- 06 Oct, 2019 1 commit
-
-
Tinderbox User authored
-
- 13 May, 2019 2 commits
-
-
Ondřej Surý authored
Remove UNSPEC rrtype See merge request !1933
-
(cherry picked from commit a8e2ca6f)
-
- 09 May, 2019 5 commits
-
-
Witold Krecicki authored
Resolve "named can crash under udp load on macos" See merge request !1916
-
already sent a recv/send event. When doing isc_socket_cancel we need to purge the event that might already be in flight. If it has been launched already we need to inform it that it has to bail. (cherry picked from commit 1286d74c)
-
-
Evan Hunt authored
-
- 26 Apr, 2019 2 commits
-
-
Ondřej Surý authored
Replace atomic operations in bin/named/client.c with isc_refcount reference counting See merge request !1879
-
Ondřej Surý authored
(cherry picked from commit ef49780d)
-
- 25 Apr, 2019 15 commits
-
-
Ondřej Surý authored
Resolve "tcp-clients mostly ineffective" See merge request !1873
-
(cherry picked from commit ef15f7360784c5ec7341f3e4856a759cf1e2aedb) (cherry picked from commit 802600b1)
-
in the "refactor tcpquota and pipeline refs" commit, the counting of active interfaces was tightened in such a way that named could fail to listen on an interface if there were more interfaces than tcp-clients. when checking the quota to start accepting on an interface, if the number of active clients was above zero, then it was presumed that some other client was able to handle accepting new connections. this, however, ignored the fact that the current client could be included in that count, so if the quota was already exceeded before all the interfaces were listening, some interfaces would never listen. we now check whether the current client has been marked active; if so, then the number of active clients on the interface must be greater than 1, not 0. (cherry picked from commit 71fead4c3e03b178d6e6e3ff7592b45cf5f94069) (cherry picked from commit 78565872)
-
- if the TCP quota has been exceeded but there are no clients listening for new connections on the interface, we can now force attachment to the quota using isc_quota_force(), instead of carrying on with the quota not attached.
- the TCP client quota is now referenced via a reference-counted 'ns_tcpconn' object, one of which is created whenever a client begins listening for new connections, and attached to by members of that client's pipeline group. when the last reference to the tcpconn object is detached, it is freed and the TCP quota slot is released.
- reduce code duplication by adding mark_tcp_active() function
- convert counters to atomic
(cherry picked from commit 7e822237) (cherry picked from commit 86a7d4c1)
-
- ensure that tcpactive is cleaned up correctly when accept() fails.
- set 'client->tcpattached' when the client is attached to the tcpquota. carry this value on to new clients sharing the same pipeline group. don't call isc_quota_detach() on the tcpquota unless tcpattached is set. this way clients that were allowed to accept TCP connections despite being over quota (and therefore, were never attached to the quota) will not inadvertently detach from it and mess up the accounting.
- simplify the code for tcpquota disconnection by using a new function tcpquota_disconnect().
- before deciding whether to reject a new connection due to quota exhaustion, check to see whether there are at least two active clients. previously, this was "at least one", but that could be insufficient if there was one other client in READING state (waiting for messages on an open connection) but none in READY (listening for new connections).
- before deciding whether a TCP client object can go inactive, we must ensure there are enough other clients to maintain service afterward -- both accepting new connections and reading/processing new queries. A TCP client can't shut down unless at least one client is accepting new connections and (in the case of pipelined clients) at least one additional client is waiting to read.
(cherry picked from commit c7394738) (cherry picked from commit 7d6518aa)
-
the TCP client quota could still be ineffective under some circumstances. this change:
- improves quota accounting to ensure that TCP clients are properly limited, while still guaranteeing that at least one client is always available to serve TCP connections on each interface.
- uses more descriptive names and removes one (ntcptarget) that was no longer needed
- adds comments
(cherry picked from commit a43fe7cd) (cherry picked from commit 7278b66c)
-
tcp-clients settings could be exceeded in some cases by creating more and more active TCP clients that are over the set quota limit, which in the end could lead to a DoS attack by e.g. exhaustion of file descriptors. If the TCP client we're closing went over the quota (so it's not attached to a quota), mark it as mortal - so that it will be destroyed and not set up to listen for new connections - unless it's the last client for a specific interface.
(cherry picked from commit 9ef6eb4c) (cherry picked from commit 264384fb)
-
Ondřej Surý authored
Resolve "CVE-2019-6467: lib/ns/query.c:9176: INSIST(!qctx->is_zone) failed, back trace" See merge request !1869
-
(cherry picked from commit 82b03ce2)
-
- Always set is_zonep in query_getdb; previously it was only set if result was ISC_R_SUCCESS or ISC_R_NOTFOUND.
- Don't reset is_zone for redirect.
- Style cleanup.
(cherry picked from commit 3352270bdbbb39b167072aa282c6b310ffd96a7d) (cherry picked from commit e2500c60) (cherry picked from commit 4f00c86e)
-
Ondřej Surý authored
Resolve "pass the correct name to redirect and redirect2" See merge request !1866
-
(cherry picked from commit 29b792a1)
-
- 17 Apr, 2019 2 commits
-
-
Ondřej Surý authored
(v9_12) Refactor the DNS_RDATASET_FIXED code to use macros instead of ifdefs See merge request !1819
-
Ondřej Surý authored
(cherry picked from commit 4edbb773)
-
- 21 Mar, 2019 3 commits
-
-
Mark Andrews authored
Resolve "--enable-fips-mode option breaks build of hmacmd5.c and md5.c" See merge request !1733
-
Mark Andrews authored
(cherry picked from commit d3976fe4)
-
Mark Andrews authored
(cherry picked from commit 98a37c9a)
-
- 20 Mar, 2019 3 commits
-
-
Ondřej Surý authored
(v9_12) Update and sort the top level .gitignore to ignore automake files See merge request !1729
-
Ondřej Surý authored
(cherry picked from commit b9d524ed)
-
Ondřej Surý authored
(cherry picked from commit 5c67d1d1)
-
- 27 Feb, 2019 2 commits
-
-
Tinderbox User authored
-
Tinderbox User authored
-
- 21 Feb, 2019 5 commits
-
-
Tinderbox User authored
-
Tinderbox User authored
-
Evan Hunt authored
-
Evan Hunt authored
-
-