]> git.ipfire.org Git - thirdparty/bind9.git/log
thirdparty/bind9.git
4 years agoMerge branch '2473-run-respdiff-as-part-of-daily-runs' into 'main'
Michal Nowak [Thu, 22 Jul 2021 12:15:24 +0000 (12:15 +0000)] 
Merge branch '2473-run-respdiff-as-part-of-daily-runs' into 'main'

Run respdiff CI job for scheduled and web pipelines

Closes #2473

See merge request isc-projects/bind9!4710

4 years agoRun respdiff also for scheduled and web pipelines
Michal Nowak [Thu, 18 Feb 2021 15:28:31 +0000 (16:28 +0100)] 
Run respdiff also for scheduled and web pipelines

respdiff needs to be run regularly to identify problems with query
responses discrepancies sooner than after tagging a release.

MAX_DISAGREEMENTS_PERCENTAGE variable is set to 0.5 on the main branch
to make room for a greater number of response disagreements between a
relatively old baseline version and the Development Version.

4 years agoMerge branch '2831-use-static-storage-for-ctx-water' into 'main'
Ondřej Surý [Thu, 22 Jul 2021 10:19:50 +0000 (10:19 +0000)] 
Merge branch '2831-use-static-storage-for-ctx-water' into 'main'

Use static storage for isc_mem water_t

Closes #2831

See merge request isc-projects/bind9!5295

4 years agoUse static storage for isc_mem water_t
Ondřej Surý [Thu, 22 Jul 2021 04:14:32 +0000 (06:14 +0200)] 
Use static storage for isc_mem water_t

On the isc_mem water change the old water_t structure could be used
after free.  Instead of introducing reference counting on the hot-path
we are going to introduce additional constraints on the
isc_mem_setwater.  Once it's set for the first time, the additional
calls have to be made with the same water and water_arg arguments.

4 years agoMerge branch '2833-notify-delay-doc' into 'main'
Evan Hunt [Thu, 22 Jul 2021 02:57:36 +0000 (02:57 +0000)] 
Merge branch '2833-notify-delay-doc' into 'main'

clarify 'notify-delay' documentation

Closes #2833

See merge request isc-projects/bind9!5293

4 years agoclarify 'notify-delay' documentation
Evan Hunt [Wed, 21 Jul 2021 21:39:48 +0000 (14:39 -0700)] 
clarify 'notify-delay' documentation

- the explanation was unclear
- the reference to 'serial-query-rate' was outdated

4 years agoMerge branch 'ondrej/reduce-the-node-lock-count' into 'main' 5292/head
Ondřej Surý [Wed, 21 Jul 2021 15:36:27 +0000 (15:36 +0000)] 
Merge branch 'ondrej/reduce-the-node-lock-count' into 'main'

Reduce the nodelock count for both cache and regular rbtdb

Closes #2829

See merge request isc-projects/bind9!5282

4 years agoAdd CHANGES note for [GL #2829]
Ondřej Surý [Tue, 20 Jul 2021 07:56:10 +0000 (09:56 +0200)] 
Add CHANGES note for [GL #2829]

4 years agoReduce the nodelock count for both cache and regular rbtdb
Ondřej Surý [Mon, 19 Jul 2021 08:17:12 +0000 (10:17 +0200)] 
Reduce the nodelock count for both cache and regular rbtdb

Increasing the nodelock count had major impact on the memory footprint
in scenarios where multiple rbtdb structure would be created like
hosting many zones in a single server.

This reverts commit 03446843856a3efbaaec41409b5eea5542501118 and sets
the nodelock count to previously used values.

4 years agoMerge branch 'mnowak/support-cross-compilation-on-buster' into 'main'
Michal Nowak [Wed, 21 Jul 2021 09:26:00 +0000 (09:26 +0000)] 
Merge branch 'mnowak/support-cross-compilation-on-buster' into 'main'

Add 32-bit cross-compiled builds on Debian Buster

See merge request isc-projects/bind9!4516

4 years agoAdd 32-bit cross-compiled CI jobs on Debian Buster
Michal Nowak [Thu, 17 Dec 2020 10:31:05 +0000 (11:31 +0100)] 
Add 32-bit cross-compiled CI jobs on Debian Buster

Since the forced removal of gcc:sid:i386 in 0aacabc6, we lacked a 32-bit
environment to build and test BIND 9 in the CI. gcc:buster:amd64cross32
adds an environment to cross-compile BIND 9 to 32-bits on Debian Buster
amd64 image with 32-bit BIND 9 dependencies. Commit also adds sanity
checks to ensure that compiled objects are not of the build platform
triplet type.

4 years agoMerge branch '2762-check-opcode' into 'main'
Mark Andrews [Wed, 21 Jul 2021 02:38:13 +0000 (02:38 +0000)] 
Merge branch '2762-check-opcode' into 'main'

check returned opcodes

Closes #2762

See merge request isc-projects/bind9!5286

4 years agoadd release note for [GL #2762]
Mark Andrews [Fri, 11 Jun 2021 07:19:59 +0000 (17:19 +1000)] 
add release note for [GL #2762]

4 years agoAdd CHANGES for [GL #2762]
Mark Andrews [Fri, 11 Jun 2021 07:11:58 +0000 (17:11 +1000)] 
Add CHANGES for [GL #2762]

4 years agocheck nsupdate handles UPDATE response to QUERY
Mark Andrews [Wed, 14 Jul 2021 21:27:55 +0000 (07:27 +1000)] 
check nsupdate handles UPDATE response to QUERY

4 years agodns_rdata_tostruct() should reject rdata with DNS_RDATA_UPDATE set
Mark Andrews [Thu, 10 Jun 2021 00:14:17 +0000 (10:14 +1000)] 
dns_rdata_tostruct() should reject rdata with DNS_RDATA_UPDATE set

4 years agoCheck opcode of messages returned by dns_request_getresponse
Mark Andrews [Fri, 11 Jun 2021 06:58:15 +0000 (16:58 +1000)] 
Check opcode of messages returned by dns_request_getresponse

4 years agoMerge branch 'mnowak/process-core-dumps-when-named-fails-to-start' into 'main'
Michal Nowak [Fri, 16 Jul 2021 16:13:54 +0000 (16:13 +0000)] 
Merge branch 'mnowak/process-core-dumps-when-named-fails-to-start' into 'main'

Process core dump from named which failed to start

See merge request isc-projects/bind9!4987

4 years agoFix handling of restart option in run.sh
Michal Nowak [Tue, 11 May 2021 16:06:59 +0000 (18:06 +0200)] 
Fix handling of restart option in run.sh

The support for stat.pl's --restart option was incomplete in run.sh.
This change makes sure it's handled properly and that named.run file is
not being removed by clean.sh when the --restart option is used.

4 years agoProcess core dump from named which failed to start
Michal Nowak [Tue, 4 May 2021 10:58:23 +0000 (12:58 +0200)] 
Process core dump from named which failed to start

When named failed to start and produced core dump, the core file wasn't
processed by GDB because of run.sh script exiting immediately. This
remedies the limitation, simplifies the surrounding code, and makes the
script shellcheck clean.

4 years agoMerge branch 'mnowak/replace-literal-blocks-with-anchors' into 'main'
Michal Nowak [Fri, 16 Jul 2021 14:21:36 +0000 (14:21 +0000)] 
Merge branch 'mnowak/replace-literal-blocks-with-anchors' into 'main'

Use anchors instead of literal blocks in .gitlab-ci.yml

See merge request isc-projects/bind9!4742

4 years agoUse anchors instead of literal blocks in .gitlab-ci.yml
Michal Nowak [Wed, 24 Feb 2021 12:50:46 +0000 (13:50 +0100)] 
Use anchors instead of literal blocks in .gitlab-ci.yml

Anchor lets the user see the full command logged in GitLab CI:

    ${CONFIGURE} --disable-maintainer-mode --enable-developer ...

Instead of a folded multi-line when literal block is used:

    ${CONFIGURE} \ # collapsed multi-line command

4 years agoMerge branch 'artem/doh-quota-integration' into 'main'
Artem Boldariev [Fri, 16 Jul 2021 09:41:01 +0000 (09:41 +0000)] 
Merge branch 'artem/doh-quota-integration' into 'main'

Make DoH-quota separate and configurable, make it possible to limit the number of HTTP/2 streams per connection

See merge request isc-projects/bind9!5036

4 years agoAdd a missing break on error when adding a DoH endpoint
Artem Boldariev [Mon, 12 Jul 2021 15:25:25 +0000 (18:25 +0300)] 
Add a missing break on error when adding a DoH endpoint

The break on error when adding a DoH endpoint was implied but somehow
gotten missed. This commit fixes that.

4 years agoUpdate documentation to include the new HTTP configuration options
Artem Boldariev [Wed, 23 Jun 2021 11:37:33 +0000 (14:37 +0300)] 
Update documentation to include the new HTTP configuration options

Documentation for the new DoH options has been added.

4 years agoAdd a system test that tests connections quota for DoH
Artem Boldariev [Mon, 14 Jun 2021 13:40:27 +0000 (16:40 +0300)] 
Add a system test that tests connections quota for DoH

The system tests stress out the DoH quota by opening many TCP
connections and then running dig instances against the "overloaded"
server to perform some queries. The processes cannot make any
resolutions because the quota is exceeded. Then the opened connections
are getting closed in random order allowing the queries to proceed.

4 years agomodify CHANGES [GL #2809]
Artem Boldariev [Thu, 20 May 2021 15:17:26 +0000 (18:17 +0300)] 
modify CHANGES [GL #2809]

Document the new HTTP specific options in the CHANGES file.

4 years agoUpdate grammar reference documentation
Artem Boldariev [Thu, 20 May 2021 11:00:04 +0000 (14:00 +0300)] 
Update grammar reference documentation

This commit updates the named grammar reference according to the
latest changes.

4 years agoMake max number of HTTP/2 streams configurable
Artem Boldariev [Tue, 18 May 2021 09:03:58 +0000 (12:03 +0300)] 
Make max number of HTTP/2 streams configurable

This commit makes number of concurrent HTTP/2 streams per connection
configurable as a mean to fight DDoS attacks. As soon as the limit is
reached, BIND terminates the whole session.

The commit adds a global configuration
option (http-streams-per-connection) which can be overridden in an
http <name> {...} statement like follows:

http local-http-server {
    ...
    streams-per-connection 100;
    ...
};

For now the default value is 100, which should be enough (e.g. NGINX
uses 128, but it is a full-featured WEB-server). When using lower
numbers (e.g. ~70), it is possible to hit the limit with
e.g. flamethrower.

4 years agoAdd (http-)listener-clients option (DoH quota mechanism)
Artem Boldariev [Fri, 14 May 2021 11:18:57 +0000 (14:18 +0300)] 
Add (http-)listener-clients option (DoH quota mechanism)

This commit adds support for http-listener-clients global options as
well as ability to override the default in an HTTP server description,
like:

http local-http-server {
    ...
    listener-clients 100;
    ...
};

This way we have ability to specify per-listener active connections
quota globally and then override it when required. This is exactly
what AT&T requested us: they wanted a functionality to specify quota
globally and then override it for specific IPs. This change
functionality makes such a configuration possible.

It makes sense: for example, one could have different quotas for
internal and external clients. Or, for example, one could use BIND's
internal ability to serve encrypted DoH with some sane quota value for
internal clients, while having un-encrypted DoH listener without quota
to put BIND behind a load balancer doing TLS offloading for external
clients.

Moreover, the code no more shares the quota with TCP, which makes
little sense anyway (see tcp-clients option), because of the nature of
interaction of DoH clients: they tend to keep idle opened connections
for longer periods of time, preventing the TCP and TLS client from
being served. Thus, the need to have a separate, generally larger,
quota for them.

Also, the change makes any option within "http <name> { ... };"
statement optional, making it easier to override only required default
options.

By default, the DoH connections are limited to 300 per listener. I
hope that it is a good initial guesstimate.

4 years agoMerge branch 'artem/doh-http-path-validation' into 'main'
Artem Boldariev [Fri, 16 Jul 2021 07:51:43 +0000 (07:51 +0000)] 
Merge branch 'artem/doh-http-path-validation' into 'main'

Verify HTTP paths both in incoming requests and in config file

See merge request isc-projects/bind9!5231

4 years agoUpdate CHANGES
Artem Boldariev [Fri, 25 Jun 2021 09:09:22 +0000 (12:09 +0300)] 
Update CHANGES

The CHANGES file was updated to include information that configuration
checking code now verifies HTTP paths properly.

4 years agoVerify HTTP paths both in incoming requests and in config file
Artem Boldariev [Wed, 19 May 2021 15:03:11 +0000 (18:03 +0300)] 
Verify HTTP paths both in incoming requests and in config file

This commit adds the code (and some tests) which allows verifying
validity of HTTP paths both in incoming HTTP requests and in BIND's
configuration file.

4 years agoMerge branch '2759-extend-tests-for-signed-cname-sourced-delegations' into 'main'
Michał Kępień [Fri, 16 Jul 2021 05:23:15 +0000 (05:23 +0000)] 
Merge branch '2759-extend-tests-for-signed-cname-sourced-delegations' into 'main'

Extend tests for signed, CNAME-sourced delegations

Closes #2759

See merge request isc-projects/bind9!5272

4 years agoExtend tests for signed, CNAME-sourced delegations
Michał Kępień [Fri, 16 Jul 2021 05:20:15 +0000 (07:20 +0200)] 
Extend tests for signed, CNAME-sourced delegations

Extend the "chain" system test with AUTHORITY section checks for signed,
secure delegations.  This complements the checks for signed, insecure
delegations added by commit 26ec4b9a89720e6d5630ad8cf5da6fe357dee32a.

Extend the existing AUTHORITY section checks for signed, insecure
delegations to ensure nonexistence of DS RRsets in such responses.
Adjust comments accordingly.

Ensure dig failures cause the "chain" system test to fail.

4 years agoTweak query_addds() comments to avoid confusion
Michał Kępień [Fri, 16 Jul 2021 05:20:15 +0000 (07:20 +0200)] 
Tweak query_addds() comments to avoid confusion

It has been noticed that commit 7a87bf468b9e092bf65db55a8e9234853c7db63d
did not only fix NSEC record handling in signed, insecure delegations
prepared using both wildcard expansion and CNAME chaining - it also
inadvertently fixed DS record handling in signed, secure delegations
of that flavor.  This is because the 'rdataset' variable in the relevant
location in query_addds() can be either a DS RRset or an NSEC RRset.
Update a code comment in query_addds() to avoid confusion.

Update the comments describing the purpose of query_addds() so that they
also mention NSEC(3) records.

4 years agoMerge branch '2820-rndc-reconfig-does-not-act-on-change-to-zone-statistics' into...
Mark Andrews [Fri, 16 Jul 2021 04:09:53 +0000 (04:09 +0000)] 
Merge branch '2820-rndc-reconfig-does-not-act-on-change-to-zone-statistics' into 'main'

Resolve "rndc reconfig does not act on change to zone-statistics"

Closes #2820

See merge request isc-projects/bind9!5271

4 years agoAdd CHANGES for [GL #2820]
Mark Andrews [Wed, 14 Jul 2021 00:20:13 +0000 (10:20 +1000)] 
Add CHANGES for [GL #2820]

4 years agozone->requeststats_on was not being set at the correct point
Mark Andrews [Tue, 13 Jul 2021 23:59:47 +0000 (09:59 +1000)] 
zone->requeststats_on was not being set at the correct point

4 years agoTest that 'zone-statistics full;' is properly processed
Mark Andrews [Tue, 13 Jul 2021 23:58:50 +0000 (09:58 +1000)] 
Test that 'zone-statistics full;' is properly processed

5 years agoMerge branch '2710-multisigner-cds' into 'main'
Matthijs Mekking [Thu, 15 Jul 2021 07:24:09 +0000 (07:24 +0000)] 
Merge branch '2710-multisigner-cds' into 'main'

Allow update CDS/CDNSKEY records that do not match DNSKEY

Closes #2710

See merge request isc-projects/bind9!5270

5 years agoAdd change and release notes [#2710]
Matthijs Mekking [Tue, 13 Jul 2021 15:34:30 +0000 (17:34 +0200)] 
Add change and release notes [#2710]

5 years agoRelax zone_cdscheck function
Matthijs Mekking [Tue, 13 Jul 2021 09:05:35 +0000 (11:05 +0200)] 
Relax zone_cdscheck function

If we have a CDS or CDNSKEY we at least need to have a DNSKEY with the
same algorithm published and signing the CDS RRset. Same for CDNSKEY
of course.

This relaxes the zone_cdscheck function, because before the CDS or
CDNSKEY had to match a DNSKEY, now only the algorithm has to match.

This allows a provider in a multisigner model to update the CDS/CDNSKEY
RRset in the zone that is served by the other provider.

5 years agoAdd test for allowing update CDS/CDNSKEY
Matthijs Mekking [Tue, 13 Jul 2021 09:04:44 +0000 (11:04 +0200)] 
Add test for allowing update CDS/CDNSKEY

Add tests to the nsupdate system test to make sure that CDS and/or
CDNSKEY that match an algorithm in the DNSKEY RRset are allowed. Also
add tests that updates are rejected if the algorithm does not match.

Remove the now redundant test cases from the dnssec system test.

Update the checkzone system test: Change the algorithm of the CDS and
CDNSKEY records so that the zone is still rejected.

5 years agoMerge branch 'each-doc-trampoline' into 'main'
Evan Hunt [Wed, 14 Jul 2021 17:59:28 +0000 (17:59 +0000)] 
Merge branch 'each-doc-trampoline' into 'main'

document isc__trampoline

See merge request isc-projects/bind9!5116

5 years agodocument isc__trampoline
Evan Hunt [Fri, 28 May 2021 20:47:59 +0000 (13:47 -0700)] 
document isc__trampoline

Added some header file documentation to the isc__trampoline
implementation in trampoline_p.h.

5 years agoMerge branch 'artem/doh-empty-query-string-crash-fix' into 'main'
Artem Boldariev [Tue, 13 Jul 2021 13:55:30 +0000 (13:55 +0000)] 
Merge branch 'artem/doh-empty-query-string-crash-fix' into 'main'

Fix crash in DoH on empty query string in GET requests

See merge request isc-projects/bind9!5268

5 years agoAdd CHANGES for [GL !5268]
Artem Boldariev [Tue, 13 Jul 2021 13:12:31 +0000 (16:12 +0300)] 
Add CHANGES for [GL !5268]

The commit updates the CHANGES file adding a note about a crash caused
by improper handling of DoH GET requests.

5 years agoFix crash in DoH on empty query string in GET requests
Artem Boldariev [Tue, 13 Jul 2021 12:44:15 +0000 (15:44 +0300)] 
Fix crash in DoH on empty query string in GET requests

An unhandled code path left GET query string data uninitialised (equal
to NULL) and led to a crash during the requests' base64 data
decoding. This commit fixes that.

5 years agoMerge branch '2822-inconsistent-recursive-performance' into 'main'
Ondřej Surý [Tue, 13 Jul 2021 13:50:53 +0000 (13:50 +0000)] 
Merge branch '2822-inconsistent-recursive-performance' into 'main'

Disable setting the thread affinity

Closes #2822

See merge request isc-projects/bind9!5265

5 years agoAdd CHANGES and release notes for [GL #2822]
Ondřej Surý [Tue, 13 Jul 2021 08:10:16 +0000 (10:10 +0200)] 
Add CHANGES and release notes for [GL #2822]

5 years agoDisable the cpu system test
Ondřej Surý [Tue, 13 Jul 2021 08:19:56 +0000 (10:19 +0200)] 
Disable the cpu system test

As we don't set the thread affinity, the cpu test would consistently
fail.  Disable it, but don't remove it as we might restore setting the
affinity in the future versions of BIND 9.

5 years agoDisable setting the thread affinity
Ondřej Surý [Tue, 13 Jul 2021 07:51:49 +0000 (09:51 +0200)] 
Disable setting the thread affinity

It was discovered that setting the thread affinity on both the netmgr
and netthread threads lead to inconsistent recursive performance because
sometimes the netmgr and netthread threads would compete over single
resource and sometimes not.

Removing setting the affinity causes a slight dip in the authoritative
performance around 5% (the measured range was from 3.8% to 7.8%), but
the recursive performance is now consistently good.

5 years agoMerge branch '2815-increase-sizeinfo-memory-alignment-on-OpenBSD' into 'main'
Ondřej Surý [Tue, 13 Jul 2021 12:00:01 +0000 (12:00 +0000)] 
Merge branch '2815-increase-sizeinfo-memory-alignment-on-OpenBSD' into 'main'

Use max_align_t for memory sizeinfo alignment on OpenBSD

Closes #2815

See merge request isc-projects/bind9!5267

5 years agoUse max_align_t for memory sizeinfo alignment on OpenBSD
Ondrej Sury [Tue, 13 Jul 2021 10:35:52 +0000 (12:35 +0200)] 
Use max_align_t for memory sizeinfo alignment on OpenBSD

On OpenBSD and more generally on platforms without either jemalloc or
malloc_(usable_)size, we need to increase the alignment for the memory
to sizeof(max_align_t) as with plain sizeof(void *), the compiled code
would be crashing when accessing the returned memory.

5 years agoMerge branch '2811-checkds-memleak-shutdown' into 'main'
Matthijs Mekking [Tue, 13 Jul 2021 09:50:33 +0000 (09:50 +0000)] 
Merge branch '2811-checkds-memleak-shutdown' into 'main'

Fix leak in checkds code

Closes #2811

See merge request isc-projects/bind9!5262

5 years agoAdd change entry for [#2811]
Matthijs Mekking [Mon, 12 Jul 2021 09:02:13 +0000 (11:02 +0200)] 
Add change entry for [#2811]

5 years agoFix leak in checkds code
Matthijs Mekking [Mon, 12 Jul 2021 08:10:12 +0000 (10:10 +0200)] 
Fix leak in checkds code

In 'checkds_send_toaddr' there is a goto bug that causes the TSIG key
and DNS message to not be detached. Remove the offending goto statement.

5 years agoMerge branch '2819-cache-the-isc_os_ncpu-result' into 'main'
Ondřej Surý [Tue, 13 Jul 2021 07:55:51 +0000 (07:55 +0000)] 
Merge branch '2819-cache-the-isc_os_ncpu-result' into 'main'

Cache the isc_os_ncpu() result

Closes #2819

See merge request isc-projects/bind9!5263

5 years agoCache the isc_os_ncpu() result
Ondrej Sury [Mon, 12 Jul 2021 12:21:21 +0000 (14:21 +0200)] 
Cache the isc_os_ncpu() result

It was discovered that on some platforms (f.e. Alpine Linux with MUSL)
the result of isc_os_ncpus() call differ when called before and after we
drop privileges.  This commit changes the isc_os_ncpus() call to cache
the result from the first call and thus always return the same value
during the runtime of the named.  The first call to isc_os_ncpus() is
made as soon as possible on the library initalization.

5 years agoMerge branch '2816-mem-c-739-2-runtime-error-null-pointer-returned-from-function...
Ondřej Surý [Mon, 12 Jul 2021 08:23:40 +0000 (08:23 +0000)] 
Merge branch '2816-mem-c-739-2-runtime-error-null-pointer-returned-from-function-declared-to-never-return-null' into 'main'

Remove nonnull attribute from isc_mem_{get,allocate,reallocate}

Closes #2816

See merge request isc-projects/bind9!5261

5 years agoMerge branch '2815-crashes-related-to-memory-reallocation-on-openbsd' into 'main'
Ondřej Surý [Mon, 12 Jul 2021 08:06:09 +0000 (08:06 +0000)] 
Merge branch '2815-crashes-related-to-memory-reallocation-on-openbsd' into 'main'

Fix the real allocation size in OpenBSD rallocx shim

Closes #2815

See merge request isc-projects/bind9!5260

5 years agoRemove nonnull attribute from isc_mem_{get,allocate,reallocate}
Ondřej Surý [Mon, 12 Jul 2021 07:18:12 +0000 (09:18 +0200)] 
Remove nonnull attribute from isc_mem_{get,allocate,reallocate}

The isc_mem_get(), isc_mem_allocate() and isc_mem_reallocate() can
return NULL ptr in case where the allocation size is NULL.  Remove the
nonnull attribute from the functions' declarations.

This stems from the following definition in the C11 standard:

> If the size of the space requested is zero, the behavior is
> implementation-defined: either a null pointer is returned, or the
> behavior is as if the size were some nonzero value, except that the
> returned pointer shall not be used to access an object.

In this case, we return NULL as it's easier to detect errors when
accessing pointer from zero-sized allocation which should obviously
never happen.

5 years agoFix the real allocation size in OpenBSD rallocx shim
Ondřej Surý [Mon, 12 Jul 2021 06:43:14 +0000 (08:43 +0200)] 
Fix the real allocation size in OpenBSD rallocx shim

In the rallocx() shim for OpenBSD (that's the only platform that doesn't
have malloc_size() or malloc_usable_size() equivalent), the newly
allocated size was missing the extra size_t member for storing the
allocation size leading to size_t sized overflow at the end of the
reallocated memory chunk.

5 years agoMerge branch '2703-gcc-10-fanalyzer-reports-dereference-of-null-text-in-server-c...
Mark Andrews [Mon, 12 Jul 2021 04:28:50 +0000 (04:28 +0000)] 
Merge branch '2703-gcc-10-fanalyzer-reports-dereference-of-null-text-in-server-c-14721' into 'main'

Resolve "gcc-10+ -fanalyzer reports dereference of NULL ‘text’ in server.c:14721"

Closes #2703

See merge request isc-projects/bind9!5047

5 years agoAdd DBC REQUIRE to check that 'text' is non NULL
Mark Andrews [Tue, 18 May 2021 06:37:08 +0000 (16:37 +1000)] 
Add DBC REQUIRE to check that 'text' is non NULL

for all control channel commands.  This should silence
gcc-10-analyzer reporting NULL pointer dereference of 'text'.

5 years agoMerge branch '2753-timer_test-subtests-are-not-independent' into 'main'
Mark Andrews [Mon, 12 Jul 2021 03:55:00 +0000 (03:55 +0000)] 
Merge branch '2753-timer_test-subtests-are-not-independent' into 'main'

Resolve "timer_test subtests are not independent"

Closes #2753

See merge request isc-projects/bind9!5146

5 years agoReset errcnt at the start of each subtest
Mark Andrews [Thu, 3 Jun 2021 09:31:34 +0000 (19:31 +1000)] 
Reset errcnt at the start of each subtest

5 years agoMerge branch '2808-v9_16-unchecked-returns-in-rbtdb_test-c-and-dnssec-signzone-c...
Mark Andrews [Mon, 12 Jul 2021 03:46:15 +0000 (03:46 +0000)] 
Merge branch '2808-v9_16-unchecked-returns-in-rbtdb_test-c-and-dnssec-signzone-c-main' into 'main'

Fix unchecked return of isc_rwlock_lock and isc_rwlock_unlock

Closes #2808

See merge request isc-projects/bind9!5257

5 years agoFix unchecked returns of dns_name_fromtext
Mark Andrews [Wed, 7 Jul 2021 05:50:02 +0000 (15:50 +1000)] 
Fix unchecked returns of dns_name_fromtext

(cherry picked from commit 8538c762cb218839906abcdd05213d44783de306)

5 years agoFix unchecked return of isc_rwlock_lock and isc_rwlock_unlock
Mark Andrews [Wed, 7 Jul 2021 05:47:59 +0000 (15:47 +1000)] 
Fix unchecked return of isc_rwlock_lock and isc_rwlock_unlock

(cherry picked from commit bcaf23dd2799e30cfee1b5d39dec0fbc8e5f7193)

5 years agoMerge branch '2249-stop-falling-back-to-plain-dns-on-formerr-opt' into 'main'
Mark Andrews [Mon, 12 Jul 2021 02:59:19 +0000 (02:59 +0000)] 
Merge branch '2249-stop-falling-back-to-plain-dns-on-formerr-opt' into 'main'

Resolve "Stop falling back to plain DNS on FORMERR+OPT"

Closes #2249

See merge request isc-projects/bind9!4634

5 years agoAdd release note for [GL #2249]
Mark Andrews [Mon, 1 Feb 2021 02:37:26 +0000 (13:37 +1100)] 
Add release note for [GL #2249]

5 years agoAdd CHANGES note for [GL #2249]
Mark Andrews [Mon, 1 Feb 2021 02:35:56 +0000 (13:35 +1100)] 
Add CHANGES note for [GL #2249]

5 years agoUpdate out of date comment
Mark Andrews [Mon, 12 Jul 2021 02:29:55 +0000 (12:29 +1000)] 
Update out of date comment

5 years agoAdjust expected queries for no fallback to plain DNS
Mark Andrews [Mon, 1 Feb 2021 03:37:20 +0000 (14:37 +1100)] 
Adjust expected queries for no fallback to plain DNS

5 years agoCheck that there was no OPT record before falling back
Mark Andrews [Mon, 1 Feb 2021 02:05:08 +0000 (13:05 +1100)] 
Check that there was no OPT record before falling back

to plain DNS on FORMERR.

5 years agoMerge branch '2810-silence-untrusted-loop-bound' into 'main'
Mark Andrews [Mon, 12 Jul 2021 02:09:41 +0000 (02:09 +0000)] 
Merge branch '2810-silence-untrusted-loop-bound' into 'main'

Resolve "Silence untrusted loop bound"

Closes #2810

See merge request isc-projects/bind9!5251

5 years agoSilence untrusted loop bound on nsec3param.iterations
Mark Andrews [Thu, 8 Jul 2021 05:56:04 +0000 (15:56 +1000)] 
Silence untrusted loop bound on nsec3param.iterations

    630
        1. tainted_argument: Calling function dns_rdata_tostruct taints argument nsec3param.iterations. [show details]
    631        result = dns_rdata_tostruct(nsec3rdata, &nsec3param, NULL);
        2. Condition !!(result == 0), taking true branch.
        3. Condition !!(result == 0), taking true branch.
    632        RUNTIME_CHECK(result == ISC_R_SUCCESS);
    633
    634        dns_fixedname_init(&fixed);

            CID 281425 (#1 of 1): Untrusted loop bound (TAINTED_SCALAR)
            4. tainted_data: Passing tainted expression nsec3param.iterations to dns_nsec3_hashname, which uses it as a loop boundary. [show details]
        Ensure that tainted values are properly sanitized, by checking that their values are within a permissible range.
    635        result = dns_nsec3_hashname(&fixed, rawhash, &rhsize, vctx->origin,
    636                                    vctx->origin, nsec3param.hash,
    637                                    nsec3param.iterations, nsec3param.salt,
    638                                    nsec3param.salt_length);

5 years agoMerge branch '2807-coverity-reports-use-of-tainted-scalar' into 'main'
Mark Andrews [Mon, 12 Jul 2021 00:42:27 +0000 (00:42 +0000)] 
Merge branch '2807-coverity-reports-use-of-tainted-scalar' into 'main'

Resolve "Coverity reports use of tainted scalar"

Closes #2807

See merge request isc-projects/bind9!5249

5 years agoSilence tainted scalar on rdlen
Mark Andrews [Wed, 7 Jul 2021 04:08:04 +0000 (14:08 +1000)] 
Silence tainted scalar on rdlen

    2042        ttl = isc_buffer_getuint32(&j->it.source);
         13. tainted_data_transitive: Call to function isc_buffer_getuint16 with tainted argument *j->it.source.base returns tainted data. [show details]
         14. var_assign: Assigning: rdlen = isc_buffer_getuint16(&j->it.source), which taints rdlen.
    2043        rdlen = isc_buffer_getuint16(&j->it.source);
    2044
    2045        /*
    2046         * Parse the rdata.
    2047         */
         15. Condition j->it.source.used - j->it.source.current != rdlen, taking false branch.
    2048        if (isc_buffer_remaininglength(&j->it.source) != rdlen) {
    2049                FAIL(DNS_R_FORMERR);
    2050        }
         16. var_assign_var: Assigning: j->it.source.active = j->it.source.current + rdlen. Both are now tainted.
    2051        isc_buffer_setactive(&j->it.source, rdlen);
    2052        dns_rdata_reset(&j->it.rdata);
         17. lower_bounds: Checking lower bounds of unsigned scalar j->it.source.active by taking the true branch of j->it.source.active > j->it.source.current.

    CID 316506 (#1 of 1): Untrusted loop bound (TAINTED_SCALAR)
    18. tainted_data: Passing tainted expression j->it.source.active to dns_rdata_fromwire, which uses it as a loop boundary. [show details]
         Ensure that tainted values are properly sanitized, by checking that their values are within a permissible range.
    2053        CHECK(dns_rdata_fromwire(&j->it.rdata, rdclass, rdtype, &j->it.source,
    2054                                 &j->it.dctx, 0, &j->it.target));

5 years agoSilence use of tainted scalar
Mark Andrews [Wed, 7 Jul 2021 02:09:31 +0000 (12:09 +1000)] 
Silence use of tainted scalar

    2607
            43. tainted_argument: Calling function journal_read_xhdr taints argument xhdr.size. [show details]
    2608                        result = journal_read_xhdr(j1, &xhdr);
            44. Condition rewrite, taking true branch.
            45. Condition result == 29, taking false branch.
    2609                        if (rewrite && result == ISC_R_NOMORE) {
    2610                                break;
    2611                        }
            46. Condition result != 0, taking false branch.
    2612                        CHECK(result);
    2613
            47. var_assign_var: Assigning: size = xhdr.size. Both are now tainted.
    2614                        size = xhdr.size;

            CID 331088 (#3 of 3): Untrusted allocation size (TAINTED_SCALAR)
            48. tainted_data: Passing tainted expression size to isc__mem_get, which uses it as an allocation size. [show details]
            Ensure that tainted values are properly sanitized, by checking that their values are within a permissible range.
    2615                        buf = isc_mem_get(mctx, size);

5 years agoMerge branch '2812-fix-get-realloc-put-mismatch-in-netmgr' into 'main'
Ondřej Surý [Fri, 9 Jul 2021 16:57:05 +0000 (16:57 +0000)] 
Merge branch '2812-fix-get-realloc-put-mismatch-in-netmgr' into 'main'

Revert the allocate/free -> get/put change from jemalloc change

Closes #2812

See merge request isc-projects/bind9!5252

5 years agoRevert the allocate/free -> get/put change from jemalloc change
Ondřej Surý [Fri, 9 Jul 2021 16:19:58 +0000 (18:19 +0200)] 
Revert the allocate/free -> get/put change from jemalloc change

In the jemalloc merge request, we missed the fact that ah_frees and ah_handles
are reallocated which is not compatible with using isc_mem_get() for allocation
and isc_mem_put() for deallocation.  This commit reverts that part and restores
use of isc_mem_allocate() and isc_mem_free().

5 years agoMerge branch '2433-improve-memory-contention' into 'main'
Ondřej Surý [Fri, 9 Jul 2021 14:27:24 +0000 (14:27 +0000)] 
Merge branch '2433-improve-memory-contention' into 'main'

Reduce the contention of the memory allocator

Closes #2433

See merge request isc-projects/bind9!5012

5 years agoMerge branch 'artem/doh-ignore-accept-header' into 'main'
Artem Boldariev [Fri, 9 Jul 2021 14:00:32 +0000 (14:00 +0000)] 
Merge branch 'artem/doh-ignore-accept-header' into 'main'

DoH: Improve compatiblity by ignoring an "Accept" HTTP header value

See merge request isc-projects/bind9!5246

5 years agoAdd CHANGES and release notes for [GL #2433]
Evan Hunt [Sat, 22 May 2021 17:43:20 +0000 (10:43 -0700)] 
Add CHANGES and release notes for [GL #2433]

5 years agoProperly disable the "water" in isc_mem
Ondřej Surý [Fri, 9 Jul 2021 12:35:00 +0000 (14:35 +0200)] 
Properly disable the "water" in isc_mem

The proper way how to disable the water limit in the isc_mem context is
to call:

    isc_mem_setwater(ctx, NULL, NULL, 0, 0);

this ensures that the old water callback is called with ISC_MEM_LOWATER
if the callback was called with ISC_MEM_HIWATER before.

Historically, there were some places where the limits were disabled by
calling:

    isc_mem_setwater(ctx, water, water_arg, 0, 0);

which would also call the old callback, but it also causes the water_t
to be allocated and extra check to be executed because water callback is
not NULL.

This commits unifies the calls to disable water to the preferred form.

5 years agoDisable jemalloc for Address and Thread Sanitizers
Ondřej Surý [Fri, 9 Jul 2021 11:30:43 +0000 (13:30 +0200)] 
Disable jemalloc for Address and Thread Sanitizers

The Address and Thread Sanitizers both intercept the malloc calls and
using the extended jemalloc API interferes with that.  This commit
disables the use of jemalloc for both ASAN and TSAN enabled builds to
eliminate both false positives and false negatives.

5 years agoUse restrict and const in isc_mempool_t
Artem Boldariev [Fri, 9 Jul 2021 11:24:33 +0000 (14:24 +0300)] 
Use restrict and const in isc_mempool_t

This commit makes add restrict and const modifiers to some variables
to aid compiler to do its optimizations.

5 years agoDo not use atomic variables in isc_mempool_t
Artem Boldariev [Fri, 9 Jul 2021 11:01:22 +0000 (14:01 +0300)] 
Do not use atomic variables in isc_mempool_t

As now mempool objects intended to be used in a thread-local manner,
there is no point in using atomic here.

5 years agoUse isc_mem_get() and isc_mem_put() in isc_mem_total test
Ondřej Surý [Fri, 9 Jul 2021 09:44:44 +0000 (11:44 +0200)] 
Use isc_mem_get() and isc_mem_put() in isc_mem_total test

Previously, the isc_mem_allocate() and isc_mem_free() would be used for
isc_mem_total test, but since we now use the real allocation
size (sallocx, malloc_size, malloc_usable_size) to track the allocation
size, it's impossible to get the test value right.  Changing the test to
use isc_mem_get() and isc_mem_put() will use the exact size provided, so
the test would work again on all the platforms even when jemalloc is not
being used.

5 years agoDisable jemalloc on softhsm2.4 branch
Ondřej Surý [Fri, 9 Jul 2021 09:19:17 +0000 (11:19 +0200)] 
Disable jemalloc on softhsm2.4 branch

It was discovered that softhsm2.4 has a bug that causes invalid free()
call to be called when unloading libsofthsm.so.2 library.  The native
PKCS#11 API is scheduled to removed in the 9.17+ release, we could
safely just disable jemalloc for this particular build.

5 years agoRewrite isc_mem water to use single atomic exchange operation
Ondřej Surý [Wed, 7 Jul 2021 14:05:48 +0000 (16:05 +0200)] 
Rewrite isc_mem water to use single atomic exchange operation

This commit refactors the water mechanism in the isc_mem API to use
single pointer to a water_t structure that can be swapped with
atomic_exchange operation instead of having four different
values (water, water_arg, hi_water, lo_water) in the flat namespace.

This reduces the need for locking and prevents a race when water and
water_arg could be desynchronized.

5 years agoAllow size == 0 in isc_mem_{get,allocate,reallocate}
Ondřej Surý [Thu, 10 Jun 2021 08:18:24 +0000 (10:18 +0200)] 
Allow size == 0 in isc_mem_{get,allocate,reallocate}

Calls to jemalloc extended API with size == 0 ends up in undefined
behaviour.  This commit makes the isc_mem_get() and friends calls
more POSIX aligned:

  If size is 0, either a null pointer or a unique pointer that can be
  successfully passed to free() shall be returned.

We picked the easier route (which have been already supported in the old
code) and return NULL on calls to the API where size == 0.

5 years agoUse system allocator when jemalloc is unavailable
Ondřej Surý [Tue, 25 May 2021 10:46:00 +0000 (12:46 +0200)] 
Use system allocator when jemalloc is unavailable

This commit adds support for systems where the jemalloc library is not
available as a package, here's the quick summary:

  * On Linux - the jemalloc is usually available as a package, if
    configured --without-jemalloc, the shim would be used around
    malloc(), free(), realloc() and malloc_usable_size()

  * On macOS - the jemalloc is available from homebrew or macports, if
    configured --without-jemalloc, the shim would be used around
    malloc(), free(), realloc() and malloc_size()

  * On FreeBSD - the jemalloc is *the* system allocator, we just need
    to check for <malloc_np.h> header to get access to non-standard API

  * On NetBSD - the jemalloc is *the* system allocator, we just need to
    check for <jemalloc/jemalloc.h> header to get access to non-standard
    API

  * On a system hostile to users and developers (read OpenBSD) - the
    jemalloc API is emulated by using ((size_t *)ptr)[-1] field to hold
    the size information.  The OpenBSD developers care only for
    themselves, so why should we care about speed on OpenBSD?

5 years agoupdate the "memory" section of the developer doc
Evan Hunt [Mon, 24 May 2021 19:40:15 +0000 (12:40 -0700)] 
update the "memory" section of the developer doc

Information about memory allocation was outdated.

5 years agodocument the dependency on jemalloc
Evan Hunt [Sat, 22 May 2021 17:40:00 +0000 (10:40 -0700)] 
document the dependency on jemalloc

updated README and PLATFORMS with new text on build requirements.

5 years agoRemove error checks in dns_message for mem allocations
Evan Hunt [Thu, 20 May 2021 00:18:22 +0000 (17:18 -0700)] 
Remove error checks in dns_message for mem allocations

Removed error checks for several functions that can no longer fail due
to failed memory allocation.

5 years agoRemove atomic thread synchronization from the memory hot-path
Ondřej Surý [Fri, 14 May 2021 13:13:33 +0000 (15:13 +0200)] 
Remove atomic thread synchronization from the memory hot-path

This commit refactors the hi/lo-water related code to remove contention
on the hot path in the memory allocator.