File bind-CVE-2022-2795.patch of Package bind.30842

diff --git a/lib/dns/resolver.c b/lib/dns/resolver.c
index d2cf14bbc8b..73a0ee9f779 100644
--- a/lib/dns/resolver.c
+++ b/lib/dns/resolver.c
@@ -178,6 +178,12 @@
  */
 #define NS_FAIL_LIMIT 4
 #define NS_RR_LIMIT   5
+/*
+ * IP address lookups are performed for at most NS_PROCESSING_LIMIT NS RRs in
+ * any NS RRset encountered, to avoid excessive resource use while processing
+ * large delegations.
+ */
+#define NS_PROCESSING_LIMIT 20
 
 /* Number of hash buckets for zone counters */
 #ifndef RES_DOMAIN_BUCKETS
@@ -2899,6 +2905,7 @@
 	isc_boolean_t all_spilled = ISC_TRUE;
 #endif /* ENABLE_FETCHLIMIT */
 	unsigned int no_addresses = 0;
+	unsigned int ns_processed = 0;
 
 	FCTXTRACE5("getaddresses", "fctx->depth=", fctx->depth);
 
@@ -3079,6 +3086,11 @@
 
 		dns_rdata_reset(&rdata);
 		dns_rdata_freestruct(&ns);
+
+                if (++ns_processed >= NS_PROCESSING_LIMIT) {
+                	result = ISC_R_NOMORE;
+                	break;
+                }
 	}
 	if (result != ISC_R_NOMORE)
 	{

Places

File bind-CVE-2022-2795.patch of Package bind.30842

Places