From: Ondřej Surý Date: Fri, 1 Mar 2024 07:26:07 +0000 (+0100) Subject: Add a limit to the number of RRs in RRSets X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=fdabf4b9570a60688f9f7d1e88d885f7a3718bca;p=thirdparty%2Fbind9.git Add a limit to the number of RRs in RRSets Previously, the number of RRs in the RRSets were internally unlimited. As the data structure that holds the RRs is just a linked list, and there are places where we just walk through all of the RRs, adding an RRSet with huge number of RRs inside would slow down processing of said RRSets. The fix for end-of-life branches make the limit compile-time only for simplicity and the limit can be changed at the compile time by adding following define to CFLAGS: -DDNS_RDATASET_MAX_RECORDS= (cherry picked from commit c5c4d00c38530390c9e1ae4c98b65fbbadfe9e5e) --- diff --git a/configure b/configure index 1b436d63ebe..30e65f1568d 100755 --- a/configure +++ b/configure @@ -12341,7 +12341,7 @@ fi XTARGETS= if test "$enable_developer" = "yes"; then : - STD_CDEFINES="$STD_CDEFINES -DISC_MEM_DEFAULTFILL=1 -DISC_LIST_CHECKINIT=1" + STD_CDEFINES="$STD_CDEFINES -DISC_MEM_DEFAULTFILL=1 -DISC_LIST_CHECKINIT=1 -DDNS_RDATASET_MAX_RECORDS=5000" test "${enable_fixed_rrset+set}" = set || enable_fixed_rrset=yes test "${enable_querytrace+set}" = set || enable_querytrace=yes test "${with_cmocka+set}" = set || with_cmocka=yes diff --git a/configure.ac b/configure.ac index fb6f172eaef..ffe087e6d7b 100644 --- a/configure.ac +++ b/configure.ac @@ -96,7 +96,7 @@ AC_ARG_ENABLE([developer], XTARGETS= AS_IF([test "$enable_developer" = "yes"], - [STD_CDEFINES="$STD_CDEFINES -DISC_MEM_DEFAULTFILL=1 -DISC_LIST_CHECKINIT=1" + [STD_CDEFINES="$STD_CDEFINES -DISC_MEM_DEFAULTFILL=1 -DISC_LIST_CHECKINIT=1 -DDNS_RDATASET_MAX_RECORDS=5000" test "${enable_fixed_rrset+set}" = set || enable_fixed_rrset=yes test "${enable_querytrace+set}" = set || enable_querytrace=yes test "${with_cmocka+set}" = set || with_cmocka=yes 
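Review bot: In the configure.ac hunk, `--enable-developer` now forces `-DDNS_RDATASET_MAX_RECORDS=5000`, while the fallback added in lib/dns/rdataslab.c is 100, so a developer build runs with a limit fifty times looser than a default build. The same block defaults `with_cmocka` to yes, which suggests the test suites are usually built this way; if so, the shipped bound of 100 is never the one under test. I would record that next to the define, for example `dnl Developer builds raise the RRset record limit above the default of 100; testing the default needs a build without --enable-developer.`, and consider one test job built without the override. The generated configure hunk mirrors the same flag and needs no separate change.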
diff --git a/lib/dns/rdataslab.c b/lib/dns/rdataslab.c index 14c43818b80..d74e84ce4a6 100644 --- a/lib/dns/rdataslab.c +++ b/lib/dns/rdataslab.c @@ -112,6 +112,10 @@ fillin_offsets(unsigned char *offsetbase, unsigned int *offsettable, } #endif /* if DNS_RDATASET_FIXED */ +#ifndef DNS_RDATASET_MAX_RECORDS +#define DNS_RDATASET_MAX_RECORDS 100 +#endif /* DNS_RDATASET_MAX_RECORDS */ + isc_result_t dns_rdataslab_fromrdataset(dns_rdataset_t *rdataset, isc_mem_t *mctx, isc_region_t *region, unsigned int reservelen) { @@ -156,6 +160,10 @@ dns_rdataslab_fromrdataset(dns_rdataset_t *rdataset, isc_mem_t *mctx, return (ISC_R_SUCCESS); } + if (nitems > DNS_RDATASET_MAX_RECORDS) { + return (DNS_R_TOOMANYRECORDS); + } + if (nitems > 0xffff) { return (ISC_R_NOSPACE); } @@ -524,6 +532,10 @@ dns_rdataslab_merge(unsigned char *oslab, unsigned char *nslab, #endif /* if DNS_RDATASET_FIXED */ INSIST(ocount > 0 && ncount > 0); + if (ocount + ncount > DNS_RDATASET_MAX_RECORDS) { + return (DNS_R_TOOMANYRECORDS); + } + #if DNS_RDATASET_FIXED oncount = ncount; #endif /* if DNS_RDATASET_FIXED */
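Review bot: The new `DNS_RDATASET_MAX_RECORDS` fallback in the first rdataslab.c hunk has no comment saying what it bounds, and nothing rejects a nonsensical override at build time. An override above 0xffff cannot take effect, because the existing `nitems > 0xffff` test that follows the new check in dns_rdataslab_fromrdataset() still returns ISC_R_NOSPACE, and an override of 0 would make that function refuse every non-empty rdataset that reaches the check. I would add `/* Maximum number of records accepted in one RRset (effective ceiling 0xffff); bounds the cost of walking all records of a set. */` above the `#ifndef`, and after the `#endif` a guard: `#if DNS_RDATASET_MAX_RECORDS < 1`, `#error "DNS_RDATASET_MAX_RECORDS must be at least 1"`, `#endif`.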
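Review bot: Both new checks compare a raw count against the limit: `nitems` in dns_rdataslab_fromrdataset() and `ocount + ncount` in dns_rdataslab_merge(), the latter before the two slabs have been combined. If either function drops duplicate records later in its body (both bodies continue outside these hunks), an input can be refused with DNS_R_TOOMANYRECORDS although the stored set would fit; for a merge, two slabs that largely overlap are the obvious case. Checking early is probably intentional, since it refuses oversized input before any per-record work is done, so I would keep the code and say so at each site, e.g. `/* Deliberately checked before duplicate removal so oversized input is refused before any per-record work. */`. How callers handle or log the new DNS_R_TOOMANYRECORDS result is not visible in these hunks and is worth confirming, because a rejection at this layer carries no owner name.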