Ondřej Surý [Mon, 6 Dec 2021 10:10:17 +0000 (11:10 +0100)]
Stop leaking mutex in nmworker and cond in nm socket
On FreeBSD, the pthread primitives are not solely allocated on stack,
but part of the object lives on the heap. Missing pthread_*_destroy
causes the heap memory to grow and in case of fast lived object it's
possible to run out-of-memory.
Properly destroy the leaking mutex (worker->lock) and
the leaking condition (sock->cond).
Ondřej Surý [Wed, 1 Dec 2021 16:41:20 +0000 (17:41 +0100)]
Improve the logging on failed TCP accept
Previously, when TCP accept failed, we have logged a message with
ISC_LOG_ERROR level. One common case, how this could happen is that the
client hits TCP client quota and is put on hold and when resumed, the
client has already given up and closed the TCP connection. In such
case, the named would log:
TCP connection failed: socket is not connected
This message was quite confusing because it actually doesn't say that
it's related to the accepting the TCP connection and also it logs
everything on the ISC_LOG_ERROR level.
Change the log message to "Accepting TCP connection failed" and for
specific error states lower the severity of the log message to
ISC_LOG_INFO.
Aram Sargsyan [Mon, 11 Oct 2021 18:13:39 +0000 (18:13 +0000)]
Fix catalog zone reconfiguration crash
The following scenario triggers a "named" crash:
1. Configure a catalog zone.
2. Start "named".
3. Comment out the "catalog-zone" clause.
4. Run `rndc reconfig`.
5. Uncomment the "catalog-zone" clause.
6. Run `rndc reconfig` again.
Implement the required cleanup of the in-memory catalog zone during
the first `rndc reconfig`, so that the second `rndc reconfig` could
find it in an expected state.
Mark Andrews [Tue, 9 Nov 2021 00:39:52 +0000 (11:39 +1100)]
Suppress OpenSSL deprecated warnings from OpensSSL 3.0.0
We are not back porting OpenSSL 3.0.0 fixes to this branch so there
is no point in emitting warnings about using deprecated code.
Additionally this impacts --enable-developer and --enable-warn-error.
Mark Andrews [Thu, 25 Nov 2021 02:16:56 +0000 (13:16 +1100)]
Exercise ISC_R_NOSPACE path in dns_sdlz_putrr
Use relative names when adding SOA record and a long domain
name to create SOA RR where the wire format is longer than
the initial buffer allocation in dns_sdlz_putrr.
Mark Andrews [Wed, 24 Nov 2021 00:03:19 +0000 (11:03 +1100)]
Do not convert ISC_R_NOSPACE to DNS_R_SERVFAIL too early
The parsing loop needs to process ISC_R_NOSPACE to properly
size the buffer. If result is still ISC_R_NOSPACE at the end
of the parsing loop set result to DNS_R_SERVFAIL.
Michal Nowak [Wed, 24 Nov 2021 15:50:57 +0000 (16:50 +0100)]
Fix "array subscript is of type 'char'" on NetBSD 9
In file included from rdata.c:602:
In file included from ./code.h:88:
./rdata/in_1/svcb_64.c:259:9: warning: array subscript is of type 'char' [-Wchar-subscripts]
if (!isdigit(*region->base)) {
^~~~~~~~~~~~~~~~~~~~~~
/usr/include/sys/ctype_inline.h:51:44: note: expanded from macro 'isdigit'
#define isdigit(c) ((int)((_ctype_tab_ + 1)[(c)] & _CTYPE_D))
^~~~
Petr Špaček [Mon, 8 Nov 2021 15:43:05 +0000 (16:43 +0100)]
Add missing PYTHONPATH variable export to pylint job in CI
The old .gitlab-ci.yaml accidentally worked because pylint
was importing modules internally, probably as a side-effect
of testing other code.
This pylint invocation errors out when PYTHONPATH is not set:
$ pylint --rcfile $CI_PROJECT_DIR/.pylintrc bin/tests/system/keymgr/testpolicy.py
************* Module testpolicy
bin/tests/system/keymgr/testpolicy.py:13:0: E0401: Unable to import 'isc' (import-error)
And this invocation works even without PYTHONPATH:
$ pylint --rcfile $CI_PROJECT_DIR/.pylintrc bin/python/setup.py bin/tests/system/keymgr/testpolicy.py
Petr Špaček [Mon, 21 Jun 2021 12:51:43 +0000 (14:51 +0200)]
Add new system test for wildcard expansion
This is almost minimal prototype to show how to use python-hypothesis
library in a system test. It does not fully replace existing shell-based
system test for wildcards.
Petr Špaček [Fri, 5 Nov 2021 10:39:07 +0000 (11:39 +0100)]
Automatically cancel CI jobs on outdated branches
Gitlab feature
https://docs.gitlab.com/ee/ci/pipelines/settings.html#auto-cancel-redundant-pipelines
can automatically cancel jobs which operate on an outdated code, i.e. on
branches which received new commits while jobs with an older set of
commits are still running. For this feature to work jobs have to be
configured with boolean interruptible: true.
I think practically all of our current CI jobs can be cancelled,
so the option is now on by default for all jobs.
Petr Špaček [Thu, 28 Oct 2021 14:39:20 +0000 (16:39 +0200)]
retain diff output if clang-format changes something
It's major PITA trying to guess what exactly clang-format has changed,
so how CI stores patch file with changes which can be applied locally if
needed.
Aram Sargsyan [Wed, 27 Oct 2021 19:52:05 +0000 (19:52 +0000)]
Add dst_key_pubcompare and dst_key_compare unit test
The dst_key_pubcompare() and dst_key_compare() didn't have a unit test,
add the unit tests which test comparing the same keys, different keys,
and, where possible, similar keys with a manually altered parameter.
dst_key_pubcompare() internally uses the *_todns() functions of the
lib/dns/openssl*_link.c modules.
dst_key_compare() internally uses the *_compare() functions of the
lib/dns/openssl*_link.c modules.
Michał Kępień [Thu, 28 Oct 2021 12:03:04 +0000 (14:03 +0200)]
Disable PyLint warning C0209
PyLint 2.11 reports a new warning, C0209 (consider-using-f-string).
Since f-strings are only available in Python 3.6+, existing scripts
cannot be updated to use this feature just yet because they would stop
working with older Python versions. Instead, disable PyLint warning
C0209 for the time being. Sort all disabled warnings in .pylintrc.
Michał Kępień [Thu, 28 Oct 2021 10:22:33 +0000 (12:22 +0200)]
Move CHANGES entry for GL #2308
GL #2308 was originally referenced by CHANGES entry 5727. However, the
corresponding code change turned out to be flawed and had to be reverted
in BIND 9.16.22, causing CHANGES entry 5727 to be removed on the release
branch.
Commit d329d47bae68c1cc90374397b4756a8f2487895e subsequently addressed
the flaw, so the fix for GL #2308 will be included in BIND 9.16.23.
Move the relevant CHANGES entry to reflect that.
Enable lame response detection even with disabled lame cache
Previously, when lame cache would be disabled by setting lame-ttl to 0,
it would also disable lame answer detection. In this commit, we enable
the lame response detection even when the lame cache is disabled. This
enables stopping answer processing early rather than going through the
whole answer processing flow.
The lame-ttl cache is implemented in ADB as per-server locked
linked-list "indexed" with <qname,qtype>. This list has to be walked
every time there's a new query or new record added into the lame cache.
Determined attacker can use this to degrade performance of the resolver.
Resolver testing has shown that disabling the lame cache has little
impact on the resolver performance and it's a minimal viable defense
against this kind of attack.
Evan Hunt [Sun, 17 Oct 2021 18:45:21 +0000 (11:45 -0700)]
Fix catz test error
The catz system test included a test case that was looking for a single
answer record after an update, when it should have been looking for two.
The test usually passed because of timing - the first dig usually got a
response before the update was completed - but occasionally the update
processed fast enough for the test to fail. On investigation, it turned
out to be the test that was wrong.
Evan Hunt [Sun, 17 Oct 2021 18:45:21 +0000 (11:45 -0700)]
Fix digdelv test error
The digdelv system test has a test case in which stderr was
included in the dig output. When trace logging was in use,
this confused the grep and caused a spurious test failure.
Mark Andrews [Wed, 13 Oct 2021 06:39:00 +0000 (17:39 +1100)]
Check that existing catalog zone entries are preserved
Update the 'catz' system test by adding tests that update an
catalog zone (catalog1.example) while preserving existing entries
(increase SOA serial) then check that catalog zone has transferred
and that the existing entries have not accidentally been removed
as a consequence (can return updated zone content).
Mark Andrews [Wed, 13 Oct 2021 06:06:48 +0000 (17:06 +1100)]
Prevent existing catalog zone entries being incorrectly deleted
After receiving a new version of a catalog zone it is required
to merge it with the old version.
The algorithm walks through the new version's hash table and applies
the following logic:
1. If an entry from the new version does not exist in the old
version, then it's a new entry, add the entry to the `toadd` hash
table.
2. If the zone does not exist in the set of configured zones, because
it was deleted via rndc delzone or it was removed from another
catalog zone instance, then add into to the `toadd` hash table to
be reinstantiated.
3. If an entry from the new version also exists in the old version,
but is modified, then add the entry to the `tomod` hash table, then
remove it from the old version's hash table.
4. If an entry from the new version also exists in the old version and
is the same (unmodified) then just remove it from the old version's
hash table.
The algorithm then deletes all the remaining zones which still exist
in the old version's hash table (because only the ones that don't
exist in the new version should now remain there), then adds the ones
that were added to the `toadd`, and modifies the ones that were added
to the `tomod`, completing the merge.
During a recent refactoring, the part when the entry should be
removed from the old version's hash table on condition (4.) above
was accidentally omitted, so the unmodified zones were remaining
in the old version's hash table and consequently being deleted.
Michal Nowak [Thu, 18 Feb 2021 15:19:57 +0000 (16:19 +0100)]
Use Fedora image for GCC ASAN and TSAN CI jobs
For the sake of running ASAN and TSAN jobs with the latest stable GCC,
replace "base image" (Debian Buster with GCC 8.3.0) with Fedora 34 image
with GCC 11.
projects / thirdparty / bind9.git / log
