::arg().set("include-dir","Include *.conf files from this directory");
::arg().set("security-poll-suffix","Domain name from which to query security update notifications")="secpoll.powerdns.com.";
+
+ ::arg().set("xfr-max-received-mbytes", "Maximum number of megabytes received from an incoming AXFR")="100";
}
static uint64_t uptimeOfProcess(const std::string& str)
<listitem><para>
Check for wildcard URL records.
</para></listitem></varlistentry>
+ <varlistentry>
+ <term>xfr-max-received-mbytes=...</term>
+ <listitem>
+ <para>
+ Specifies the maximum number of received megabytes allowed on an incoming AXFR update, to prevent
+ resource exhaustion. A value of 0 means no restriction.
+ The default is 100. Available since 3.4.10.
+ </para>
+ </listitem>
+ </varlistentry>
+
</variablelist>
</para>
</chapter>
#
# webserver-print-arguments=no
+#################################
+# xfr-max-received-mbytes Maximum number of megabytes received from an incoming AXFR
+#
+# xfr-max-received-mbytes=100
+
const string& tsigkeyname,
const string& tsigalgorithm,
const string& tsigsecret,
- const ComboAddress* laddr)
-: d_tsigkeyname(tsigkeyname), d_tsigsecret(tsigsecret), d_tsigPos(0), d_nonSignedMessages(0)
+ const ComboAddress* laddr,
+ size_t maxReceivedBytes)
+ : d_tsigkeyname(tsigkeyname), d_tsigsecret(tsigsecret), d_receivedBytes(0), d_maxReceivedBytes(maxReceivedBytes), d_tsigPos(0), d_nonSignedMessages(0)
{
ComboAddress local;
if (laddr != NULL) {
int len=getLength();
if(len<0)
throw ResolverException("EOF trying to read axfr chunk from remote TCP client");
-
- timeoutReadn(len);
+
+ if (d_maxReceivedBytes > 0 && (d_maxReceivedBytes - d_receivedBytes) < (size_t) len)
+ throw ResolverException("Reached the maximum number of received bytes during AXFR");
+
+ timeoutReadn(len);
+
+ d_receivedBytes += (uint16_t) len;
+
MOADNSParser mdp(d_buf.get(), len);
int err = parseResult(mdp, "", 0, 0, &res);
const string& tsigkeyname=string(),
const string& tsigalgorithm=string(),
const string& tsigsecret=string(),
- const ComboAddress* laddr = NULL);
+ const ComboAddress* laddr = NULL,
+ size_t maxReceivedBytes=0);
~AXFRRetriever();
int getChunk(Resolver::res_t &res);
string d_tsigsecret;
string d_prevMac; // RFC2845 4.4
string d_signData;
+ size_t d_receivedBytes;
+ size_t d_maxReceivedBytes;
uint32_t d_tsigPos;
uint d_nonSignedMessages; // RFC2845 4.4
TSIGRecordContent d_trc;
vector<DNSResourceRecord> rrs;
ComboAddress raddr(remote, 53);
- AXFRRetriever retriever(raddr, domain.c_str(), tsigkeyname, tsigalgorithm, tsigsecret, (laddr.sin4.sin_family == 0) ? NULL : &laddr);
+ AXFRRetriever retriever(raddr, domain.c_str(), tsigkeyname, tsigalgorithm, tsigsecret, (laddr.sin4.sin_family == 0) ? NULL : &laddr, ((size_t) ::arg().asNum("xfr-max-received-mbytes")) * 1024 * 1024);
Resolver::res_t recs;
while(retriever.getChunk(recs)) {
if(first) {