Merge branch '362-check-fetch-quota-param' into 'main'

check range of fetch-quota-param parameters Closes #362 See merge request isc-projects/bind9!8444
2024-02-01 02:54:02 +00:00
parent fec06dce51 05c0e24cbe
commit 37bd2a405f
3 changed files with 80 additions and 0 deletions
--- a/3
+++ b/3
@@ -1,3 +1,6 @@
+6332.	[bug]		Range-check the arguments to fetch-quota-param.
+			[GL #362]
+
 6331.	[func]		Add HSM support for dnssec-policy. You can now
 			configure keys with a key-store that allows you to
 			set the directory to store key files and to set a
--- a/bin/tests/system/checkconf/bad-fetchparam.conf
+++ b/bin/tests/system/checkconf/bad-fetchparam.conf
@@ -0,0 +1,17 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/* Bad fetch-quota-params */
+options {
+	fetch-quota-params 1 2 3 2;
+};
--- a/lib/isccfg/check.c
+++ b/lib/isccfg/check.c
@@ -875,6 +875,61 @@ check_ratelimit(cfg_aclconfctx_t *actx, const cfg_obj_t *voptions,
 	return (result);
 }

+static isc_result_t
+check_fetchlimit(const cfg_obj_t *voptions, const cfg_obj_t *config,
+		 isc_log_t *logctx) {
+	const cfg_obj_t *map = NULL;
+	const cfg_obj_t *options = NULL;
+	const cfg_obj_t *obj = NULL;
+	double low, high, discount;
+
+	if (voptions != NULL) {
+		cfg_map_get(voptions, "fetch-quota-params", &map);
+	}
+	if (config != NULL && map == NULL) {
+		options = NULL;
+		cfg_map_get(config, "options", &options);
+		if (options != NULL) {
+			cfg_map_get(options, "fetch-quota-params", &map);
+		}
+	}
+	if (map == NULL) {
+		return (ISC_R_SUCCESS);
+	}
+
+	obj = cfg_tuple_get(map, "low");
+	low = (double)cfg_obj_asfixedpoint(obj) / 100.0;
+	if (low < 0.0 || low > 1.0) {
+		cfg_obj_log(obj, logctx, ISC_LOG_ERROR,
+			    "fetch-quota-param low value (%0.1f) "
+			    "out of range",
+			    low);
+		return (ISC_R_RANGE);
+	}
+
+	obj = cfg_tuple_get(map, "high");
+	high = (double)cfg_obj_asfixedpoint(obj) / 100.0;
+	if (high < 0.0 || high > 1.0) {
+		cfg_obj_log(obj, logctx, ISC_LOG_ERROR,
+			    "fetch-quota-param high value (%0.1f) "
+			    "out of range",
+			    high);
+		return (ISC_R_RANGE);
+	}
+
+	obj = cfg_tuple_get(map, "discount");
+	discount = (double)cfg_obj_asfixedpoint(obj) / 100.0;
+	if (discount < 0.0 || discount > 1.0) {
+		cfg_obj_log(obj, logctx, ISC_LOG_ERROR,
+			    "fetch-quota-param discount value (%0.1f) "
+			    "out of range",
+			    discount);
+		return (ISC_R_RANGE);
+	}
+
+	return (ISC_R_SUCCESS);
+}
+
 /*
 * Check allow-recursion and allow-recursion-on acls, and also log a
 * warning if they're inconsistent with the "recursion" option.
@@ -5739,6 +5794,11 @@ check_viewconf(const cfg_obj_t *config, const cfg_obj_t *voptions,
 		result = tresult;
 	}

+	tresult = check_fetchlimit(voptions, config, logctx);
+	if (tresult != ISC_R_SUCCESS) {
+		result = tresult;
+	}
+
 	/*
 	 * Load plugins.
 	 */