From: Mark Andrews Date: Tue, 23 Jan 2007 23:42:23 +0000 (+0000) Subject: 9.1.1-P3 X-Git-Tag: v9.1.1-P3^0 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=249bec72af9eaf8d8cebd4505c9c3670c63ede8a;p=thirdparty%2Fbind9.git 9.1.1-P3 --- diff --git a/CHANGES b/CHANGES index 3b47ee7b437..67887723323 100644 --- a/CHANGES +++ b/CHANGES @@ -1,4 +1,8 @@ + --- 9.1.1-P3 released --- + +2126. [security] Serialise validation of type ANY responses. [RT #16555] + --- 9.1.1-P2 released --- 1499. [bug] isc_random need to be seeded better if arc4random() diff --git a/lib/dns/include/dns/validator.h b/lib/dns/include/dns/validator.h index fcd7380615e..74664d4166a 100644 --- a/lib/dns/include/dns/validator.h +++ b/lib/dns/include/dns/validator.h @@ -15,7 +15,7 @@ * WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: validator.h,v 1.17.2.1 2001/01/09 22:46:27 bwelling Exp $ */ +/* $Id: validator.h,v 1.17.2.1.4.1 2007/01/23 23:42:23 marka Exp $ */ #ifndef DNS_VALIDATOR_H #define DNS_VALIDATOR_H 1 @@ -111,6 +111,11 @@ struct dns_validator { ISC_LINK(dns_validator_t) link; }; +/*% + * dns_validator_create() options. + */ +#define DNS_VALIDATOR_DEFER 2U + ISC_LANG_BEGINDECLS isc_result_t @@ -153,6 +158,15 @@ dns_validator_create(dns_view_t *view, dns_name_t *name, dns_rdatatype_t type, * part of a known insecure domain. */ +void +dns_validator_send(dns_validator_t *validator); +/*%< + * Send a deferred validation request + * + * Requires: + * 'validator' to points to a valid DNSSEC validator. + */ + void dns_validator_cancel(dns_validator_t *validator); /* diff --git a/lib/dns/resolver.c b/lib/dns/resolver.c index ef706b3d6c5..dc8dbef1f99 100644 --- a/lib/dns/resolver.c +++ b/lib/dns/resolver.c @@ -15,7 +15,7 @@ * WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: resolver.c,v 1.187.2.9.4.1 2002/06/01 02:13:13 marka Exp $ */ +/* $Id: resolver.c,v 1.187.2.9.4.2 2007/01/23 23:42:23 marka Exp $ */ #include @@ -701,6 +701,8 @@ fctx_query(fetchctx_t *fctx, dns_adbaddrinfo_t *addrinfo, if (result != ISC_R_SUCCESS) return (result); + INSIST(ISC_LIST_EMPTY(fctx->validators)); + dns_message_reset(fctx->rmessage, DNS_MESSAGE_INTENTPARSE); query = isc_mem_get(res->mctx, sizeof *query); @@ -2373,12 +2375,21 @@ maybe_destroy(fetchctx_t *fctx) { unsigned int bucketnum; isc_boolean_t bucket_empty = ISC_FALSE; dns_resolver_t *res = fctx->res; + dns_validator_t *validator; REQUIRE(SHUTTINGDOWN(fctx)); - if (fctx->pending != 0 || !ISC_LIST_EMPTY(fctx->validators)) + if (fctx->pending != 0) return; + for (validator = ISC_LIST_HEAD(fctx->validators); + validator != NULL; + validator = ISC_LIST_HEAD(fctx->validators)) { + ISC_LIST_UNLINK(fctx->validators, validator, link); + dns_validator_cancel(validator); + dns_validator_destroy(&validator); + } + bucketnum = fctx->bucketnum; LOCK(&res->buckets[bucketnum].lock); if (fctx->references == 0) @@ -2549,7 +2560,9 @@ validated(isc_task_t *task, isc_event_t *event) { goto noanswer_response; } - if (sentresponse) { + if (!ISC_LIST_EMPTY(fctx->validators)) + dns_validator_send(ISC_LIST_HEAD(fctx->validators)); + else if (sentresponse) { /* * If we only deferred the destroy because we wanted to cache * the data, destroy now. @@ -2569,6 +2582,7 @@ validated(isc_task_t *task, isc_event_t *event) { * more rdatasets that still need to * be validated. */ + dns_validator_send(ISC_LIST_HEAD(fctx->validators)); goto cleanup_event; } @@ -2617,6 +2631,7 @@ cache_name(fetchctx_t *fctx, dns_name_t *name, isc_stdtime_t now) { unsigned int options; isc_task_t *task; dns_validator_t *validator; + unsigned int valoptions = 0; /* * The appropriate bucket lock must be held. @@ -2805,15 +2820,18 @@ cache_name(fetchctx_t *fctx, dns_name_t *name, isc_stdtime_t now) { rdataset, sigrdataset, fctx->rmessage, - 0, + valoptions, task, validated, fctx, &validator); - if (result == ISC_R_SUCCESS) + if (result == ISC_R_SUCCESS) { ISC_LIST_APPEND( fctx->validators, validator, link); + valoptions |= + DNS_VALIDATOR_DEFER; + } } } } else if (!EXTERNAL(rdataset)) { @@ -2886,7 +2904,7 @@ cache_name(fetchctx_t *fctx, dns_name_t *name, isc_stdtime_t now) { valrdataset, valsigrdataset, fctx->rmessage, - 0, + valoptions, task, validated, fctx, diff --git a/lib/dns/validator.c b/lib/dns/validator.c index 271b35d5bfd..161001ffa74 100644 --- a/lib/dns/validator.c +++ b/lib/dns/validator.c @@ -15,7 +15,7 @@ * WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: validator.c,v 1.87.2.1 2001/01/09 22:44:26 bwelling Exp $ */ +/* $Id: validator.c,v 1.87.2.1.4.1 2007/01/23 23:42:23 marka Exp $ */ #include @@ -1512,7 +1512,8 @@ dns_validator_create(dns_view_t *view, dns_name_t *name, dns_rdatatype_t type, ISC_LINK_INIT(val, link); val->magic = VALIDATOR_MAGIC; - isc_task_send(task, (isc_event_t **)&event); + if ((options & DNS_VALIDATOR_DEFER) == 0) + isc_task_send(task, (isc_event_t **)&event); *validatorp = val; @@ -1529,6 +1530,21 @@ dns_validator_create(dns_view_t *view, dns_name_t *name, dns_rdatatype_t type, return (result); } +void +dns_validator_send(dns_validator_t *validator) { + isc_event_t *event; + REQUIRE(VALID_VALIDATOR(validator)); + + LOCK(&validator->lock); + + INSIST((validator->options & DNS_VALIDATOR_DEFER) != 0); + event = (isc_event_t *)validator->event; + validator->options &= ~DNS_VALIDATOR_DEFER; + UNLOCK(&validator->lock); + + isc_task_send(validator->task, &event); +} + void dns_validator_cancel(dns_validator_t *validator) { REQUIRE(VALID_VALIDATOR(validator)); @@ -1548,6 +1564,13 @@ dns_validator_cancel(dns_validator_t *validator) { if (validator->authvalidator != NULL) dns_validator_cancel(validator->authvalidator); + + if ((validator->options & DNS_VALIDATOR_DEFER) != 0) { + isc_task_t *task = validator->event->ev_sender; + validator->options &= ~DNS_VALIDATOR_DEFER; + isc_event_free((isc_event_t **)&validator->event); + isc_task_detach(&task); + } } UNLOCK(&validator->lock); } diff --git a/version b/version index 0cc8eb8f67b..ec7beffaa25 100644 --- a/version +++ b/version @@ -1,4 +1,4 @@ -# $Id: version,v 1.18.4.13.4.2 2003/09/01 05:31:27 marka Exp $ +# $Id: version,v 1.18.4.13.4.3 2007/01/23 23:42:23 marka Exp $ # # This file must follow /bin/sh rules. It is imported directly via # configure. @@ -7,4 +7,4 @@ MAJORVER=9 MINORVER=1 PATCHVER=1 RELEASETYPE=-P -RELEASEVER=2 +RELEASEVER=3