From: Colin Vidal
Date: Wed, 19 Nov 2025 11:31:50 +0000 (+0100)
Subject: enforce bounds of multiple configuration options
X-Git-Tag: v9.21.17~4^2~4
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=fe326a8c2ffe147da1af443f7bd05b092b9991f9;p=thirdparty%2Fbind9.git

enforce bounds of multiple configuration options

The configuration options `edns-version`, `edns-udp-size`, `max-udp-size`, `no-cookie-udp-size` and `padding` now enforce boundaries. The configuration (including when using `named-checkconf`) now fails if those options are out of range.
---

diff --git a/lib/isccfg/check.c b/lib/isccfg/check.c
index c10916b82e6..ca726b737f8 100644
--- a/lib/isccfg/check.c
+++ b/lib/isccfg/check.c
@@ -1138,6 +1138,24 @@ check_listeners(const cfg_obj_t *list, const cfg_obj_t *config,
 	return result;
 }
 
+static void
+check_range_uint32(const cfg_obj_t *map, isc_result_t *result, const char *name,
+		   uint32_t lower, uint32_t upper) {
+	const cfg_obj_t *obj = NULL;
+	(void)cfg_map_get(map, name, &obj);
+	if (obj != NULL) {
+		uint32_t value = cfg_obj_asuint32(obj);
+		if (value < lower || value > upper) {
+			cfg_obj_log(obj, ISC_LOG_ERROR,
+				    "%s '%u' out of range (%u..%u)", name,
+				    value, lower, upper);
+			if (*result == ISC_R_SUCCESS) {
+				*result = ISC_R_RANGE;
+			}
+		}
+	}
+}
+
 static isc_result_t
 check_port(const cfg_obj_t *options, const char *type, in_port_t *portp) {
 	const cfg_obj_t *portobj = NULL;
@@ -2026,6 +2044,11 @@ check_options(const cfg_obj_t *options, const cfg_obj_t *config,
 		}
 	}
 
+	check_range_uint32(options, &result, "edns-udp-size", 512, 4096);
+	check_range_uint32(options, &result, "max-udp-size", 512, 4096);
+	check_range_uint32(options, &result, "nocookie-udp-size", 128,
+			   UINT32_MAX);
+
 	if (aclctx != NULL) {
 		cfg_aclconfctx_detach(&aclctx);
 	}
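Review bot: The cfg_obj_log format in check_range_uint32 prints three uint32_t arguments with `%u`, which is only correct where uint32_t happens to be unsigned int; the portable spelling is `"%s '%" PRIu32 "' out of range (%" PRIu32 "..%" PRIu32 ")"` (PRIu32 comes from <inttypes.h>, if check.c does not already have it in scope). The helper also carries no comment; I would add, above `static void`, a short block saying that it logs an error and sets *result to ISC_R_RANGE when the option called name is present in map and lies outside [lower, upper], and that an earlier non-success value in *result is left untouched. It further relies on the named option being declared with a uint32 representation: if cfg_obj_asuint32 asserts on the representation, as I believe it does, a caller passing a differently typed option name would abort rather than report a configuration error, so that precondition belongs in the same comment. check_port continues outside the hunk.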
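Review bot: The `nocookie-udp-size` call passes UINT32_MAX as the upper bound, so the `value > upper` test in check_range_uint32 can never be true and this call enforces only the 128 lower bound; if that is intended, a comment such as `/* no upper limit: only the 128-octet minimum is enforced */` above the call would stop a reader assuming a cap was forgotten, and if the runtime clamps this value against max-udp-size the cap should be 4096 here as well. The 512/4096 literals are duplicated between this hunk and the check_servers hunk; one named pair in check.c (an enum with minimum and maximum UDP payload size constants) used at both call sites would keep the two from drifting. Separately, the commit description names the option `no-cookie-udp-size` while the code checks `nocookie-udp-size`. check_options starts outside the hunk.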
@@ -4799,6 +4822,11 @@ check_servers(const cfg_obj_t *config, const cfg_obj_t *voptions,
 		}
 	}
 	dns_peer_detach(&peer);
+
+	check_range_uint32(v1, &result, "edns-udp-size", 512, 4096);
+	check_range_uint32(v1, &result, "max-udp-size", 512, 4096);
+	check_range_uint32(v1, &result, "edns-version", 0, 255);
+	check_range_uint32(v1, &result, "padding", 0, 512);
 	}
 	return result;
 }
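Review bot: The four bounds added to check_servers are bare literals with no stated rationale; a one-line comment above the calls, e.g. `/* EDNS version is an 8-bit field; UDP payload sizes below 512 are treated as 512 (RFC 6891). */`, would record where 255 and 512 come from. A lower bound of 0 on a uint32_t is vacuous, so the `edns-version` and `padding` calls effectively enforce only their upper limit, which is fine but worth a word in that comment. check_servers starts outside the hunk, so I cannot see whether every path through the per-server loop reaches these calls rather than continuing before `dns_peer_detach(&peer)`.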