mir/bind
2
0
Fork 0
mirror of https://gitlab.isc.org/isc-projects/bind9 synced 2025-09-04 00:25:29 +00:00
Code Issues Releases Wiki Activity

[master] fixed geoip in blackhole ACLs

Browse Source 
3722.	[bug]		Using geoip ACLs in a blackhole statement
			could cause a segfault. [RT #35272]
This commit is contained in:
Evan Hunt
2014-01-30 17:03:32 -08:00
parent 4734976943
commit d0803df331
10 changed files with 72 additions and 5 deletions
Download Patch File Download Diff File Expand all files Collapse all files

3
CHANGES
View File

@@ -1,3 +1,6 @@
3722. [bug] Using geoip ACLs in a blackhole statement
could cause a segfault. [RT #35272]
3721. [doc] Improved doucmentation of the EDNS processing 3721. [doc] Improved doucmentation of the EDNS processing
enhancements introduced in change #3593. [RT #35275] enhancements introduced in change #3593. [RT #35275]

1
bin/named/geoip.c
View File

@@ -101,7 +101,6 @@ ns_geoip_load(char *dir) {
return; return;
#else #else
GeoIPOptions method; GeoIPOptions method;
GeoIPDBTypes edition;
#ifdef _WIN32 #ifdef _WIN32
method = GEOIP_STANDARD; method = GEOIP_STANDARD;

2
bin/tests/system/geoip/clean.sh
View File

@@ -16,4 +16,4 @@
rm -f ns2/named.conf rm -f ns2/named.conf
rm -f ns2/example[1234567].db rm -f ns2/example[1234567].db
rm -f dig.out.* rm -f dig.out.* rndc.out.*

45
bin/tests/system/geoip/ns2/named12.conf Normal file
View File

@@ -0,0 +1,45 @@
/*
* Copyright (C) 2014 Internet Systems Consortium, Inc. ("ISC")
*
* Permission to use, copy, modify, and/or distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
* copyright notice and this permission notice appear in all copies.
*
* THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
* REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
* AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
* INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
* LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
* OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
* PERFORMANCE OF THIS SOFTWARE.
*/
// NS2
controls { /* empty */ };
acl blocking {
geoip db country country AU;
};
options {
query-source address 10.53.0.2;
notify-source 10.53.0.2;
transfer-source 10.53.0.2;
port 5300;
pid-file "named.pid";
listen-on { 10.53.0.2; };
listen-on-v6 { none; };
recursion no;
geoip-directory "../data";
blackhole { blocking; };
};
key rndc_key {
secret "1234abcd8765";
algorithm hmac-sha256;
};
controls {
inet 10.53.0.2 port 9953 allow { any; } keys { rndc_key; };
};

13
bin/tests/system/geoip/tests.sh
View File

@@ -229,5 +229,18 @@ done
[ $ret -eq 0 ] || echo "I:failed" [ $ret -eq 0 ] || echo "I:failed"
status=`expr $status + $ret` status=`expr $status + $ret`
echo "I:reloading server"
cp -f ns2/named12.conf ns2/named.conf
$RNDC -c ../common/rndc.conf -s 10.53.0.2 -p 9953 reload 2>&1 | sed 's/^/I:ns2 /'
sleep 3
n=`expr $n + 1`
echo "I:checking GeoIP blackhole ACL"
ret=0
$DIG $DIGOPTS txt example -b 10.53.0.$i > dig.out.ns2.test$n || ret=1
$RNDC -c ../common/rndc.conf -s 10.53.0.2 -p 9953 status 2>&1 > rndc.out.ns2.test$n || ret=1
[ $ret -eq 0 ] || echo "I:failed"
status=`expr $status + $ret`
echo "I:exit status: $status" echo "I:exit status: $status"
exit $status exit $status

2
configure vendored
View File

@@ -13470,7 +13470,7 @@ fi
if test "$use_geoip" = "yes" if test "$use_geoip" = "yes"
then then
for d in /usr /usr/local for d in /usr /usr/local /opt/local
do do
if test -f $d/include/GeoIP.h if test -f $d/include/GeoIP.h
then then

2
configure.in
View File

@@ -605,7 +605,7 @@ AC_ARG_WITH(geoip,
if test "$use_geoip" = "yes" if test "$use_geoip" = "yes"
then then
for d in /usr /usr/local for d in /usr /usr/local /opt/local
do do
if test -f $d/include/GeoIP.h if test -f $d/include/GeoIP.h
then then

2
lib/dns/acl.c
View File

@@ -408,6 +408,8 @@ dns_aclelement_match(const isc_netaddr_t *reqaddr,
#ifdef HAVE_GEOIP #ifdef HAVE_GEOIP
case dns_aclelementtype_geoip: case dns_aclelementtype_geoip:
if (env == NULL || env->geoip == NULL)
return (ISC_FALSE);
return (dns_geoip_match(reqaddr, env->geoip, &e->geoip_elem)); return (dns_geoip_match(reqaddr, env->geoip, &e->geoip_elem));
#endif #endif
default: default:

3
lib/dns/geoip.c
View File

@@ -249,8 +249,9 @@ country_lookup(GeoIP *db, dns_geoip_subtype_t subtype,
if (prev_state != NULL && if (prev_state != NULL &&
prev_state->subtype == subtype && prev_state->subtype == subtype &&
prev_state->family == family &&
((prev_state->family == AF_INET && prev_state->ipnum == ipnum) || ((prev_state->family == AF_INET && prev_state->ipnum == ipnum) ||
(prev_state->family == AF_INET6 && (prev_state->family == AF_INET6 && ipnum6 != NULL &&
memcmp(prev_state->ipnum6.s6_addr, ipnum6->s6_addr, 16) == 0))) memcmp(prev_state->ipnum6.s6_addr, ipnum6->s6_addr, 16) == 0)))
text = prev_state->text; text = prev_state->text;

4
lib/dns/include/dns/acl.h
View File

@@ -230,6 +230,10 @@ dns_acl_match(const isc_netaddr_t *reqaddr,
* and 'matchelt' is non-NULL, *matchelt will be pointed to the matching * and 'matchelt' is non-NULL, *matchelt will be pointed to the matching
* element. * element.
* *
* 'env' points to the current ACL environment, including the
* current values of localhost and localnets and (if applicable)
* the GeoIP context.
*
* Returns: * Returns:
*\li #ISC_R_SUCCESS Always succeeds. *\li #ISC_R_SUCCESS Always succeeds.
*/ */