+2126. [security] Serialise validation of type ANY responses. [RT #16555]
--- 9.2.1 released ---
* WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: validator.h,v 1.18 2001/01/09 21:53:39 bwelling Exp $ */
+/* $Id: validator.h,v 1.18.20.1 2007/02/09 00:05:54 marka Exp $ */
#ifndef DNS_VALIDATOR_H
#define DNS_VALIDATOR_H 1
ISC_LINK(dns_validator_t) link;
};
+/*%
+ * dns_validator_create() options.
+ */
+#define DNS_VALIDATOR_DEFER 2U
+
ISC_LANG_BEGINDECLS
isc_result_t
* part of a known insecure domain.
*/
+void
+dns_validator_send(dns_validator_t *validator);
+/*%<
+ * Send a deferred validation request
+ *
+ * Requires:
+ * 'validator' to points to a valid DNSSEC validator.
+ */
+
void
dns_validator_cancel(dns_validator_t *validator);
/*
* WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: resolver.c,v 1.218.2.10 2002/04/19 01:11:16 marka Exp $ */
+/* $Id: resolver.c,v 1.218.2.10.2.1 2007/02/09 00:05:54 marka Exp $ */
#include <config.h>
if (result != ISC_R_SUCCESS)
return (result);
+ INSIST(ISC_LIST_EMPTY(fctx->validators));
+
dns_message_reset(fctx->rmessage, DNS_MESSAGE_INTENTPARSE);
query = isc_mem_get(res->mctx, sizeof *query);
unsigned int bucketnum;
isc_boolean_t bucket_empty = ISC_FALSE;
dns_resolver_t *res = fctx->res;
+ dns_validator_t *validator;
REQUIRE(SHUTTINGDOWN(fctx));
- if (fctx->pending != 0 || !ISC_LIST_EMPTY(fctx->validators))
+ if (fctx->pending != 0)
return;
+ for (validator = ISC_LIST_HEAD(fctx->validators);
+ validator != NULL;
+ validator = ISC_LIST_HEAD(fctx->validators)) {
+ ISC_LIST_UNLINK(fctx->validators, validator, link);
+ dns_validator_cancel(validator);
+ dns_validator_destroy(&validator);
+ }
+
bucketnum = fctx->bucketnum;
LOCK(&res->buckets[bucketnum].lock);
if (fctx->references == 0)
goto noanswer_response;
}
- if (sentresponse) {
+ if (!ISC_LIST_EMPTY(fctx->validators))
+ dns_validator_send(ISC_LIST_HEAD(fctx->validators));
+ else if (sentresponse) {
/*
* If we only deferred the destroy because we wanted to cache
* the data, destroy now.
* more rdatasets that still need to
* be validated.
*/
+ dns_validator_send(ISC_LIST_HEAD(fctx->validators));
goto cleanup_event;
}
unsigned int options;
isc_task_t *task;
dns_validator_t *validator;
+ unsigned int valoptions = 0;
/*
* The appropriate bucket lock must be held.
rdataset,
sigrdataset,
fctx->rmessage,
- 0,
+ valoptions,
task,
validated,
fctx,
&validator);
- if (result == ISC_R_SUCCESS)
+ if (result == ISC_R_SUCCESS) {
ISC_LIST_APPEND(
fctx->validators,
validator, link);
+ valoptions |=
+ DNS_VALIDATOR_DEFER;
+ }
}
}
} else if (!EXTERNAL(rdataset)) {
valrdataset,
valsigrdataset,
fctx->rmessage,
- 0,
+ valoptions,
task,
validated,
fctx,
* WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: validator.c,v 1.91.2.1 2001/09/19 21:51:40 bwelling Exp $ */
+/* $Id: validator.c,v 1.91.2.1.4.1 2007/02/09 00:05:54 marka Exp $ */
#include <config.h>
ISC_LINK_INIT(val, link);
val->magic = VALIDATOR_MAGIC;
- isc_task_send(task, (isc_event_t **)&event);
+ if ((options & DNS_VALIDATOR_DEFER) == 0)
+ isc_task_send(task, (isc_event_t **)&event);
*validatorp = val;
return (result);
}
+void
+dns_validator_send(dns_validator_t *validator) {
+ isc_event_t *event;
+ REQUIRE(VALID_VALIDATOR(validator));
+
+ LOCK(&validator->lock);
+
+ INSIST((validator->options & DNS_VALIDATOR_DEFER) != 0);
+ event = (isc_event_t *)validator->event;
+ validator->options &= ~DNS_VALIDATOR_DEFER;
+ UNLOCK(&validator->lock);
+
+ isc_task_send(validator->task, &event);
+}
+
void
dns_validator_cancel(dns_validator_t *validator) {
REQUIRE(VALID_VALIDATOR(validator));
if (validator->authvalidator != NULL)
dns_validator_cancel(validator->authvalidator);
+
+ if ((validator->options & DNS_VALIDATOR_DEFER) != 0) {
+ isc_task_t *task = validator->event->ev_sender;
+ validator->options &= ~DNS_VALIDATOR_DEFER;
+ isc_event_free((isc_event_t **)&validator->event);
+ isc_task_detach(&task);
+ }
}
UNLOCK(&validator->lock);
}
projects / thirdparty / bind9.git / commitdiff
