9.1.1-P3 v9.1.1-P3
authorMark Andrews <marka@isc.org>
Tue, 23 Jan 2007 23:42:23 +0000 (23:42 +0000)
committerMark Andrews <marka@isc.org>
Tue, 23 Jan 2007 23:42:23 +0000 (23:42 +0000)
CHANGES
lib/dns/include/dns/validator.h
lib/dns/resolver.c
lib/dns/validator.c
version

diff --git a/CHANGES b/CHANGES
index 3b47ee7b4373abfc8456360a0389ee0372d61c78..67887723323b8052a29499ab36721ee6663ae4d2 100644 (file)
--- a/CHANGES
+++ b/CHANGES
@@ -1,4 +1,8 @@
 
+       --- 9.1.1-P3 released ---
+
+2126.  [security]      Serialise validation of type ANY responses. [RT #16555]
+
        --- 9.1.1-P2 released ---
 
 1499.  [bug]           isc_random need to be seeded better if arc4random()
index fcd7380615e7531b68f3c117f492689bf8a2d0ac..74664d4166abdb564af7ac206a21020eadbd2b68 100644 (file)
@@ -15,7 +15,7 @@
  * WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: validator.h,v 1.17.2.1 2001/01/09 22:46:27 bwelling Exp $ */
+/* $Id: validator.h,v 1.17.2.1.4.1 2007/01/23 23:42:23 marka Exp $ */
 
 #ifndef DNS_VALIDATOR_H
 #define DNS_VALIDATOR_H 1
@@ -111,6 +111,11 @@ struct dns_validator {
        ISC_LINK(dns_validator_t)       link;
 };
 
+/*%
+ * dns_validator_create() options.
+ */
+#define DNS_VALIDATOR_DEFER 2U
+
 ISC_LANG_BEGINDECLS
 
 isc_result_t
@@ -153,6 +158,15 @@ dns_validator_create(dns_view_t *view, dns_name_t *name, dns_rdatatype_t type,
  * part of a known insecure domain.
  */
 
+void
+dns_validator_send(dns_validator_t *validator);
+/*%<
+ * Send a deferred validation request
+ *
+ * Requires:
+ *     'validator' to points to a valid DNSSEC validator.
+ */
+
 void
 dns_validator_cancel(dns_validator_t *validator);
 /*
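Review bot: The contract for dns_validator_send() omits the precondition that its implementation asserts. The validator must have been created with DNS_VALIDATOR_DEFER and not yet sent or cancelled, otherwise the INSIST in validator.c terminates the process. The Requires block should read `'validator' points to a valid DNSSEC validator created with DNS_VALIDATOR_DEFER that has not yet been sent or cancelled.`, which also fixes the "to points to" typo. The comment on DNS_VALIDATOR_DEFER in the previous hunk could likewise say that the start event is withheld until dns_validator_send() is called.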
index ef706b3d6c51fcd82dc385ac44a0e1178704ea95..dc8dbef1f99428515c667ca1a1b44e77884917d1 100644 (file)
@@ -15,7 +15,7 @@
  * WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: resolver.c,v 1.187.2.9.4.1 2002/06/01 02:13:13 marka Exp $ */
+/* $Id: resolver.c,v 1.187.2.9.4.2 2007/01/23 23:42:23 marka Exp $ */
 
 #include <config.h>
 
@@ -701,6 +701,8 @@ fctx_query(fetchctx_t *fctx, dns_adbaddrinfo_t *addrinfo,
        if (result != ISC_R_SUCCESS)
                return (result);
 
+       INSIST(ISC_LIST_EMPTY(fctx->validators));
+
        dns_message_reset(fctx->rmessage, DNS_MESSAGE_INTENTPARSE);
 
        query = isc_mem_get(res->mctx, sizeof *query);
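Review bot: The added `INSIST(ISC_LIST_EMPTY(fctx->validators));` has no comment saying what it protects, and a failed INSIST terminates the server. The cache_name() hunks show validators being created with fctx->rmessage, so the assertion presumably guards the dns_message_reset() on the next line against resetting a message a validator is still reading. A comment such as `/* Validators hold fctx->rmessage; it must not be reset while any are outstanding. */` would record that. Because this state is driven by responses from remote servers, it is worth confirming that no path reaches fctx_query() with a validator still queued, since that would abort the server. fctx_query() starts and ends outside the hunk.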
@@ -2373,12 +2375,21 @@ maybe_destroy(fetchctx_t *fctx) {
        unsigned int bucketnum;
        isc_boolean_t bucket_empty = ISC_FALSE;
        dns_resolver_t *res = fctx->res;
+       dns_validator_t *validator;
 
        REQUIRE(SHUTTINGDOWN(fctx));
 
-       if (fctx->pending != 0 || !ISC_LIST_EMPTY(fctx->validators))
+       if (fctx->pending != 0)
                return;
 
+       for (validator = ISC_LIST_HEAD(fctx->validators);
+            validator != NULL;
+            validator = ISC_LIST_HEAD(fctx->validators)) {
+               ISC_LIST_UNLINK(fctx->validators, validator, link);
+               dns_validator_cancel(validator);
+               dns_validator_destroy(&validator);
+       }
+
        bucketnum = fctx->bucketnum;
        LOCK(&res->buckets[bucketnum].lock);
        if (fctx->references == 0)
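Review bot: The new loop in maybe_destroy() calls dns_validator_destroy() on every listed validator right after cancelling it, including one that has already been sent and may still deliver its completion event to validated(). The removed `!ISC_LIST_EMPTY(fctx->validators)` test used to make the function wait for those. Whether dns_validator_destroy() tolerates a validator whose event is still outstanding is not visible in this hunk, so this needs confirming; if it does not, the result is a use-after-free when the event arrives. A safer shape destroys only validators that were still deferred, whose event dns_validator_cancel() frees, and leaves the rest on the list until their event arrives. maybe_destroy() continues past the end of the hunk.

```c
	dns_validator_t *validator, *next_validator;

	/* … unchanged: REQUIRE(SHUTTINGDOWN(fctx)) and the fctx->pending check … */

	for (validator = ISC_LIST_HEAD(fctx->validators);
	     validator != NULL;
	     validator = next_validator) {
		unsigned int deferred;

		next_validator = ISC_LIST_NEXT(validator, link);
		/* dns_validator_cancel() clears the flag, so sample it first. */
		deferred = validator->options & DNS_VALIDATOR_DEFER;
		dns_validator_cancel(validator);
		/* An already-sent validator stays listed until its event arrives. */
		if (deferred == 0)
			continue;
		ISC_LIST_UNLINK(fctx->validators, validator, link);
		dns_validator_destroy(&validator);
	}
	if (!ISC_LIST_EMPTY(fctx->validators))
		return;

	/* … unchanged: bucket lock and reference check … */
```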
@@ -2549,7 +2560,9 @@ validated(isc_task_t *task, isc_event_t *event) {
                        goto noanswer_response;
        }
 
-       if (sentresponse) {
+       if (!ISC_LIST_EMPTY(fctx->validators))
+               dns_validator_send(ISC_LIST_HEAD(fctx->validators));
+       else if (sentresponse) {
                /*
                 * If we only deferred the destroy because we wanted to cache
                 * the data, destroy now.
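Review bot: `dns_validator_send(ISC_LIST_HEAD(fctx->validators))` assumes the head of the list is still deferred, and dns_validator_send() enforces that with an INSIST, so a non-deferred validator at the head terminates the process. The same call is added in the next hunk before `goto cleanup_event`. The invariant depends on cache_name(), where `valoptions` is a local that starts at 0 on every call. The first validator each call creates is therefore started immediately even if fctx->validators is already non-empty; whether cache_name() can run more than once per response with validation needed is not visible here. Seeding it from the list state in cache_name(), `if (!ISC_LIST_EMPTY(fctx->validators)) valoptions |= DNS_VALIDATOR_DEFER;`, would make the invariant hold by construction. validated() starts and ends outside the hunk.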
@@ -2569,6 +2582,7 @@ validated(isc_task_t *task, isc_event_t *event) {
                 * more rdatasets that still need to
                 * be validated.
                 */
+               dns_validator_send(ISC_LIST_HEAD(fctx->validators));
                goto cleanup_event;
        }
 
@@ -2617,6 +2631,7 @@ cache_name(fetchctx_t *fctx, dns_name_t *name, isc_stdtime_t now) {
        unsigned int options;
        isc_task_t *task;
        dns_validator_t *validator;
+       unsigned int valoptions = 0;
 
        /*
         * The appropriate bucket lock must be held.
@@ -2805,15 +2820,18 @@ cache_name(fetchctx_t *fctx, dns_name_t *name, isc_stdtime_t now) {
                                                rdataset,
                                                sigrdataset,
                                                fctx->rmessage,
-                                               0,
+                                               valoptions,
                                                task,
                                                validated,
                                                fctx,
                                                &validator);
-                                       if (result == ISC_R_SUCCESS)
+                                       if (result == ISC_R_SUCCESS) {
                                                ISC_LIST_APPEND(
                                                        fctx->validators,
                                                        validator, link);
+                                               valoptions |=
+                                                        DNS_VALIDATOR_DEFER;
+                                       }
                                }
                        }
                } else if (!EXTERNAL(rdataset)) {
@@ -2886,7 +2904,7 @@ cache_name(fetchctx_t *fctx, dns_name_t *name, isc_stdtime_t now) {
                                              valrdataset,
                                              valsigrdataset,
                                              fctx->rmessage,
-                                             0,
+                                             valoptions,
                                              task,
                                              validated,
                                              fctx,
index 271b35d5bfd5fb75855bf29411ef7054dac04cbc..161001ffa74973a9e3b9b9e073ea222d2707cfa1 100644 (file)
@@ -15,7 +15,7 @@
  * WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: validator.c,v 1.87.2.1 2001/01/09 22:44:26 bwelling Exp $ */
+/* $Id: validator.c,v 1.87.2.1.4.1 2007/01/23 23:42:23 marka Exp $ */
 
 #include <config.h>
 
@@ -1512,7 +1512,8 @@ dns_validator_create(dns_view_t *view, dns_name_t *name, dns_rdatatype_t type,
        ISC_LINK_INIT(val, link);
        val->magic = VALIDATOR_MAGIC;
 
-       isc_task_send(task, (isc_event_t **)&event);
+       if ((options & DNS_VALIDATOR_DEFER) == 0)
+               isc_task_send(task, (isc_event_t **)&event);
 
        *validatorp = val;
 
@@ -1529,6 +1530,21 @@ dns_validator_create(dns_view_t *view, dns_name_t *name, dns_rdatatype_t type,
        return (result);
 }
 
+void
+dns_validator_send(dns_validator_t *validator) {
+       isc_event_t *event;
+       REQUIRE(VALID_VALIDATOR(validator));
+
+       LOCK(&validator->lock);
+
+       INSIST((validator->options & DNS_VALIDATOR_DEFER) != 0);
+       event = (isc_event_t *)validator->event;
+       validator->options &= ~DNS_VALIDATOR_DEFER;
+       UNLOCK(&validator->lock);
+
+       isc_task_send(validator->task, &event);
+}
+
 void
 dns_validator_cancel(dns_validator_t *validator) {
        REQUIRE(VALID_VALIDATOR(validator));
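Review bot: dns_validator_send() has no comment explaining why DNS_VALIDATOR_DEFER is cleared under the lock before the unlocked isc_task_send(). The ordering matters because dns_validator_cancel() frees validator->event when it finds the flag set, so clearing it first keeps a concurrent cancel from freeing an event that is about to be posted. I would add `/* Clear DEFER under the lock so dns_validator_cancel() cannot free the event we are about to send. */` above the assignment. A blank line between the declaration of `event` and the REQUIRE would also match the surrounding style.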
@@ -1548,6 +1564,13 @@ dns_validator_cancel(dns_validator_t *validator) {
 
                if (validator->authvalidator != NULL)
                        dns_validator_cancel(validator->authvalidator);
+
+               if ((validator->options & DNS_VALIDATOR_DEFER) != 0) {
+                       isc_task_t *task = validator->event->ev_sender;
+                       validator->options &= ~DNS_VALIDATOR_DEFER;
+                       isc_event_free((isc_event_t **)&validator->event);
+                       isc_task_detach(&task);
+               }
        }
        UNLOCK(&validator->lock);
 }
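Review bot: In the new DNS_VALIDATOR_DEFER branch the event is freed without being delivered, so the action passed to dns_validator_create() is never called for a cancelled deferred validator. The caller has to unlink and destroy the validator itself, as maybe_destroy() does in resolver.c; a caller that waits for a completion event may never release it. The declaration comment for dns_validator_cancel() in validator.h should say so, for example `If the validator was created with DNS_VALIDATOR_DEFER and has not been sent, no event is delivered and the caller must call dns_validator_destroy().` The enclosing `if` begins outside the hunk, so its condition is not visible.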
diff --git a/version b/version
index 0cc8eb8f67b2ecf564a7e50c82dcb0e18c1baff9..ec7beffaa254244d717700f0966b7412ea84d916 100644 (file)
--- a/version
+++ b/version
@@ -1,4 +1,4 @@
-# $Id: version,v 1.18.4.13.4.2 2003/09/01 05:31:27 marka Exp $
+# $Id: version,v 1.18.4.13.4.3 2007/01/23 23:42:23 marka Exp $
 #
 # This file must follow /bin/sh rules.  It is imported directly via
 # configure.
@@ -7,4 +7,4 @@ MAJORVER=9
 MINORVER=1
 PATCHVER=1
 RELEASETYPE=-P
-RELEASEVER=2
+RELEASEVER=3