mirror of https://gitlab.isc.org/isc-projects/bind9 synced 2025-08-29 05:28:00 +00:00

40757 Commits

Author SHA1 Message Date
Michał Kępień
01ac86f90b
Retroactively add release note for CVE-2023-50868
A release note for CVE-2023-50868 was not included in BIND 9.19.21, even
though that vulnerability was already addressed in that release (by the
fix for CVE-2023-50387).  Retroactively add a relevant release note for
BIND 9.19.21.
2024-02-14 14:49:49 +01:00
Michał Kępień
2fd20bbaf5
Mention CVE-2023-50868 in CHANGES entry 6322
Since CVE-2023-50868 does not have a dedicated fix in BIND 9, mention
its CVE identifier in the CHANGES entry for CVE-2023-50387 (KeyTrap),
which accompanied the code change that addresses both of these
vulnerabilities.
2024-02-14 14:49:49 +01:00
Michał Kępień
8610799317 BIND 9.19.21

Merge tag 'v9.19.21'

BIND 9.19.21
2024-02-14 13:24:56 +01:00
Michal Nowak
917851ac5c Merge branch 'mnowak/accommodate-black-24.2.0' into 'main'
Accommodate black 24.2.0

See merge request isc-projects/bind9!8729
2024-02-14 11:31:34 +00:00
Michal Nowak
70163a8b3f
Accommodate black 24.2.0
2024-02-14 10:49:21 +01:00
Evan Hunt
9279a1038b Merge branch 'each-cleanup-dns_rbt' into 'main'
clean up dns_rbt

See merge request isc-projects/bind9!8715
2024-02-14 09:45:58 +00:00
Evan Hunt
ac9bd03a0d clean up dns_rbt
- create_node() in rbt.c cannot fail
- the dns_rbt_*name() functions, which are wrappers around
  dns_rbt_[add|find|delete]node(), were never used except in tests.

this change isn't really necessary since RBT is likely to go away
eventually anyway. but keeping the API as simple as possible while it
persists is a good thing, and may reduce confusion while QPDB is being
developed from RBTDB code.
2024-02-14 01:36:44 -08:00
Evan Hunt
7d1e622b5f Merge branch 'each-move-DNS_RBT_NSEC_-to-db.h' into 'main'
move DNS_RBT_NSEC_* to db.h

See merge request isc-projects/bind9!8714
2024-02-14 09:27:21 +00:00
Evan Hunt
78d173b548 move DNS_RBT_NSEC_* to db.h
these values pertain to whether a node is in the main, nsec, or nsec3
tree of an RBTDB. they need to be moved to a more generic location so
they can also be used by QPDB.

(this is in db.h rather than db_p.h because rbt.c needs access to it.
technically, that's a layer violation, but it's a long-existing one;
refactoring to get rid of it would be a large hassle, and eventually
we expect to remove rbt.c anyway.)
2024-02-14 01:13:44 -08:00
Matthijs Mekking
808281cf43 Merge branch 'each-separate-generic-DB-helpers' into 'main'
separate generic DB helpers into db_p.h

See merge request isc-projects/bind9!8713
2024-02-14 08:46:05 +00:00
Matthijs Mekking
af5679960e Add coccinelle rule to favor DNS_SIGTYPE
This should error if DNS_TYPEPAIR_VALUE(dns_rdatatype_rrsig, type) is
used.
2024-02-14 09:00:27 +01:00
Evan Hunt
27c862d953 separate generic DB helpers into db_p.h
when the QPDB is implemented, we will need to have both qpdb_p.h and
rbtdb_p.h. in order to prevent name collisions or code duplication,
this commit adds a generic private header file, db_p.h, containing
structures and macros that will be used by both databases.

some functions and structs have been renamed to more specifically refer
to the RBT database, in order to avoid namespace collision with similar
things that will be needed by the QPDB later.
2024-02-14 09:00:27 +01:00
Evan Hunt
a22fec506a Merge branch 'each-refactor-wildcard-matching' into 'main'
Refactor wildcard matching

See merge request isc-projects/bind9!8712
2024-02-13 22:48:39 +00:00
Evan Hunt
d1acc987e9 refactor wildcard matching
refactor the wildcard matching code to make it a bit easier to
understand, in hopes that it will reduce the difficulty of converting
from RBTDB to QPDB later.

there are also some minor optimizations: previously, after stepping
backward to find the predecessor, we stepped back forward *from* the
predecessor to find the successor.  we now reset the rbtnode chain to
its original starting point before stepping forward; this eliminates
some unnecessary processing. and, if neither predecessor nor successor
is found, we return early rather than carrying on with an unnecessary
effort to match labels.
2024-02-13 22:14:17 +00:00
Mark Andrews
dbf29b7b5b Merge branch '4571-findnsec3proofs-failed-to-disassociate-all-rdatasets-returned-by-dns_ncache_current' into 'main'
Resolve "findnsec3proofs failed to disassociate all rdatasets returned by dns_ncache_current"

Closes #4571

See merge request isc-projects/bind9!8725
2024-02-13 13:06:32 +00:00
Mark Andrews
3b7cddfb1b Add CHANGES note for [GL #4571]
2024-02-13 11:42:56 +00:00
Mark Andrews
dc94f42209 Disassociate rdatasets returned from dns_ncache_current
lib/dns/validator.c:findnsec3proofs failed to disassociate the
temporary rdataset returned by dns_ncache_current on all paths.
2024-02-13 11:42:56 +00:00
Mark Andrews
a9ceecdd9d Merge branch '4569-cid-486326-memory-corruptions-overrun' into 'main'
Resolve "** CID 486326:  Memory - corruptions  (OVERRUN)"

Closes #4569

See merge request isc-projects/bind9!8723
2024-02-13 00:07:42 +00:00
Mark Andrews
371defc357 Address CID 486326: Memory - corruptions (OVERRUN)
Coverity detected that address->type.sa was too small when copying
a struct sockaddr_sin6, use the alternative union element
address->type.sin6 instead.
2024-02-13 09:21:49 +11:00
Mark Andrews
c2b7cb2cef Merge branch '4570-cid-486327-control-flow-issues-unreachable' into 'main'
Resolve "CID 486327:  Control flow issues  (UNREACHABLE)"

Closes #4570

See merge request isc-projects/bind9!8724
2024-02-12 21:59:12 +00:00
Mark Andrews
dd57db2274 Remove duplicate unreachable code block
This was accidentally left in during the development of !8299.
2024-02-12 15:18:46 +11:00
Ondřej Surý
dea228d198 Merge branch '4568-fix-isc_ht-case-insensitive-matching' into 'main'
Fix case insensitive matching in isc_ht hash table implementation

Closes #4568

See merge request isc-projects/bind9!8718
2024-02-11 08:55:52 +00:00
Ondřej Surý
e91884553f
Add CHANGES note for [GL #4568]
2024-02-11 09:37:09 +01:00
Ondřej Surý
a114042059
Add a system test for mixed-case data for the same owner
We were missing a test where a single owner name would have multiple
types with a different case.  The generated RRSIGs and NSEC records will
then have different case than the signed records and message parser has
to cope with that and treat everything as the same owner.
2024-02-11 09:36:56 +01:00
Ondřej Surý
175655b771
Fix case insensitive matching in isc_ht hash table implementation
The case insensitive matching in isc_ht was basically completely broken
as only the hashvalue computation was case insensitive, but the key
comparison was always case sensitive.
2024-02-11 09:36:56 +01:00
Evan Hunt
fca10c1305 Merge branch 'each-placeholder' into 'main'
add placeholder to CHANGES [GL #4567]

See merge request isc-projects/bind9!8720
2024-02-11 07:21:08 +00:00
Evan Hunt
54fb2a72ef add placeholder to CHANGES [GL #4567]
2024-02-10 23:19:57 -08:00
Aydın Mercan
eee76558ee Merge branch '4491-use-rcu-instead-of-rwlock-in-isc_log-unit' into 'main'
Convert rwlock in isc_log_t to RCU

Closes #4491

See merge request isc-projects/bind9!8593
2024-02-09 10:56:22 +00:00
Aydın Mercan
a911949ebc
Convert rwlock in isc_log_t to RCU
The isc_log_t contains a isc_logconfig_t that is swapped, dereferenced
or accessed its fields through a mutex. Instead of protecting it with a
rwlock, use RCU.
2024-02-09 13:11:48 +03:00
Ondřej Surý
0a7b0c3896 Merge branch 'ondrej/add-placeholder' into 'main'
Add placeholder to CHANGES

See merge request isc-projects/bind9!8717
2024-02-09 09:02:01 +00:00
Ondřej Surý
25859a6960 Add placeholder to CHANGES
2024-02-09 10:01:33 +01:00
Ondřej Surý
606f2daaa2 Merge branch '4549-heap-use-after-free-lib-isccc-ccmsg-c-160-in-ccmsg_senddone' into 'main'
Resolve "heap-use-after-free lib/isccc/ccmsg.c:160 in ccmsg_senddone"

Closes #4549

See merge request isc-projects/bind9!8692
2024-02-08 17:34:46 +00:00
Mark Andrews
6c15e45328
Add CHANGES note for [GL #4549]
2024-02-08 17:24:11 +01:00
Ondřej Surý
315aa3135a
Fix UAF in ccmsg.c when reading stopped before sending
When shutting down the whole server, the reading could stop and detach
from controlconnection before sending is done.  If send callback then
detaches from the last controlconnection handle, the ccmsg would be
invalidated after the send callback and thus we must not access ccmsg
after calling the send_cb().
2024-02-08 17:24:11 +01:00
Ondřej Surý
88a14985db
Add isc_nm_read_stop() and remove .reading member from ccmsg
We need to stop reading when calling isc_ccmsg_disconnect() as the
reading handle doesn't have to be last because sending might be in
progress.  After that, we can safely remove .reading member because the
reading would not be called after the disconnect has been called.

The ccmsg_senddone() should also not call the recv callback if the
sending failed, that's the job of the caller's send callback - in fact
it already does that, so the code in ccmsg_senddone() was superfluous.
2024-02-08 17:23:39 +01:00
Ondřej Surý
5964eb4796
Refactor the normal vs error path in control_senddone()
The code flow in control_senddone() was modified to be simpler to follow
and superfluous INSIST() was zapped from control_recvmessage().
2024-02-08 17:16:41 +01:00
Ondřej Surý
de25743e00 Merge branch 'ondrej/reduce-netmgr-memory-usage' into 'main'
Reduce memory sizes of common structures

See merge request isc-projects/bind9!8299
2024-02-08 14:45:25 +00:00
Ondřej Surý
15329d471e
Add memory pools for isc_nmsocket_t structures
To reduce memory pressure, we can add light per-loop (netmgr worker)
memory pools for isc_nmsocket_t structures.  This will help in
situations where there's a lot of churn creating and destroying the
nmsockets.
2024-02-08 15:13:47 +01:00
Ondřej Surý
750bd364b5
Reduce the isc_nmsocket_t size from 1840 to 1208 bytes
Embedding isc_nmsocket_h2_t directly inside isc_nmsocket_t had increased
the size of isc_nmsocket_t to 1840 bytes.  Making the isc_nmsocket_h2_t
to be a pointer to the structure and allocated on demand allows us to
reduce the size to 1208 bytes.  While there are still some possible
reductions in the isc_nmsocket_t (embedded tlsstream, streamdns
structures), this was by far the biggest drop in the memory usage.
2024-02-08 15:13:47 +01:00
Ondřej Surý
eada7b6e13
Reduce struct isc__nm_uvreq size from 1560 to 560 bytes
The uv_req union member of struct isc__nm_uvreq contained libuv request
types that we don't use.  Turns out that uv_getnameinfo_t is 1000 bytes
big and unnecessarily enlarged the whole structure.  Remove all the
unused members from the uv_req union.
2024-02-08 15:13:47 +01:00
Ondřej Surý
2367b6a2e1
Reduce sizeof isc_sockaddr from 152 to 48 bytes
After removing sockaddr_unix from isc_sockaddr, we can also remove
sockaddr_storage and reduce the isc_sockaddr size from 152 bytes to just
48 bytes needed to hold IPv6 addresses.
2024-02-08 15:13:47 +01:00
Tom Krizek
2133e5f4f7 Merge branch '4560-pytest-junit-xml-compat' into 'main'
Support older junit XML format in test result processing

Closes #4560

See merge request isc-projects/bind9!8696
2024-02-08 13:57:07 +00:00
Tom Krizek
06a977a699
Add CHANGES note for [GL #4560]
2024-02-08 14:15:41 +01:00
Tom Krizek
bec3dd10b3
Support older junit XML format in test result processing
When running `make check` on a platform which has older (but still
supported) pytest, e.g. 3.4.2 on EL8, the junit to trs conversion would
fail because the junit format has different structure. Make the junit
XML processing more lenient to support both the older and newer junit
XML formats.
2024-02-08 14:14:26 +01:00
Tom Krizek
eb2e158172 Merge branch '4562-use-source-port-for-ditch-pl' into 'main'
Use a single local port for ditch.pl

Closes #4562

See merge request isc-projects/bind9!8698
2024-02-08 12:42:23 +00:00
Tom Krizek
339fa5690a
Use a single local port for ditch.pl
The ditch.pl script is used to generate burst traffic without waiting
for the responses. When running other tests in parallel, this can result
in an ephemeral port clash, since the ditch.pl process closes the socket
immediately. In rare occasions when the message ID also clashes with
other tests' queries, it might result in an UnexpectedSource error from
dnspython.

Use a dedicated port EXTRAPORT8 which is reserved for each test as a
source port for the burst traffic.
2024-02-08 13:41:23 +01:00
Ondřej Surý
381763120b Merge branch '4187-auto-vectorize-compiler-optimization-causing-exception-crash' into 'main'
Use proper padding instead of using alignas()

Closes #4187

See merge request isc-projects/bind9!8530
2024-02-08 11:17:58 +00:00
Ondřej Surý
306124b385
Add CHANGES note for [GL #4187]
2024-02-08 10:54:57 +01:00
Ondřej Surý
2463e5232d
Use proper padding instead of using alignas()
As it was pointed out, the alignas() can't be used on objects larger
than `max_align_t` otherwise the compiler might miscompile the code to
use auto-vectorization on unaligned memory.

As we were only using alignas() as a way to prevent false memory
sharing, we can use manual padding in the affected structures.
2024-02-08 10:54:35 +01:00
Ondřej Surý
05e60a0af6 Merge branch 'ondrej/various-rbtdb-fixes' into 'main'
Various rbtdb fixes and optimizations

See merge request isc-projects/bind9!8675
2024-02-08 07:34:07 +00:00