File bind-9.9-CVE-2024-11187.patch of Package bind.37294

commit bc748d21378fbe3e8314dec9efbd365c0de563df
Author: Nicki Křížek <nicki@isc.org>
Date:   Mon Jan 20 16:17:36 2025 +0000

    [9.11] [CVE-2024-11187] sec: usr: Limit the additional processing for large RDATA sets
    
    When answering queries, don't add data to the additional section if the answer has more than 13 names in the RDATA. This limits the number of lookups into the database(s) during a single client query, reducing query processing load.
    
    Backport of MR !750
    
    See isc-projects/bind9#5034
    
    Merge branch '5034-security-limit-additional-9.11' into 'bind-9.11-release'
    
    See merge request isc-private/bind9!761

Index: bind-9.9.9-P1/bin/named/query.c
===================================================================
--- bind-9.9.9-P1.orig/bin/named/query.c
+++ bind-9.9.9-P1/bin/named/query.c
@@ -1628,7 +1628,8 @@ query_addadditional(void *arg, dns_name_
 		 */
 		eresult = dns_rdataset_additionaldata(trdataset,
 						      query_addadditional,
-						      client);
+						      client,
+						      DNS_RDATASET_MAXADDITIONAL);
 	}
 
  cleanup:
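Review bot: `eresult` can now hold DNS_R_TOOMANYRECORDS when `trdataset` has more than DNS_RDATASET_MAXADDITIONAL rdata, and the rdataset.h text in this same patch says a non-successful result from the nested call becomes the result of the enclosing dns_rdataset_additionaldata(); so if the code after `cleanup:` (outside the hunk) returns `eresult` unchanged, the outer iteration started in query_addrdataset would stop at this name and the remaining rdata of that outer set would lose their additional data as well, whereas the `(void)` call in the query_addrdataset hunk simply swallows the same result. If that early stop is intended, a comment after the call should say so; otherwise `if (eresult == DNS_R_TOOMANYRECORDS) eresult = ISC_R_SUCCESS;` keeps the cap local to this name. query_addadditional begins and ends outside the hunk.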
@@ -2209,7 +2210,7 @@ query_addrdataset(ns_client_t *client, d
 						       rdataset->rdclass);
 	rdataset->attributes |= DNS_RDATASETATTR_LOADORDER;
 
-	if (NOADDITIONAL(client))
+	if (NOADDITIONAL(client) || client->query.qtype == dns_rdatatype_any)
 		return;
 
 	/*
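Review bot: the new `client->query.qtype == dns_rdatatype_any` test is added to the NOADDITIONAL early return with no explanation, so a reader cannot tell it belongs to the CVE-2024-11187 mitigation rather than being an unrelated change in how ANY answers are built. Suggest a comment above the condition: `/* No additional section processing for ANY answers (CVE-2024-11187). */`. The rest of query_addrdataset lies outside the hunk.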
@@ -2220,7 +2221,8 @@ query_addrdataset(ns_client_t *client, d
 	additionalctx.client = client;
 	additionalctx.rdataset = rdataset;
 	(void)dns_rdataset_additionaldata(rdataset, query_addadditional2,
-					  &additionalctx);
+					  &additionalctx,
+					  DNS_RDATASET_MAXADDITIONAL);
 	CTRACE(ISC_LOG_DEBUG(3), "query_addrdataset: done");
 }
 
Index: bind-9.9.9-P1/bin/tests/system/resolver/ns4/named.noaa
===================================================================
--- bind-9.9.9-P1.orig/bin/tests/system/resolver/ns4/named.noaa
+++ /dev/null
@@ -1,6 +0,0 @@
-Copyright (C) 2010  Internet Systems Consortium, Inc. ("ISC")
-See COPYRIGHT in the source root or http://isc.org/copyright.html for terms.
-
-$Id: named.noaa,v 1.2 2010/09/15 12:07:56 marka Exp $
-
-Add -T noaa.
Index: bind-9.9.9-P1/bin/tests/system/resolver/tests.sh
===================================================================
--- bind-9.9.9-P1.orig/bin/tests/system/resolver/tests.sh
+++ bind-9.9.9-P1/bin/tests/system/resolver/tests.sh
@@ -286,6 +286,10 @@ grep "From NS 4" dig.ns7.bar.${n} > /dev
 
 if [ $ret != 0 ]; then echo "I:failed"; status=1; fi
 
+$PERL $SYSTEMTESTTOP/stop.pl resolver ns4
+touch ns4/named.noaa
+$PERL $SYSTEMTESTTOP/start.pl --noclean --restart --port ${PORT} resolver ns4 || ret=1
+
 n=`expr $n + 1`
 echo "I:checking that update a nameservers glue has immediate effects ($n)"
 ret=0
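Review bot: the `|| ret=1` on the start.pl line is overwritten by the `ret=0` that opens the next test, and the preceding `if [ $ret != 0 ]` check runs before the restart, so a failed restart of ns4 is never reported; the second restart hunk below (after `rm ns4/named.noaa`) has the same problem. Either check right after the start.pl line, `if [ $ret != 0 ]; then echo "I:failed"; status=1; fi`, or move the stop/touch/start sequence below the next test's `ret=0` so that test's existing check sees the failure. The exit status of stop.pl is also not checked.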
@@ -304,6 +308,10 @@ grep "From NS 4" dig.ns7.bar.${n} > /dev
 
 if [ $ret != 0 ]; then echo "I:failed"; status=1; fi
 
+$PERL $SYSTEMTESTTOP/stop.pl resolver ns4
+rm ns4/named.noaa
+$PERL $SYSTEMTESTTOP/start.pl --noclean --restart --port ${PORT} resolver ns4 || ret=1
+
 n=`expr $n + 1`
 echo "I:checking empty RFC 1918 reverse zones ($n)"
 ret=0
Index: bind-9.9.9-P1/lib/dns/include/dns/rdataset.h
===================================================================
--- bind-9.9.9-P1.orig/lib/dns/include/dns/rdataset.h
+++ bind-9.9.9-P1/lib/dns/include/dns/rdataset.h
@@ -58,6 +58,8 @@
 #include <dns/types.h>
 #include <dns/rdatastruct.h>
 
+#define DNS_RDATASET_MAXADDITIONAL 13
+
 ISC_LANG_BEGINDECLS
 
 typedef enum {
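Review bot: `DNS_RDATASET_MAXADDITIONAL 13` is introduced without a comment saying what it bounds, and nothing near the define connects it to the new `limit` parameter or to the fact that 0 disables the check. Suggest a comment above it: `/* Max number of rdata in a set for which additional data is looked up (CVE-2024-11187); pass 0 as 'limit' to disable the cap. */`.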
@@ -471,7 +473,8 @@ dns_rdataset_towirepartial(dns_rdataset_
 
 isc_result_t
 dns_rdataset_additionaldata(dns_rdataset_t *rdataset,
-			    dns_additionaldatafunc_t add, void *arg);
+			    dns_additionaldatafunc_t add, void *arg,
+			    size_t limit);
 /*%<
  * For each rdata in rdataset, call 'add' for each name and type in the
  * rdata which is subject to additional section processing.
@@ -490,10 +493,15 @@ dns_rdataset_additionaldata(dns_rdataset
  *\li	If a call to dns_rdata_additionaldata() is not successful, the
  *	result returned will be the result of dns_rdataset_additionaldata().
  *
+ *\li	If 'limit' is non-zero and the number of the rdatasets is larger
+ *	than 'limit', no additional data will be processed.
+ *
  * Returns:
  *
  *\li	#ISC_R_SUCCESS
  *
+ *\li	#DNS_R_TOOMANYRECORDS in case rdataset count is larger than 'limit'
+ *
  *\li	Any error that dns_rdata_additionaldata() can return.
  */
 
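Review bot: the added `\li` paragraph says "the number of the rdatasets is larger than 'limit'", but the implementation in rdataset.c compares dns_rdataset_count(rdataset), i.e. the number of rdata inside the single 'rdataset' argument, so the wording names the wrong quantity. Suggest `*\li If 'limit' is non-zero and 'rdataset' contains more than 'limit' rdata, 'add' is never called and #DNS_R_TOOMANYRECORDS is returned.`, and reword the Returns bullet to `in case 'rdataset' holds more than 'limit' rdata` to match.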
Index: bind-9.9.9-P1/lib/dns/rdataset.c
===================================================================
--- bind-9.9.9-P1.orig/lib/dns/rdataset.c
+++ bind-9.9.9-P1/lib/dns/rdataset.c
@@ -34,6 +34,7 @@
 #include <dns/rdata.h>
 #include <dns/rdataset.h>
 #include <dns/compress.h>
+#include <dns/result.h>
 
 static const char *trustnames[] = {
 	"none",
@@ -603,7 +604,8 @@ dns_rdataset_towire(dns_rdataset_t *rdat
 
 isc_result_t
 dns_rdataset_additionaldata(dns_rdataset_t *rdataset,
-			    dns_additionaldatafunc_t add, void *arg)
+			    dns_additionaldatafunc_t add, void *arg,
+			    size_t limit)
 {
 	dns_rdata_t rdata = DNS_RDATA_INIT;
 	isc_result_t result;
@@ -616,6 +618,10 @@ dns_rdataset_additionaldata(dns_rdataset
 	REQUIRE(DNS_RDATASET_VALID(rdataset));
 	REQUIRE((rdataset->attributes & DNS_RDATASETATTR_QUESTION) == 0);
 
+	if (limit != 0 && dns_rdataset_count(rdataset) > limit) {
+		return (DNS_R_TOOMANYRECORDS);
+	}
+
 	result = dns_rdataset_first(rdataset);
 	if (result != ISC_R_SUCCESS)
 		return (result);
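Review bot: the new guard relies on the `limit != 0 &&` short-circuit so that callers passing 0 (the resolver call sites in this patch) never reach dns_rdataset_count(), but nothing says that is deliberate, and a later tidy-up could hoist the count into a local. If skipping the count for those callers matters, state it: `/* limit == 0 disables the cap; keep the short-circuit so dns_rdataset_count() is not called in that case. */`; if it does not, `/* A limit of 0 means no cap. */` is enough. dns_rdataset_additionaldata continues outside the hunk.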
Index: bind-9.9.9-P1/lib/dns/resolver.c
===================================================================
--- bind-9.9.9-P1.orig/lib/dns/resolver.c
+++ bind-9.9.9-P1/lib/dns/resolver.c
@@ -5938,7 +5938,7 @@ chase_additional(fetchctx_t *fctx) {
 				rdataset->attributes &= ~DNS_RDATASETATTR_CHASE;
 				(void)dns_rdataset_additionaldata(rdataset,
 								  check_related,
-								  fctx);
+								  fctx, 0);
 				rescan = ISC_TRUE;
 			}
 		}
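Review bot: the bare `0` passed as the new `limit` argument here, and in the five later resolver.c hunks, gives no hint that it means "no cap"; a reader has to open rdataset.h to learn that. Since these hunks only adapt existing calls to the new signature, a short marker at each site, `fctx, 0 /* no limit */`, would make the intent visible without changing behaviour.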
@@ -6544,8 +6544,11 @@ noanswer_response(fetchctx_t *fctx, dns_
 		 */
 		INSIST(ns_rdataset != NULL);
 		fctx->attributes |= FCTX_ATTR_GLUING;
+		/*
+		 * Mark the glue records in the additional section to be cached.
+		 */
 		(void)dns_rdataset_additionaldata(ns_rdataset, check_related,
-						  fctx);
+						  fctx, 0);
 #if CHECK_FOR_GLUE_IN_ANSWER
 		/*
 		 * Look in the answer section for "glue" that is incorrectly
@@ -6558,7 +6561,7 @@ noanswer_response(fetchctx_t *fctx, dns_
 		    (fctx->type == dns_rdatatype_aaaa ||
 		     fctx->type == dns_rdatatype_a))
 			(void)dns_rdataset_additionaldata(ns_rdataset,
-							  check_answer, fctx);
+							  check_answer, fctx, 0);
 #endif
 		fctx->attributes &= ~FCTX_ATTR_GLUING;
 		/*
@@ -6806,7 +6809,7 @@ answer_response(fetchctx_t *fctx) {
 			rdataset->trust = trust;
 			(void)dns_rdataset_additionaldata(rdataset,
 							  check_related,
-							  fctx);
+							  fctx, 0);
 		}
 	} else if (aname != NULL) {
 		if (!validinanswer(ardataset, fctx))
@@ -6831,7 +6834,7 @@ answer_response(fetchctx_t *fctx) {
 		ardataset->attributes |= DNS_RDATASETATTR_CACHE;
 		ardataset->trust = trust;
 		(void)dns_rdataset_additionaldata(ardataset, check_related,
-						  fctx);
+						  fctx, 0);
 		for (sigrdataset = ISC_LIST_HEAD(aname->list);
 		     sigrdataset != NULL;
 		     sigrdataset = ISC_LIST_NEXT(sigrdataset, link)) {
@@ -6990,7 +6993,7 @@ answer_response(fetchctx_t *fctx) {
 					(void)dns_rdataset_additionaldata(
 							rdataset,
 							check_related,
-							fctx);
+							fctx, 0);
 					done = ISC_TRUE;
 				}
 			}