diff --git a/backport-Add-missing-DbC-magic-checks.patch b/backport-Add-missing-DbC-magic-checks.patch new file mode 100644 index 0000000000000000000000000000000000000000..5a3c341d3fcc638bc0d9d98fd2d2c23fe5f7cbbb --- /dev/null +++ b/backport-Add-missing-DbC-magic-checks.patch 
@@ -0,0 +1,64 @@ +From f9845df6d61e7491508a7f54b1d3caab7641652e Mon Sep 17 00:00:00 2001 +From: Mark Andrews +Date: Thu, 1 Dec 2022 12:51:30 +1100 +Subject: [PATCH] Add missing DbC magic checks + +Checking for value != NULL is not sufficient to detect use after +free errors. + +(cherry picked from commit b1086a5561c8024fc39b5250063fc901c27eef06) +--- + lib/dns/catz.c | 10 +++++----- + 1 file changed, 5 insertions(+), 5 deletions(-) + +diff --git a/lib/dns/catz.c b/lib/dns/catz.c +index 332f9877360..68927e84bbf 100644 +--- a/lib/dns/catz.c ++++ b/lib/dns/catz.c +@@ -638,7 +638,7 @@ cleanup_ht: + void + dns_catz_catzs_set_view(dns_catz_zones_t *catzs, dns_view_t *view) { + REQUIRE(DNS_CATZ_ZONES_VALID(catzs)); +- REQUIRE(view != NULL); ++ REQUIRE(DNS_VIEW_VALID(view)); + /* Either it's a new one or it's being reconfigured. */ + REQUIRE(catzs->view == NULL || !strcmp(catzs->view->name, view->name)); + +@@ -834,7 +834,7 @@ void + dns_catz_catzs_detach(dns_catz_zones_t **catzsp) { + dns_catz_zones_t *catzs; + +- REQUIRE(catzsp != NULL && *catzsp != NULL); ++ REQUIRE(catzsp != NULL && DNS_CATZ_ZONES_VALID(*catzsp)); + + catzs = *catzsp; + *catzsp = NULL; +@@ -1515,7 +1515,7 @@ dns_catz_generate_masterfilename(dns_catz_zone_t *zone, dns_catz_entry_t *entry, + bool special = false; + + REQUIRE(DNS_CATZ_ZONE_VALID(zone)); +- REQUIRE(entry != NULL); ++ REQUIRE(DNS_CATZ_ENTRY_VALID(entry)); + REQUIRE(buffer != NULL && *buffer != NULL); + + isc_buffer_allocate(zone->catzs->mctx, &tbuf, +@@ -1613,7 +1613,7 @@ dns_catz_generate_zonecfg(dns_catz_zone_t *zone, dns_catz_entry_t *entry, + char zname[DNS_NAME_FORMATSIZE]; + + REQUIRE(DNS_CATZ_ZONE_VALID(zone)); +- REQUIRE(entry != NULL); ++ REQUIRE(DNS_CATZ_ENTRY_VALID(entry)); + REQUIRE(buf != NULL && *buf == NULL); + + /* +@@ -1745,7 +1745,7 @@ dns_catz_dbupdate_callback(dns_db_t *db, void *fn_arg) { + isc_region_t r; + + REQUIRE(DNS_DB_VALID(db)); +- REQUIRE(fn_arg != NULL); ++ REQUIRE(DNS_CATZ_ZONES_VALID(fn_arg)); + catzs = 
(dns_catz_zones_t *)fn_arg; + + dns_name_toregion(&db->origin, &r); +-- +2.23.0 \ No newline at end of file diff --git a/backport-Call-dns_db_updatenotify_unregister-earlier.patch b/backport-Call-dns_db_updatenotify_unregister-earlier.patch new file mode 100644 index 0000000000000000000000000000000000000000..b35e4ad3be0ef759c6ad14fce8953e0ff24d8447 --- /dev/null +++ b/backport-Call-dns_db_updatenotify_unregister-earlier.patch 
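Review bot: The `REQUIRE(DNS_CATZ_ZONES_VALID(fn_arg))` in dns_catz_dbupdate_callback, like the other four magic checks in this patch, catches a stale pointer only while the freed object's magic word is still zeroed and the memory has not been reused, so it is a best-effort debugging aid rather than the use-after-free detector the commit message suggests. A one-line comment at the callback site would keep the next reader from over-trusting it, e.g. `/* magic check: catches objects whose magic was cleared on free, not arbitrary reuse */`. The callback's body continues outside the inner hunk.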
@@ -0,0 +1,159 @@ +From dd73306509b4703011cbc6a8cc3d3667a58110d3 Mon Sep 17 00:00:00 2001 +From: Mark Andrews +Date: Wed, 30 Nov 2022 18:44:37 +1100 +Subject: [PATCH] Call dns_db_updatenotify_unregister earlier + +dns_db_updatenotify_unregister needed to be called earlier to ensure +that listener->onupdate_arg always points to a valid object. The +existing lazy cleanup in rbtdb_free did not ensure that. + +(cherry picked from commit 35839e91d84f4c22f3554ff4b6dc53d20359621e) +--- + lib/dns/include/dns/zone.h | 3 +- + lib/dns/rbtdb.c | 10 +------ + lib/dns/zone.c | 60 ++++++++++++++++++++++---------------- + 3 files changed, 38 insertions(+), 35 deletions(-) + +diff --git a/lib/dns/include/dns/zone.h b/lib/dns/include/dns/zone.h +index cb5da5d046e..4bdc936949a 100644 +--- a/lib/dns/include/dns/zone.h ++++ b/lib/dns/include/dns/zone.h +@@ -2610,7 +2610,8 @@ dns_zone_catz_enable(dns_zone_t *zone, dns_catz_zones_t *catzs); + void + dns_zone_catz_disable(dns_zone_t *zone); + /*%< +- * Disable zone as catalog zone, if it is one. ++ * Disable zone as catalog zone, if it is one. Also disables any ++ * registered callbacks for the catalog zone. 
+ * + * Requires: + * +diff --git a/lib/dns/rbtdb.c b/lib/dns/rbtdb.c +index 36fce510244..b36cdf22059 100644 +--- a/lib/dns/rbtdb.c ++++ b/lib/dns/rbtdb.c +@@ -1063,7 +1063,6 @@ free_rbtdb(dns_rbtdb_t *rbtdb, bool log, isc_event_t *event) { + char buf[DNS_NAME_FORMATSIZE]; + dns_rbt_t **treep; + isc_time_t start; +- dns_dbonupdatelistener_t *listener, *listener_next; + + if (IS_CACHE(rbtdb) && rbtdb->common.rdclass == dns_rdataclass_in) { + overmem((dns_db_t *)rbtdb, (bool)-1); +@@ -1220,14 +1219,7 @@ free_rbtdb(dns_rbtdb_t *rbtdb, bool log, isc_event_t *event) { + isc_file_munmap(rbtdb->mmap_location, (size_t)rbtdb->mmap_size); + } + +- for (listener = ISC_LIST_HEAD(rbtdb->common.update_listeners); +- listener != NULL; listener = listener_next) +- { +- listener_next = ISC_LIST_NEXT(listener, link); +- ISC_LIST_UNLINK(rbtdb->common.update_listeners, listener, link); +- isc_mem_put(rbtdb->common.mctx, listener, +- sizeof(dns_dbonupdatelistener_t)); +- } ++ INSIST(ISC_LIST_EMPTY(rbtdb->common.update_listeners)); + + isc_mem_putanddetach(&rbtdb->common.mctx, rbtdb, sizeof(*rbtdb)); + } +diff --git a/lib/dns/zone.c b/lib/dns/zone.c +index 62c102b374f..21e71767e93 100644 +--- a/lib/dns/zone.c ++++ b/lib/dns/zone.c +@@ -1938,6 +1938,31 @@ dns_zone_rpz_disable_db(dns_zone_t *zone, dns_db_t *db) { + zone->rpzs->zones[zone->rpz_num]); + } + ++/* ++ * If a zone is a catalog zone, attach it to update notification in database. 
++ */ ++void ++dns_zone_catz_enable_db(dns_zone_t *zone, dns_db_t *db) { ++ REQUIRE(DNS_ZONE_VALID(zone)); ++ REQUIRE(db != NULL); ++ ++ if (zone->catzs != NULL) { ++ dns_db_updatenotify_register(db, dns_catz_dbupdate_callback, ++ zone->catzs); ++ } ++} ++ ++static void ++dns_zone_catz_disable_db(dns_zone_t *zone, dns_db_t *db) { ++ REQUIRE(DNS_ZONE_VALID(zone)); ++ REQUIRE(db != NULL); ++ ++ if (zone->catzs != NULL) { ++ dns_db_updatenotify_unregister(db, dns_catz_dbupdate_callback, ++ zone->catzs); ++ } ++} ++ + static void + zone_catz_enable(dns_zone_t *zone, dns_catz_zones_t *catzs) { + REQUIRE(DNS_ZONE_VALID(zone)); +@@ -1964,6 +1989,9 @@ zone_catz_disable(dns_zone_t *zone) { + REQUIRE(DNS_ZONE_VALID(zone)); + + if (zone->catzs != NULL) { ++ if (zone->db != NULL) { ++ dns_zone_catz_disable_db(zone, zone->db); ++ } + dns_catz_catzs_detach(&zone->catzs); + } + } +@@ -1984,31 +2012,6 @@ dns_zone_catz_is_enabled(dns_zone_t *zone) { + return (zone->catzs != NULL); + } + +-/* +- * If a zone is a catalog zone, attach it to update notification in database. 
+- */ +-void +-dns_zone_catz_enable_db(dns_zone_t *zone, dns_db_t *db) { +- REQUIRE(DNS_ZONE_VALID(zone)); +- REQUIRE(db != NULL); +- +- if (zone->catzs != NULL) { +- dns_db_updatenotify_register(db, dns_catz_dbupdate_callback, +- zone->catzs); +- } +-} +- +-static void +-dns_zone_catz_disable_db(dns_zone_t *zone, dns_db_t *db) { +- REQUIRE(DNS_ZONE_VALID(zone)); +- REQUIRE(db != NULL); +- +- if (zone->catzs != NULL) { +- dns_db_updatenotify_unregister(db, dns_catz_dbupdate_callback, +- zone->catzs); +- } +-} +- + /* + * Set catalog zone ownership of the zone + */ +@@ -5375,6 +5378,11 @@ cleanup: + isc_result_totext(result)); + } + ++ if (result != ISC_R_SUCCESS) { ++ dns_zone_rpz_disable_db(zone, db); ++ dns_zone_catz_disable_db(zone, db); ++ } ++ + for (inc = ISC_LIST_HEAD(zone->newincludes); inc != NULL; + inc = ISC_LIST_HEAD(zone->newincludes)) + { +@@ -17472,6 +17480,8 @@ static void + zone_detachdb(dns_zone_t *zone) { + REQUIRE(zone->db != NULL); + ++ dns_zone_rpz_disable_db(zone, zone->db); ++ dns_zone_catz_disable_db(zone, zone->db); + dns_db_detach(&zone->db); + } + +-- +2.23.0 \ No newline at end of file diff --git a/backport-Check-for-NULL-before-dereferencing-qctx-rpz_st.patch b/backport-Check-for-NULL-before-dereferencing-qctx-rpz_st.patch new file mode 100644 index 0000000000000000000000000000000000000000..99e5182a1e5d62ee6d77bc2f58e2b8e1cd49956d --- /dev/null +++ b/backport-Check-for-NULL-before-dereferencing-qctx-rpz_st.patch 
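Review bot: Replacing the lazy listener cleanup in free_rbtdb with `INSIST(ISC_LIST_EMPTY(rbtdb->common.update_listeners));` turns any callback still registered at database teardown into an assertion failure (a named abort) where it previously only leaked, so the patch is only as safe as the set of unregister paths it adds. The hunks cover zone_detachdb, zone_catz_disable and the load-failure cleanup in zone.c; any other path that drops the last db reference with a catz or RPZ callback registered would now crash, and dns_catz_zone_detach in catz.c (not in this patch) unregisters only when zone->db_registered is set. Confirm every dns_db_detach of a zone database goes through zone_detachdb and state the invariant on the INSIST, e.g. `/* every listener must be unregistered via *_disable_db() before the last detach */`. All affected functions start and end outside the inner hunks.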
@@ -0,0 +1,43 @@
+From 148608c7b2a6fb55dafd35632b4a661f90ed36fb Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Micha=C5=82=20K=C4=99pie=C5=84?=
+Date: Mon, 13 Jun 2022 14:03:16 +0200
+Subject: [PATCH] Check for NULL before dereferencing qctx->rpz_st
+
+Commit 9ffb4a7ba11fae64a6ce2dd6390cd334372b7ab7 causes Clang Static
+Analyzer to flag a potential NULL dereference in query_nxdomain():
+
+ query.c:9394:26: warning: Dereference of null pointer [core.NullDereference]
+ if (!qctx->nxrewrite || qctx->rpz_st->m.rpz->addsoa) {
+ ^~~~~~~~~~~~~~~~~~~
+ 1 warning generated.
+
+The warning above is for qctx->rpz_st potentially being a NULL pointer
+when query_nxdomain() is called from query_resume(). This is a false
+positive because none of the database lookup result codes currently
+causing query_nxdomain() to be called (DNS_R_EMPTYWILD, DNS_R_NXDOMAIN)
+can be returned by a database lookup following a recursive resolution
+attempt. Add a NULL check nevertheless in order to future-proof the
+code and silence Clang Static Analyzer.
+
+(cherry picked from commit 07592d1315412c38c978e8d009aace5d0f5bef93)
+---
+ lib/ns/query.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/lib/ns/query.c b/lib/ns/query.c
+index 43638a35eb8..067c6a23729 100644
+--- a/lib/ns/query.c
++++ b/lib/ns/query.c
+@@ -9248,7 +9248,9 @@ query_nxdomain(query_ctx_t *qctx, bool empty_wild) {
+ {
+ ttl = 0;
+ }
+- if (!qctx->nxrewrite || qctx->rpz_st->m.rpz->addsoa) {
++ if (!qctx->nxrewrite ||
++ (qctx->rpz_st != NULL && qctx->rpz_st->m.rpz->addsoa))
++ {
+ result = query_addsoa(qctx, ttl, section);
+ if (result != ISC_R_SUCCESS) {
+ QUERY_ERROR(qctx, result);
+--
+2.23.0
\ No newline at end of file
diff --git a/backport-Don-t-allow-DNSSEC-records-in-the-raw-zone.patch b/backport-Don-t-allow-DNSSEC-records-in-the-raw-zone.patch
new file mode 100644
index 0000000000000000000000000000000000000000..2bafe8fda0cc43426e7f1bb2c20d1df8a870733c
--- /dev/null
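Review bot: The added `qctx->rpz_st != NULL` guard in query_nxdomain silently changes behaviour for the case the commit message says cannot occur today (nxrewrite set while rpz_st is NULL): the SOA is now skipped instead of the dereference faulting, so a future caller that reaches it would get a subtly wrong response with no diagnostic. Since the commit message already documents that rpz_st is expected to be non-NULL whenever nxrewrite is set, record that at the check, e.g. `/* nxrewrite implies rpz_st != NULL; the NULL test only satisfies static analysis */`, or make it an INSIST if the invariant is meant to be enforced. query_nxdomain's body starts and ends outside the hunk.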
+++ b/backport-Don-t-allow-DNSSEC-records-in-the-raw-zone.patch 
@@ -0,0 +1,67 @@ +From 949768b252f3cb8a64425f15c9819b24202bb553 Mon Sep 17 00:00:00 2001 +From: Matthijs Mekking +Date: Mon, 10 Oct 2022 14:14:43 +0200 +Subject: [PATCH] Don't allow DNSSEC records in the raw zone + +There was an exception for dnssec-policy that allowed DNSSEC in the +unsigned version of the zone. This however causes a crash if the +zone switches from dynamic to inline-signing in the case of NSEC3, +because we are now trying to add an NSEC3 record to a non-NSEC3 node. +This is because BIND expects none of the records in the unsigned +version of the zone to be NSEC3. + +Remove the exception for dnssec-policy when copying non DNSSEC +records, but do allow for DNSKEY as this may be a published DNSKEY +from a different provider. + +(cherry picked from commit 332b98ae49948e26a90f1d6e0a625f6eec568777) +--- + lib/dns/zone.c | 19 ++++++------------- + 1 file changed, 6 insertions(+), 13 deletions(-) + +diff --git a/lib/dns/zone.c b/lib/dns/zone.c +index 9a248ff318..e6c6bd01ca 100644 +--- a/lib/dns/zone.c ++++ b/lib/dns/zone.c +@@ -16969,9 +16969,8 @@ restore_nsec3param(dns_zone_t *zone, dns_db_t *db, dns_dbversion_t *version, + } + + static isc_result_t +-copy_non_dnssec_records(dns_zone_t *zone, dns_db_t *db, dns_db_t *version, +- dns_db_t *rawdb, dns_dbiterator_t *dbiterator, +- unsigned int *oldserial) { ++copy_non_dnssec_records(dns_db_t *db, dns_db_t *version, dns_db_t *rawdb, ++ dns_dbiterator_t *dbiterator, unsigned int *oldserial) { + dns_dbnode_t *rawnode = NULL, *node = NULL; + dns_fixedname_t fixed; + dns_name_t *name = dns_fixedname_initname(&fixed); +@@ -17008,14 +17007,8 @@ copy_non_dnssec_records(dns_zone_t *zone, dns_db_t *db, dns_db_t *version, + rdataset.type == dns_rdatatype_dnskey || + rdataset.type == dns_rdatatype_nsec3param) + { +- /* +- * Allow DNSSEC records with dnssec-policy. +- * WMM: Perhaps add config option for it. 
+- */ +- if (dns_zone_getkasp(zone) == NULL) { +- dns_rdataset_disassociate(&rdataset); +- continue; +- } ++ dns_rdataset_disassociate(&rdataset); ++ continue; + } + if (rdataset.type == dns_rdatatype_soa && oldserial != NULL) { + result = checkandaddsoa(db, node, version, &rdataset, +@@ -17118,8 +17111,8 @@ receive_secure_db(isc_task_t *task, isc_event_t *event) { + for (result = dns_dbiterator_first(dbiterator); result == ISC_R_SUCCESS; + result = dns_dbiterator_next(dbiterator)) + { +- result = copy_non_dnssec_records(zone, db, version, rawdb, +- dbiterator, oldserialp); ++ result = copy_non_dnssec_records(db, version, rawdb, dbiterator, ++ oldserialp); + if (result != ISC_R_SUCCESS) { + goto failure; + } +-- +2.23.0 \ No newline at end of file diff --git a/backport-Fix-a-logical-bug-in-cfg_print_duration.patch b/backport-Fix-a-logical-bug-in-cfg_print_duration.patch new file mode 100644 index 0000000000000000000000000000000000000000..6b0f7d6c22f8bc49a5da1dd3d37c16b168d6b42c --- /dev/null +++ b/backport-Fix-a-logical-bug-in-cfg_print_duration.patch 
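Review bot: The commit message says DNSKEY is still allowed ("do allow for DNSKEY as this may be a published DNSKEY from a different provider"), but the unchanged context line `rdataset.type == dns_rdatatype_dnskey ||` keeps DNSKEY in the type set that the new `dns_rdataset_disassociate(&rdataset); continue;` now skips unconditionally, so either the description or the backport is incomplete. Compare against the upstream commit named in the cherry-pick line before merging; if DNSKEY is meant to be copied into the signed view, the dnskey term has to come out of the condition. The signature change also drops the `zone` parameter of copy_non_dnssec_records; the only caller shown (receive_secure_db) is updated, and any other caller outside these hunks would fail to compile. copy_non_dnssec_records's body continues outside the inner hunks.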
@@ -0,0 +1,70 @@ +From f458f6496de4dce06b1f9682537855800eda9675 Mon Sep 17 00:00:00 2001 +From: Aram Sargsyan +Date: Mon, 17 Oct 2022 08:45:09 +0000 +Subject: [PATCH] Fix a logical bug in cfg_print_duration() + +The cfg_print_duration() function prints a ISO 8601 duration value +converted from an array of integers, where the parts of the date and +time are stored. + +durationlen[6], which holds the "seconds" part of the duration, has +a special case in cfg_print_duration() to ensure that when there are +no values in the duration, the result still can be printed as "PT0S", +instead of just "P", so it can be a valid ISO 8601 duration value. + +There is a logical error in one of the two special case code paths, +when it checks that no value from the "date" part is defined, and no +"hour" or "minute" from the "time" part are defined. + +Because of the error, durationlen[6] can be used uninitialized, in +which case the second parameter passed to snprintf() (which is the +maximum allowed length) can contain a garbage value. + +This can not be exploited because the buffer is still big enough to +hold the maximum possible amount of characters generated by the "%u%c" +format string. + +Fix the logical bug, and initialize the 'durationlen' array to zeros +to be a little safer from other similar errors. + +(cherry picked from commit 94409101870b689f77452b6324968687d9f3c72f) +--- + lib/isccfg/parser.c | 8 +++----- + 1 file changed, 3 insertions(+), 5 deletions(-) + +diff --git a/lib/isccfg/parser.c b/lib/isccfg/parser.c +index b2a4a0ee979..42056c974e8 100644 +--- a/lib/isccfg/parser.c ++++ b/lib/isccfg/parser.c +@@ -1041,7 +1041,7 @@ cfg_print_duration(cfg_printer_t *pctx, const cfg_obj_t *obj) { + char *str; + const char *indicators = "YMWDHMS"; + int count, i; +- int durationlen[7]; ++ int durationlen[7] = { 0 }; + cfg_duration_t duration; + /* + * D ? The duration has a date part. 
+@@ -1073,10 +1073,8 @@ cfg_print_duration(cfg_printer_t *pctx, const cfg_obj_t *obj) { + } else { + T = true; + } +- } else { +- durationlen[i] = 0; ++ count += durationlen[i]; + } +- count += durationlen[i]; + } + /* + * Special case for seconds which is not taken into account in the +@@ -1114,7 +1112,7 @@ cfg_print_duration(cfg_printer_t *pctx, const cfg_obj_t *obj) { + } + /* Special case for seconds. */ + if (duration.parts[6] > 0 || +- (!D && !duration.parts[4] && !duration.parts[3])) { ++ (!D && !duration.parts[4] && !duration.parts[5])) { + snprintf(str, durationlen[6] + 2, "%u%c", + (uint32_t)duration.parts[6], indicators[6]); + } +-- +2.23.0 \ No newline at end of file diff --git a/backport-Fix-logging-a-uint32_t-SOA-serial-value-in-dns_catz_update_from_db.patch b/backport-Fix-logging-a-uint32_t-SOA-serial-value-in-dns_catz_update_from_db.patch new file mode 100644 index 0000000000000000000000000000000000000000..16ba0eb53b7d1c24aadafc8518f3d6175bece17a --- /dev/null +++ b/backport-Fix-logging-a-uint32_t-SOA-serial-value-in-dns_catz_update_from_db.patch 
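Review bot: The corrected condition `(!D && !duration.parts[4] && !duration.parts[5])` in cfg_print_duration is, per the commit message, the same "no date part, no hours, no minutes" test used by a second special-case path, and this bug was exactly the two copies drifting apart; computing it once, e.g. `bool only_seconds = (!D && duration.parts[4] == 0 && duration.parts[5] == 0);` before both uses, would prevent a recurrence if the first path (outside this hunk) tests the same thing. The `{ 0 }` initializer of durationlen is the right belt-and-braces change now that the else-branch assignment is gone, since the size passed to snprintf is derived from it. cfg_print_duration starts and ends outside the inner hunks.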
@@ -0,0 +1,34 @@
+From a634488a24f9be05d50a4a67f0d2bf4182161697 Mon Sep 17 00:00:00 2001
+From: Aram Sargsyan
+Date: Wed, 14 Dec 2022 14:40:31 +0000
+Subject: [PATCH] Fix logging a uint32_t SOA serial value in
+ dns_catz_update_from_db()
+
+The dns_catz_update_from_db() function prints serial number as a signed
+number (with "%d" in the format string), but the `vers` variable's type
+is 'uint32_t'. This breaks serials bigger than 2^31.
+
+Use PRIu32 instead of "d" in the format string.
+
+(cherry picked from commit 72b1760ea6cd415efe9868aad97c982fea8b0a42)
+---
+ lib/dns/catz.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/lib/dns/catz.c b/lib/dns/catz.c
+index 49ad9bf37b..8a552d1259 100644
+--- a/lib/dns/catz.c
++++ b/lib/dns/catz.c
+@@ -1874,8 +1874,8 @@ dns_catz_update_from_db(dns_db_t *db, dns_catz_zones_t *catzs) {
+
+ isc_log_write(dns_lctx, DNS_LOGCATEGORY_GENERAL, DNS_LOGMODULE_MASTER,
+ ISC_LOG_INFO,
+- "catz: updating catalog zone '%s' with serial %d", bname,
+- vers);
++ "catz: updating catalog zone '%s' with serial %" PRIu32,
++ bname, vers);
+
+ result = dns_catz_new_zone(catzs, &newzone, &db->origin);
+ if (result != ISC_R_SUCCESS) {
+--
+2.23.0
\ No newline at end of file
diff --git a/backport-Propagate-the-shutdown-event-to-the-recursing-ns_client-s.patch b/backport-Propagate-the-shutdown-event-to-the-recursing-ns_client-s.patch
new file mode 100644
index 0000000000000000000000000000000000000000..6202e1afdee0c2db2fc4af841529e2708e4c9e0f
--- /dev/null
+++ b/backport-Propagate-the-shutdown-event-to-the-recursing-ns_client-s.patch
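Review bot: `"... serial %" PRIu32` in dns_catz_update_from_db needs `<inttypes.h>` to be visible in lib/dns/catz.c, and the inner hunk shows no include change; if the header is not already pulled in directly or indirectly, the build fails at this line. Confirm the include is present, otherwise add `#include <inttypes.h>` next to the existing system includes. The function's body starts and ends outside the hunk.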
@@ -0,0 +1,99 @@ +From 72724b258c1c86c638630559d7142723d595d69d Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Ond=C5=99ej=20Sur=C3=BD?= +Date: Thu, 3 Nov 2022 17:42:12 +0100 +Subject: [PATCH] Propagate the shutdown event to the recursing ns_client(s) + +Send the ns_query_cancel() on the recursing clients when we initiate the +named shutdown for faster shutdown. + +When we are shutting down the resolver, we cancel all the outstanding +fetches, and the ISC_R_CANCEL events doesn't propagate to the ns_client +callback. + +In the future, the better solution how to fix this would be to look at +the shutdown paths and let them all propagate from bottom (loopmgr) to +top (f.e. ns_client). + +(cherry picked from commit d861d403bb9a7912e29a06aba6caf6d502839f1b) +--- + lib/ns/client.c | 13 +++++++++++++ + lib/ns/include/ns/client.h | 10 ++++++++-- + lib/ns/interfacemgr.c | 1 + + lib/ns/win32/libns.def | 1 + + 4 files changed, 23 insertions(+), 2 deletions(-) + +diff --git a/lib/ns/client.c b/lib/ns/client.c +index 6bd5ddfdefb..d4ce000be87 100644 +--- a/lib/ns/client.c ++++ b/lib/ns/client.c +@@ -2518,6 +2518,19 @@ cleanup_reclock: + return (result); + } + ++void ++ns_clientmgr_shutdown(ns_clientmgr_t *manager) { ++ REQUIRE(VALID_MANAGER(manager)); ++ ++ LOCK(&manager->reclock); ++ for (ns_client_t *client = ISC_LIST_HEAD(manager->recursing); ++ client != NULL; client = ISC_LIST_NEXT(client, rlink)) ++ { ++ ns_query_cancel(client); ++ } ++ UNLOCK(&manager->reclock); ++} ++ + void + ns_clientmgr_destroy(ns_clientmgr_t **managerp) { + isc_result_t result; +diff --git a/lib/ns/include/ns/client.h b/lib/ns/include/ns/client.h +index 9d152c6bbe8..d1e2fde4073 100644 +--- a/lib/ns/include/ns/client.h ++++ b/lib/ns/include/ns/client.h +@@ -354,12 +354,18 @@ ns_clientmgr_create(isc_mem_t *mctx, ns_server_t *sctx, isc_taskmgr_t *taskmgr, + */ + + void +-ns_clientmgr_destroy(ns_clientmgr_t **managerp); ++ns_clientmgr_shutdown(ns_clientmgr_t *manager); + /*%< +- * Destroy a client manager and 
all ns_client_t objects ++ * Shutdown a client manager and all ns_client_t objects + * managed by it. + */ + ++void ++ns_clientmgr_destroy(ns_clientmgr_t **managerp); ++/*%< ++ * Destroy a client manager. ++ */ ++ + isc_sockaddr_t * + ns_client_getsockaddr(ns_client_t *client); + /*%< +diff --git a/lib/ns/interfacemgr.c b/lib/ns/interfacemgr.c +index 687359058b0..216e274a54e 100644 +--- a/lib/ns/interfacemgr.c ++++ b/lib/ns/interfacemgr.c +@@ -574,6 +574,7 @@ ns_interface_shutdown(ns_interface_t *ifp) { + isc_nmsocket_close(&ifp->tcplistensocket); + } + if (ifp->clientmgr != NULL) { ++ ns_clientmgr_shutdown(ifp->clientmgr); + ns_clientmgr_destroy(&ifp->clientmgr); + } + } +diff --git a/lib/ns/win32/libns.def b/lib/ns/win32/libns.def +index eadd940a9ce..50edf86730b 100644 +--- a/lib/ns/win32/libns.def ++++ b/lib/ns/win32/libns.def +@@ -42,6 +42,7 @@ ns_client_shuttingdown + ns_client_sourceip + ns_clientmgr_create + ns_clientmgr_destroy ++ns_clientmgr_shutdown + ns_hook_add + ns_hooktable_create + ns_hooktable_free +-- +2.23.0 \ No newline at end of file diff --git a/backport-Release-unused-key-file-IO-lock-objects.patch b/backport-Release-unused-key-file-IO-lock-objects.patch new file mode 100644 index 0000000000000000000000000000000000000000..1b0a076ba7efb413fe47357208bcdb87e3152677 --- /dev/null +++ b/backport-Release-unused-key-file-IO-lock-objects.patch 
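Review bot: ns_clientmgr_shutdown walks `manager->recursing` with `ISC_LIST_NEXT(client, rlink)` while holding `manager->reclock` and calls `ns_query_cancel(client)` on each element; that is only safe if ns_query_cancel never unlinks the client from `recursing` synchronously, since an inline unlink would either leave the iterator dangling or, if it re-takes reclock, deadlock. Nothing in the hunk shows which it is, so state the assumption next to the loop, e.g. `/* ns_query_cancel() must not unlink from 'recursing' inline: reclock is held and the list is being walked */`, and if cancellation can complete inline, read the next pointer before the call. The new header text "Shutdown a client manager and all ns_client_t objects managed by it" also overstates what the function does: it cancels the recursing queries, and destruction stays in ns_clientmgr_destroy, which the comment should say.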
@@ -0,0 +1,31 @@
+From 98fca774b62f35b0618c01430e424ca43c492e34 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Ond=C5=99ej=20Sur=C3=BD?=
+Date: Wed, 7 Dec 2022 16:45:33 +0100
+Subject: [PATCH] Release unused key file IO lock objects
+
+Due to off-by-one error in zonemgr_keymgmt_delete, unused key file IO
+lock objects were never freed and they were kept until the server
+shutdown. Adjust the returned value by -1 to accomodate the fact that
+the atomic_fetch_*() functions return the value before the operation and
+not current value after the operation.
+
+(cherry picked from commit fb1acd6736609360f79a498d44dffcceb8ca0f54)
+---
+ lib/dns/zone.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/lib/dns/zone.c b/lib/dns/zone.c
+index 2456cd23be..22ffc73b63 100644
+--- a/lib/dns/zone.c
++++ b/lib/dns/zone.c
+@@ -18656,7 +18656,7 @@ zonemgr_keymgmt_delete(dns_zonemgr_t *zmgr, dns_zone_t *zone) {
+ if (dns_name_equal(kfio->name, &zone->origin)) {
+ unsigned int count;
+
+- count = atomic_fetch_sub_relaxed(&kfio->count, 1);
++ count = atomic_fetch_sub_relaxed(&kfio->count, 1) - 1;
+ if (count > 0) {
+ /* Keep the entry. */
+ break;
+--
+2.23.0
\ No newline at end of file
diff --git a/backport-Select-the-appropriate-namespace-when-using-a-dual-stack-server.patch b/backport-Select-the-appropriate-namespace-when-using-a-dual-stack-server.patch
new file mode 100644
index 0000000000000000000000000000000000000000..6e50fc3ff6f97eda7860230b458f94d4e2f94b68
--- /dev/null
+++ b/backport-Select-the-appropriate-namespace-when-using-a-dual-stack-server.patch
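Review bot: With `count = atomic_fetch_sub_relaxed(&kfio->count, 1) - 1;` in zonemgr_keymgmt_delete, a count that was already 0 (a refcount imbalance elsewhere) wraps the unsigned result to UINT_MAX and takes the "Keep the entry" branch, so the underflow is masked rather than reported. Testing the pre-decrement value makes both cases explicit: `unsigned int prev = atomic_fetch_sub_relaxed(&kfio->count, 1); INSIST(prev > 0); if (prev > 1) { /* Keep the entry. */ break; }`. The enclosing loop and function start and end outside the hunk.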
@@ -0,0 +1,87 @@ +From 3952f01cad20c5468a9f0aef818ee79b57aeb260 Mon Sep 17 00:00:00 2001 +From: Mark Andrews +Date: Tue, 18 Oct 2022 10:02:08 +1100 +Subject: [PATCH] Select the appropriate namespace when using a dual stack + server + +When using dual-stack-servers the covering namespace to check whether +answers are in scope or not should be fctx->domain. To do this we need +to be able to distingish forwarding due to forwarders clauses and +dual-stack-servers. A new flag FCTX_ADDRINFO_DUALSTACK has been added +to signal this. + +(cherry picked from commit dfbffd77f9fac6397f5223e0fc3b3de28de68b5f) +--- + lib/dns/resolver.c | 16 +++++++++++++--- + 1 file changed, 13 insertions(+), 3 deletions(-) + +diff --git a/lib/dns/resolver.c b/lib/dns/resolver.c +index 9a25a4cda7..41d79e9d46 100644 +--- a/lib/dns/resolver.c ++++ b/lib/dns/resolver.c +@@ -320,6 +320,11 @@ struct fetchctx { + ISC_LIST(resquery_t) queries; + dns_adbfindlist_t finds; + dns_adbfind_t *find; ++ /* ++ * altfinds are names and/or addresses of dual stack servers that ++ * should be used when iterative resolution to a server is not ++ * possible because the address family of that server is not usable. 
++ */ + dns_adbfindlist_t altfinds; + dns_adbfind_t *altfind; + dns_adbaddrinfolist_t forwaddrs; +@@ -588,12 +593,14 @@ struct dns_resolver { + #define FCTX_ADDRINFO_EDNSOK 0x04000 + #define FCTX_ADDRINFO_NOCOOKIE 0x08000 + #define FCTX_ADDRINFO_BADCOOKIE 0x10000 ++#define FCTX_ADDRINFO_DUALSTACK 0x20000 + + #define UNMARKED(a) (((a)->flags & FCTX_ADDRINFO_MARK) == 0) + #define ISFORWARDER(a) (((a)->flags & FCTX_ADDRINFO_FORWARDER) != 0) + #define NOCOOKIE(a) (((a)->flags & FCTX_ADDRINFO_NOCOOKIE) != 0) + #define EDNSOK(a) (((a)->flags & FCTX_ADDRINFO_EDNSOK) != 0) + #define BADCOOKIE(a) (((a)->flags & FCTX_ADDRINFO_BADCOOKIE) != 0) ++#define ISDUALSTACK(a) (((a)->flags & FCTX_ADDRINFO_DUALSTACK) != 0) + + #define NXDOMAIN(r) (((r)->attributes & DNS_RDATASETATTR_NXDOMAIN) != 0) + #define NEGATIVE(r) (((r)->attributes & DNS_RDATASETATTR_NEGATIVE) != 0) +@@ -3639,7 +3646,7 @@ findname(fetchctx_t *fctx, const dns_name_t *name, in_port_t port, + } + } + } +- if ((flags & FCTX_ADDRINFO_FORWARDER) != 0) { ++ if ((flags & FCTX_ADDRINFO_DUALSTACK) != 0) { + ISC_LIST_APPEND(fctx->altfinds, find, publink); + } else { + ISC_LIST_APPEND(fctx->finds, find, publink); +@@ -3938,7 +3945,7 @@ normal_nses: + a = ISC_LIST_NEXT(a, link)) { + if (!a->isaddress) { + findname(fctx, &a->_u._n.name, a->_u._n.port, +- stdoptions, FCTX_ADDRINFO_FORWARDER, ++ stdoptions, FCTX_ADDRINFO_DUALSTACK, + now, NULL, NULL, NULL); + continue; + } +@@ -3951,6 +3958,7 @@ normal_nses: + if (result == ISC_R_SUCCESS) { + dns_adbaddrinfo_t *cur; + ai->flags |= FCTX_ADDRINFO_FORWARDER; ++ ai->flags |= FCTX_ADDRINFO_DUALSTACK; + cur = ISC_LIST_HEAD(fctx->altaddrs); + while (cur != NULL && cur->srtt < ai->srtt) { + cur = ISC_LIST_NEXT(cur, publink); +@@ -7117,7 +7125,9 @@ name_external(const dns_name_t *name, dns_rdatatype_t type, fetchctx_t *fctx) { + unsigned int labels; + dns_namereln_t rel; + +- apex = ISFORWARDER(fctx->addrinfo) ? 
fctx->fwdname : &fctx->domain; ++ apex = (ISDUALSTACK(fctx->addrinfo) || !ISFORWARDER(fctx->addrinfo)) ++ ? &fctx->domain ++ : fctx->fwdname; + + /* + * The name is outside the queried namespace. +-- +2.23.0 \ No newline at end of file diff --git a/backport-Suppress-duplicate-dns_db_updatenotify_register-registrations.patch b/backport-Suppress-duplicate-dns_db_updatenotify_register-registrations.patch new file mode 100644 index 0000000000000000000000000000000000000000..61bf78b5032fc74aff7dc441ccce7d0ce79168cf --- /dev/null +++ b/backport-Suppress-duplicate-dns_db_updatenotify_register-registrations.patch 
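Review bot: The two dual-stack paths now mark addrinfo differently: the address branch sets `FCTX_ADDRINFO_FORWARDER` and then `FCTX_ADDRINFO_DUALSTACK`, while the findname call for name-based dual-stack servers now passes only `FCTX_ADDRINFO_DUALSTACK` where it previously passed `FCTX_ADDRINFO_FORWARDER`. name_external copes because of the new `ISDUALSTACK || !ISFORWARDER` test, but any other ISFORWARDER consumer would now treat the two kinds of dual-stack server differently; unless that is intended, pass `FCTX_ADDRINFO_FORWARDER | FCTX_ADDRINFO_DUALSTACK` to findname and fold the two `ai->flags |=` lines into one. A short comment on the new flag saying it is set in addition to FORWARDER would also help, since the comment added above altfinds does not mention it. All affected functions extend outside the inner hunks.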
@@ -0,0 +1,81 @@ +From ffeda92cd85461dad3bea74dd4892ef990fec4c9 Mon Sep 17 00:00:00 2001 +From: Mark Andrews +Date: Wed, 30 Nov 2022 18:40:27 +1100 +Subject: [PATCH] Suppress duplicate dns_db_updatenotify_register registrations + +Duplicate dns_db_updatenotify_register registrations need to be +suppressed to ensure that dns_db_updatenotify_unregister is successful. + +(cherry picked from commit f13e71e55167bf9c94f4faf1dab110467158e7b4) +--- + lib/dns/catz.c | 6 +++--- + lib/dns/db.c | 12 +++++++++++- + lib/dns/include/dns/db.h | 2 +- + 3 files changed, 15 insertions(+), 5 deletions(-) + +diff --git a/lib/dns/catz.c b/lib/dns/catz.c +index 487d20833e1..332f9877360 100644 +--- a/lib/dns/catz.c ++++ b/lib/dns/catz.c +@@ -810,9 +810,9 @@ dns_catz_zone_detach(dns_catz_zone_t **zonep) { + zone->magic = 0; + isc_timer_detach(&zone->updatetimer); + if (zone->db_registered) { +- INSIST(dns_db_updatenotify_unregister( +- zone->db, dns_catz_dbupdate_callback, +- zone->catzs) == ISC_R_SUCCESS); ++ dns_db_updatenotify_unregister( ++ zone->db, dns_catz_dbupdate_callback, ++ zone->catzs); + } + if (zone->dbversion) { + dns_db_closeversion(zone->db, &zone->dbversion, false); +diff --git a/lib/dns/db.c b/lib/dns/db.c +index c5de3d9e0b0..04cf6560fea 100644 +--- a/lib/dns/db.c ++++ b/lib/dns/db.c +@@ -1013,7 +1013,7 @@ dns_db_rpz_ready(dns_db_t *db) { + return ((db->methods->rpz_ready)(db)); + } + +-/** ++/* + * Attach a notify-on-update function the database + */ + isc_result_t +@@ -1024,6 +1024,16 @@ dns_db_updatenotify_register(dns_db_t *db, dns_dbupdate_callback_t fn, + REQUIRE(db != NULL); + REQUIRE(fn != NULL); + ++ for (listener = ISC_LIST_HEAD(db->update_listeners); listener != NULL; ++ listener = ISC_LIST_NEXT(listener, link)) ++ { ++ if ((listener->onupdate == fn) && ++ (listener->onupdate_arg == fn_arg)) ++ { ++ return (ISC_R_SUCCESS); ++ } ++ } ++ + listener = isc_mem_get(db->mctx, sizeof(dns_dbonupdatelistener_t)); + + listener->onupdate = fn; +diff --git 
a/lib/dns/include/dns/db.h b/lib/dns/include/dns/db.h +index f14d9f6c529..08bdc80e4ee 100644 +--- a/lib/dns/include/dns/db.h ++++ b/lib/dns/include/dns/db.h +@@ -1673,11 +1673,11 @@ dns_db_updatenotify_register(dns_db_t *db, dns_dbupdate_callback_t fn, + void *fn_arg); + /*%< + * Register a notify-on-update callback function to a database. ++ * Duplicate callbacks are suppressed. + * + * Requires: + * + * \li 'db' is a valid database +- * \li 'db' does not have an update callback registered + * \li 'fn' is not NULL + * + */ +-- +2.23.0 \ No newline at end of file diff --git a/backport-ensure-RPZ-lookups-handle-CD-1-correctly.patch b/backport-ensure-RPZ-lookups-handle-CD-1-correctly.patch new file mode 100644 index 0000000000000000000000000000000000000000..b6270056175648398a8425d7c1458b220ac3580d --- /dev/null +++ b/backport-ensure-RPZ-lookups-handle-CD-1-correctly.patch 
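Review bot: The catz.c hunk in dns_catz_zone_detach drops the `INSIST(... == ISC_R_SUCCESS)` around dns_db_updatenotify_unregister and now discards the result entirely; given the stated aim is to make unregistration succeed, a failure there is exactly the condition worth noticing, so at least keep `result = dns_db_updatenotify_unregister(zone->db, dns_catz_dbupdate_callback, zone->catzs);` and log a non-success result at debug level. The duplicate scan added to dns_db_updatenotify_register walks db->update_listeners with no lock visible in the hunk, so it relies on callers serialising register and unregister; the db.h comment now says "Duplicate callbacks are suppressed" but should also state that a duplicate returns ISC_R_SUCCESS without registering, and which lock, if any, protects the list. Both functions extend outside the inner hunks.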
@@ -0,0 +1,62 @@
+From 8e4a1f3483bedf262504583605ec07205bd17c2a Mon Sep 17 00:00:00 2001
+From: Evan Hunt
+Date: Tue, 18 Oct 2022 13:48:52 -0700
+Subject: [PATCH] ensure RPZ lookups handle CD=1 correctly
+
+RPZ rewrites called dns_db_findext() without passing through the
+client database options; as as result, if the client set CD=1,
+DNS_DBFIND_PENDINGOK was not used as it should have been, and
+cache lookups failed, resulting in failure of the rewrite.
+
+(cherry picked from commit 305a50dbe12a43b0ee429c2e9bee04f35a8047c4)
+---
+ lib/ns/query.c | 11 ++++++-----
+ 1 file changed, 6 insertions(+), 5 deletions(-)
+
+diff --git a/lib/ns/query.c b/lib/ns/query.c
+index 43a0293d5d..baa28b5233 100644
+--- a/lib/ns/query.c
++++ b/lib/ns/query.c
+@@ -3585,7 +3585,7 @@ rpz_rewrite_ip_rrset(ns_client_t *client, dns_name_t *name,
+ struct in_addr ina;
+ struct in6_addr in6a;
+ isc_result_t result;
+- unsigned int options = DNS_DBFIND_GLUEOK;
++ unsigned int options = client->query.dboptions | DNS_DBFIND_GLUEOK;
+ bool done = false;
+
+ CTRACE(ISC_LOG_DEBUG(3), "rpz_rewrite_ip_rrset");
+@@ -3646,8 +3646,9 @@ rpz_rewrite_ip_rrset(ns_client_t *client, dns_name_t *name,
+ * otherwise we are done.
+ */
+ if (result == DNS_R_GLUE) {
+- options = 0;
++ options = client->query.dboptions;
+ } else {
++ options = client->query.dboptions | DNS_DBFIND_GLUEOK;
+ done = true;
+ }
+
+@@ -4207,7 +4208,7 @@ rpz_rewrite(ns_client_t *client, dns_rdatatype_t qtype, isc_result_t qresult,
+
+ dns_fixedname_init(&nsnamef);
+ dns_name_clone(client->query.qname, dns_fixedname_name(&nsnamef));
+- options = DNS_DBFIND_GLUEOK;
++ options = client->query.dboptions | DNS_DBFIND_GLUEOK;
+ while (st->r.label > st->popt.min_ns_labels) {
+ bool was_glue = false;
+ /*
+@@ -4333,9 +4334,9 @@ rpz_rewrite(ns_client_t *client, dns_rdatatype_t qtype, isc_result_t qresult,
+ * glue responses, otherwise setup for the next name.
+ */
+ if (was_glue) {
+- options = 0;
++ options = client->query.dboptions;
+ } else {
+- options = DNS_DBFIND_GLUEOK;
++ options = client->query.dboptions | DNS_DBFIND_GLUEOK;
+ st->r.label--;
+ }
+
+--
+2.23.0
\ No newline at end of file
diff --git a/bind.spec b/bind.spec
index 21846cfb8268a80e01657f631e4c590d96ae83b8..62b16109a580db28edba64474b0f1e0f675b15f9 100644
--- a/bind.spec
+++ b/bind.spec
@@ -30,7 +30,7 @@ Summary: The Berkeley Internet Name Domain (BIND) DNS (Domain Name System) serv
 Name: bind
 License: MPLv2.0
 Version: 9.16.23
-Release: 15
+Release: 16
 Epoch: 32
 Url: https://www.isc.org/downloads/bind/
 #
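Review bot: `client->query.dboptions | DNS_DBFIND_GLUEOK` is now spelled out at four sites across rpz_rewrite_ip_rrset and rpz_rewrite, and `client->query.dboptions` alone at two more; a per-function local, e.g. `const unsigned int dbopts = client->query.dboptions;`, would reduce the glue toggles to `options = dbopts | DNS_DBFIND_GLUEOK;` and `options = dbopts;` and make the pass-through intent visible. Behaviourally, carrying dboptions into the policy lookups means a CD=1 query also lets the RPZ lookups accept pending, not-yet-validated cache data via DNS_DBFIND_PENDINGOK, which is the fix the commit describes but is easy to misread as accidental, so a one-line comment at the first site stating that is worthwhile. Both functions start and end outside the inner hunks.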
@@ -173,13 +173,24 @@ Patch6004:backport-CVE-2022-38177.patch Patch6005:backport-CVE-2022-38178.patch Patch6006:backport-CVE-2022-2906.patch Patch6007:backport-CVE-2022-2881.patch - Patch6096:backport-CVE-2022-3736.patch Patch6097:backport-CVE-2022-3924.patch Patch6098:backport-CVE-2022-3094-add-an-update-quota.patch Patch6099:backport-CVE-2022-3094-add-a-configuration-option-for-the-update-quota.patch Patch6100:backport-CVE-2022-3094-move-update-ACL-and-update-policy-checks-before-quota.patch +Patch6101:backport-Fix-a-logical-bug-in-cfg_print_duration.patch +Patch6102:backport-ensure-RPZ-lookups-handle-CD-1-correctly.patch +Patch6103:backport-Don-t-allow-DNSSEC-records-in-the-raw-zone.patch +Patch6104:backport-Select-the-appropriate-namespace-when-using-a-dual-stack-server.patch +Patch6105:backport-Check-for-NULL-before-dereferencing-qctx-rpz_st.patch +Patch6106:backport-Suppress-duplicate-dns_db_updatenotify_register-registrations.patch +Patch6107:backport-Call-dns_db_updatenotify_unregister-earlier.patch +Patch6108:backport-Add-missing-DbC-magic-checks.patch +Patch6109:backport-Propagate-the-shutdown-event-to-the-recursing-ns_client-s.patch +Patch6110:backport-Release-unused-key-file-IO-lock-objects.patch +Patch6111:backport-Fix-logging-a-uint32_t-SOA-serial-value-in-dns_catz_update_from_db.patch + Patch9000:bugfix-limit-numbers-of-test-threads.patch %{?systemd_ordering} @@ -1188,6 +1199,12 @@ fi; %endif %changelog +* Sat Feb 25 2023 zhanghao - 32:9.16.23-16 +- Type:bugfix +- CVE:NA +- SUG:NA +- DESC: backport some patches from community + * Thu Feb 09 2023 zhanghao - 32:9.16.23-15 - Type:bugfix - CVE:NA