|
| 1 | +From d74dde3a74fce30842606ab49ac425635a2849a7 Mon Sep 17 00:00:00 2001 |
| 2 | +From: archana25-ms < [email protected]> |
| 3 | +Date: Wed, 25 Jun 2025 08:27:04 +0000 |
| 4 | +Subject: [PATCH] Address CVE-2024-11187 |
| 5 | +Upstream Patch Reference: https://downloads.isc.org/isc/bind9/9.20.5/patches/0001-CVE-2024-11187.patch |
| 6 | + |
| 7 | +--- |
| 8 | + bin/tests/system/additional/tests.sh | 2 +- |
| 9 | + bin/tests/system/resolver/ns4/named.noaa | 12 ------------ |
| 10 | + bin/tests/system/resolver/tests.sh | 8 ++++++++ |
| 11 | + lib/dns/include/dns/rdataset.h | 10 +++++++++- |
| 12 | + lib/dns/rbtdb.c | 2 +- |
| 13 | + lib/dns/rdataset.c | 8 +++++++- |
| 14 | + lib/dns/resolver.c | 16 ++++++++++------ |
| 15 | + lib/ns/query.c | 12 +++++++++--- |
| 16 | + 8 files changed, 45 insertions(+), 25 deletions(-) |
| 17 | + delete mode 100644 bin/tests/system/resolver/ns4/named.noaa |
| 18 | + |
| 19 | +diff --git a/bin/tests/system/additional/tests.sh b/bin/tests/system/additional/tests.sh |
| 20 | +index 3701790..bf7b082 100644 |
| 21 | +--- a/bin/tests/system/additional/tests.sh |
| 22 | ++++ b/bin/tests/system/additional/tests.sh |
| 23 | +@@ -278,7 +278,7 @@ n=$(expr $n + 1) |
| 24 | + echo_i "testing with 'minimal-any no;' ($n)" |
| 25 | + ret=0 |
| 26 | + $DIG $DIGOPTS -t ANY www.rt.example @10.53.0.1 >dig.out.$n || ret=1 |
| 27 | +-grep "ANSWER: 3, AUTHORITY: 2, ADDITIONAL: 2" dig.out.$n >/dev/null || ret=1 |
| 28 | ++grep "ANSWER: 3, AUTHORITY: 2, ADDITIONAL: 1" dig.out.$n >/dev/null || ret=1 |
| 29 | + if [ $ret -eq 1 ]; then |
| 30 | + echo_i "failed" |
| 31 | + status=$((status + 1)) |
| 32 | +diff --git a/bin/tests/system/resolver/ns4/named.noaa b/bin/tests/system/resolver/ns4/named.noaa |
| 33 | +deleted file mode 100644 |
| 34 | +index be78cc2..0000000 |
| 35 | +--- a/bin/tests/system/resolver/ns4/named.noaa |
| 36 | ++++ /dev/null |
| 37 | +@@ -1,12 +0,0 @@ |
| 38 | +-Copyright (C) Internet Systems Consortium, Inc. ("ISC") |
| 39 | +- |
| 40 | +-SPDX-License-Identifier: MPL-2.0 |
| 41 | +- |
| 42 | +-This Source Code Form is subject to the terms of the Mozilla Public |
| 43 | +-License, v. 2.0. If a copy of the MPL was not distributed with this |
| 44 | +-file, you can obtain one at https://mozilla.org/MPL/2.0/. |
| 45 | +- |
| 46 | +-See the COPYRIGHT file distributed with this work for additional |
| 47 | +-information regarding copyright ownership. |
| 48 | +- |
| 49 | +-Add -T noaa. |
| 50 | +diff --git a/bin/tests/system/resolver/tests.sh b/bin/tests/system/resolver/tests.sh |
| 51 | +index 2e089fa..761a728 100755 |
| 52 | +--- a/bin/tests/system/resolver/tests.sh |
| 53 | ++++ b/bin/tests/system/resolver/tests.sh |
| 54 | +@@ -309,6 +309,10 @@ done |
| 55 | + if [ $ret != 0 ]; then echo_i "failed"; fi |
| 56 | + status=$((status + ret)) |
| 57 | + |
| 58 | ++stop_server ns4 |
| 59 | ++touch ns4/named.noaa |
| 60 | ++start_server --noclean --restart --port ${PORT} ns4 || ret=1 |
| 61 | ++ |
| 62 | + n=$((n + 1)) |
| 63 | + echo_i "RT21594 regression test check setup ($n)" |
| 64 | + ret=0 |
| 65 | +@@ -345,6 +349,10 @@ grep "status: NXDOMAIN" dig.ns5.out.${n} >/dev/null || ret=1 |
| 66 | + if [ $ret != 0 ]; then echo_i "failed"; fi |
| 67 | + status=$((status + ret)) |
| 68 | + |
| 69 | ++stop_server ns4 |
| 70 | ++rm ns4/named.noaa |
| 71 | ++start_server --noclean --restart --port ${PORT} ns4 || ret=1 |
| 72 | ++ |
| 73 | + n=$((n + 1)) |
| 74 | + echo_i "check that replacement of additional data by a negative cache no data entry clears the additional RRSIGs ($n)" |
| 75 | + ret=0 |
| 76 | +diff --git a/lib/dns/include/dns/rdataset.h b/lib/dns/include/dns/rdataset.h |
| 77 | +index de3f638..65d3f53 100644 |
| 78 | +--- a/lib/dns/include/dns/rdataset.h |
| 79 | ++++ b/lib/dns/include/dns/rdataset.h |
| 80 | +@@ -55,6 +55,8 @@ |
| 81 | + #include <dns/rdatastruct.h> |
| 82 | + #include <dns/types.h> |
| 83 | + |
| 84 | ++#define DNS_RDATASET_MAXADDITIONAL 13 |
| 85 | ++ |
| 86 | + ISC_LANG_BEGINDECLS |
| 87 | + |
| 88 | + typedef enum { |
| 89 | +@@ -446,7 +448,8 @@ dns_rdataset_towirepartial(dns_rdataset_t *rdataset, |
| 90 | + |
| 91 | + isc_result_t |
| 92 | + dns_rdataset_additionaldata(dns_rdataset_t *rdataset, |
| 93 | +- dns_additionaldatafunc_t add, void *arg); |
| 94 | ++ dns_additionaldatafunc_t add, void *arg, |
| 95 | ++ size_t limit); |
| 96 | + /*%< |
| 97 | + * For each rdata in rdataset, call 'add' for each name and type in the |
| 98 | + * rdata which is subject to additional section processing. |
| 99 | +@@ -465,10 +468,15 @@ dns_rdataset_additionaldata(dns_rdataset_t *rdataset, |
| 100 | + *\li If a call to dns_rdata_additionaldata() is not successful, the |
| 101 | + * result returned will be the result of dns_rdataset_additionaldata(). |
| 102 | + * |
| 103 | ++ *\li If 'limit' is non-zero and the number of the rdatasets is larger |
| 104 | ++ * than 'limit', no additional data will be processed. |
| 105 | ++ * |
| 106 | + * Returns: |
| 107 | + * |
| 108 | + *\li #ISC_R_SUCCESS |
| 109 | + * |
| 110 | ++ *\li #DNS_R_TOOMANYRECORDS in case rdataset count is larger than 'limit' |
| 111 | ++ * |
| 112 | + *\li Any error that dns_rdata_additionaldata() can return. |
| 113 | + */ |
| 114 | + |
| 115 | +diff --git a/lib/dns/rbtdb.c b/lib/dns/rbtdb.c |
| 116 | +index 9670671..fcccd58 100644 |
| 117 | +--- a/lib/dns/rbtdb.c |
| 118 | ++++ b/lib/dns/rbtdb.c |
| 119 | +@@ -10609,7 +10609,7 @@ no_glue: |
| 120 | + maybe_rehash_gluetable(rbtversion); |
| 121 | + idx = hash_32(hash, rbtversion->glue_table_bits); |
| 122 | + |
| 123 | +- (void)dns_rdataset_additionaldata(rdataset, glue_nsdname_cb, &ctx); |
| 124 | ++ (void)dns_rdataset_additionaldata(rdataset, glue_nsdname_cb, &ctx, 0); |
| 125 | + |
| 126 | + cur = isc_mem_get(rbtdb->common.mctx, sizeof(*cur)); |
| 127 | + |
| 128 | +diff --git a/lib/dns/rdataset.c b/lib/dns/rdataset.c |
| 129 | +index 221d7f8..160c549 100644 |
| 130 | +--- a/lib/dns/rdataset.c |
| 131 | ++++ b/lib/dns/rdataset.c |
| 132 | +@@ -29,6 +29,7 @@ |
| 133 | + #include <dns/ncache.h> |
| 134 | + #include <dns/rdata.h> |
| 135 | + #include <dns/rdataset.h> |
| 136 | ++#include <dns/result.h> |
| 137 | + |
| 138 | + static const char *trustnames[] = { |
| 139 | + "none", "pending-additional", |
| 140 | +@@ -578,7 +579,8 @@ dns_rdataset_towire(dns_rdataset_t *rdataset, const dns_name_t *owner_name, |
| 141 | + |
| 142 | + isc_result_t |
| 143 | + dns_rdataset_additionaldata(dns_rdataset_t *rdataset, |
| 144 | +- dns_additionaldatafunc_t add, void *arg) { |
| 145 | ++ dns_additionaldatafunc_t add, void *arg, |
| 146 | ++ size_t limit) { |
| 147 | + dns_rdata_t rdata = DNS_RDATA_INIT; |
| 148 | + isc_result_t result; |
| 149 | + |
| 150 | +@@ -590,6 +592,10 @@ dns_rdataset_additionaldata(dns_rdataset_t *rdataset, |
| 151 | + REQUIRE(DNS_RDATASET_VALID(rdataset)); |
| 152 | + REQUIRE((rdataset->attributes & DNS_RDATASETATTR_QUESTION) == 0); |
| 153 | + |
| 154 | ++ if (limit != 0 && dns_rdataset_count(rdataset) > limit) { |
| 155 | ++ return DNS_R_TOOMANYRECORDS; |
| 156 | ++ } |
| 157 | ++ |
| 158 | + result = dns_rdataset_first(rdataset); |
| 159 | + if (result != ISC_R_SUCCESS) { |
| 160 | + return (result); |
| 161 | +diff --git a/lib/dns/resolver.c b/lib/dns/resolver.c |
| 162 | +index 0952624..f0c60aa 100644 |
| 163 | +--- a/lib/dns/resolver.c |
| 164 | ++++ b/lib/dns/resolver.c |
| 165 | +@@ -9015,7 +9015,7 @@ rctx_answer_any(respctx_t *rctx) { |
| 166 | + rdataset->trust = rctx->trust; |
| 167 | + |
| 168 | + (void)dns_rdataset_additionaldata(rdataset, check_related, |
| 169 | +- rctx); |
| 170 | ++ rctx, 0); |
| 171 | + } |
| 172 | + |
| 173 | + return (ISC_R_SUCCESS); |
| 174 | +@@ -9062,7 +9062,7 @@ rctx_answer_match(respctx_t *rctx) { |
| 175 | + rctx->ardataset->attributes |= DNS_RDATASETATTR_ANSWER; |
| 176 | + rctx->ardataset->attributes |= DNS_RDATASETATTR_CACHE; |
| 177 | + rctx->ardataset->trust = rctx->trust; |
| 178 | +- (void)dns_rdataset_additionaldata(rctx->ardataset, check_related, rctx); |
| 179 | ++ (void)dns_rdataset_additionaldata(rctx->ardataset, check_related, rctx, 0); |
| 180 | + |
| 181 | + for (sigrdataset = ISC_LIST_HEAD(rctx->aname->list); |
| 182 | + sigrdataset != NULL; |
| 183 | +@@ -9268,7 +9268,7 @@ rctx_authority_positive(respctx_t *rctx) { |
| 184 | + * to this rdataset. |
| 185 | + */ |
| 186 | + (void)dns_rdataset_additionaldata( |
| 187 | +- rdataset, check_related, rctx); |
| 188 | ++ rdataset, check_related, rctx, 0); |
| 189 | + done = true; |
| 190 | + } |
| 191 | + } |
| 192 | +@@ -9775,8 +9775,12 @@ rctx_referral(respctx_t *rctx) { |
| 193 | + */ |
| 194 | + INSIST(rctx->ns_rdataset != NULL); |
| 195 | + FCTX_ATTR_SET(fctx, FCTX_ATTR_GLUING); |
| 196 | ++ |
| 197 | ++ /* |
| 198 | ++ * Mark the glue records in the additional section to be cached. |
| 199 | ++ */ |
| 200 | + (void)dns_rdataset_additionaldata(rctx->ns_rdataset, check_related, |
| 201 | +- rctx); |
| 202 | ++ rctx, 0); |
| 203 | + #if CHECK_FOR_GLUE_IN_ANSWER |
| 204 | + /* |
| 205 | + * Look in the answer section for "glue" that is incorrectly |
| 206 | +@@ -9789,7 +9793,7 @@ rctx_referral(respctx_t *rctx) { |
| 207 | + (fctx->type == dns_rdatatype_aaaa || fctx->type == dns_rdatatype_a)) |
| 208 | + { |
| 209 | + (void)dns_rdataset_additionaldata(rctx->ns_rdataset, |
| 210 | +- check_answer, fctx); |
| 211 | ++ check_answer, fctx, 0); |
| 212 | + } |
| 213 | + #endif /* if CHECK_FOR_GLUE_IN_ANSWER */ |
| 214 | + FCTX_ATTR_CLR(fctx, FCTX_ATTR_GLUING); |
| 215 | +@@ -9899,7 +9903,7 @@ again: |
| 216 | + if (CHASE(rdataset)) { |
| 217 | + rdataset->attributes &= ~DNS_RDATASETATTR_CHASE; |
| 218 | + (void)dns_rdataset_additionaldata( |
| 219 | +- rdataset, check_related, rctx); |
| 220 | ++ rdataset, check_related, rctx, 0); |
| 221 | + rescan = true; |
| 222 | + } |
| 223 | + } |
| 224 | +diff --git a/lib/ns/query.c b/lib/ns/query.c |
| 225 | +index ec9bf5b..dd157eb 100644 |
| 226 | +--- a/lib/ns/query.c |
| 227 | ++++ b/lib/ns/query.c |
| 228 | +@@ -2048,7 +2048,8 @@ addname: |
| 229 | + */ |
| 230 | + if (trdataset != NULL && dns_rdatatype_followadditional(type)) { |
| 231 | + eresult = dns_rdataset_additionaldata( |
| 232 | +- trdataset, query_additional_cb, qctx); |
| 233 | ++ trdataset, query_additional_cb, qctx, |
| 234 | ++ DNS_RDATASET_MAXADDITIONAL); |
| 235 | + } |
| 236 | + |
| 237 | + cleanup: |
| 238 | +@@ -2139,7 +2140,8 @@ regular: |
| 239 | + * Add other additional data if needed. |
| 240 | + * We don't care if dns_rdataset_additionaldata() fails. |
| 241 | + */ |
| 242 | +- (void)dns_rdataset_additionaldata(rdataset, query_additional_cb, qctx); |
| 243 | ++ (void)dns_rdataset_additionaldata(rdataset, query_additional_cb, |
| 244 | ++ qctx, DNS_RDATASET_MAXADDITIONAL); |
| 245 | + CTRACE(ISC_LOG_DEBUG(3), "query_additional: done"); |
| 246 | + } |
| 247 | + |
| 248 | +@@ -2165,7 +2167,8 @@ query_addrrset(query_ctx_t *qctx, dns_name_t **namep, |
| 249 | + * To the current response for 'client', add the answer RRset |
| 250 | + * '*rdatasetp' and an optional signature set '*sigrdatasetp', with |
| 251 | + * owner name '*namep', to section 'section', unless they are |
| 252 | +- * already there. Also add any pertinent additional data. |
| 253 | ++ * already there. Also add any pertinent additional data, unless |
| 254 | ++ * the query was for type ANY. |
| 255 | + * |
| 256 | + * If 'dbuf' is not NULL, then '*namep' is the name whose data is |
| 257 | + * stored in 'dbuf'. In this case, query_addrrset() guarantees that |
| 258 | +@@ -2221,6 +2224,9 @@ query_addrrset(query_ctx_t *qctx, dns_name_t **namep, |
| 259 | + query_addtoname(mname, rdataset); |
| 260 | + query_setorder(qctx, mname, rdataset); |
| 261 | + query_additional(qctx, rdataset); |
| 262 | ++ if (qctx->qtype != dns_rdatatype_any) { |
| 263 | ++ query_additional(qctx, rdataset); |
| 264 | ++ } |
| 265 | + |
| 266 | + /* |
| 267 | + * Note: we only add SIGs if we've added the type they cover, so |
| 268 | +-- |
| 269 | +2.45.3 |
| 270 | + |
0 commit comments