diff options
Diffstat (limited to 'debian/patches/0036-CVE-2022-2795.patch')
| -rw-r--r-- | debian/patches/0036-CVE-2022-2795.patch | 60 |
1 files changed, 60 insertions, 0 deletions
diff --git a/debian/patches/0036-CVE-2022-2795.patch b/debian/patches/0036-CVE-2022-2795.patch new file mode 100644 index 0000000..c978c73 --- /dev/null +++ b/debian/patches/0036-CVE-2022-2795.patch @@ -0,0 +1,60 @@ +From bf2ea6d8525bfd96a84dad221ba9e004adb710a8 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Micha=C5=82=20K=C4=99pie=C5=84?= <michal@isc.org> +Date: Thu, 8 Sep 2022 11:11:30 +0200 +Subject: [PATCH] Bound the amount of work performed for delegations + +Limit the amount of database lookups that can be triggered in +fctx_getaddresses() (i.e. when determining the name server addresses to +query next) by setting a hard limit on the number of NS RRs processed +for any delegation encountered. Without any limit in place, named can +be forced to perform large amounts of database lookups per each query +received, which severely impacts resolver performance. + +The limit used (20) is an arbitrary value that is considered to be big +enough for any sane DNS delegation. + +(cherry picked from commit 3a44097fd6c6c260765b628cd1d2c9cb7efb0b2a) +--- + lib/dns/resolver.c | 12 ++++++++++++ + 1 file changed, 12 insertions(+) + +diff --git a/lib/dns/resolver.c b/lib/dns/resolver.c +index d2cf14bbc8b..73a0ee9f779 100644 +--- a/lib/dns/resolver.c ++++ b/lib/dns/resolver.c +@@ -195,6 +195,12 @@ + */ + #define NS_FAIL_LIMIT 4 + #define NS_RR_LIMIT 5 ++/* ++ * IP address lookups are performed for at most NS_PROCESSING_LIMIT NS RRs in ++ * any NS RRset encountered, to avoid excessive resource use while processing ++ * large delegations. ++ */ ++#define NS_PROCESSING_LIMIT 20 + + /* Number of hash buckets for zone counters */ + #ifndef RES_DOMAIN_BUCKETS +@@ -3711,6 +3717,7 @@ fctx_getaddresses(fetchctx_t *fctx, bool badcache) { + bool need_alternate = false; + bool all_spilled = true; + unsigned int no_addresses = 0; ++ unsigned int ns_processed = 0; + + FCTXTRACE5("getaddresses", "fctx->depth=", fctx->depth); + +@@ -3902,6 +3909,11 @@ normal_nses: + + dns_rdata_reset(&rdata); + dns_rdata_freestruct(&ns); ++ ++ if (++ns_processed >= NS_PROCESSING_LIMIT) { ++ result = ISC_R_NOMORE; ++ break; ++ } + } + if (result != ISC_R_NOMORE) { + return (result); +-- +GitLab + |