Commit a3a6947a authored by Ondřej Surý's avatar Ondřej Surý

Merge branch '615-tcp-client-crash-v9_12-v9_12_4_patch-v9_12' into 'v9_12'

Resolve "tcp-clients mostly ineffective"

See merge request !1873
parents 911a4589 bf393051
Pipeline #13902 passed with stages
in 1 minute and 4 seconds
5200. [security] tcp-clients settings could be exceeded in some cases,
which could lead to exhaustion of file descriptors.
(CVE-2018-5743) [GL #615]
5199. [security] In certain configurations, named could crash
if nxdomain-redirect was in use and a redirected
query resulted in an NXDOMAIN from the cache.
......
......@@ -8424,7 +8424,8 @@ avoid-v6-udp-ports { 40000; range 50000 60000; };
<para>
The number of file descriptors reserved for TCP, stdio,
etc. This needs to be big enough to cover the number of
interfaces <command>named</command> listens on, <command>tcp-clients</command> as well as
interfaces <command>named</command> listens on plus
<command>tcp-clients</command>, as well as
to provide room for outgoing TCP queries and incoming zone
transfers. The default is <literal>512</literal>.
The minimum value is <literal>128</literal> and the
......
......@@ -48,6 +48,13 @@
cache. This flaw is disclosed in CVE-2019-6467. [GL #880]
</para>
</listitem>
<listitem>
<para>
The TCP client quota set using the <command>tcp-clients</command>
option could be exceeded in some cases. This could lead to
exhaustion of file descriptors. (CVE-2018-5743) [GL #615]
</para>
</listitem>
</itemizedlist>
</section>
......
......@@ -100,6 +100,13 @@ isc_quota_attach(isc_quota_t *quota, isc_quota_t **p);
* quota if successful (ISC_R_SUCCESS or ISC_R_SOFTQUOTA).
*/
isc_result_t
isc_quota_force(isc_quota_t *quota, isc_quota_t **p);
/*%<
* Like isc_quota_attach, but will attach '*p' to the quota
* even if the hard quota has been exceeded.
*/
void
isc_quota_detach(isc_quota_t **p);
/*%<
......
......@@ -74,20 +74,39 @@ isc_quota_release(isc_quota_t *quota) {
UNLOCK(&quota->lock);
}
isc_result_t
isc_quota_attach(isc_quota_t *quota, isc_quota_t **p)
{
static isc_result_t
doattach(isc_quota_t *quota, isc_quota_t **p, bool force) {
isc_result_t result;
INSIST(p != NULL && *p == NULL);
REQUIRE(p != NULL && *p == NULL);
result = isc_quota_reserve(quota);
if (result == ISC_R_SUCCESS || result == ISC_R_SOFTQUOTA)
if (result == ISC_R_SUCCESS || result == ISC_R_SOFTQUOTA) {
*p = quota;
} else if (result == ISC_R_QUOTA && force) {
/* attach anyway */
LOCK(&quota->lock);
quota->used++;
UNLOCK(&quota->lock);
*p = quota;
result = ISC_R_SUCCESS;
}
return (result);
}
isc_result_t
isc_quota_attach(isc_quota_t *quota, isc_quota_t **p) {
return (doattach(quota, p, false));
}
isc_result_t
isc_quota_force(isc_quota_t *quota, isc_quota_t **p) {
return (doattach(quota, p, true));
}
void
isc_quota_detach(isc_quota_t **p)
{
isc_quota_detach(isc_quota_t **p) {
INSIST(p != NULL && *p != NULL);
isc_quota_release(*p);
*p = NULL;
......
......@@ -525,6 +525,7 @@ isc_portset_removerange
isc_quota_attach
isc_quota_destroy
isc_quota_detach
isc_quota_force
isc_quota_init
isc_quota_max
isc_quota_release
......
This diff is collapsed.
......@@ -80,6 +80,13 @@
*** Types
***/
/*% reference-counted TCP connection object */
typedef struct ns_tcpconn {
isc_refcount_t refs;
isc_quota_t *tcpquota;
bool pipelined;
} ns_tcpconn_t;
/*% nameserver client structure */
struct ns_client {
unsigned int magic;
......@@ -95,7 +102,8 @@ struct ns_client {
int nupdates;
int nctls;
int references;
bool needshutdown; /*
bool tcpactive;
bool needshutdown; /*
* Used by clienttest to get
* the client to go from
* inactive to free state
......@@ -131,10 +139,9 @@ struct ns_client {
isc_stdtime_t now;
isc_time_t tnow;
dns_name_t signername; /*%< [T]SIG key name */
dns_name_t * signer; /*%< NULL if not valid sig */
bool mortal; /*%< Die after handling request */
bool pipelined; /*%< TCP queries not in sequence */
isc_quota_t *tcpquota;
dns_name_t *signer; /*%< NULL if not valid sig */
bool mortal; /*%< Die after handling request */
ns_tcpconn_t *tcpconn;
isc_quota_t *recursionquota;
ns_interface_t *interface;
......
......@@ -76,9 +76,14 @@ struct ns_interface {
/*%< UDP dispatchers. */
isc_socket_t * tcpsocket; /*%< TCP socket. */
isc_dscp_t dscp; /*%< "listen-on" DSCP value */
int ntcptarget; /*%< Desired number of concurrent
TCP accepts */
int ntcpcurrent; /*%< Current ditto, locked */
int32_t ntcpaccepting; /*%< Number of clients
ready to accept new
TCP connections on this
interface */
int32_t ntcpactive; /*%< Number of clients
servicing TCP queries
(whether accepting or
connected) */
int nudpdispatch; /*%< Number of UDP dispatches */
ns_clientmgr_t * clientmgr; /*%< Client manager. */
ISC_LINK(ns_interface_t) link;
......
......@@ -429,8 +429,9 @@ ns_interface_create(ns_interfacemgr_t *mgr, isc_sockaddr_t *addr,
* connections will be handled in parallel even though there is
* only one client initially.
*/
ifp->ntcptarget = 1;
ifp->ntcpcurrent = 0;
ifp->ntcpaccepting = 0;
ifp->ntcpactive = 0;
ifp->nudpdispatch = 0;
ifp->dscp = -1;
......@@ -565,9 +566,7 @@ ns_interface_accepttcp(ns_interface_t *ifp) {
*/
(void)isc_socket_filter(ifp->tcpsocket, "dataready");
result = ns_clientmgr_createclients(ifp->clientmgr,
ifp->ntcptarget, ifp,
true);
result = ns_clientmgr_createclients(ifp->clientmgr, 1, ifp, true);
if (result != ISC_R_SUCCESS) {
UNEXPECTED_ERROR(__FILE__, __LINE__,
"TCP ns_clientmgr_createclients(): %s",
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment