Blame SOURCES/bind-9.16-CVE-2022-3094-1.patch

7e24df
From 0c0dc08d3ef26b7411cfe089e8144454831e8af5 Mon Sep 17 00:00:00 2001
7e24df
From: Evan Hunt <each@isc.org>
7e24df
Date: Thu, 1 Sep 2022 16:05:04 -0700
7e24df
Subject: [PATCH] add an update quota
7e24df
7e24df
limit the number of simultaneous DNS UPDATE events that can be
7e24df
processed by adding a quota for update and update forwarding.
7e24df
this quota currently, arbitrarily, defaults to 100.
7e24df
7e24df
also add a statistics counter to record when the update quota
7e24df
has been exceeded.
7e24df
7e24df
(cherry picked from commit 7c47254a140c3e9cf383cda73c7b6a55c4782826)
7e24df
---
7e24df
 bin/named/bind9.xsl        |  4 +++-
7e24df
 bin/named/bind9.xsl.h      |  6 +++++-
7e24df
 bin/named/statschannel.c   |  5 +++--
7e24df
 doc/arm/reference.rst      |  5 +++++
7e24df
 lib/ns/include/ns/server.h |  1 +
7e24df
 lib/ns/include/ns/stats.h  |  4 +++-
7e24df
 lib/ns/server.c            |  2 ++
7e24df
 lib/ns/update.c            | 38 +++++++++++++++++++++++++++++++++++++-
7e24df
 8 files changed, 59 insertions(+), 6 deletions(-)
7e24df
7e24df
diff --git a/bin/named/bind9.xsl b/bin/named/bind9.xsl
7e24df
index 5078115..194625b 100644
7e24df
--- a/bin/named/bind9.xsl
7e24df
+++ b/bin/named/bind9.xsl
7e24df
@@ -12,7 +12,9 @@
7e24df
 
7e24df
 <xsl:stylesheet xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns="http://www.w3.org/1999/xhtml" version="1.0">
7e24df
   <xsl:output method="html" indent="yes" version="4.0"/>
7e24df
-  <xsl:template match="statistics[@version="3.11"]">
7e24df
+  
7e24df
+  
7e24df
+  <xsl:template match="statistics[@version="3.11.1"]">
7e24df
     <html>
7e24df
       <head>
7e24df
         <script type="text/javascript" src="https://ajax.googleapis.com/ajax/libs/jquery/3.4.1/jquery.min.js"></script>
7e24df
diff --git a/bin/named/bind9.xsl.h b/bin/named/bind9.xsl.h
7e24df
index e30f7f5..b182742 100644
7e24df
--- a/bin/named/bind9.xsl.h
7e24df
+++ b/bin/named/bind9.xsl.h
7e24df
@@ -20,7 +20,11 @@ static char xslmsg[] =
7e24df
 	"
7e24df
 	"xmlns=\"http://www.w3.org/1999/xhtml\" version=\"1.0\">\n"
7e24df
 	" <xsl:output method=\"html\" indent=\"yes\" version=\"4.0\"/>\n"
7e24df
-	" <xsl:template match=\"statistics[@version="3.11"]\">\n"
7e24df
+	" 
7e24df
+	"bin/named/statschannel.c -->\n"
7e24df
+	" 
7e24df
+	"the HTTP endpoints listed below -->\n"
7e24df
+	" <xsl:template match=\"statistics[@version="3.11.1"]\">\n"
7e24df
 	" <html>\n"
7e24df
 	" <head>\n"
7e24df
 	" 
7e24df
diff --git a/bin/named/statschannel.c b/bin/named/statschannel.c
7e24df
index 832ce93..7361ead 100644
7e24df
--- a/bin/named/statschannel.c
7e24df
+++ b/bin/named/statschannel.c
7e24df
@@ -335,6 +335,7 @@ init_desc(void) {
7e24df
 	SET_NSSTATDESC(reclimitdropped,
7e24df
 		       "queries dropped due to recursive client limit",
7e24df
 		       "RecLimitDropped");
7e24df
+	SET_NSSTATDESC(updatequota, "Update quota exceeded", "UpdateQuota");
7e24df
 
7e24df
 	INSIST(i == ns_statscounter_max);
7e24df
 
7e24df
@@ -2007,7 +2008,7 @@ generatexml(named_server_t *server, uint32_t flags, int *buflen,
7e24df
 					      "href=\"/bind9.xsl\""));
7e24df
 	TRY0(xmlTextWriterStartElement(writer, ISC_XMLCHAR "statistics"));
7e24df
 	TRY0(xmlTextWriterWriteAttribute(writer, ISC_XMLCHAR "version",
7e24df
-					 ISC_XMLCHAR "3.11"));
7e24df
+					 ISC_XMLCHAR "3.11.1"));
7e24df
 
7e24df
 	/* Set common fields for statistics dump */
7e24df
 	dumparg.type = isc_statsformat_xml;
7e24df
@@ -2876,7 +2877,7 @@ generatejson(named_server_t *server, size_t *msglen, const char **msg,
7e24df
 	/*
7e24df
 	 * These statistics are included no matter which URL we use.
7e24df
 	 */
7e24df
-	obj = json_object_new_string("1.5");
7e24df
+	obj = json_object_new_string("1.5.1");
7e24df
 	CHECKMEM(obj);
7e24df
 	json_object_object_add(bindstats, "json-stats-version", obj);
7e24df
 
7e24df
diff --git a/doc/arm/reference.rst b/doc/arm/reference.rst
7e24df
index 2d05aec..25c20d7 100644
7e24df
--- a/doc/arm/reference.rst
7e24df
+++ b/doc/arm/reference.rst
7e24df
@@ -6705,6 +6705,11 @@ Name Server Statistics Counters
7e24df
 ``UpdateBadPrereq``
7e24df
     This indicates the number of dynamic updates rejected due to a prerequisite failure.
7e24df
 
7e24df
+``UpdateQuota``
7e24df
+    This indicates the number of times a dynamic update or update
7e24df
+    forwarding request was rejected because the number of pending
7e24df
+    requests exceeded the update quota.
7e24df
+
7e24df
 ``RateDropped``
7e24df
     This indicates the number of responses dropped due to rate limits.
7e24df
 
7e24df
diff --git a/lib/ns/include/ns/server.h b/lib/ns/include/ns/server.h
7e24df
index 6a1f345..0abb579 100644
7e24df
--- a/lib/ns/include/ns/server.h
7e24df
+++ b/lib/ns/include/ns/server.h
7e24df
@@ -84,6 +84,7 @@ struct ns_server {
7e24df
 	isc_quota_t recursionquota;
7e24df
 	isc_quota_t tcpquota;
7e24df
 	isc_quota_t xfroutquota;
7e24df
+	isc_quota_t updquota;
7e24df
 
7e24df
 	/*% Test options and other configurables */
7e24df
 	uint32_t options;
7e24df
diff --git a/lib/ns/include/ns/stats.h b/lib/ns/include/ns/stats.h
7e24df
index 3c08799..95b15d0 100644
7e24df
--- a/lib/ns/include/ns/stats.h
7e24df
+++ b/lib/ns/include/ns/stats.h
7e24df
@@ -106,7 +106,9 @@ enum {
7e24df
 
7e24df
 	ns_statscounter_reclimitdropped = 66,
7e24df
 
7e24df
-	ns_statscounter_max = 67,
7e24df
+	ns_statscounter_updatequota = 67,
7e24df
+
7e24df
+	ns_statscounter_max = 68,
7e24df
 };
7e24df
 
7e24df
 void
7e24df
diff --git a/lib/ns/server.c b/lib/ns/server.c
7e24df
index a970a28..540bc2e 100644
7e24df
--- a/lib/ns/server.c
7e24df
+++ b/lib/ns/server.c
7e24df
@@ -52,6 +52,7 @@ ns_server_create(isc_mem_t *mctx, ns_matchview_t matchingview,
7e24df
 	isc_quota_init(&sctx->xfroutquota, 10);
7e24df
 	isc_quota_init(&sctx->tcpquota, 10);
7e24df
 	isc_quota_init(&sctx->recursionquota, 100);
7e24df
+	isc_quota_init(&sctx->updquota, 100);
7e24df
 
7e24df
 	CHECKFATAL(dns_tkeyctx_create(mctx, &sctx->tkeyctx));
7e24df
 
7e24df
@@ -131,6 +132,7 @@ ns_server_detach(ns_server_t **sctxp) {
7e24df
 			isc_mem_put(sctx->mctx, altsecret, sizeof(*altsecret));
7e24df
 		}
7e24df
 
7e24df
+		isc_quota_destroy(&sctx->updquota);
7e24df
 		isc_quota_destroy(&sctx->recursionquota);
7e24df
 		isc_quota_destroy(&sctx->tcpquota);
7e24df
 		isc_quota_destroy(&sctx->xfroutquota);
7e24df
diff --git a/lib/ns/update.c b/lib/ns/update.c
7e24df
index 546b70a..9a8c309 100644
7e24df
--- a/lib/ns/update.c
7e24df
+++ b/lib/ns/update.c
7e24df
@@ -1544,6 +1544,19 @@ send_update_event(ns_client_t *client, dns_zone_t *zone) {
7e24df
 	update_event_t *event = NULL;
7e24df
 	isc_task_t *zonetask = NULL;
7e24df
 
7e24df
+	result = isc_quota_attach(&client->manager->sctx->updquota,
7e24df
+				  &(isc_quota_t *){ NULL });
7e24df
+	if (result != ISC_R_SUCCESS) {
7e24df
+		update_log(client, zone, LOGLEVEL_PROTOCOL,
7e24df
+			   "update failed: too many DNS UPDATEs queued (%s)",
7e24df
+			   isc_result_totext(result));
7e24df
+		ns_stats_increment(client->manager->sctx->nsstats,
7e24df
+				   ns_statscounter_updatequota);
7e24df
+		ns_client_drop(client, result);
7e24df
+		isc_nmhandle_detach(&client->reqhandle);
7e24df
+		return (DNS_R_DROP);
7e24df
+	}
7e24df
+
7e24df
 	event = (update_event_t *)isc_event_allocate(
7e24df
 		client->mctx, client, DNS_EVENT_UPDATE, update_action, NULL,
7e24df
 		sizeof(*event));
7e24df
@@ -1676,12 +1689,19 @@ failure:
7e24df
 		       dns_zone_gettype(zone) == dns_zone_mirror);
7e24df
 		inc_stats(client, zone, ns_statscounter_updaterej);
7e24df
 	}
7e24df
+
7e24df
 	/*
7e24df
 	 * We failed without having sent an update event to the zone.
7e24df
 	 * We are still in the client task context, so we can
7e24df
 	 * simply give an error response without switching tasks.
7e24df
 	 */
7e24df
-	respond(client, result);
7e24df
+	if (result == DNS_R_DROP) {
7e24df
+		ns_client_drop(client, result);
7e24df
+		isc_nmhandle_detach(&client->reqhandle);
7e24df
+	} else {
7e24df
+		respond(client, result);
7e24df
+	}
7e24df
+
7e24df
 	if (zone != NULL) {
7e24df
 		dns_zone_detach(&zone);
7e24df
 	}
7e24df
@@ -3489,6 +3509,7 @@ updatedone_action(isc_task_t *task, isc_event_t *event) {
7e24df
 
7e24df
 	respond(client, uev->result);
7e24df
 
7e24df
+	isc_quota_detach(&(isc_quota_t *){ &client->manager->sctx->updquota });
7e24df
 	isc_event_free(&event);
7e24df
 	isc_nmhandle_detach(&client->updatehandle);
7e24df
 }
7e24df
@@ -3505,6 +3526,8 @@ forward_fail(isc_task_t *task, isc_event_t *event) {
7e24df
 	INSIST(client->nupdates > 0);
7e24df
 	client->nupdates--;
7e24df
 	respond(client, DNS_R_SERVFAIL);
7e24df
+
7e24df
+	isc_quota_detach(&(isc_quota_t *){ &client->manager->sctx->updquota });
7e24df
 	isc_event_free(&event);
7e24df
 	isc_nmhandle_detach(&client->updatehandle);
7e24df
 }
7e24df
@@ -3542,6 +3565,8 @@ forward_done(isc_task_t *task, isc_event_t *event) {
7e24df
 	client->nupdates--;
7e24df
 	ns_client_sendraw(client, uev->answer);
7e24df
 	dns_message_detach(&uev->answer);
7e24df
+
7e24df
+	isc_quota_detach(&(isc_quota_t *){ &client->manager->sctx->updquota });
7e24df
 	isc_event_free(&event);
7e24df
 	isc_nmhandle_detach(&client->updatehandle);
7e24df
 }
7e24df
@@ -3576,6 +3601,17 @@ send_forward_event(ns_client_t *client, dns_zone_t *zone) {
7e24df
 	update_event_t *event = NULL;
7e24df
 	isc_task_t *zonetask = NULL;
7e24df
 
7e24df
+	result = isc_quota_attach(&client->manager->sctx->updquota,
7e24df
+				  &(isc_quota_t *){ NULL });
7e24df
+	if (result != ISC_R_SUCCESS) {
7e24df
+		update_log(client, zone, LOGLEVEL_PROTOCOL,
7e24df
+			   "update failed: too many DNS UPDATEs queued (%s)",
7e24df
+			   isc_result_totext(result));
7e24df
+		ns_stats_increment(client->manager->sctx->nsstats,
7e24df
+				   ns_statscounter_updatequota);
7e24df
+		return (DNS_R_DROP);
7e24df
+	}
7e24df
+
7e24df
 	event = (update_event_t *)isc_event_allocate(
7e24df
 		client->mctx, client, DNS_EVENT_UPDATE, forward_action, NULL,
7e24df
 		sizeof(*event));
7e24df
-- 
7e24df
2.39.1
7e24df