diff options
Diffstat (limited to 'meta/recipes-connectivity/bind/bind/CVE-2020-8616.patch')
-rw-r--r-- | meta/recipes-connectivity/bind/bind/CVE-2020-8616.patch | 206 |
1 files changed, 0 insertions, 206 deletions
diff --git a/meta/recipes-connectivity/bind/bind/CVE-2020-8616.patch b/meta/recipes-connectivity/bind/bind/CVE-2020-8616.patch deleted file mode 100644 index 8f00231919..0000000000 --- a/meta/recipes-connectivity/bind/bind/CVE-2020-8616.patch +++ /dev/null @@ -1,206 +0,0 @@ -Upstream-Status: Backport [https://downloads.isc.org/isc/bind9/9.11.19/patches/CVE-2020-8616.patch] -CVE: CVE-2020-8616 -Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com> ---- -diff --git a/lib/dns/adb.c b/lib/dns/adb.c -index 058495f6a5..6b8a9537f0 100644 ---- a/lib/dns/adb.c -+++ b/lib/dns/adb.c -@@ -404,14 +404,13 @@ static void log_quota(dns_adbentry_t *entry, const char *fmt, ...) - */ - #define FIND_WANTEVENT(fn) (((fn)->options & DNS_ADBFIND_WANTEVENT) != 0) - #define FIND_WANTEMPTYEVENT(fn) (((fn)->options & DNS_ADBFIND_EMPTYEVENT) != 0) --#define FIND_AVOIDFETCHES(fn) (((fn)->options & DNS_ADBFIND_AVOIDFETCHES) \ -- != 0) --#define FIND_STARTATZONE(fn) (((fn)->options & DNS_ADBFIND_STARTATZONE) \ -- != 0) --#define FIND_HINTOK(fn) (((fn)->options & DNS_ADBFIND_HINTOK) != 0) --#define FIND_GLUEOK(fn) (((fn)->options & DNS_ADBFIND_GLUEOK) != 0) --#define FIND_HAS_ADDRS(fn) (!ISC_LIST_EMPTY((fn)->list)) --#define FIND_RETURNLAME(fn) (((fn)->options & DNS_ADBFIND_RETURNLAME) != 0) -+#define FIND_AVOIDFETCHES(fn) (((fn)->options & DNS_ADBFIND_AVOIDFETCHES) != 0) -+#define FIND_STARTATZONE(fn) (((fn)->options & DNS_ADBFIND_STARTATZONE) != 0) -+#define FIND_HINTOK(fn) (((fn)->options & DNS_ADBFIND_HINTOK) != 0) -+#define FIND_GLUEOK(fn) (((fn)->options & DNS_ADBFIND_GLUEOK) != 0) -+#define FIND_HAS_ADDRS(fn) (!ISC_LIST_EMPTY((fn)->list)) -+#define FIND_RETURNLAME(fn) (((fn)->options & DNS_ADBFIND_RETURNLAME) != 0) -+#define FIND_NOFETCH(fn) (((fn)->options & DNS_ADBFIND_NOFETCH) != 0) - - /* - * These are currently used on simple unsigned ints, so they are -@@ -3155,21 +3154,26 @@ dns_adb_createfind2(dns_adb_t *adb, isc_task_t *task, isc_taskaction_t action, - * Listen to negative cache hints, and don't start - * another query. - */ -- if (NCACHE_RESULT(result) || AUTH_NX(result)) -+ if (NCACHE_RESULT(result) || AUTH_NX(result)) { - goto fetch; -+ } - -- if (!NAME_FETCH_V6(adbname)) -+ if (!NAME_FETCH_V6(adbname)) { - wanted_fetches |= DNS_ADBFIND_INET6; -+ } - } - - fetch: - if ((WANT_INET(wanted_addresses) && NAME_HAS_V4(adbname)) || - (WANT_INET6(wanted_addresses) && NAME_HAS_V6(adbname))) -+ { - have_address = true; -- else -+ } else { - have_address = false; -- if (wanted_fetches != 0 && -- ! (FIND_AVOIDFETCHES(find) && have_address)) { -+ } -+ if (wanted_fetches != 0 && !(FIND_AVOIDFETCHES(find) && have_address) && -+ !FIND_NOFETCH(find)) -+ { - /* - * We're missing at least one address family. Either the - * caller hasn't instructed us to avoid fetches, or we don't -@@ -3177,8 +3181,9 @@ dns_adb_createfind2(dns_adb_t *adb, isc_task_t *task, isc_taskaction_t action, - * be acceptable so we have to launch fetches. - */ - -- if (FIND_STARTATZONE(find)) -+ if (FIND_STARTATZONE(find)) { - start_at_zone = true; -+ } - - /* - * Start V4. -diff --git a/lib/dns/include/dns/adb.h b/lib/dns/include/dns/adb.h -index 63a13c4e41..edf6e54935 100644 ---- a/lib/dns/include/dns/adb.h -+++ b/lib/dns/include/dns/adb.h -@@ -207,6 +207,10 @@ struct dns_adbfind { - * lame for this query. - */ - #define DNS_ADBFIND_OVERQUOTA 0x00000400 -+/*% -+ * Don't perform a fetch even if there are no address records available. -+ */ -+#define DNS_ADBFIND_NOFETCH 0x00000800 - - /*% - * The answers to queries come back as a list of these. -diff --git a/lib/dns/resolver.c b/lib/dns/resolver.c -index 7c44478a26..0a40859d08 100644 ---- a/lib/dns/resolver.c -+++ b/lib/dns/resolver.c -@@ -172,6 +172,14 @@ - #define DEFAULT_MAX_QUERIES 75 - #endif - -+/* -+ * After NS_FAIL_LIMIT attempts to fetch a name server address, -+ * if the number of addresses in the NS RRset exceeds NS_RR_LIMIT, -+ * stop trying to fetch, in order to avoid wasting resources. -+ */ -+#define NS_FAIL_LIMIT 4 -+#define NS_RR_LIMIT 5 -+ - /* Number of hash buckets for zone counters */ - #ifndef RES_DOMAIN_BUCKETS - #define RES_DOMAIN_BUCKETS 523 -@@ -3130,8 +3138,7 @@ sort_finds(dns_adbfindlist_t *findlist, unsigned int bias) { - static void - findname(fetchctx_t *fctx, dns_name_t *name, in_port_t port, - unsigned int options, unsigned int flags, isc_stdtime_t now, -- bool *overquota, bool *need_alternate) --{ -+ bool *overquota, bool *need_alternate, unsigned int *no_addresses) { - dns_adbaddrinfo_t *ai; - dns_adbfind_t *find; - dns_resolver_t *res; -@@ -3219,7 +3226,12 @@ findname(fetchctx_t *fctx, dns_name_t *name, in_port_t port, - find->result_v6 != DNS_R_NXDOMAIN) || - (res->dispatches6 == NULL && - find->result_v4 != DNS_R_NXDOMAIN))) -+ { - *need_alternate = true; -+ } -+ if (no_addresses != NULL) { -+ (*no_addresses)++; -+ } - } else { - if ((find->options & DNS_ADBFIND_OVERQUOTA) != 0) { - if (overquota != NULL) -@@ -3270,6 +3282,7 @@ fctx_getaddresses(fetchctx_t *fctx, bool badcache) { - dns_rdata_ns_t ns; - bool need_alternate = false; - bool all_spilled = true; -+ unsigned int no_addresses = 0; - - FCTXTRACE5("getaddresses", "fctx->depth=", fctx->depth); - -@@ -3437,20 +3450,28 @@ fctx_getaddresses(fetchctx_t *fctx, bool badcache) { - * Extract the name from the NS record. - */ - result = dns_rdata_tostruct(&rdata, &ns, NULL); -- if (result != ISC_R_SUCCESS) -+ if (result != ISC_R_SUCCESS) { - continue; -+ } - -- findname(fctx, &ns.name, 0, stdoptions, 0, now, -- &overquota, &need_alternate); -+ if (no_addresses > NS_FAIL_LIMIT && -+ dns_rdataset_count(&fctx->nameservers) > NS_RR_LIMIT) -+ { -+ stdoptions |= DNS_ADBFIND_NOFETCH; -+ } -+ findname(fctx, &ns.name, 0, stdoptions, 0, now, &overquota, -+ &need_alternate, &no_addresses); - -- if (!overquota) -+ if (!overquota) { - all_spilled = false; -+ } - - dns_rdata_reset(&rdata); - dns_rdata_freestruct(&ns); - } -- if (result != ISC_R_NOMORE) -+ if (result != ISC_R_NOMORE) { - return (result); -+ } - - /* - * Do we need to use 6 to 4? -@@ -3465,7 +3486,7 @@ fctx_getaddresses(fetchctx_t *fctx, bool badcache) { - if (!a->isaddress) { - findname(fctx, &a->_u._n.name, a->_u._n.port, - stdoptions, FCTX_ADDRINFO_FORWARDER, -- now, NULL, NULL); -+ now, NULL, NULL, NULL); - continue; - } - if (isc_sockaddr_pf(&a->_u.addr) != family) -@@ -3827,16 +3827,14 @@ fctx_try(fetchctx_t *fctx, bool retrying, bool badcache) { - } - } - -- if (dns_name_countlabels(&fctx->domain) > 2) { -- result = isc_counter_increment(fctx->qc); -- if (result != ISC_R_SUCCESS) { -- isc_log_write(dns_lctx, DNS_LOGCATEGORY_RESOLVER, -- DNS_LOGMODULE_RESOLVER, ISC_LOG_DEBUG(3), -- "exceeded max queries resolving '%s'", -- fctx->info); -- fctx_done(fctx, DNS_R_SERVFAIL, __LINE__); -- return; -- } -+ result = isc_counter_increment(fctx->qc); -+ if (result != ISC_R_SUCCESS) { -+ isc_log_write(dns_lctx, DNS_LOGCATEGORY_RESOLVER, -+ DNS_LOGMODULE_RESOLVER, ISC_LOG_DEBUG(3), -+ "exceeded max queries resolving '%s'", -+ fctx->info); -+ fctx_done(fctx, DNS_R_SERVFAIL, __LINE__); -+ return; - } - - bucketnum = fctx->bucketnum; |