From: W.C.A. Wijngaards Date: Wed, 17 Jun 2026 14:15:15 +0000 (+0200) Subject: - Fix that fast_reload does not terminate the server if X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=4c5082ad05d9782f788ec3c61c017f8cc66db7ff;p=thirdparty%2Funbound.git - Fix that fast_reload does not terminate the server if random init for DNS cookies fails. The data is only random generated if cookies are enabled, and the random data is necessary. Thanks to Qifan Zhang, Palo Alto Networks, for the report. --- diff --git a/doc/Changelog b/doc/Changelog index 16b0e0f79..d2b37df10 100644 --- a/doc/Changelog +++ b/doc/Changelog @@ -58,6 +58,11 @@ - Fix that fast_reload does not terminate the server on config read failure after malloc failure. Thanks to Qifan Zhang, Palo Alto Networks, for the report. + - Fix that fast_reload does not terminate the server if + random init for DNS cookies fails. The data is only random + generated if cookies are enabled, and the random data + is necessary. Thanks to Qifan Zhang, Palo Alto Networks, + for the report. 16 June 2026: Wouter - Fix to disallow $INCLUDE for secondary zones. Start up diff --git a/util/config_file.c b/util/config_file.c index 428633b6c..ab209a818 100644 --- a/util/config_file.c +++ b/util/config_file.c @@ -94,7 +94,7 @@ struct config_parser_state* cfg_parser = 0; static void init_outgoing_availports(int* array, int num); /** init cookie with random data */ -static void init_cookie_secret(uint8_t* cookie_secret, size_t cookie_secret_len); +static int init_cookie_secret(struct config_file* cfg); struct config_file* config_create(void) @@ -390,8 +390,7 @@ config_create(void) #endif cfg->do_answer_cookie = 0; memset(cfg->cookie_secret, 0, sizeof(cfg->cookie_secret)); - cfg->cookie_secret_len = 16; - init_cookie_secret(cfg->cookie_secret, cfg->cookie_secret_len); + cfg->cookie_secret_len = 0; /* not set yet */ cfg->cookie_secret_file = NULL; #ifdef USE_CACHEDB if(!(cfg->cachedb_backend = strdup("testframe"))) goto error_exit; @@ -1577,6 +1576,8 @@ config_read(struct config_file* cfg, const char* filename, const char* chroot) } globfree(&g); config_auto_slab_values(cfg); + if(!init_cookie_secret(cfg)) + return 0; return 1; } #endif /* HAVE_GLOB */ @@ -1601,6 +1602,8 @@ config_read(struct config_file* cfg, const char* filename, const char* chroot) } config_auto_slab_values(cfg); + if(!init_cookie_secret(cfg)) + return 0; return 1; } @@ -1875,18 +1878,33 @@ config_delete(struct config_file* cfg) free(cfg); } -static void -init_cookie_secret(uint8_t* cookie_secret, size_t cookie_secret_len) +static int +init_cookie_secret(struct config_file* cfg) { - struct ub_randstate *rand = ub_initstate(NULL); + struct ub_randstate* rand; + size_t cookie_secret_len; + uint8_t* cookie_secret; + if(!cfg->do_answer_cookie) + return 1; + if(cfg->cookie_secret_file && cfg->cookie_secret_file[0]) + return 1; + if(cfg->cookie_secret_len != 0) + return 1; - if (!rand) - fatal_exit("could not init random generator"); + rand = ub_initstate(NULL); + if(!rand) { + log_err("init_cookie_secret: could not init random generator"); + return 0; + } + cfg->cookie_secret_len = 16; + cookie_secret_len = cfg->cookie_secret_len; + cookie_secret = cfg->cookie_secret; while (cookie_secret_len) { *cookie_secret++ = (uint8_t)ub_random(rand); cookie_secret_len--; } ub_randfree(rand); + return 1; } static void