mir/bind
2
0
Fork 0
mirror of https://gitlab.isc.org/isc-projects/bind9 synced 2025-08-31 14:35:26 +00:00
Code Issues Releases Wiki Activity

Merge branch '3022-doh-fix-dig-crash-on-unexpected-alpn' into 'main'

Browse Source 
Resolve #3022: DoH: dig eventually aborts on ALPN negotiation failure when issuing a DoH query (because of dangling handles)

Closes #3022

See merge request isc-projects/bind9!5590
This commit is contained in:
Artem Boldariev
2021-11-26 08:53:24 +00:00
parent c52a383523 44951f8cac
commit 2fc4239ccb
4 changed files with 18 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

3
CHANGES
View File

@@ -1,3 +1,6 @@
5765. [bug] Fix a bug in DoH implementation making 'dig'
abort when ALPN negotiation fails. [GL #3022]
5764. [bug] dns_sdlz_putrr failed to process some valid resource 5764. [bug] dns_sdlz_putrr failed to process some valid resource
records. [GL #3021] records. [GL #3021]

11
bin/tests/system/doth/tests.sh
View File

@@ -116,6 +116,17 @@ grep "$msg_xfrs_not_allowed" dig.out.test$n > /dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret)) status=$((status + ret))
# Let's try to issue an HTTP/2 query over TLS port to check if dig
# will detect ALPN token negotiation problem.
n=$((n + 1))
echo_i "checking DoH query when ALPN is expected to fail (dot, failure expected) ($n)"
ret=0
# shellcheck disable=SC2086
"$DIG" +https $common_dig_options -p "${TLSPORT}" "$@" @10.53.0.1 . SOA > dig.out.test$n
grep "ALPN for HTTP/2 failed." dig.out.test$n > /dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=$((status + ret))
n=$((n + 1)) n=$((n + 1))
echo_i "checking DoH query (POST) ($n)" echo_i "checking DoH query (POST) ($n)"
ret=0 ret=0

1
lib/isc/netmgr/http.c
View File

@@ -1379,7 +1379,6 @@ transport_connect_cb(isc_nmhandle_t *handle, isc_result_t result, void *cbarg) {
* client will fail if HTTP/2 cannot be * client will fail if HTTP/2 cannot be
* negotiated via ALPN. * negotiated via ALPN.
*/ */
isc__nmsocket_prep_destroy(transp_sock);
result = ISC_R_HTTP2ALPNERROR; result = ISC_R_HTTP2ALPNERROR;
goto error; goto error;
} }

4
lib/isc/netmgr/tlsstream.c
View File

@@ -367,7 +367,9 @@ tls_do_bio(isc_nmsocket_t *sock, isc_region_t *received_data,
received_data->length, &len); received_data->length, &len);
if (rv <= 0 || len != received_data->length) { if (rv <= 0 || len != received_data->length) {
result = ISC_R_TLSERROR; result = ISC_R_TLSERROR;
#if defined(NETMGR_TRACE) && defined(NETMGR_TRACE_VERBOSE)
saved_errno = errno; saved_errno = errno;
#endif
goto error; goto error;
} }
@@ -506,6 +508,7 @@ tls_do_bio(isc_nmsocket_t *sock, isc_region_t *received_data,
} }
error: error:
#if defined(NETMGR_TRACE) && defined(NETMGR_TRACE_VERBOSE)
isc_log_write(isc_lctx, ISC_LOGCATEGORY_GENERAL, ISC_LOGMODULE_NETMGR, isc_log_write(isc_lctx, ISC_LOGCATEGORY_GENERAL, ISC_LOGMODULE_NETMGR,
ISC_LOG_NOTICE, ISC_LOG_NOTICE,
"SSL error in BIO: %d %s (errno: %d). Arguments: " "SSL error in BIO: %d %s (errno: %d). Arguments: "
@@ -513,6 +516,7 @@ error:
"send_data: %p, finish: %s", "send_data: %p, finish: %s",
tls_status, isc_result_totext(result), saved_errno, tls_status, isc_result_totext(result), saved_errno,
received_data, send_data, finish ? "true" : "false"); received_data, send_data, finish ? "true" : "false");
#endif
tls_failed_read_cb(sock, result); tls_failed_read_cb(sock, result);
} }