ISC Open Source Projects issues
https://gitlab.isc.org/groups/isc-projects/-/issues
2022-09-27T03:49:26Z

https://gitlab.isc.org/isc-projects/bind9/-/issues/2749
Missing ATOMIC_VAR_INIT for atomic static variables
2022-09-27T03:49:26Z
Mark Andrews

Not planned
Mark Andrews

https://gitlab.isc.org/isc-projects/bind9/-/issues/3566
UAF in req_senddone on shutdown
2022-09-27T12:48:58Z
Ondřej Surý

From https://gitlab.isc.org/isc-projects/bind9/-/jobs/2793682
```
D:inline:Core was generated by `/builds/isc-projects/bind9/bin/named/.libs/named -D inline-ns2 -X named.lock -m'.
D:inline:Program terminated with signal SIGABRT, Aborted.
D:inline:Sent by thr_kill() from pid 27679 and user 1001.
D:inline:#0 0x000000080151369a in thr_kill () from /lib/libc.so.7
D:inline:[Current thread is 1 (LWP 100288)]
D:inline:#0 0x000000080151369a in thr_kill () from /lib/libc.so.7
D:inline:#1 0x0000000801511af4 in raise () from /lib/libc.so.7
D:inline:#2 0x0000000801487719 in abort () from /lib/libc.so.7
D:inline:#3 0x000000000024013d in library_fatal_error (file=0x8008aeb37 "request.c", line=979, format=0x8008a1b5c "%s(): %s() failed with error %d (%s)", args=0x7fffdfffdb30) at main.c:278
D:inline:#4 0x00000008003194a5 in isc_error_fatal (file=0x187c0 <error: Cannot access memory at address 0x187c0>, line=6, format=0x0) at error.c:68
D:inline:#5 0x00000008009c7cf0 in req_senddone (eresult=<optimized out>, region=<optimized out>, arg=<optimized out>) at request.c:993
D:inline:#6 0x0000000800913a75 in send_done (handle=0x801949780, result=ISC_R_SHUTTINGDOWN, cbarg=0x0) at dispatch.c:1920
D:inline:#7 0x0000000800314d88 in isc__nm_udp_send (handle=0x187c0, region=0x7fffdfffdce8, cb=0x800913a40 <send_done>, cbarg=0x0) at netmgr/udp.c:715
D:inline:#8 0x0000000800307a5c in isc_nm_send (handle=0x187c0, region=0x6, cb=0x0, cbarg=0x8015136ba <thr_self+10>) at netmgr/netmgr.c:1984
D:inline:#9 0x0000000800913a10 in dns_dispatch_send (resp=0x805230a00, r=0x7fffdfffdce8, dscp=<optimized out>) at dispatch.c:1971
D:inline:#10 0x00000008009c806c in req_send (request=0x80530db40) at request.c:295
D:inline:#11 0x00000008009c7a96 in req_connected (eresult=ISC_R_SUCCESS, region=<optimized out>, arg=0x80530db40) at request.c:957
D:inline:#12 0x000000080091391e in udp_connected (handle=0x801949780, eresult=ISC_R_SUCCESS, arg=0x805230a00) at dispatch.c:1804
D:inline:#13 0x0000000800307d75 in isc__nm_async_connectcb (worker=<optimized out>, ev0=<optimized out>) at netmgr/netmgr.c:2143
D:inline:#14 0x0000000800305300 in process_netievent (arg=0x80533ad80) at netmgr/netmgr.c:488
D:inline:#15 0x00000008003207a7 in isc__job_cb (idle=0x802f6d548) at job.c:75
D:inline:#16 0x000000080111d5cd in ?? () from /usr/local/lib/libuv.so.1
D:inline:#17 0x0000000801117026 in uv_run () from /usr/local/lib/libuv.so.1
D:inline:#18 0x000000080032792e in loop_run (loop=0x801940530) at loop.c:266
D:inline:#19 0x0000000800326b1c in loop_thread (arg=0x801940530) at loop.c:293
D:inline:#20 0x000000080033d446 in isc__trampoline_run (arg=0x8019f5330) at trampoline.c:198
D:inline:#21 0x000000080133d08c in ?? () from /lib/libthr.so.3
D:inline:#22 0x0000000000000000 in ?? ()
D:inline:Backtrace stopped: Cannot access memory at address 0x7fffdfffe000
```
@each, can you take a look at this?

October 2022 (9.16.34, 9.16.34-S1, 9.18.8, 9.19.6)
Evan Hunt

https://gitlab.isc.org/isc-projects/bind9/-/issues/3553
followups from #3493
2022-09-27T12:59:11Z
Evan Hunt

Now that the minimal fix for the statistics channel overread issue has been merged to the public repository, related code that was written while fixing it can be made public as well:
- further cleaning up httpd.c
- further cleaning up httpd.c
- adding assertions to the `ISC__BUFFER` macros
- changing `ISC__BUFFER` macros to static inline functions in 9.19 and 9.18

October 2022 (9.16.34, 9.16.34-S1, 9.18.8, 9.19.6)
Evan Hunt

https://gitlab.isc.org/isc-projects/bind9/-/issues/3542
BIND sometimes exits with "assertion failure" when accessing the statistics channel
2022-09-27T13:01:48Z
Greg Choules

The following Support ticket provides evidence of this happening:
[Named crashes "critical: httpd.c:871: REQUIRE(httpd->state == RECV) failed" with statistics-channel call](https://support.isc.org/Ticket/Display.html?id=21145)
This may also be related to CVE-2022-2881

October 2022 (9.16.34, 9.16.34-S1, 9.18.8, 9.19.6)

https://gitlab.isc.org/isc-projects/bind9/-/issues/3548
Static declaration of 'sallocx' follows non-static declaration on FreeBSD 13.1
2022-09-27T13:35:39Z
Michal Nowak

`main` fails to build on FreeBSD 13.1-RELEASE-p2 when `--without-jemalloc` is present:
```
In file included from mem.c:58:
./jemalloc_shim.h:70:1: error: static declaration of 'sallocx' follows non-static declaration
sallocx(void *ptr, int flags) {
^
/usr/include/malloc_np.h:99:8: note: previous declaration is here
size_t sallocx(const void *ptr, int flags);
^
1 error generated.
```

October 2022 (9.16.34, 9.16.34-S1, 9.18.8, 9.19.6)

https://gitlab.isc.org/isc-projects/bind9/-/issues/3513
CID 356329: Error handling issues in bin/dnssec/dnssec-signzone.c
2022-09-27T14:34:24Z
Michal Nowak

Coverity Scan suggests to check return value of `isc__task_create()` (originated in b69e783164cd50e3306364668558e460617ee8fc) as in other places:
```
/bin/dnssec/dnssec-signzone.c: 3732 in main()
3726 if (directory == NULL) {
3727 directory = ".";
3728 }
3729
3730 isc_managers_create(&mctx, ntasks, &loopmgr, &netmgr, &taskmgr);
3731
>>> CID 356329: Error handling issues (CHECKED_RETURN)
>>> Calling "isc__task_create" without checking return value (as is done elsewhere 16 out of 18 times).
3732 isc_task_create(taskmgr, &write_task, 0);
3733
3734 result = dst_lib_init(mctx, engine);
3735 if (result != ISC_R_SUCCESS) {
3736 fatal("could not initialize dst: %s",
3737 isc_result_totext(result));
```

October 2022 (9.16.34, 9.16.34-S1, 9.18.8, 9.19.6)
Arаm Sаrgsyаn

https://gitlab.isc.org/isc-projects/bind9/-/issues/3551
Missing RSA_free call in opensslrsa_verify2
2022-09-28T00:06:52Z
Mark Andrews

If `e == NULL` then we should be freeing `rsa`. I don't believe that there is a path where we construct a `rsa` key without `e` and thereby trigger this path but marking confidential until that review is done. This was reported by Seth Arnold <seth.arnold@canonical.com>.
```
#if OPENSSL_VERSION_NUMBER < 0x30000000L
	rsa = EVP_PKEY_get1_RSA(pkey);
	if (rsa == NULL) {
		return (dst__openssl_toresult(DST_R_OPENSSLFAILURE));
	}
	RSA_get0_key(rsa, NULL, &e, NULL);
	if (e == NULL) {
		return (dst__openssl_toresult(DST_R_VERIFYFAILURE));
	}
	bits = BN_num_bits(e);
	RSA_free(rsa);
#else
```

October 2022 (9.16.34, 9.16.34-S1, 9.18.8, 9.19.6)

https://gitlab.isc.org/isc-projects/bind9/-/issues/3512
XoT breaks DDNS update forwarding
2022-09-28T10:28:06Z
Ben Weeks

### Summary
When XoT is used in BIND 9.18, allow-update-forwarding { any; } does not forward TSIG signed updates to primary
### BIND version used
```
BIND 9.18.5 (Stable Release) <id:>
running on FreeBSD amd64 12.3-RELEASE-p6 FreeBSD 12.3-RELEASE-p6 GENERIC
built by make with '--disable-linux-caps' '--localstatedir=/var' '--sysconfdir=/usr/local/etc/namedb' '--with-dlopen=yes' '--with-libxml2' '--with-openssl=/usr' '--enable-dnsrps' '--with-readline=libedit' '--enable-dnstap' '--disable-fixed-rrset' '--disable-geoip' '--without-maxminddb' '--without-gssapi' '--with-libidn2=/usr/local' '--with-json-c' '--disable-largefile' '--with-lmdb=/usr/local' '--disable-querytrace' '--enable-tcp-fastopen' '--prefix=/usr/local' '--mandir=/usr/local/man' '--disable-silent-rules' '--infodir=/usr/local/share/info/' '--build=amd64-portbld-freebsd12.3' 'build_alias=amd64-portbld-freebsd12.3' 'CC=cc' 'CFLAGS=-O2 -pipe -DLIBICONV_PLUG -fstack-protector-strong -isystem /usr/local/include -fno-strict-aliasing ' 'LDFLAGS= -L/usr/local/lib -ljson-c -fstack-protector-strong ' 'LIBS=-L/usr/local/lib' 'CPPFLAGS=-DLIBICONV_PLUG -isystem /usr/local/include' 'CPP=cpp' 'PKG_CONFIG=pkgconf' 'PKG_CONFIG_LIBDIR=/wrkdirs/usr/ports/dns/bind918/work/.pkgconfig:/usr/local/libdata/pkgconfig:/usr/libdata/pkgconfig' 'PYTHON=/usr/local/bin/python3.9' 'READLINE_CFLAGS=-L/usr/local/lib'
compiled by CLANG FreeBSD Clang 10.0.1 (git@github.com:llvm/llvm-project.git llvmorg-10.0.1-0-gef32c611aa2)
compiled with OpenSSL version: OpenSSL 1.1.1l-freebsd 24 Aug 2021
linked to OpenSSL version: OpenSSL 1.1.1l-freebsd 24 Aug 2021
compiled with libuv version: 1.42.0
linked to libuv version: 1.42.0
compiled with libnghttp2 version: 1.48.0
linked to libnghttp2 version: 1.48.0
compiled with libxml2 version: 2.9.13
linked to libxml2 version: 20913
compiled with json-c version: 0.16
linked to json-c version: 0.16
compiled with zlib version: 1.2.11
linked to zlib version: 1.2.11
compiled with protobuf-c version: 1.4.0
linked to protobuf-c version: 1.4.0
threads support is enabled
```
### Steps to reproduce
Configure a dynamic zone where a client (e.g. nsupdate) sends a TSIG signed update to a secondary. The secondary is expected to forward to the primary to validate the TSIG signature.
TSIG nsupdate client ---> secondary ---> primary
Install a TSIG key for DDNS updates on the client and primary.
Note the configuration works when XoT is disabled. Enable XoT and note the bug.
### What is the current *bug* behavior?
BIND on the secondary does not forward the DDNS update and logs:
client @0xXXXXXXXXX xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx#56633: request has invalid signature: TSIG ddns-key.dynzone.example.com: tsig verify failure (BADKEY)
### What is the expected *correct* behavior?
I expect the same behavior when XoT is disabled. That is to forward the TSIG signed update to the primary.
### Relevant configuration files
```
primaries example.com {
    2001:db8::1 key ns1-ns2.example.com. tls ephemeral;
};
zone "dynzone.example.com" {
    type secondary;
    primaries { example.com; };
    allow-update-forwarding { any; };
    file "/var/dns/secondary/dynzone.example.com";
};
```
### Relevant logs and/or screenshots
Secondary logs:
```
client @0xXXXXXXXXX xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx#56633: request has invalid signature: TSIG ddns-key.dynzone.example.com: tsig verify failure (BADKEY)
```

October 2022 (9.16.34, 9.16.34-S1, 9.18.8, 9.19.6)
Arаm Sаrgsyаn

https://gitlab.isc.org/isc-projects/kea/-/issues/2579
Sanity checks for Kea 2.3.1 rc1
2022-09-28T14:11:06Z
jenkins

We are now at step SANITY CHECKS of Kea 2.3.1 rc1.
Please verify the tarballs and packages according to [chapter `4. Sanity Checks` of the release procedure](https://gitlab.isc.org/isc-private/qa-dhcp/-/wikis/Kea/Release-Process#user-content-4-sanity-checks) and according to your imagination.
Before starting, please state what you are checking in a thread/discussion (not as comment).
When you finish a check, state in the same thread/discussion what the result is.
This way we know what is covered upfront and we can avoid repeating ourselves.
#### Tarballs on repo.isc.org
* `/data/shared/sweng/kea/releases/2.3.1-rc1`
* `/data/shared/sweng/kea/releases/premium-2.3.1-rc1`
* `/data/shared/sweng/kea/releases/subscription-2.3.1-rc1`
* `/data/shared/sweng/kea/releases/enterprise-2.3.1-rc1`
```
SHA256 (kea-2.3.1.tar.gz) = afb7aa8b88585c1945a06021f5fb47af40e577f12fffdb4b070679e0eafdcbb1
SHA256 (kea-enterprise-2.3.1.tar.gz) = 92dfd07aa04dd42a8f32640c662a7e696b57f237bb296810ab8f3c516c85e141
SHA256 (kea-premium-2.3.1.tar.gz) = 20ffa563d79b22822482fc5dda07e1927ca3f1fb5941dc2c5fb6b6fcc3c2bcf6
SHA256 (kea-subscription-2.3.1.tar.gz) = c764e97fd86152e7f10d9445d65c4f8f4c9856484ebe63d6cfb95ec372486c0f
```
#### Packages on packages.aws.isc.org
* [APK: 2.3.1-r20220926152201](https://packages.aws.isc.org/#browse/search/raw=format%3Draw%20AND%20name.raw%3D*r20220926152201.apk)
* [deb: 2.3.1-isc20220926152201](https://packages.aws.isc.org/#browse/search/apt=format%3Dapt%20AND%20version%3D2.3.1-isc20220926152201)
* [RPM: 2.3.1-isc20220926152201.\[os\]](https://packages.aws.isc.org/#browse/search/yum=format%3Dyum%20AND%20version%3D2.3.1-isc20220926152201*)
You can find the name for all the packages attached as build artifacts in the pkg job: https://jenkins.aws.isc.org/job/kea-dev/job/pkg/927/
Instructions for installing packages are at point 9 of [chapter `4. Sanity Checks` of the release procedure](https://gitlab.isc.org/isc-private/qa-dhcp/-/wikis/Kea/Release-Process#user-content-4-sanity-checks).

kea2.3.1

https://gitlab.isc.org/isc-projects/bind9/-/issues/3567
Bump the minimal libuv version to 1.34.0
2022-09-29T09:45:35Z
Ondřej Surý

By the time BIND 9.20 is released, all distributions without libuv >= 1.34.0 will be either EOL or on life-support. But even with the old distributions, the libuv could be updated from backports (or by installing it locally).
Bumping the minimal libuv version to 1.34.0 allows us to drop all the libuv shims that we've been maintaining.

October 2022 (9.16.34, 9.16.34-S1, 9.18.8, 9.19.6)
Ondřej Surý

https://gitlab.isc.org/isc-projects/bind9/-/issues/3559
Provide custom isc_mem based allocators for external libraries
2022-09-29T09:47:35Z
Ondřej Surý

Some of the external libraries that we use in BIND 9 provide a way to override their internal allocators. Create separate memory context for each of the libraries.

October 2022 (9.16.34, 9.16.34-S1, 9.18.8, 9.19.6)

https://gitlab.isc.org/isc-projects/bind9/-/issues/3562
suffix may be used before being assigned in qmin/ans3/ans.py
2022-09-29T10:03:12Z
Mark Andrews

Coverity reports `Bad use of null-like value`
```
139 if lqname == "zoop.boing." and rrtype == NS:
CID 350722 (#1 of 7): Bad use of null-like value (FORWARD_NULL) [select issue]
140 r.answer.append(
141 dns.rrset.from_text(lqname + suffix, 1, IN, NS, "ns3." + suffix)
142 )
143 r.flags |= dns.flags.AA
11. Condition endswith(lqname, "icky.ptang.zoop.boing."), taking true branch.
144 elif endswith(lqname, "icky.ptang.zoop.boing."):
CID 350722 (#5 of 7): Bad use of null-like value (FORWARD_NULL)
12. invalid_operation: Invalid operation on null-like value suffix.
145 r.authority.append(
146 dns.rrset.from_text(
147 "icky.ptang.zoop.boing." + suffix,
148 1,
149 IN,
150 NS,
151 "a.bit.longer.ns.name." + suffix,
152 )
153 )
154 elif endswith("icky.ptang.zoop.boing.", lqname):
CID 350722 (#3 of 7): Bad use of null-like value (FORWARD_NULL) [select issue]
155 r.authority.append(
156 dns.rrset.from_text(
157 "zoop.boing." + suffix,
158 1,
159 IN,
160 SOA,
161 "ns3." + suffix + " hostmaster.arpa. 2018050100 1 1 1 1",
162 )
163 )
164 if bad:
165 r.set_rcode(NXDOMAIN)
166 if ugly:
167 r.set_rcode(FORMERR)
168 elif endswith(lqname, "zoop.boing."):
CID 350722 (#4 of 7): Bad use of null-like value (FORWARD_NULL) [select issue]
169 r.authority.append(
```

October 2022 (9.16.34, 9.16.34-S1, 9.18.8, 9.19.6)
Mark Andrews

https://gitlab.isc.org/isc-projects/bind9/-/issues/3565
AddressSanitizer: stack-use-after-scope in dns_tsig_verify (dns_message_checksig test)
2022-09-29T10:24:54Z
Petr Špaček <pspacek@isc.org>

### Summary
ASAN error:
```
testing 63 bytes from /builds/isc-projects/bind9/fuzz/dns_message_checksig.in/tsig-reply
=================================================================
==1074==ERROR: AddressSanitizer: stack-use-after-scope on address 0x7ffe14b1d780 at pc 0x55eeaf01c3ff bp 0x7ffe14b1c990 sp 0x7ffe14b1c160
READ of size 12 at 0x7ffe14b1d780 thread T0
#0 0x55eeaf01c3fe in __asan_memmove (/builds/isc-projects/bind9/fuzz/.libs/dns_message_checksig+0xa63fe) (BuildId: 73cf12c5424a9fda378fddea924b696e6cb966ca)
#1 0x7f93f3d6a227 in memmove /usr/include/x86_64-linux-gnu/bits/string_fortified.h:40:10
#2 0x7f93f3d6a227 in dns_tsig_verify /builds/isc-projects/bind9/lib/dns/tsig.c:1241:3
#3 0x7f93f3dd122d in dns_view_checksig /builds/isc-projects/bind9/lib/dns/view.c:1471:10
#4 0x7f93f38f42a8 in dns_message_checksig /builds/isc-projects/bind9/lib/dns/message.c:3145:12
#5 0x55eeaf058c18 in LLVMFuzzerTestOneInput /builds/isc-projects/bind9/fuzz/dns_message_checksig.c:393:11
#6 0x55eeaf05c189 in test_one_file /builds/isc-projects/bind9/fuzz/main.c:53:3
#7 0x55eeaf05c468 in test_all_from /builds/isc-projects/bind9/fuzz/main.c:89:3
#8 0x55eeaf05bc18 in main /builds/isc-projects/bind9/fuzz/main.c:130:2
#9 0x7f93f2dc5d09 in __libc_start_main csu/../csu/libc-start.c:308:16
#10 0x55eeaef9a569 in _start (/builds/isc-projects/bind9/fuzz/.libs/dns_message_checksig+0x24569) (BuildId: 73cf12c5424a9fda378fddea924b696e6cb966ca)
```
Jobs:
- https://gitlab.isc.org/isc-projects/bind9/-/jobs/2793490: [test-suite.log](/uploads/83a286ac6c986172669ad2e5579a8716/test-suite.log)
- https://gitlab.isc.org/isc-projects/bind9/-/jobs/2793597: [test-suite.log](/uploads/e091fdf3e65bbbd62b360da2d700fe51/test-suite.log)
### BIND version used
4108d79c9a3bc7a617d7ca24adc1180043ee9919 (!6822), but change in this MR affects only tests.
### Steps to reproduce
Run unit:clang:asan job in CI.
### What is the current *bug* behavior?

October 2022 (9.16.34, 9.16.34-S1, 9.18.8, 9.19.6)

https://gitlab.isc.org/isc-projects/bind9/-/issues/3547
memory leak in dns_message_checksig function - SIG(0) without view
2022-09-29T10:48:45Z
Petr Špaček <pspacek@isc.org>

Reproduced using code from !5923 commit 4a3aa7abc8fb0610a807dcbd5ca34af1b332d97e.
It was caught by AFL fuzzer when tests were crashing wildly.
AFL output:
```
american fuzzy lop ++4.02c {default} (.libs/lt-dns_message_checksig) [fast]
┌─ process timing ────────────────────────────────────┬─ overall results ────┐
│ run time : 0 days, 0 hrs, 0 min, 26 sec │ cycles done : 14 │
│ last new find : 0 days, 0 hrs, 0 min, 0 sec │ corpus count : 117 │
│last saved crash : 0 days, 0 hrs, 0 min, 4 sec │saved crashes : 27 │
│ last saved hang : none seen yet │ saved hangs : 0 │
├─ cycle progress ─────────────────────┬─ map coverage┴──────────────────────┤
│ now processing : 31.274 (26.5%) │ map density : 0.31% / 1.41% │
│ runs timed out : 0 (0.00%) │ count coverage : 1.45 bits/tuple │
├─ stage progress ─────────────────────┼─ findings in depth ─────────────────┤
│ now trying : havoc │ favored items : 60 (51.28%) │
│ stage execs : 117/220 (53.18%) │ new edges on : 76 (64.96%) │
│ total execs : 1.62M │ total crashes : 158 (27 saved) │
│ exec speed : 61.6k/sec │ total tmouts : 0 (0 saved) │
├─ fuzzing strategy yields ────────────┴─────────────┬─ item geometry ───────┤
│ bit flips : disabled (default, enable with -D) │ levels : 8 │
│ byte flips : disabled (default, enable with -D) │ pending : 27 │
│ arithmetics : disabled (default, enable with -D) │ pend fav : 0 │
│ known ints : disabled (default, enable with -D) │ own finds : 114 │
│ dictionary : n/a │ imported : 0 │
│havoc/splice : 93/655k, 48/959k │ stability : 99.27% │
│py/custom/rq : unused, unused, unused, unused ├───────────────────────┘
│ trim/eff : 32.43%/2274, disabled │ [cpu000: 25%]
└────────────────────────────────────────────────────┘^C
+++ Baking aborted by the chef +++
[+] We're done here. Have a nice day!
```
Reproducer:
```shell
autoreconf -fiv
CC='afl-clang-fast' CFLAGS='-O2 -march=native' CPPFLAGS='-D_FORTIFY_SOURCE=0' ./configure --enable-fuzzing=afl
make
cd fuzz
make check # fails, but nevermind
./dns_message_checksig
```
This will print a message with a value you should set in the next step. E.g.
```
Warning: AFL++ tools might need to set AFL_MAP_SIZE to 67237 to be able to run this instrumented program if this crashes!
```
Go on:
```
AFL_MAP_SIZE=67237 afl-fuzz -i dns_message_checksig.in -o dns_message_checksig.out .libs/lt-dns_message_checksig
```
:boom:
Versions used:
```
$ pacman -Q afl clang
aflplusplus 4.02c-1
clang 14.0.6-2
BIND 90949da78f048eca660417906a25165de676e8c1
```

October 2022 (9.16.34, 9.16.34-S1, 9.18.8, 9.19.6)
Petr Špaček <pspacek@isc.org>

https://gitlab.isc.org/isc-projects/bind9/-/issues/3202
Convert the isc_timer API to use isc_nm loops
2022-09-29T10:55:30Z
Ondřej Surý

October 2022 (9.16.34, 9.16.34-S1, 9.18.8, 9.19.6)
Ondřej Surý

https://gitlab.isc.org/isc-projects/bind9/-/issues/1176
Add support for sd_notify interface to better integrate on Linux
2022-09-29T10:55:38Z
Ondřej Surý

The [sd_notify()](https://www.freedesktop.org/software/systemd/man/sd_notify.html) interface allows the daemon to report its internal state back to the supervisor (systemd) in this case. It's similar to SMF interface we use on Solaris.
The work here should probably abstract the two interfaces (systemd and SMF) into a common API.

October 2022 (9.16.34, 9.16.34-S1, 9.18.8, 9.19.6)

https://gitlab.isc.org/isc-projects/bind9/-/issues/3528
Reduce delays in `catz` system test
2022-09-29T11:30:27Z
Tony Finch

The `catz` system test does a lot of zone transfers. By default `named` has limits on the rate of NOTIFY messages and catalog zone updates. The test can run a lot faster if these limits are adjusted.

October 2022 (9.16.34, 9.16.34-S1, 9.18.8, 9.19.6)
Tony Finch

https://gitlab.isc.org/isc-projects/bind9/-/issues/3550
isc__nm_udp_send() needs to call failed callback asynchronously
2022-09-30T09:17:47Z
Ondřej Surý

```
D:inline:[Current thread is 1 (LWP 101739)]
8960D:inline:#0 0x000000080149533a in thr_kill () from /lib/libc.so.7
8961D:inline:#1 0x000000080140dc74 in raise () from /lib/libc.so.7
8962D:inline:#2 0x00000008014bf109 in abort () from /lib/libc.so.7
8963D:inline:#3 0x000000000024048d in library_fatal_error (file=0x8008ad5ee "request.c", line=973, format=0x8008a047c "%s(): %s() failed with error %d (%s)", args=0x7fffdfffdb60) at main.c:277
8964D:inline:#4 0x0000000800317ab5 in isc_error_fatal (file=0x18d6b <error: Cannot access memory at address 0x18d6b>, line=6, format=0x0) at error.c:68
8965D:inline:#5 0x00000008009d278d in req_senddone (eresult=<optimized out>, region=<optimized out>, arg=<optimized out>) at request.c:987
8966D:inline:#6 0x0000000800906765 in send_done (handle=0x802ebcc00, result=ISC_R_SHUTTINGDOWN, cbarg=0x0, cbarg@entry=0x802e6ee00) at dispatch.c:1862
8967D:inline:#7 0x0000000800311ed8 in isc__nm_udp_send (handle=0x18d6b, region=0x7fffdfffdcf8, cb=0x800906730 <send_done>, cbarg=0x0) at netmgr/udp.c:715
8968D:inline:#8 0x000000080030451c in isc_nm_send (handle=0x18d6b, region=0x6, cb=0x0, cbarg=0x80149531a <thr_self+10>) at netmgr/netmgr.c:1987
8969D:inline:#9 0x00000008009066f5 in dns_dispatch_send (resp=0x80149531a <thr_self+10>, r=0x6, r@entry=0x7fffdfffdcf8, dscp=<optimized out>) at dispatch.c:1913
8970D:inline:#10 0x00000008009d2b5b in req_send (request=request@entry=0x802e977c0) at request.c:293
8971D:inline:#11 0x00000008009d23f3 in req_connected (eresult=ISC_R_SUCCESS, region=<optimized out>, arg=0x802e977c0) at request.c:951
8972D:inline:#12 0x0000000800906626 in udp_connected (handle=<optimized out>, eresult=ISC_R_SUCCESS, arg=<optimized out>) at dispatch.c:1783
8973D:inline:#13 0x00000008003048c5 in isc__nm_async_connectcb (worker=<optimized out>, ev0=ev0@entry=0x802ebcd80) at netmgr/netmgr.c:2174
8974D:inline:#14 0x00000008003014fb in process_netievent (arg=0x802ebcd80) at netmgr/netmgr.c:496
8975D:inline:#15 0x000000080031eb37 in isc__job_cb (idle=0x802e84d88) at job.c:75
8976D:inline:#16 0x000000080111d64d in ?? () from /usr/local/lib/libuv.so.1
8977D:inline:#17 0x00000008011170b6 in uv_run () from /usr/local/lib/libuv.so.1
8978D:inline:#18 0x00000008003251ba in loop_run (loop=0x801cd6530) at loop.c:266
8979D:inline:#19 loop_thread (arg=0x801cd6530) at loop.c:293
8980D:inline:#20 0x000000080033d2f6 in isc__trampoline_run (arg=0x801ce53f0) at trampoline.c:189
8981D:inline:#21 0x000000080134083a in ?? () from /lib/libthr.so.3
8982D:inline:#22 0x0000000000000000 in ?? ()
8983D:inline:Backtrace stopped: Cannot access memory at address 0x7fffdfffe000
8984D:inline:--------------------------------------------------------------------------------
```

https://gitlab.isc.org/isc-projects/kea/-/issues/2003
host reservations and replicated databases
2022-09-30T10:13:20Z
Peter Davies

host reservations and replicated databases:
In order to increase availability would it be possible to configure Kea so that Host Reservation (HR) lookups could be directed to one or more read only database replicates.
Also that HR update commands in the Host Commands hooks libraries (host_cmd) can be configured to use a read/write database, or to be able to identify a read/write database from the set of "hosts-databases".
Maybe something like:
```
"hosts-databases": [
    {
        "type": "mysql",
        "name": "Repicate-1",
        "user-context": {
            "use": "query",
            "next": "Master"
        },
        ...
    },
    {
        "type": "mysql",
        "name": "Repicate-2",
        "user-context": {
            "use": "query",
            "next": "Master"
        }
    },
    {
        "type": "mysql",
        "name": "Master",
        "user-context": {
            "use": "update",
            "next": ""
        },
        ...
    }
],
```
[support#18800](https://support.isc.org/Ticket/Display.html?id=18800)

kea2.3.1
Wlodzimierz Wencel

https://gitlab.isc.org/isc-projects/bind9/-/issues/3440
Use DEFAULT_ALGORITHM more often
2022-10-03T11:31:41Z
Mark Andrews

Use DEFAULT_ALGORITHM etc. where the specific choice of algorithm is not required.

August 2022 (9.16.32, 9.16.32-S1, 9.18.6, 9.19.4)