File bind-CVE-2022-2795.patch of Package bind.34202
diff --git a/lib/dns/resolver.c b/lib/dns/resolver.c
index d2cf14bbc8b..73a0ee9f779 100644
--- a/lib/dns/resolver.c
+++ b/lib/dns/resolver.c
@@ -195,6 +195,12 @@
*/
#define NS_FAIL_LIMIT 4
#define NS_RR_LIMIT 5
+/*
+ * IP address lookups are performed for at most NS_PROCESSING_LIMIT NS RRs in
+ * any NS RRset encountered, to avoid excessive resource use while processing
+ * large delegations.
+ */
+#define NS_PROCESSING_LIMIT 20
/* Number of hash buckets for zone counters */
#ifndef RES_DOMAIN_BUCKETS
@@ -3711,6 +3717,7 @@ fctx_getaddresses(fetchctx_t *fctx, bool badcache) {
bool need_alternate = false;
bool all_spilled = true;
unsigned int no_addresses = 0;
+ unsigned int ns_processed = 0;
FCTXTRACE5("getaddresses", "fctx->depth=", fctx->depth);
@@ -3902,6 +3909,11 @@ fctx_getaddresses(fetchctx_t *fctx, bool badcache) {
dns_rdata_reset(&rdata);
dns_rdata_freestruct(&ns);
+
+ if (++ns_processed >= NS_PROCESSING_LIMIT) {
+ result = ISC_R_NOMORE;
+ break;
+ }
}
if (result != ISC_R_NOMORE) {
return (result);