client->attributes |= NS_CLIENTATTR_WANTNSID; - isc_buffer_forward(&optbuf, optlen); -@@ -1794,7 +1805,9 @@ process_opt(ns_client_t *client, dns_rdataset_t *opt) { - break; - #endif - case DNS_OPT_EXPIRE: -- isc_stats_increment(ns_g_server->nsstats, -+ if (!WANTEXPIRE(client)) -+ isc_stats_increment( -+ ns_g_server->nsstats, - dns_nsstatscounter_expireopt); - client->attributes |= NS_CLIENTATTR_WANTEXPIRE; - isc_buffer_forward(&optbuf, optlen); -diff --git a/doc/arm/notes.xml b/doc/arm/notes.xml -index ebf4f55..095eb5b 100644 ---- a/doc/arm/notes.xml -+++ b/doc/arm/notes.xml -@@ -51,6 +51,13 @@ - <title>Security Fixes</title> - <itemizedlist> - <listitem> -+ <para> -+ Duplicate EDNS COOKIE options in a response could trigger -+ an assertion failure. 
This flaw is disclosed in CVE-2016-2088. -+ [RT #41809] -+ </para> -+ </listitem> -+ <listitem> - <para> - Specific APL data could trigger an INSIST. This flaw - was discovered by Brian Mitchell and is disclosed in -diff --git a/lib/dns/resolver.c b/lib/dns/resolver.c -index a797e3f..ba1ae23 100644 ---- a/lib/dns/resolver.c -+++ b/lib/dns/resolver.c -@@ -7502,7 +7502,9 @@ process_opt(resquery_t *query, dns_rdataset_t *opt) { - unsigned char *sit; - dns_adbaddrinfo_t *addrinfo; - unsigned char cookie[8]; -+ isc_boolean_t seen_cookie = ISC_FALSE; - #endif -+ isc_boolean_t seen_nsid = ISC_FALSE; - - result = dns_rdataset_first(opt); - if (result == ISC_R_SUCCESS) { -@@ -7516,14 +7518,23 @@ process_opt(resquery_t *query, dns_rdataset_t *opt) { - INSIST(optlen <= isc_buffer_remaininglength(&optbuf)); - switch (optcode) { - case DNS_OPT_NSID: -- if (query->options & DNS_FETCHOPT_WANTNSID) -+ if (!seen_nsid && -+ query->options & DNS_FETCHOPT_WANTNSID) - log_nsid(&optbuf, optlen, query, - ISC_LOG_DEBUG(3), - query->fctx->res->mctx); - isc_buffer_forward(&optbuf, optlen); -+ seen_nsid = ISC_TRUE; - break; - #ifdef ISC_PLATFORM_USESIT - case DNS_OPT_COOKIE: -+ /* -+ * Only process the first cookie option. -+ */ -+ if (seen_cookie) { -+ isc_buffer_forward(&optbuf, optlen); -+ break; -+ } - sit = isc_buffer_current(&optbuf); - compute_cc(query, cookie, sizeof(cookie)); - INSIST(query->fctx->rmessage->sitbad == 0 && -@@ -7541,6 +7552,7 @@ process_opt(resquery_t *query, dns_rdataset_t *opt) { - isc_buffer_forward(&optbuf, optlen); - inc_stats(query->fctx->res, - dns_resstatscounter_sitin); -+ seen_cookie = ISC_TRUE; - break; - #endif - default: --- -2.1.4 - diff --git a/meta/recipes-connectivity/bind/bind/CVE-2016-2775.patch b/meta/recipes-connectivity/bind/bind/CVE-2016-2775.patch deleted file mode 100644 index 5393063c567..00000000000 --- a/meta/recipes-connectivity/bind/bind/CVE-2016-2775.patch +++ /dev/null 
@@ -1,90 +0,0 @@ -From 9d8aba8a7778721ae2cee6e4670a8e6be6590b05 Mon Sep 17 00:00:00 2001 -From: Mark Andrews <marka@isc.org> -Date: Wed, 12 Oct 2016 19:52:59 +0900 -Subject: [PATCH] -4406. [security] getrrsetbyname with a non absolute name could - trigger an infinite recursion bug in lwresd - and named with lwres configured if when combined - with a search list entry the resulting name is - too long. (CVE-2016-2775) [RT #42694] - -Backport commit 38cc2d14e218e536e0102fa70deef99461354232 from the -v9.11.0_patch branch. - -CVE: CVE-2016-2775 -Upstream-Status: Backport - -Signed-off-by: zhengruoqin <zhengrq.fnst@cn.fujitsu.com> - ---- - CHANGES | 6 ++++++ - bin/named/lwdgrbn.c | 16 ++++++++++------ - bin/tests/system/lwresd/lwtest.c | 9 ++++++++- - 3 files changed, 24 insertions(+), 7 deletions(-) - -diff --git a/CHANGES b/CHANGES -index d2e3360..d0a9d12 100644 ---- a/CHANGES -+++ b/CHANGES -@@ -1,3 +1,9 @@ -+4406. [security] getrrsetbyname with a non absolute name could -+ trigger an infinite recursion bug in lwresd -+ and named with lwres configured if when combined -+ with a search list entry the resulting name is -+ too long. (CVE-2016-2775) [RT #42694] -+ - 4322. [security] Duplicate EDNS COOKIE options in a response could - trigger an assertion failure. (CVE-2016-2088) - [RT #41809] -diff --git a/bin/named/lwdgrbn.c b/bin/named/lwdgrbn.c -index 3e7b15b..e1e9adc 100644 ---- a/bin/named/lwdgrbn.c -+++ b/bin/named/lwdgrbn.c -@@ -403,14 +403,18 @@ start_lookup(ns_lwdclient_t *client) { - INSIST(client->lookup == NULL); - - dns_fixedname_init(&absname); -- result = ns_lwsearchctx_current(&client->searchctx, -- dns_fixedname_name(&absname)); -+ - /* -- * This will return failure if relative name + suffix is too long. -- * In this case, just go on to the next entry in the search path. -+ * Perform search across all search domains until success -+ * is returned. Return in case of failure. 
- */ -- if (result != ISC_R_SUCCESS) -- start_lookup(client); -+ while (ns_lwsearchctx_current(&client->searchctx, -+ dns_fixedname_name(&absname)) != ISC_R_SUCCESS) { -+ if (ns_lwsearchctx_next(&client->searchctx) != ISC_R_SUCCESS) { -+ ns_lwdclient_errorpktsend(client, LWRES_R_FAILURE); -+ return; -+ } -+ } - - result = dns_lookup_create(cm->mctx, - dns_fixedname_name(&absname), -diff --git a/bin/tests/system/lwresd/lwtest.c b/bin/tests/system/lwresd/lwtest.c -index ad9b551..3eb4a66 100644 ---- a/bin/tests/system/lwresd/lwtest.c -+++ b/bin/tests/system/lwresd/lwtest.c -@@ -768,7 +768,14 @@ main(void) { - test_getrrsetbyname("e.example1.", 1, 2, 1, 1, 1); - test_getrrsetbyname("e.example1.", 1, 46, 2, 0, 1); - test_getrrsetbyname("", 1, 1, 0, 0, 0); -- -+ test_getrrsetbyname("123456789.123456789.123456789.123456789." -+ "123456789.123456789.123456789.123456789." -+ "123456789.123456789.123456789.123456789." -+ "123456789.123456789.123456789.123456789." -+ "123456789.123456789.123456789.123456789." -+ "123456789.123456789.123456789.123456789." -+ "123456789", 1, 1, 0, 0, 0); -+ - if (fails == 0) - printf("I:ok\n"); - return (fails); --- -2.7.4 - diff --git a/meta/recipes-connectivity/bind/bind/CVE-2016-2776.patch b/meta/recipes-connectivity/bind/bind/CVE-2016-2776.patch deleted file mode 100644 index 738bf600589..00000000000 --- a/meta/recipes-connectivity/bind/bind/CVE-2016-2776.patch +++ /dev/null 
@@ -1,123 +0,0 @@ -From 1171111657081970585f9f0e03b476358c33a6c0 Mon Sep 17 00:00:00 2001 -From: Mark Andrews <marka@isc.org> -Date: Wed, 12 Oct 2016 20:36:52 +0900 -Subject: [PATCH] -4467. [security] It was possible to trigger an assertion when - rendering a message. (CVE-2016-2776) [RT #43139] - -Backport commit 2bd0922cf995b9ac205fc83baf7e220b95c6bf12 from the -v9.11.0_patch branch. - -CVE: CVE-2016-2776 -Upstream-Status: Backport - -Signed-off-by: zhengruoqin <zhengrq.fnst@cn.fujitsu.com> - ---- - CHANGES | 3 +++ - lib/dns/message.c | 42 +++++++++++++++++++++++++++++++----------- - 2 files changed, 34 insertions(+), 11 deletions(-) - -diff --git a/CHANGES b/CHANGES -index d0a9d12..5c8c61a 100644 ---- a/CHANGES -+++ b/CHANGES -@@ -1,3 +1,6 @@ -+4467. [security] It was possible to trigger an assertion when -+ rendering a message. (CVE-2016-2776) [RT #43139] -+ - 4406. [security] getrrsetbyname with a non absolute name could - trigger an infinite recursion bug in lwresd - and named with lwres configured if when combined -diff --git a/lib/dns/message.c b/lib/dns/message.c -index 6b5b4bb..b74dc81 100644 ---- a/lib/dns/message.c -+++ b/lib/dns/message.c -@@ -1754,7 +1754,7 @@ dns_message_renderbegin(dns_message_t *msg, dns_compress_t *cctx, - if (r.length < DNS_MESSAGE_HEADERLEN) - return (ISC_R_NOSPACE); - -- if (r.length < msg->reserved) -+ if (r.length - DNS_MESSAGE_HEADERLEN < msg->reserved) - return (ISC_R_NOSPACE); - - /* -@@ -1895,8 +1895,29 @@ norender_rdataset(const dns_rdataset_t *rdataset, unsigned int options, - - return (ISC_TRUE); - } -- - #endif -+ -+static isc_result_t -+renderset(dns_rdataset_t *rdataset, dns_name_t *owner_name, -+ dns_compress_t *cctx, isc_buffer_t *target, -+ unsigned int reserved, unsigned int options, unsigned int *countp) -+{ -+ isc_result_t result; -+ -+ /* -+ * Shrink the space in the buffer by the reserved amount. 
-+ */ -+ if (target->length - target->used < reserved) -+ return (ISC_R_NOSPACE); -+ -+ target->length -= reserved; -+ result = dns_rdataset_towire(rdataset, owner_name, -+ cctx, target, options, countp); -+ target->length += reserved; -+ -+ return (result); -+} -+ - isc_result_t - dns_message_rendersection(dns_message_t *msg, dns_section_t sectionid, - unsigned int options) -@@ -1939,6 +1960,8 @@ dns_message_rendersection(dns_message_t *msg, dns_section_t sectionid, - /* - * Shrink the space in the buffer by the reserved amount. - */ -+ if (msg->buffer->length - msg->buffer->used < msg->reserved) -+ return (ISC_R_NOSPACE); - msg->buffer->length -= msg->reserved; - - total = 0; -@@ -2214,9 +2237,8 @@ dns_message_renderend(dns_message_t *msg) { - * Render. - */ - count = 0; -- result = dns_rdataset_towire(msg->opt, dns_rootname, -- msg->cctx, msg->buffer, 0, -- &count); -+ result = renderset(msg->opt, dns_rootname, msg->cctx, -+ msg->buffer, msg->reserved, 0, &count); - msg->counts[DNS_SECTION_ADDITIONAL] += count; - if (result != ISC_R_SUCCESS) - return (result); -@@ -2232,9 +2254,8 @@ dns_message_renderend(dns_message_t *msg) { - if (result != ISC_R_SUCCESS) - return (result); - count = 0; -- result = dns_rdataset_towire(msg->tsig, msg->tsigname, -- msg->cctx, msg->buffer, 0, -- &count); -+ result = renderset(msg->tsig, msg->tsigname, msg->cctx, -+ msg->buffer, msg->reserved, 0, &count); - msg->counts[DNS_SECTION_ADDITIONAL] += count; - if (result != ISC_R_SUCCESS) - return (result); -@@ -2255,9 +2276,8 @@ dns_message_renderend(dns_message_t *msg) { - * the owner name of a SIG(0) is irrelevant, and will not - * be set in a message being rendered. - */ -- result = dns_rdataset_towire(msg->sig0, dns_rootname, -- msg->cctx, msg->buffer, 0, -- &count); -+ result = renderset(msg->sig0, dns_rootname, msg->cctx, -+ msg->buffer, msg->reserved, 0, &count); - msg->counts[DNS_SECTION_ADDITIONAL] += count; - if (result != ISC_R_SUCCESS) - return (result); --- -2.7.4 - 
diff --git a/meta/recipes-connectivity/bind/bind/CVE-2016-6170.patch b/meta/recipes-connectivity/bind/bind/CVE-2016-6170.patch deleted file mode 100644 index 75bc211cb61..00000000000 --- a/meta/recipes-connectivity/bind/bind/CVE-2016-6170.patch +++ /dev/null 
@@ -1,1090 +0,0 @@ -From 1bbcfe2fc84f57b1e4e075fb3bc2a1dd0a3a851f Mon Sep 17 00:00:00 2001 -From: Mark Andrews <marka@isc.org> -Date: Wed, 2 Nov 2016 17:31:27 +1100 -Subject: [PATCH] 4504. [security] Allow the maximum number of records in a - zone to be specified. This provides a control for issues raised in - CVE-2016-6170. [RT #42143] - -(cherry picked from commit 5f8412a4cb5ee14a0e8cddd4107854b40ee3291e) - -Upstream-Status: Backport -[https://source.isc.org/cgi-bin/gitweb.cgi?p=bind9.git;a=commit;h=1bbcfe2fc84f57b1e4e075fb3bc2a1dd0a3a851f] - -CVE: CVE-2016-6170 - -Signed-off-by: Yi Zhao <yi.zhao@windriver.com> ---- - CHANGES | 4 + - bin/named/config.c | 1 + - bin/named/named.conf.docbook | 3 + - bin/named/update.c | 16 +++ - bin/named/zoneconf.c | 7 ++ - bin/tests/system/nsupdate/clean.sh | 1 + - bin/tests/system/nsupdate/ns3/named.conf | 7 ++ - bin/tests/system/nsupdate/ns3/too-big.test.db.in | 10 ++ - bin/tests/system/nsupdate/setup.sh | 2 + - bin/tests/system/nsupdate/tests.sh | 15 +++ - bin/tests/system/xfer/clean.sh | 1 + - bin/tests/system/xfer/ns1/axfr-too-big.db | 10 ++ - bin/tests/system/xfer/ns1/ixfr-too-big.db.in | 13 +++ - bin/tests/system/xfer/ns1/named.conf | 11 ++ - bin/tests/system/xfer/ns6/named.conf | 14 +++ - bin/tests/system/xfer/setup.sh | 2 + - bin/tests/system/xfer/tests.sh | 26 +++++ - doc/arm/Bv9ARM-book.xml | 21 ++++ - doc/arm/notes.xml | 9 ++ - lib/bind9/check.c | 2 + - lib/dns/db.c | 13 +++ - lib/dns/ecdb.c | 3 +- - lib/dns/include/dns/db.h | 20 ++++ - lib/dns/include/dns/rdataslab.h | 13 +++ - lib/dns/include/dns/result.h | 6 +- - lib/dns/include/dns/zone.h | 28 ++++- - lib/dns/rbtdb.c | 127 +++++++++++++++++++++-- - lib/dns/rdataslab.c | 13 +++ - lib/dns/result.c | 9 +- - lib/dns/sdb.c | 3 +- - lib/dns/sdlz.c | 3 +- - lib/dns/xfrin.c | 22 +++- - lib/dns/zone.c | 23 +++- - lib/isccfg/namedconf.c | 1 + - 34 files changed, 444 insertions(+), 15 deletions(-) - create mode 100644 bin/tests/system/nsupdate/ns3/too-big.test.db.in - create 
mode 100644 bin/tests/system/xfer/ns1/axfr-too-big.db - create mode 100644 bin/tests/system/xfer/ns1/ixfr-too-big.db.in - -diff --git a/CHANGES b/CHANGES -index 41cfce5..97d2e60 100644 ---- a/CHANGES -+++ b/CHANGES -@@ -1,3 +1,7 @@ -+4504. [security] Allow the maximum number of records in a zone to -+ be specified. This provides a control for issues -+ raised in CVE-2016-6170. [RT #42143] -+ - 4489. [security] It was possible to trigger assertions when processing - a response. (CVE-2016-8864) [RT #43465] - -diff --git a/bin/named/config.c b/bin/named/config.c -index f06348c..c24e334 100644 ---- a/bin/named/config.c -+++ b/bin/named/config.c -@@ -209,6 +209,7 @@ options {\n\ - max-transfer-time-out 120;\n\ - max-transfer-idle-in 60;\n\ - max-transfer-idle-out 60;\n\ -+ max-records 0;\n\ - max-retry-time 1209600; /* 2 weeks */\n\ - min-retry-time 500;\n\ - max-refresh-time 2419200; /* 4 weeks */\n\ -diff --git a/bin/named/named.conf.docbook b/bin/named/named.conf.docbook -index 4c99a61..c2d173a 100644 ---- a/bin/named/named.conf.docbook -+++ b/bin/named/named.conf.docbook -@@ -338,6 +338,7 @@ options { - }; - - max-journal-size <replaceable>size_no_default</replaceable>; -+ max-records <replaceable>integer</replaceable>; - max-transfer-time-in <replaceable>integer</replaceable>; - max-transfer-time-out <replaceable>integer</replaceable>; - max-transfer-idle-in <replaceable>integer</replaceable>; -@@ -527,6 +528,7 @@ view <replaceable>string</replaceable> <replaceable>optional_class</replaceable> - }; - - max-journal-size <replaceable>size_no_default</replaceable>; -+ max-records <replaceable>integer</replaceable>; - max-transfer-time-in <replaceable>integer</replaceable>; - max-transfer-time-out <replaceable>integer</replaceable>; - max-transfer-idle-in <replaceable>integer</replaceable>; -@@ -624,6 +626,7 @@ zone <replaceable>string</replaceable> <replaceable>optional_class</replaceable> - }; - - max-journal-size <replaceable>size_no_default</replaceable>; -+ 
max-records <replaceable>integer</replaceable>; - max-transfer-time-in <replaceable>integer</replaceable>; - max-transfer-time-out <replaceable>integer</replaceable>; - max-transfer-idle-in <replaceable>integer</replaceable>; -diff --git a/bin/named/update.c b/bin/named/update.c -index 83b1a05..cc2a611 100644 ---- a/bin/named/update.c -+++ b/bin/named/update.c -@@ -2455,6 +2455,8 @@ update_action(isc_task_t *task, isc_event_t *event) { - isc_boolean_t had_dnskey; - dns_rdatatype_t privatetype = dns_zone_getprivatetype(zone); - dns_ttl_t maxttl = 0; -+ isc_uint32_t maxrecords; -+ isc_uint64_t records; - - INSIST(event->ev_type == DNS_EVENT_UPDATE); - -@@ -3138,6 +3140,20 @@ update_action(isc_task_t *task, isc_event_t *event) { - } - } - -+ maxrecords = dns_zone_getmaxrecords(zone); -+ if (maxrecords != 0U) { -+ result = dns_db_getsize(db, ver, &records, NULL); -+ if (result == ISC_R_SUCCESS && records > maxrecords) { -+ update_log(client, zone, ISC_LOG_ERROR, -+ "records in zone (%" -+ ISC_PRINT_QUADFORMAT -+ "u) exceeds max-records (%u)", -+ records, maxrecords); -+ result = DNS_R_TOOMANYRECORDS; -+ goto failure; -+ } -+ } -+ - journalfile = dns_zone_getjournal(zone); - if (journalfile != NULL) { - update_log(client, zone, LOGLEVEL_DEBUG, -diff --git a/bin/named/zoneconf.c b/bin/named/zoneconf.c -index 4ee3dfe..14dd8ce 100644 ---- a/bin/named/zoneconf.c -+++ b/bin/named/zoneconf.c -@@ -978,6 +978,13 @@ ns_zone_configure(const cfg_obj_t *config, const cfg_obj_t *vconfig, - dns_zone_setmaxttl(raw, maxttl); - } - -+ obj = NULL; -+ result = ns_config_get(maps, "max-records", &obj); -+ INSIST(result == ISC_R_SUCCESS && obj != NULL); -+ dns_zone_setmaxrecords(mayberaw, cfg_obj_asuint32(obj)); -+ if (zone != mayberaw) -+ dns_zone_setmaxrecords(zone, 0); -+ - if (raw != NULL && filename != NULL) { - #define SIGNED ".signed" - size_t signedlen = strlen(filename) + sizeof(SIGNED); -diff --git a/bin/tests/system/nsupdate/clean.sh b/bin/tests/system/nsupdate/clean.sh -index 
aaefc02..ea25545 100644 ---- a/bin/tests/system/nsupdate/clean.sh -+++ b/bin/tests/system/nsupdate/clean.sh -@@ -32,6 +32,7 @@ rm -f ns3/example.db.jnl ns3/example.db - rm -f ns3/nsec3param.test.db.signed.jnl ns3/nsec3param.test.db ns3/nsec3param.test.db.signed ns3/dsset-nsec3param.test. - rm -f ns3/dnskey.test.db.signed.jnl ns3/dnskey.test.db ns3/dnskey.test.db.signed ns3/dsset-dnskey.test. - rm -f ns3/K* -+rm -f ns3/too-big.test.db - rm -f dig.out.* - rm -f jp.out.ns3.* - rm -f Kxxx.* -diff --git a/bin/tests/system/nsupdate/ns3/named.conf b/bin/tests/system/nsupdate/ns3/named.conf -index 2abd522..68ff27a 100644 ---- a/bin/tests/system/nsupdate/ns3/named.conf -+++ b/bin/tests/system/nsupdate/ns3/named.conf -@@ -60,3 +60,10 @@ zone "dnskey.test" { - allow-update { any; }; - file "dnskey.test.db.signed"; - }; -+ -+zone "too-big.test" { -+ type master; -+ allow-update { any; }; -+ max-records 3; -+ file "too-big.test.db"; -+}; -diff --git a/bin/tests/system/nsupdate/ns3/too-big.test.db.in b/bin/tests/system/nsupdate/ns3/too-big.test.db.in -new file mode 100644 -index 0000000..7ff1e4a ---- /dev/null -+++ b/bin/tests/system/nsupdate/ns3/too-big.test.db.in -@@ -0,0 +1,10 @@ -+; Copyright (C) 2016 Internet Systems Consortium, Inc. ("ISC") -+; -+; This Source Code Form is subject to the terms of the Mozilla Public -+; License, v. 2.0. If a copy of the MPL was not distributed with this -+; file, You can obtain one at http://mozilla.org/MPL/2.0/. -+ -+$TTL 10 -+too-big.test. IN SOA too-big.test. hostmaster.too-big.test. 1 3600 900 2419200 3600 -+too-big.test. IN NS too-big.test. -+too-big.test. 
IN A 10.53.0.3 -diff --git a/bin/tests/system/nsupdate/setup.sh b/bin/tests/system/nsupdate/setup.sh -index 828255e..43c4094 100644 ---- a/bin/tests/system/nsupdate/setup.sh -+++ b/bin/tests/system/nsupdate/setup.sh -@@ -27,12 +27,14 @@ test -r $RANDFILE || $GENRANDOM 400 $RANDFILE - rm -f ns1/*.jnl ns1/example.db ns2/*.jnl ns2/example.bk - rm -f ns2/update.bk ns2/update.alt.bk - rm -f ns3/example.db.jnl -+rm -f ns3/too-big.test.db.jnl - - cp -f ns1/example1.db ns1/example.db - sed 's/example.nil/other.nil/g' ns1/example1.db > ns1/other.db - sed 's/example.nil/unixtime.nil/g' ns1/example1.db > ns1/unixtime.db - sed 's/example.nil/keytests.nil/g' ns1/example1.db > ns1/keytests.db - cp -f ns3/example.db.in ns3/example.db -+cp -f ns3/too-big.test.db.in ns3/too-big.test.db - - # update_test.pl has its own zone file because it - # requires a specific NS record set. -diff --git a/bin/tests/system/nsupdate/tests.sh b/bin/tests/system/nsupdate/tests.sh -index 78d501e..0a6bbd3 100755 ---- a/bin/tests/system/nsupdate/tests.sh -+++ b/bin/tests/system/nsupdate/tests.sh -@@ -581,5 +581,20 @@ if [ $ret -ne 0 ]; then - status=1 - fi - -+n=`expr $n + 1` -+echo "I:check that adding too many records is blocked ($n)" -+ret=0 -+$NSUPDATE -v << EOF > nsupdate.out-$n 2>&1 && ret=1 -+server 10.53.0.3 5300 -+zone too-big.test. 
-+update add r1.too-big.test 3600 IN TXT r1.too-big.test -+send -+EOF -+grep "update failed: SERVFAIL" nsupdate.out-$n > /dev/null || ret=1 -+DIG +tcp @10.53.0.3 -p 5300 r1.too-big.test TXT > dig.out.ns3.test$n -+grep "status: NXDOMAIN" dig.out.ns3.test$n > /dev/null || ret=1 -+grep "records in zone (4) exceeds max-records (3)" ns3/named.run > /dev/null || ret=1 -+[ $ret = 0 ] || { echo I:failed; status=1; } -+ - echo "I:exit status: $status" - exit $status -diff --git a/bin/tests/system/xfer/clean.sh b/bin/tests/system/xfer/clean.sh -index 48aa159..da62a33 100644 ---- a/bin/tests/system/xfer/clean.sh -+++ b/bin/tests/system/xfer/clean.sh -@@ -36,3 +36,4 @@ rm -f ns7/*.db ns7/*.bk ns7/*.jnl - rm -f */named.memstats - rm -f */named.run - rm -f */ans.run -+rm -f ns1/ixfr-too-big.db ns1/ixfr-too-big.db.jnl -diff --git a/bin/tests/system/xfer/ns1/axfr-too-big.db b/bin/tests/system/xfer/ns1/axfr-too-big.db -new file mode 100644 -index 0000000..d43760d ---- /dev/null -+++ b/bin/tests/system/xfer/ns1/axfr-too-big.db -@@ -0,0 +1,10 @@ -+; Copyright (C) 2016 Internet Systems Consortium, Inc. ("ISC") -+; -+; This Source Code Form is subject to the terms of the Mozilla Public -+; License, v. 2.0. If a copy of the MPL was not distributed with this -+; file, You can obtain one at http://mozilla.org/MPL/2.0/. -+ -+$TTL 3600 -+@ IN SOA . . 0 0 0 0 0 -+@ IN NS . -+$GENERATE 1-29 host$ A 1.2.3.$ -diff --git a/bin/tests/system/xfer/ns1/ixfr-too-big.db.in b/bin/tests/system/xfer/ns1/ixfr-too-big.db.in -new file mode 100644 -index 0000000..318bb77 ---- /dev/null -+++ b/bin/tests/system/xfer/ns1/ixfr-too-big.db.in -@@ -0,0 +1,13 @@ -+; Copyright (C) 2016 Internet Systems Consortium, Inc. ("ISC") -+; -+; This Source Code Form is subject to the terms of the Mozilla Public -+; License, v. 2.0. If a copy of the MPL was not distributed with this -+; file, You can obtain one at http://mozilla.org/MPL/2.0/. -+ -+$TTL 3600 -+@ IN SOA . . 
0 0 0 0 0 -+@ IN NS ns1 -+@ IN NS ns6 -+ns1 IN A 10.53.0.1 -+ns6 IN A 10.53.0.6 -+$GENERATE 1-25 host$ A 1.2.3.$ -diff --git a/bin/tests/system/xfer/ns1/named.conf b/bin/tests/system/xfer/ns1/named.conf -index 07dad85..1d29292 100644 ---- a/bin/tests/system/xfer/ns1/named.conf -+++ b/bin/tests/system/xfer/ns1/named.conf -@@ -44,3 +44,14 @@ zone "slave" { - type master; - file "slave.db"; - }; -+ -+zone "axfr-too-big" { -+ type master; -+ file "axfr-too-big.db"; -+}; -+ -+zone "ixfr-too-big" { -+ type master; -+ allow-update { any; }; -+ file "ixfr-too-big.db"; -+}; -diff --git a/bin/tests/system/xfer/ns6/named.conf b/bin/tests/system/xfer/ns6/named.conf -index c9421b1..a12a92c 100644 ---- a/bin/tests/system/xfer/ns6/named.conf -+++ b/bin/tests/system/xfer/ns6/named.conf -@@ -52,3 +52,17 @@ zone "slave" { - masters { 10.53.0.1; }; - file "slave.bk"; - }; -+ -+zone "axfr-too-big" { -+ type slave; -+ max-records 30; -+ masters { 10.53.0.1; }; -+ file "axfr-too-big.bk"; -+}; -+ -+zone "ixfr-too-big" { -+ type slave; -+ max-records 30; -+ masters { 10.53.0.1; }; -+ file "ixfr-too-big.bk"; -+}; -diff --git a/bin/tests/system/xfer/setup.sh b/bin/tests/system/xfer/setup.sh -index 56ca901..c55abf8 100644 ---- a/bin/tests/system/xfer/setup.sh -+++ b/bin/tests/system/xfer/setup.sh -@@ -33,3 +33,5 @@ cp -f ns4/named.conf.base ns4/named.conf - - cp ns2/slave.db.in ns2/slave.db - touch -t 200101010000 ns2/slave.db -+ -+cp -f ns1/ixfr-too-big.db.in ns1/ixfr-too-big.db -diff --git a/bin/tests/system/xfer/tests.sh b/bin/tests/system/xfer/tests.sh -index 67b2a1a..fe33f0a 100644 ---- a/bin/tests/system/xfer/tests.sh -+++ b/bin/tests/system/xfer/tests.sh -@@ -368,5 +368,31 @@ $DIGCMD nil. 
TXT | grep 'incorrect key AXFR' >/dev/null && { - status=1 - } - -+n=`expr $n + 1` -+echo "I:test that a zone with too many records is rejected (AXFR) ($n)" -+tmp=0 -+grep "'axfr-too-big/IN'.*: too many records" ns6/named.run >/dev/null || tmp=1 -+if test $tmp != 0 ; then echo "I:failed"; fi -+status=`expr $status + $tmp` -+ -+n=`expr $n + 1` -+echo "I:test that a zone with too many records is rejected (IXFR) ($n)" -+tmp=0 -+grep "'ixfr-too-big./IN.*: too many records" ns6/named.run >/dev/null && tmp=1 -+$NSUPDATE << EOF -+zone ixfr-too-big -+server 10.53.0.1 5300 -+update add the-31st-record.ixfr-too-big 0 TXT this is it -+send -+EOF -+for i in 1 2 3 4 5 6 7 8 -+do -+ grep "'ixfr-too-big/IN'.*: too many records" ns6/named.run >/dev/null && break -+ sleep 1 -+done -+grep "'ixfr-too-big/IN'.*: too many records" ns6/named.run >/dev/null || tmp=1 -+if test $tmp != 0 ; then echo "I:failed"; fi -+status=`expr $status + $tmp` -+ - echo "I:exit status: $status" - exit $status -diff --git a/doc/arm/Bv9ARM-book.xml b/doc/arm/Bv9ARM-book.xml -index 848b582..0369505 100644 ---- a/doc/arm/Bv9ARM-book.xml -+++ b/doc/arm/Bv9ARM-book.xml -@@ -4858,6 +4858,7 @@ badresp:1,adberr:0,findfail:0,valfail:0] - <optional> use-queryport-pool <replaceable>yes_or_no</replaceable>; </optional> - <optional> queryport-pool-ports <replaceable>number</replaceable>; </optional> - <optional> queryport-pool-updateinterval <replaceable>number</replaceable>; </optional> -+ <optional> max-records <replaceable>number</replaceable>; </optional> - <optional> max-transfer-time-in <replaceable>number</replaceable>; </optional> - <optional> max-transfer-time-out <replaceable>number</replaceable>; </optional> - <optional> max-transfer-idle-in <replaceable>number</replaceable>; </optional> -@@ -8164,6 +8165,16 @@ avoid-v6-udp-ports { 40000; range 50000 60000; }; - </varlistentry> - - <varlistentry> -+ <term><command>max-records</command></term> -+ <listitem> -+ <para> -+ The maximum number of records permitted 
in a zone. -+ The default is zero which means unlimited. -+ </para> -+ </listitem> -+ </varlistentry> -+ -+ <varlistentry> - <term><command>host-statistics-max</command></term> - <listitem> - <para> -@@ -12056,6 +12067,16 @@ zone <replaceable>zone_name</replaceable> <optional><replaceable>class</replacea - </varlistentry> - - <varlistentry> -+ <term><command>max-records</command></term> -+ <listitem> -+ <para> -+ See the description of -+ <command>max-records</command> in <xref linkend="server_resource_limits"/>. -+ </para> -+ </listitem> -+ </varlistentry> -+ -+ <varlistentry> - <term><command>max-transfer-time-in</command></term> - <listitem> - <para> -diff --git a/doc/arm/notes.xml b/doc/arm/notes.xml -index 095eb5b..36495e7 100644 ---- a/doc/arm/notes.xml -+++ b/doc/arm/notes.xml -@@ -52,6 +52,15 @@ - <itemizedlist> - <listitem> - <para> -+ Added the ability to specify the maximum number of records -+ permitted in a zone (max-records #;). This provides a mechanism -+ to block overly large zone transfers, which is a potential risk -+ with slave zones from other parties, as described in CVE-2016-6170. -+ [RT #42143] -+ </para> -+ </listitem> -+ <listitem> -+ <para> - Duplicate EDNS COOKIE options in a response could trigger - an assertion failure. This flaw is disclosed in CVE-2016-2088. 
- [RT #41809] -diff --git a/lib/bind9/check.c b/lib/bind9/check.c -index b8c05dd..edb7534 100644 ---- a/lib/bind9/check.c -+++ b/lib/bind9/check.c -@@ -1510,6 +1510,8 @@ check_zoneconf(const cfg_obj_t *zconfig, const cfg_obj_t *voptions, - REDIRECTZONE }, - { "masters", SLAVEZONE | STUBZONE | REDIRECTZONE }, - { "max-ixfr-log-size", MASTERZONE | SLAVEZONE | STREDIRECTZONE }, -+ { "max-records", MASTERZONE | SLAVEZONE | STUBZONE | STREDIRECTZONE | -+ STATICSTUBZONE | REDIRECTZONE }, - { "max-refresh-time", SLAVEZONE | STUBZONE | STREDIRECTZONE }, - { "max-retry-time", SLAVEZONE | STUBZONE | STREDIRECTZONE }, - { "max-transfer-idle-in", SLAVEZONE | STUBZONE | STREDIRECTZONE }, -diff --git a/lib/dns/db.c b/lib/dns/db.c -index 7e4f357..ced94a5 100644 ---- a/lib/dns/db.c -+++ b/lib/dns/db.c -@@ -999,6 +999,19 @@ dns_db_getnsec3parameters(dns_db_t *db, dns_dbversion_t *version, - } - - isc_result_t -+dns_db_getsize(dns_db_t *db, dns_dbversion_t *version, isc_uint64_t *records, -+ isc_uint64_t *bytes) -+{ -+ REQUIRE(DNS_DB_VALID(db)); -+ REQUIRE(dns_db_iszone(db) == ISC_TRUE); -+ -+ if (db->methods->getsize != NULL) -+ return ((db->methods->getsize)(db, version, records, bytes)); -+ -+ return (ISC_R_NOTFOUND); -+} -+ -+isc_result_t - dns_db_setsigningtime(dns_db_t *db, dns_rdataset_t *rdataset, - isc_stdtime_t resign) - { -diff --git a/lib/dns/ecdb.c b/lib/dns/ecdb.c -index 553a339..b5d04d2 100644 ---- a/lib/dns/ecdb.c -+++ b/lib/dns/ecdb.c -@@ -587,7 +587,8 @@ static dns_dbmethods_t ecdb_methods = { - NULL, /* findnodeext */ - NULL, /* findext */ - NULL, /* setcachestats */ -- NULL /* hashsize */ -+ NULL, /* hashsize */ -+ NULL /* getsize */ - }; - - static isc_result_t -diff --git a/lib/dns/include/dns/db.h b/lib/dns/include/dns/db.h -index a4a4482..aff42d6 100644 ---- a/lib/dns/include/dns/db.h -+++ b/lib/dns/include/dns/db.h -@@ -195,6 +195,8 @@ typedef struct dns_dbmethods { - dns_rdataset_t *sigrdataset); - isc_result_t (*setcachestats)(dns_db_t *db, isc_stats_t 
*stats); - unsigned int (*hashsize)(dns_db_t *db); -+ isc_result_t (*getsize)(dns_db_t *db, dns_dbversion_t *version, -+ isc_uint64_t *records, isc_uint64_t *bytes); - } dns_dbmethods_t; - - typedef isc_result_t -@@ -1485,6 +1487,24 @@ dns_db_getnsec3parameters(dns_db_t *db, dns_dbversion_t *version, - */ - - isc_result_t -+dns_db_getsize(dns_db_t *db, dns_dbversion_t *version, isc_uint64_t *records, -+ isc_uint64_t *bytes); -+/*%< -+ * Get the number of records in the given version of the database as well -+ * as the number bytes used to store those records. -+ * -+ * Requires: -+ * \li 'db' is a valid zone database. -+ * \li 'version' is NULL or a valid version. -+ * \li 'records' is NULL or a pointer to return the record count in. -+ * \li 'bytes' is NULL or a pointer to return the byte count in. -+ * -+ * Returns: -+ * \li #ISC_R_SUCCESS -+ * \li #ISC_R_NOTIMPLEMENTED -+ */ -+ -+isc_result_t - dns_db_findnsec3node(dns_db_t *db, dns_name_t *name, - isc_boolean_t create, dns_dbnode_t **nodep); - /*%< -diff --git a/lib/dns/include/dns/rdataslab.h b/lib/dns/include/dns/rdataslab.h -index 3ac44b8..2e1e759 100644 ---- a/lib/dns/include/dns/rdataslab.h -+++ b/lib/dns/include/dns/rdataslab.h -@@ -104,6 +104,7 @@ dns_rdataslab_tordataset(unsigned char *slab, unsigned int reservelen, - * Ensures: - *\li 'rdataset' is associated and points to a valid rdataest. - */ -+ - unsigned int - dns_rdataslab_size(unsigned char *slab, unsigned int reservelen); - /*%< -@@ -116,6 +117,18 @@ dns_rdataslab_size(unsigned char *slab, unsigned int reservelen); - *\li The number of bytes in the slab, including the reservelen. - */ - -+unsigned int -+dns_rdataslab_count(unsigned char *slab, unsigned int reservelen); -+/*%< -+ * Return the number of records in the rdataslab -+ * -+ * Requires: -+ *\li 'slab' points to a slab. -+ * -+ * Returns: -+ *\li The number of records in the slab. 
-+ */ -+ - isc_result_t - dns_rdataslab_merge(unsigned char *oslab, unsigned char *nslab, - unsigned int reservelen, isc_mem_t *mctx, -diff --git a/lib/dns/include/dns/result.h b/lib/dns/include/dns/result.h -index 7d11c2b..93d1fd5 100644 ---- a/lib/dns/include/dns/result.h -+++ b/lib/dns/include/dns/result.h -@@ -157,8 +157,12 @@ - #define DNS_R_BADCDS (ISC_RESULTCLASS_DNS + 111) - #define DNS_R_BADCDNSKEY (ISC_RESULTCLASS_DNS + 112) - #define DNS_R_OPTERR (ISC_RESULTCLASS_DNS + 113) -+#define DNS_R_BADDNSTAP (ISC_RESULTCLASS_DNS + 114) -+#define DNS_R_BADTSIG (ISC_RESULTCLASS_DNS + 115) -+#define DNS_R_BADSIG0 (ISC_RESULTCLASS_DNS + 116) -+#define DNS_R_TOOMANYRECORDS (ISC_RESULTCLASS_DNS + 117) - --#define DNS_R_NRESULTS 114 /*%< Number of results */ -+#define DNS_R_NRESULTS 118 /*%< Number of results */ - - /* - * DNS wire format rcodes. -diff --git a/lib/dns/include/dns/zone.h b/lib/dns/include/dns/zone.h -index a9367f1..227540b 100644 ---- a/lib/dns/include/dns/zone.h -+++ b/lib/dns/include/dns/zone.h -@@ -296,6 +296,32 @@ dns_zone_getfile(dns_zone_t *zone); - */ - - void -+dns_zone_setmaxrecords(dns_zone_t *zone, isc_uint32_t records); -+/*%< -+ * Sets the maximim number of records permitted in a zone. -+ * 0 implies unlimited. -+ * -+ * Requires: -+ *\li 'zone' to be valid initialised zone. -+ * -+ * Returns: -+ *\li void -+ */ -+ -+isc_uint32_t -+dns_zone_getmaxrecords(dns_zone_t *zone); -+/*%< -+ * Gets the maximim number of records permitted in a zone. -+ * 0 implies unlimited. -+ * -+ * Requires: -+ *\li 'zone' to be valid initialised zone. -+ * -+ * Returns: -+ *\li isc_uint32_t maxrecords. -+ */ -+ -+void - dns_zone_setmaxttl(dns_zone_t *zone, isc_uint32_t maxttl); - /*%< - * Sets the max ttl of the zone. -@@ -316,7 +342,7 @@ dns_zone_getmaxttl(dns_zone_t *zone); - *\li 'zone' to be valid initialised zone. - * - * Returns: -- *\li isc_uint32_t maxttl. -+ *\li dns_ttl_t maxttl. 
- */ - - isc_result_t -diff --git a/lib/dns/rbtdb.c b/lib/dns/rbtdb.c -index 62becfc..72d722f 100644 ---- a/lib/dns/rbtdb.c -+++ b/lib/dns/rbtdb.c -@@ -209,6 +209,7 @@ typedef isc_uint64_t rbtdb_serial_t; - #define free_rbtdb_callback free_rbtdb_callback64 - #define free_rdataset free_rdataset64 - #define getnsec3parameters getnsec3parameters64 -+#define getsize getsize64 - #define getoriginnode getoriginnode64 - #define getrrsetstats getrrsetstats64 - #define getsigningtime getsigningtime64 -@@ -589,6 +590,13 @@ typedef struct rbtdb_version { - isc_uint16_t iterations; - isc_uint8_t salt_length; - unsigned char salt[DNS_NSEC3_SALTSIZE]; -+ -+ /* -+ * records and bytes are covered by rwlock. -+ */ -+ isc_rwlock_t rwlock; -+ isc_uint64_t records; -+ isc_uint64_t bytes; - } rbtdb_version_t; - - typedef ISC_LIST(rbtdb_version_t) rbtdb_versionlist_t; -@@ -1130,6 +1138,7 @@ free_rbtdb(dns_rbtdb_t *rbtdb, isc_boolean_t log, isc_event_t *event) { - INSIST(refs == 0); - UNLINK(rbtdb->open_versions, rbtdb->current_version, link); - isc_refcount_destroy(&rbtdb->current_version->references); -+ isc_rwlock_destroy(&rbtdb->current_version->rwlock); - isc_mem_put(rbtdb->common.mctx, rbtdb->current_version, - sizeof(rbtdb_version_t)); - } -@@ -1383,6 +1392,7 @@ allocate_version(isc_mem_t *mctx, rbtdb_serial_t serial, - - static isc_result_t - newversion(dns_db_t *db, dns_dbversion_t **versionp) { -+ isc_result_t result; - dns_rbtdb_t *rbtdb = (dns_rbtdb_t *)db; - rbtdb_version_t *version; - -@@ -1415,13 +1425,28 @@ newversion(dns_db_t *db, dns_dbversion_t **versionp) { - version->salt_length = 0; - memset(version->salt, 0, sizeof(version->salt)); - } -- rbtdb->next_serial++; -- rbtdb->future_version = version; -- } -+ result = isc_rwlock_init(&version->rwlock, 0, 0); -+ if (result != ISC_R_SUCCESS) { -+ isc_refcount_destroy(&version->references); -+ isc_mem_put(rbtdb->common.mctx, version, -+ sizeof(*version)); -+ version = NULL; -+ } else { -+ 
RWLOCK(&rbtdb->current_version->rwlock, -+ isc_rwlocktype_read); -+ version->records = rbtdb->current_version->records; -+ version->bytes = rbtdb->current_version->bytes; -+ RWUNLOCK(&rbtdb->current_version->rwlock, -+ isc_rwlocktype_read); -+ rbtdb->next_serial++; -+ rbtdb->future_version = version; -+ } -+ } else -+ result = ISC_R_NOMEMORY; - RBTDB_UNLOCK(&rbtdb->lock, isc_rwlocktype_write); - - if (version == NULL) -- return (ISC_R_NOMEMORY); -+ return (result); - - *versionp = version; - -@@ -2681,6 +2706,7 @@ closeversion(dns_db_t *db, dns_dbversion_t **versionp, isc_boolean_t commit) { - - if (cleanup_version != NULL) { - INSIST(EMPTY(cleanup_version->changed_list)); -+ isc_rwlock_destroy(&cleanup_version->rwlock); - isc_mem_put(rbtdb->common.mctx, cleanup_version, - sizeof(*cleanup_version)); - } -@@ -6254,6 +6280,26 @@ add32(dns_rbtdb_t *rbtdb, dns_rbtnode_t *rbtnode, rbtdb_version_t *rbtversion, - else - rbtnode->data = newheader; - newheader->next = topheader->next; -+ if (rbtversion != NULL) -+ RWLOCK(&rbtversion->rwlock, isc_rwlocktype_write); -+ if (rbtversion != NULL && !header_nx) { -+ rbtversion->records -= -+ dns_rdataslab_count((unsigned char *)header, -+ sizeof(*header)); -+ rbtversion->bytes -= -+ dns_rdataslab_size((unsigned char *)header, -+ sizeof(*header)); -+ } -+ if (rbtversion != NULL && !newheader_nx) { -+ rbtversion->records += -+ dns_rdataslab_count((unsigned char *)newheader, -+ sizeof(*newheader)); -+ rbtversion->bytes += -+ dns_rdataslab_size((unsigned char *)newheader, -+ sizeof(*newheader)); -+ } -+ if (rbtversion != NULL) -+ RWUNLOCK(&rbtversion->rwlock, isc_rwlocktype_write); - if (loading) { - /* - * There are no other references to 'header' when -@@ -6355,6 +6401,16 @@ add32(dns_rbtdb_t *rbtdb, dns_rbtnode_t *rbtnode, rbtdb_version_t *rbtversion, - newheader->down = NULL; - rbtnode->data = newheader; - } -+ if (rbtversion != NULL && !newheader_nx) { -+ RWLOCK(&rbtversion->rwlock, isc_rwlocktype_write); -+ rbtversion->records 
+= -+ dns_rdataslab_count((unsigned char *)newheader, -+ sizeof(*newheader)); -+ rbtversion->bytes += -+ dns_rdataslab_size((unsigned char *)newheader, -+ sizeof(*newheader)); -+ RWUNLOCK(&rbtversion->rwlock, isc_rwlocktype_write); -+ } - idx = newheader->node->locknum; - if (IS_CACHE(rbtdb)) { - ISC_LIST_PREPEND(rbtdb->rdatasets[idx], -@@ -6811,6 +6867,12 @@ subtractrdataset(dns_db_t *db, dns_dbnode_t *node, dns_dbversion_t *version, - */ - newheader->additional_auth = NULL; - newheader->additional_glue = NULL; -+ rbtversion->records += -+ dns_rdataslab_count((unsigned char *)newheader, -+ sizeof(*newheader)); -+ rbtversion->bytes += -+ dns_rdataslab_size((unsigned char *)newheader, -+ sizeof(*newheader)); - } else if (result == DNS_R_NXRRSET) { - /* - * This subtraction would remove all of the rdata; -@@ -6846,6 +6908,12 @@ subtractrdataset(dns_db_t *db, dns_dbnode_t *node, dns_dbversion_t *version, - * topheader. - */ - INSIST(rbtversion->serial >= topheader->serial); -+ rbtversion->records -= -+ dns_rdataslab_count((unsigned char *)header, -+ sizeof(*header)); -+ rbtversion->bytes -= -+ dns_rdataslab_size((unsigned char *)header, -+ sizeof(*header)); - if (topheader_prev != NULL) - topheader_prev->next = newheader; - else -@@ -7172,6 +7240,7 @@ rbt_datafixer(dns_rbtnode_t *rbtnode, void *base, size_t filesize, - unsigned char *limit = ((unsigned char *) base) + filesize; - unsigned char *p; - size_t size; -+ unsigned int count; - - REQUIRE(rbtnode != NULL); - -@@ -7179,6 +7248,9 @@ rbt_datafixer(dns_rbtnode_t *rbtnode, void *base, size_t filesize, - p = (unsigned char *) header; - - size = dns_rdataslab_size(p, sizeof(*header)); -+ count = dns_rdataslab_count(p, sizeof(*header));; -+ rbtdb->current_version->records += count; -+ rbtdb->current_version->bytes += size; - isc_crc64_update(crc, p, size); - #ifdef DEBUG - hexdump("hashing header", p, sizeof(rdatasetheader_t)); -@@ -7777,6 +7849,33 @@ getnsec3parameters(dns_db_t *db, dns_dbversion_t *version, 
dns_hash_t *hash, - } - - static isc_result_t -+getsize(dns_db_t *db, dns_dbversion_t *version, isc_uint64_t *records, -+ isc_uint64_t *bytes) -+{ -+ dns_rbtdb_t *rbtdb; -+ isc_result_t result = ISC_R_SUCCESS; -+ rbtdb_version_t *rbtversion = version; -+ -+ rbtdb = (dns_rbtdb_t *)db; -+ -+ REQUIRE(VALID_RBTDB(rbtdb)); -+ INSIST(rbtversion == NULL || rbtversion->rbtdb == rbtdb); -+ -+ if (rbtversion == NULL) -+ rbtversion = rbtdb->current_version; -+ -+ RWLOCK(&rbtversion->rwlock, isc_rwlocktype_read); -+ if (records != NULL) -+ *records = rbtversion->records; -+ -+ if (bytes != NULL) -+ *bytes = rbtversion->bytes; -+ RWUNLOCK(&rbtversion->rwlock, isc_rwlocktype_read); -+ -+ return (result); -+} -+ -+static isc_result_t - setsigningtime(dns_db_t *db, dns_rdataset_t *rdataset, isc_stdtime_t resign) { - dns_rbtdb_t *rbtdb = (dns_rbtdb_t *)db; - isc_stdtime_t oldresign; -@@ -7972,7 +8071,8 @@ static dns_dbmethods_t zone_methods = { - NULL, - NULL, - NULL, -- hashsize -+ hashsize, -+ getsize - }; - - static dns_dbmethods_t cache_methods = { -@@ -8018,7 +8118,8 @@ static dns_dbmethods_t cache_methods = { - NULL, - NULL, - setcachestats, -- hashsize -+ hashsize, -+ NULL - }; - - isc_result_t -@@ -8310,6 +8411,20 @@ dns_rbtdb_create - rbtdb->current_version->salt_length = 0; - memset(rbtdb->current_version->salt, 0, - sizeof(rbtdb->current_version->salt)); -+ result = isc_rwlock_init(&rbtdb->current_version->rwlock, 0, 0); -+ if (result != ISC_R_SUCCESS) { -+ isc_refcount_destroy(&rbtdb->current_version->references); -+ isc_mem_put(mctx, rbtdb->current_version, -+ sizeof(*rbtdb->current_version)); -+ rbtdb->current_version = NULL; -+ isc_refcount_decrement(&rbtdb->references, NULL); -+ isc_refcount_destroy(&rbtdb->references); -+ free_rbtdb(rbtdb, ISC_FALSE, NULL); -+ return (result); -+ } -+ -+ rbtdb->current_version->records = 0; -+ rbtdb->current_version->bytes = 0; - rbtdb->future_version = NULL; - ISC_LIST_INIT(rbtdb->open_versions); - /* -diff --git 
a/lib/dns/rdataslab.c b/lib/dns/rdataslab.c -index e29dc84..63e3728 100644 ---- a/lib/dns/rdataslab.c -+++ b/lib/dns/rdataslab.c -@@ -523,6 +523,19 @@ dns_rdataslab_size(unsigned char *slab, unsigned int reservelen) { - return ((unsigned int)(current - slab)); - } - -+unsigned int -+dns_rdataslab_count(unsigned char *slab, unsigned int reservelen) { -+ unsigned int count; -+ unsigned char *current; -+ -+ REQUIRE(slab != NULL); -+ -+ current = slab + reservelen; -+ count = *current++ * 256; -+ count += *current++; -+ return (count); -+} -+ - /* - * Make the dns_rdata_t 'rdata' refer to the slab item - * beginning at '*current', which is part of a slab of type -diff --git a/lib/dns/result.c b/lib/dns/result.c -index 7be4f57..a621909 100644 ---- a/lib/dns/result.c -+++ b/lib/dns/result.c -@@ -167,11 +167,16 @@ static const char *text[DNS_R_NRESULTS] = { - "covered by negative trust anchor", /*%< 110 DNS_R_NTACOVERED */ - "bad CDS", /*%< 111 DNS_R_BADCSD */ - "bad CDNSKEY", /*%< 112 DNS_R_BADCDNSKEY */ -- "malformed OPT option" /*%< 113 DNS_R_OPTERR */ -+ "malformed OPT option", /*%< 113 DNS_R_OPTERR */ -+ "malformed DNSTAP data", /*%< 114 DNS_R_BADDNSTAP */ -+ -+ "TSIG in wrong location", /*%< 115 DNS_R_BADTSIG */ -+ "SIG(0) in wrong location", /*%< 116 DNS_R_BADSIG0 */ -+ "too many records", /*%< 117 DNS_R_TOOMANYRECORDS */ - }; - - static const char *rcode_text[DNS_R_NRCODERESULTS] = { -- "NOERROR", /*%< 0 DNS_R_NOEROR */ -+ "NOERROR", /*%< 0 DNS_R_NOERROR */ - "FORMERR", /*%< 1 DNS_R_FORMERR */ - "SERVFAIL", /*%< 2 DNS_R_SERVFAIL */ - "NXDOMAIN", /*%< 3 DNS_R_NXDOMAIN */ -diff --git a/lib/dns/sdb.c b/lib/dns/sdb.c -index abfeeb0..19397e0 100644 ---- a/lib/dns/sdb.c -+++ b/lib/dns/sdb.c -@@ -1298,7 +1298,8 @@ static dns_dbmethods_t sdb_methods = { - findnodeext, - findext, - NULL, /* setcachestats */ -- NULL /* hashsize */ -+ NULL, /* hashsize */ -+ NULL /* getsize */ - }; - - static isc_result_t -diff --git a/lib/dns/sdlz.c b/lib/dns/sdlz.c -index b1198a4..0e3163d 
100644 ---- a/lib/dns/sdlz.c -+++ b/lib/dns/sdlz.c -@@ -1269,7 +1269,8 @@ static dns_dbmethods_t sdlzdb_methods = { - findnodeext, - findext, - NULL, /* setcachestats */ -- NULL /* hashsize */ -+ NULL, /* hashsize */ -+ NULL /* getsize */ - }; - - /* -diff --git a/lib/dns/xfrin.c b/lib/dns/xfrin.c -index 2a6c1b4..ac566e1 100644 ---- a/lib/dns/xfrin.c -+++ b/lib/dns/xfrin.c -@@ -149,6 +149,9 @@ struct dns_xfrin_ctx { - unsigned int nrecs; /*%< Number of records recvd */ - isc_uint64_t nbytes; /*%< Number of bytes received */ - -+ unsigned int maxrecords; /*%< The maximum number of -+ records set for the zone */ -+ - isc_time_t start; /*%< Start time of the transfer */ - isc_time_t end; /*%< End time of the transfer */ - -@@ -309,10 +312,18 @@ axfr_putdata(dns_xfrin_ctx_t *xfr, dns_diffop_t op, - static isc_result_t - axfr_apply(dns_xfrin_ctx_t *xfr) { - isc_result_t result; -+ isc_uint64_t records; - - CHECK(dns_diff_load(&xfr->diff, xfr->axfr.add, xfr->axfr.add_private)); - xfr->difflen = 0; - dns_diff_clear(&xfr->diff); -+ if (xfr->maxrecords != 0U) { -+ result = dns_db_getsize(xfr->db, xfr->ver, &records, NULL); -+ if (result == ISC_R_SUCCESS && records > xfr->maxrecords) { -+ result = DNS_R_TOOMANYRECORDS; -+ goto failure; -+ } -+ } - result = ISC_R_SUCCESS; - failure: - return (result); -@@ -396,6 +407,7 @@ ixfr_putdata(dns_xfrin_ctx_t *xfr, dns_diffop_t op, - static isc_result_t - ixfr_apply(dns_xfrin_ctx_t *xfr) { - isc_result_t result; -+ isc_uint64_t records; - - if (xfr->ver == NULL) { - CHECK(dns_db_newversion(xfr->db, &xfr->ver)); -@@ -403,6 +415,13 @@ ixfr_apply(dns_xfrin_ctx_t *xfr) { - CHECK(dns_journal_begin_transaction(xfr->ixfr.journal)); - } - CHECK(dns_diff_apply(&xfr->diff, xfr->db, xfr->ver)); -+ if (xfr->maxrecords != 0U) { -+ result = dns_db_getsize(xfr->db, xfr->ver, &records, NULL); -+ if (result == ISC_R_SUCCESS && records > xfr->maxrecords) { -+ result = DNS_R_TOOMANYRECORDS; -+ goto failure; -+ } -+ } - if (xfr->ixfr.journal != NULL) { - 
result = dns_journal_writediff(xfr->ixfr.journal, &xfr->diff); - if (result != ISC_R_SUCCESS) -@@ -759,7 +778,7 @@ xfrin_reset(dns_xfrin_ctx_t *xfr) { - - static void - xfrin_fail(dns_xfrin_ctx_t *xfr, isc_result_t result, const char *msg) { -- if (result != DNS_R_UPTODATE) { -+ if (result != DNS_R_UPTODATE && result != DNS_R_TOOMANYRECORDS) { - xfrin_log(xfr, ISC_LOG_ERROR, "%s: %s", - msg, isc_result_totext(result)); - if (xfr->is_ixfr) -@@ -852,6 +871,7 @@ xfrin_create(isc_mem_t *mctx, - xfr->nmsg = 0; - xfr->nrecs = 0; - xfr->nbytes = 0; -+ xfr->maxrecords = dns_zone_getmaxrecords(zone); - isc_time_now(&xfr->start); - - xfr->tsigkey = NULL; -diff --git a/lib/dns/zone.c b/lib/dns/zone.c -index 90e558d..2b0d8e4 100644 ---- a/lib/dns/zone.c -+++ b/lib/dns/zone.c -@@ -253,6 +253,8 @@ struct dns_zone { - isc_uint32_t maxretry; - isc_uint32_t minretry; - -+ isc_uint32_t maxrecords; -+ - isc_sockaddr_t *masters; - isc_dscp_t *masterdscps; - dns_name_t **masterkeynames; -@@ -10088,6 +10090,20 @@ dns_zone_setmaxretrytime(dns_zone_t *zone, isc_uint32_t val) { - zone->maxretry = val; - } - -+isc_uint32_t -+dns_zone_getmaxrecords(dns_zone_t *zone) { -+ REQUIRE(DNS_ZONE_VALID(zone)); -+ -+ return (zone->maxrecords); -+} -+ -+void -+dns_zone_setmaxrecords(dns_zone_t *zone, isc_uint32_t val) { -+ REQUIRE(DNS_ZONE_VALID(zone)); -+ -+ zone->maxrecords = val; -+} -+ - static isc_boolean_t - notify_isqueued(dns_zone_t *zone, unsigned int flags, dns_name_t *name, - isc_sockaddr_t *addr, dns_tsigkey_t *key) -@@ -14431,7 +14447,7 @@ zone_xfrdone(dns_zone_t *zone, isc_result_t result) { - DNS_ZONE_CLRFLAG(zone, DNS_ZONEFLG_SOABEFOREAXFR); - - TIME_NOW(&now); -- switch (result) { -+ switch (xfrresult) { - case ISC_R_SUCCESS: - DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_NEEDNOTIFY); - /*FALLTHROUGH*/ -@@ -14558,6 +14574,11 @@ zone_xfrdone(dns_zone_t *zone, isc_result_t result) { - DNS_ZONE_SETFLAG(zone, DNS_ZONEFLAG_NOIXFR); - goto same_master; - -+ case DNS_R_TOOMANYRECORDS: -+ 
DNS_ZONE_JITTER_ADD(&now, zone->refresh, &zone->refreshtime); -+ inc_stats(zone, dns_zonestatscounter_xfrfail); -+ break; -+ - default: - next_master: - /* -diff --git a/lib/isccfg/namedconf.c b/lib/isccfg/namedconf.c -index 780ab46..e7ff1cc 100644 ---- a/lib/isccfg/namedconf.c -+++ b/lib/isccfg/namedconf.c -@@ -1679,6 +1679,7 @@ zone_clauses[] = { - { "masterfile-format", &cfg_type_masterformat, 0 }, - { "max-ixfr-log-size", &cfg_type_size, CFG_CLAUSEFLAG_OBSOLETE }, - { "max-journal-size", &cfg_type_sizenodefault, 0 }, -+ { "max-records", &cfg_type_uint32, 0 }, - { "max-refresh-time", &cfg_type_uint32, 0 }, - { "max-retry-time", &cfg_type_uint32, 0 }, - { "max-transfer-idle-in", &cfg_type_uint32, 0 }, --- -2.7.4 - diff --git a/meta/recipes-connectivity/bind/bind/CVE-2016-8864.patch b/meta/recipes-connectivity/bind/bind/CVE-2016-8864.patch deleted file mode 100644 index b52d6800ff5..00000000000 --- a/meta/recipes-connectivity/bind/bind/CVE-2016-8864.patch +++ /dev/null 
@@ -1,219 +0,0 @@ -From c1d0599a246f646d1c22018f8fa09459270a44b8 Mon Sep 17 00:00:00 2001 -From: Mark Andrews <marka@isc.org> -Date: Fri, 21 Oct 2016 14:55:10 +1100 -Subject: [PATCH] 4489. [security] It was possible to trigger assertions when - processing a response. (CVE-2016-8864) [RT #43465] - -(cherry picked from commit bd6f27f5c353133b563fe69100b2f168c129f3ca) - -Upstream-Status: Backport -[https://source.isc.org/cgi-bin/gitweb.cgi?p=bind9.git;a=commit;h=c1d0599a246f646d1c22018f8fa09459270a44b8] - -CVE: CVE-2016-8864 - -Signed-off-by: Yi Zhao <yi.zhao@windriver.com> ---- - CHANGES | 3 +++ - lib/dns/resolver.c | 69 +++++++++++++++++++++++++++++++++++++----------------- - 2 files changed, 50 insertions(+), 22 deletions(-) - -diff --git a/CHANGES b/CHANGES -index 5c8c61a..41cfce5 100644 ---- a/CHANGES -+++ b/CHANGES -@@ -1,3 +1,6 @@ -+4489. [security] It was possible to trigger assertions when processing -+ a response. (CVE-2016-8864) [RT #43465] -+ - 4467. [security] It was possible to trigger an assertion when - rendering a message. (CVE-2016-2776) [RT #43139] - -diff --git a/lib/dns/resolver.c b/lib/dns/resolver.c -index ba1ae23..13c8b44 100644 ---- a/lib/dns/resolver.c -+++ b/lib/dns/resolver.c -@@ -612,7 +612,9 @@ valcreate(fetchctx_t *fctx, dns_adbaddrinfo_t *addrinfo, dns_name_t *name, - valarg->addrinfo = addrinfo; - - if (!ISC_LIST_EMPTY(fctx->validators)) -- INSIST((valoptions & DNS_VALIDATOR_DEFER) != 0); -+ valoptions |= DNS_VALIDATOR_DEFER; -+ else -+ valoptions &= ~DNS_VALIDATOR_DEFER; - - result = dns_validator_create(fctx->res->view, name, type, rdataset, - sigrdataset, fctx->rmessage, -@@ -5526,13 +5528,6 @@ cache_name(fetchctx_t *fctx, dns_name_t *name, dns_adbaddrinfo_t *addrinfo, - rdataset, - sigrdataset, - valoptions, task); -- /* -- * Defer any further validations. -- * This prevents multiple validators -- * from manipulating fctx->rmessage -- * simultaneously. 
-- */ -- valoptions |= DNS_VALIDATOR_DEFER; - } - } else if (CHAINING(rdataset)) { - if (rdataset->type == dns_rdatatype_cname) -@@ -5647,6 +5642,11 @@ cache_name(fetchctx_t *fctx, dns_name_t *name, dns_adbaddrinfo_t *addrinfo, - eresult == DNS_R_NCACHENXRRSET); - } - event->result = eresult; -+ if (adbp != NULL && *adbp != NULL) { -+ if (anodep != NULL && *anodep != NULL) -+ dns_db_detachnode(*adbp, anodep); -+ dns_db_detach(adbp); -+ } - dns_db_attach(fctx->cache, adbp); - dns_db_transfernode(fctx->cache, &node, anodep); - clone_results(fctx); -@@ -5897,6 +5897,11 @@ ncache_message(fetchctx_t *fctx, dns_adbaddrinfo_t *addrinfo, - fctx->attributes |= FCTX_ATTR_HAVEANSWER; - if (event != NULL) { - event->result = eresult; -+ if (adbp != NULL && *adbp != NULL) { -+ if (anodep != NULL && *anodep != NULL) -+ dns_db_detachnode(*adbp, anodep); -+ dns_db_detach(adbp); -+ } - dns_db_attach(fctx->cache, adbp); - dns_db_transfernode(fctx->cache, &node, anodep); - clone_results(fctx); -@@ -6718,13 +6723,15 @@ static isc_result_t - answer_response(fetchctx_t *fctx) { - isc_result_t result; - dns_message_t *message; -- dns_name_t *name, *dname, *qname, tname, *ns_name; -+ dns_name_t *name, *dname = NULL, *qname, *dqname, tname, *ns_name; -+ dns_name_t *cname = NULL; - dns_rdataset_t *rdataset, *ns_rdataset; - isc_boolean_t done, external, chaining, aa, found, want_chaining; -- isc_boolean_t have_answer, found_cname, found_type, wanted_chaining; -+ isc_boolean_t have_answer, found_cname, found_dname, found_type; -+ isc_boolean_t wanted_chaining; - unsigned int aflag; - dns_rdatatype_t type; -- dns_fixedname_t fdname, fqname; -+ dns_fixedname_t fdname, fqname, fqdname; - dns_view_t *view; - - FCTXTRACE("answer_response"); -@@ -6738,6 +6745,7 @@ answer_response(fetchctx_t *fctx) { - - done = ISC_FALSE; - found_cname = ISC_FALSE; -+ found_dname = ISC_FALSE; - found_type = ISC_FALSE; - chaining = ISC_FALSE; - have_answer = ISC_FALSE; -@@ -6747,12 +6755,13 @@ 
answer_response(fetchctx_t *fctx) { - aa = ISC_TRUE; - else - aa = ISC_FALSE; -- qname = &fctx->name; -+ dqname = qname = &fctx->name; - type = fctx->type; - view = fctx->res->view; -+ dns_fixedname_init(&fqdname); - result = dns_message_firstname(message, DNS_SECTION_ANSWER); - while (!done && result == ISC_R_SUCCESS) { -- dns_namereln_t namereln; -+ dns_namereln_t namereln, dnamereln; - int order; - unsigned int nlabels; - -@@ -6760,6 +6769,8 @@ answer_response(fetchctx_t *fctx) { - dns_message_currentname(message, DNS_SECTION_ANSWER, &name); - external = ISC_TF(!dns_name_issubdomain(name, &fctx->domain)); - namereln = dns_name_fullcompare(qname, name, &order, &nlabels); -+ dnamereln = dns_name_fullcompare(dqname, name, &order, -+ &nlabels); - if (namereln == dns_namereln_equal) { - wanted_chaining = ISC_FALSE; - for (rdataset = ISC_LIST_HEAD(name->list); -@@ -6854,7 +6865,7 @@ answer_response(fetchctx_t *fctx) { - } - } else if (rdataset->type == dns_rdatatype_rrsig - && rdataset->covers == -- dns_rdatatype_cname -+ dns_rdatatype_cname - && !found_type) { - /* - * We're looking for something else, -@@ -6884,11 +6895,18 @@ answer_response(fetchctx_t *fctx) { - * a CNAME or DNAME). 
- */ - INSIST(!external); -- if (aflag == -- DNS_RDATASETATTR_ANSWER) { -+ if ((rdataset->type != -+ dns_rdatatype_cname) || -+ !found_dname || -+ (aflag == -+ DNS_RDATASETATTR_ANSWER)) -+ { - have_answer = ISC_TRUE; -+ if (rdataset->type == -+ dns_rdatatype_cname) -+ cname = name; - name->attributes |= -- DNS_NAMEATTR_ANSWER; -+ DNS_NAMEATTR_ANSWER; - } - rdataset->attributes |= aflag; - if (aa) -@@ -6982,11 +7000,11 @@ answer_response(fetchctx_t *fctx) { - return (DNS_R_FORMERR); - } - -- if (namereln != dns_namereln_subdomain) { -+ if (dnamereln != dns_namereln_subdomain) { - char qbuf[DNS_NAME_FORMATSIZE]; - char obuf[DNS_NAME_FORMATSIZE]; - -- dns_name_format(qname, qbuf, -+ dns_name_format(dqname, qbuf, - sizeof(qbuf)); - dns_name_format(name, obuf, - sizeof(obuf)); -@@ -7001,7 +7019,7 @@ answer_response(fetchctx_t *fctx) { - want_chaining = ISC_TRUE; - POST(want_chaining); - aflag = DNS_RDATASETATTR_ANSWER; -- result = dname_target(rdataset, qname, -+ result = dname_target(rdataset, dqname, - nlabels, &fdname); - if (result == ISC_R_NOSPACE) { - /* -@@ -7018,10 +7036,13 @@ answer_response(fetchctx_t *fctx) { - - dname = dns_fixedname_name(&fdname); - if (!is_answertarget_allowed(view, -- qname, rdataset->type, -- dname, &fctx->domain)) { -+ dqname, rdataset->type, -+ dname, &fctx->domain)) -+ { - return (DNS_R_SERVFAIL); - } -+ dqname = dns_fixedname_name(&fqdname); -+ dns_name_copy(dname, dqname, NULL); - } else { - /* - * We've found a signature that -@@ -7046,6 +7067,10 @@ answer_response(fetchctx_t *fctx) { - INSIST(!external); - if (aflag == DNS_RDATASETATTR_ANSWER) { - have_answer = ISC_TRUE; -+ found_dname = ISC_TRUE; -+ if (cname != NULL) -+ cname->attributes &= -+ ~DNS_NAMEATTR_ANSWER; - name->attributes |= - DNS_NAMEATTR_ANSWER; - } --- -2.7.4 - diff --git a/meta/recipes-connectivity/bind/bind/bind-confgen-build-unix.o-once.patch b/meta/recipes-connectivity/bind/bind/bind-confgen-build-unix.o-once.patch index 096d5d84fc9..8bc4ea30f8c 100644 
--- a/meta/recipes-connectivity/bind/bind/bind-confgen-build-unix.o-once.patch +++ b/meta/recipes-connectivity/bind/bind/bind-confgen-build-unix.o-once.patch @@ -17,24 +17,28 @@ problem. Upstream-Status: Pending Signed-off-by: Robert Yang <liezhi.yang@windriver.com> + +Update context(trailing whitespace) for version 9.10.5-P3. + +Signed-off-by: Kai Kang <kai.kang@windriver.com> --- bin/confgen/Makefile.in | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/bin/confgen/Makefile.in b/bin/confgen/Makefile.in -index 8b3e5aa..4868a24 100644 +index dca272f..02becce 100644 --- a/bin/confgen/Makefile.in +++ b/bin/confgen/Makefile.in @@ -74,11 +74,11 @@ rndc-confgen.@O@: rndc-confgen.c ddns-confgen.@O@: ddns-confgen.c ${LIBTOOL_MODE_COMPILE} ${CC} ${ALL_CFLAGS} -c ${srcdir}/ddns-confgen.c --rndc-confgen@EXEEXT@: rndc-confgen.@O@ util.@O@ keygen.@O@ ${UOBJS} ${CONFDEPLIBS} +-rndc-confgen@EXEEXT@: rndc-confgen.@O@ util.@O@ keygen.@O@ ${UOBJS} ${CONFDEPLIBS} +rndc-confgen@EXEEXT@: rndc-confgen.@O@ util.@O@ keygen.@O@ ${CONFDEPLIBS} $(SUBDIRS) export BASEOBJS="rndc-confgen.@O@ util.@O@ keygen.@O@ ${UOBJS}"; \ ${FINALBUILDCMD} --ddns-confgen@EXEEXT@: ddns-confgen.@O@ util.@O@ keygen.@O@ ${UOBJS} ${CONFDEPLIBS} +-ddns-confgen@EXEEXT@: ddns-confgen.@O@ util.@O@ keygen.@O@ ${UOBJS} ${CONFDEPLIBS} +ddns-confgen@EXEEXT@: ddns-confgen.@O@ util.@O@ keygen.@O@ ${CONFDEPLIBS} $(SUBDIRS) export BASEOBJS="ddns-confgen.@O@ util.@O@ keygen.@O@ ${UOBJS}"; \ ${FINALBUILDCMD} diff --git a/meta/recipes-connectivity/bind/bind/mips1-not-support-opcode.diff b/meta/recipes-connectivity/bind/bind/mips1-not-support-opcode.diff deleted file mode 100644 index 2930796b6af..00000000000 --- a/meta/recipes-connectivity/bind/bind/mips1-not-support-opcode.diff +++ /dev/null 
@@ -1,104 +0,0 @@ -bind: port a patch to fix a build failure - -mips1 does not support ll and sc instructions, and lead to below error, now -we port a patch from debian to fix it -[http://security.debian.org/debian-security/pool/updates/main/b/bind9/bind9_9.8.4.dfsg.P1-6+nmu2+deb7u1.diff.gz] - -| {standard input}: Assembler messages: -| {standard input}:47: Error: Opcode not supported on this processor: mips1 (mips1) `ll $3,0($6)' -| {standard input}:50: Error: Opcode not supported on this processor: mips1 (mips1) `sc $3,0($6)' - -Upstream-Status: Pending - -Signed-off-by: Roy Li <rongqing.li@windriver.com> - ---- bind9-9.8.4.dfsg.P1.orig/lib/isc/mips/include/isc/atomic.h -+++ bind9-9.8.4.dfsg.P1/lib/isc/mips/include/isc/atomic.h -@@ -31,18 +31,20 @@ - isc_atomic_xadd(isc_int32_t *p, int val) { - isc_int32_t orig; - -- /* add is a cheat, since MIPS has no mov instruction */ -- __asm__ volatile ( -- "1:" -- "ll $3, %1\n" -- "add %0, $0, $3\n" -- "add $3, $3, %2\n" -- "sc $3, %1\n" -- "beq $3, 0, 1b" -- : "=&r"(orig) -- : "m"(*p), "r"(val) -- : "memory", "$3" -- ); -+ __asm__ __volatile__ ( -+ " .set push \n" -+ " .set mips2 \n" -+ " .set noreorder \n" -+ " .set noat \n" -+ "1: ll $1, %1 \n" -+ " addu %0, $1, %2 \n" -+ " sc %0, %1 \n" -+ " beqz %0, 1b \n" -+ " move %0, $1 \n" -+ " .set pop \n" -+ : "=&r" (orig), "+R" (*p) -+ : "r" (val) -+ : "memory"); - - return (orig); - } -@@ -52,16 +54,7 @@ - */ - static inline void - isc_atomic_store(isc_int32_t *p, isc_int32_t val) { -- __asm__ volatile ( -- "1:" -- "ll $3, %0\n" -- "add $3, $0, %1\n" -- "sc $3, %0\n" -- "beq $3, 0, 1b" -- : -- : "m"(*p), "r"(val) -- : "memory", "$3" -- ); -+ *p = val; - } - - /* -@@ -72,20 +65,23 @@ - static inline isc_int32_t - isc_atomic_cmpxchg(isc_int32_t *p, int cmpval, int val) { - isc_int32_t orig; -+ isc_int32_t tmp; - -- __asm__ volatile( -- "1:" -- "ll $3, %1\n" -- "add %0, $0, $3\n" -- "bne $3, %2, 2f\n" -- "add $3, $0, %3\n" -- "sc $3, %1\n" -- "beq $3, 0, 1b\n" -- "2:" -- : 
"=&r"(orig)
-- : "m"(*p), "r"(cmpval), "r"(val)
-- : "memory", "$3"
-- );
-+ __asm__ __volatile__ (
-+ " .set push \n"
-+ " .set mips2 \n"
-+ " .set noreorder \n"
-+ " .set noat \n"
-+ "1: ll $1, %1 \n"
-+ " bne $1, %3, 2f \n"
-+ " move %2, %4 \n"
-+ " sc %2, %1 \n"
-+ " beqz %2, 1b \n"
-+ "2: move %0, $1 \n"
-+ " .set pop \n"
-+ : "=&r"(orig), "+R" (*p), "=r" (tmp)
-+ : "r"(cmpval), "r"(val)
-+ : "memory");
-
- return (orig);
- }
diff --git a/meta/recipes-connectivity/bind/bind/use-python3-and-fix-install-lib-path.patch b/meta/recipes-connectivity/bind/bind/use-python3-and-fix-install-lib-path.patch
new file mode 100644
index 00000000000..9829f15881d
--- /dev/null
+++ b/meta/recipes-connectivity/bind/bind/use-python3-and-fix-install-lib-path.patch
@@ -0,0 +1,36 @@
+Use python3 rather default python which maybe links to python2 for oe. And add
+option for setup.py to install files to right directory.
+
+Upstream-Status: Inappropriate [OE specific]
+
+Signed-off-by: Kai Kang <kai.kang@windriver.com>
+---
+diff --git a/bin/python/Makefile.in b/bin/python/Makefile.in
+index a43a3c1..2e727f2 100644
+--- a/bin/python/Makefile.in
++++ b/bin/python/Makefile.in
+@@ -55,9 +55,9 @@ install:: ${TARGETS} installdirs
+ ${INSTALL_DATA} ${srcdir}/dnssec-coverage.8 ${DESTDIR}${mandir}/man8
+ if test -n "${PYTHON}" ; then \
+ if test -n "${DESTDIR}" ; then \
+- ${PYTHON} ${srcdir}/setup.py install --root=${DESTDIR} --prefix=${prefix} ; \
++ ${PYTHON} ${srcdir}/setup.py install --root=${DESTDIR} --prefix=${prefix} --install-lib=${PYTHON_SITEPACKAGES_DIR} ; \
+ else \
+- ${PYTHON} ${srcdir}/setup.py install --prefix=${prefix} ; \
++ ${PYTHON} ${srcdir}/setup.py install --prefix=${prefix} --install-lib=${PYTHON_SITEPACKAGES_DIR} ; \
+ fi \
+ fi
+
+diff --git a/configure.in b/configure.in
+index 314bb90..867923e 100644
+--- a/configure.in
++++ b/configure.in
+@@ -227,7 +227,7 @@ AC_ARG_WITH(python,
+ [ --with-python=PATH specify path to python interpreter],
+ use_python="$withval", use_python="unspec")
+
+-python="python python3 python3.5 python3.4 python3.3 python3.2 python2 python2.7"
++python="python3 python3.5 python3.4 python3.3 python3.2 python2 python2.7"
+
+ testargparse='try: import argparse
+ except: exit(1)'
diff --git a/meta/recipes-connectivity/bind/bind_9.10.3-P3.bb b/meta/recipes-connectivity/bind/bind_9.10.5-P3.bb
index 7eb79b0ea0d..e6e1e8d068f 100644
--- a/meta/recipes-connectivity/bind/bind_9.10.3-P3.bb
+++ b/meta/recipes-connectivity/bind/bind_9.10.5-P3.bb
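Review bot: The two new `--install-lib=${PYTHON_SITEPACKAGES_DIR}` arguments in bin/python/Makefile.in reference a variable that nothing in that Makefile.in defines, and the patch description does not say where it is expected to come from. When it is unset, make expands it to an empty string and setup.py is handed a bare `--install-lib=`, so the install location is no longer pinned and the .py files can land outside the directory the recipe packages. I would record the contract in the patch header, e.g. `PYTHON_SITEPACKAGES_DIR must be exported by the build environment (the OE recipe exports it); if it is empty, --install-lib no longer pins the install directory.` If the variable may legitimately be absent, guarding the option with `if test -n "${PYTHON_SITEPACKAGES_DIR}"` in the same shell block would be the safer shape.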
@@ -3,14 +3,13 @@ HOMEPAGE = "http://www.isc.org/sw/bind/" SECTION = "console/network" LICENSE = "ISC & BSD" -LIC_FILES_CHKSUM = "file://COPYRIGHT;md5=0a95f52a0ab6c5f52dedc9a45e7abb3f" +LIC_FILES_CHKSUM = "file://COPYRIGHT;md5=dba46507446198119bcde32a4feaab43" DEPENDS = "openssl libcap" SRC_URI = "ftp://ftp.isc.org/isc/bind9/${PV}/${BPN}-${PV}.tar.gz \ file://conf.patch \ file://make-etc-initd-bind-stop-work.patch \ - file://mips1-not-support-opcode.diff \ file://dont-test-on-host.patch \ file://generate-rndc-key.sh \ file://named.service \ @@ -21,21 +20,14 @@ SRC_URI = "ftp://ftp.isc.org/isc/bind9/${PV}/${BPN}-${PV}.tar.gz \ file://bind-ensure-searching-for-json-headers-searches-sysr.patch \ file://0001-gen.c-extend-DIRNAMESIZE-from-256-to-512.patch \ file://0001-lib-dns-gen.c-fix-too-long-error.patch \ - file://CVE-2016-1285.patch \ - file://CVE-2016-1286_1.patch \ - file://CVE-2016-1286_2.patch \ - file://CVE-2016-2088.patch \ - file://CVE-2016-2775.patch \ - file://CVE-2016-2776.patch \ - file://CVE-2016-8864.patch \ - file://CVE-2016-6170.patch \ + file://use-python3-and-fix-install-lib-path.patch \ " UPSTREAM_CHECK_URI = "ftp://ftp.isc.org/isc/bind9/" UPSTREAM_CHECK_REGEX = "(?P<pver>9(\.\d+)+(-P\d+)*)/" -SRC_URI[md5sum] = "bcf7e772b616f7259420a3edc5df350a" -SRC_URI[sha256sum] = "690810d1fbb72afa629e74638d19cd44e28d2b2e5eb63f55c705ad85d1a4cb83" +SRC_URI[md5sum] = "d79cafbd9ac76239ee532dd89d05cc83" +SRC_URI[sha256sum] = "8d7e96b5b0bbac7b900d4c4bbb82e0956b4e509433c5fa392bb72a929b96606a" ENABLE_IPV6 = "--enable-ipv6=${@bb.utils.contains('DISTRO_FEATURES', 'ipv6', 'yes', 'no', d)}" EXTRA_OECONF = " ${ENABLE_IPV6} --with-libtool --enable-threads \ 
@@ -44,7 +36,10 @@ EXTRA_OECONF = " ${ENABLE_IPV6} --with-libtool --enable-threads \ --sysconfdir=${sysconfdir}/bind \ --with-openssl=${STAGING_LIBDIR}/.. \ " -inherit autotools update-rc.d systemd useradd pkgconfig + +inherit autotools update-rc.d systemd useradd pkgconfig python3-dir + +export PYTHON_SITEPACKAGES_DIR # PACKAGECONFIGs readline and libedit should NOT be set at same time PACKAGECONFIG ?= "readline" @@ -70,7 +65,7 @@ RDEPENDS_${PN}-dev = "" PACKAGE_BEFORE_PN += "${PN}-utils" FILES_${PN}-utils = "${bindir}/host ${bindir}/dig" FILES_${PN}-dev += "${bindir}/isc-config.h" -FILES_${PN} += "${sbindir}/generate-rndc-key.sh" +FILES_${PN} += "${sbindir}/generate-rndc-key.sh ${PYTHON_SITEPACKAGES_DIR}" do_install_prepend() { # clean host path in isc-config.sh before the hardlink created @@ -107,6 +102,8 @@ do_install_append() { install -d ${D}${sysconfdir}/tmpfiles.d echo "d /run/named 0755 bind bind - -" > ${D}${sysconfdir}/tmpfiles.d/bind.conf fi + + rm -f ${D}${PYTHON_SITEPACKAGES_DIR}/isc/*.pyc } CONFFILES_${PN} = " \ |
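Review bot: The cleanup added to do_install_append, `rm -f ${D}${PYTHON_SITEPACKAGES_DIR}/isc/*.pyc`, most likely matches nothing under Python 3: bytecode compiled at install time is written to `isc/__pycache__/*.pyc`, not beside the sources, so any such files would still be shipped through the new `FILES_${PN} += "... ${PYTHON_SITEPACKAGES_DIR}"` entry in the previous hunk. I would widen the line to `rm -rf ${D}${PYTHON_SITEPACKAGES_DIR}/isc/__pycache__` (keeping the existing glob is harmless). Whether setup.py actually emits bytecode in this build I cannot confirm from the hunk, so that part is hedged. Separately, packaging the site-packages tree into ${PN} without an `RDEPENDS_${PN} += "python3-core"` (or a dedicated sub-package for the Python tools) leaves the installed .py modules without an interpreter on the target.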