Mukund Sivaraman
929329d2d6
Fix various bugs reported by valgrind --tool=memcheck ( #46978 )
...
(cherry picked from commit f96133826e )
(cherry picked from commit 0374e1c3fd )
2018-01-13 11:47:46 +05:30
Tinderbox User
dc2a85bed7
update copyright notice / whitespace
2018-01-04 23:46:19 +00:00
Evan Hunt
7ff28f5bef
[v9_11] block validator deadlock and prevent use-after-free
...
4859. [bug] A loop was possible when attempting to validate
unsigned CNAME responses from secure zones;
this caused a delay in returning SERVFAIL and
also increased the chances of encountering
CVE-2017-3145. [RT #46839 ]
4858. [security] Addresses could be referenced after being freed
in resolver.c, causing an assertion failure.
(CVE-2017-3145) [RT #46839 ]
2018-01-03 19:19:46 -08:00
Michał Kępień
2d517e233f
[v9_11] Refactor reclimit system test
...
4823. [test] Refactor reclimit system test to improve its
reliability and speed. [RT #46632 ]
(cherry picked from commit 6035d557c4 )
2017-11-21 10:33:08 +01:00
Evan Hunt
5d7d67f82a
[v9_11] ignore cache when sending 5011 refresh queries
...
4771. [bug] When sending RFC 5011 refresh queries, disregard
cached DNSKEY rrsets. [RT #46251 ]
(cherry picked from commit b2597ce86b )
2017-10-11 14:24:52 -07:00
Evan Hunt
6216df5ccd
[v9_11] reduce unnecessary priming queries
...
4770. [bug] Cache additional data from priming queries as glue.
Previously they were ignored as unsigned
non-answer data from a secure zone, and never
actually got added to the cache, causing hints
to be used frequently for root-server
addresses, which triggered re-priming. [RT #45241 ]
(cherry picked from commit 5de02a075b )
2017-10-11 09:07:37 -07:00
Mark Andrews
62cce53589
tcp test got reversed
...
(cherry picked from commit b4c31c8795 )
2017-09-27 15:20:16 +10:00
Mark Andrews
d72952cf25
4739. [cleanup] Address clang static analysis warnings. [RT #45952 ]
...
(cherry picked from commit f9f3f20d2d )
2017-09-27 10:58:44 +10:00
Evan Hunt
7cd594b842
[master] cleanup strcat/strcpy
...
4722. [cleanup] Clean up uses of strcpy() and strcat() in favor of
strlcpy() and strlcat() for safety. [RT #45981 ]
(cherry picked from commit 114f95089c )
2017-09-13 00:17:16 -07:00
Evan Hunt
a2a0100e0f
[v9_11] improve handling of qcount=0 replies
...
4717. [bug] Treat replies with QCOUNT=0 as truncated if TC=1,
FORMERR if TC=0, and log the error correctly.
[RT #45836 ]
(cherry picked from commit 25b33bede4 )
2017-09-12 15:27:06 -07:00
Mark Andrews
bf216589c1
4675. [cleanup] Don't use C++ keyword class. [RT #45726 ]
2017-08-10 08:44:23 +10:00
Evan Hunt
7dbeb5e7f0
[v9_11] silence gcc 7 warnings
...
4673. [port] Silence GCC 7 warnings. [RT #45592 ]
(cherry picked from commit cdacec1dcb )
2017-08-09 00:24:16 -07:00
Mark Andrews
93049edb81
add comment
2017-08-09 10:48:33 +05:30
Evan Hunt
72f91848ef
style
2017-08-09 10:48:29 +05:30
Mark Andrews
a5f6549534
style changes from [RT #45321 ]
...
(cherry picked from commit bcb2df226f )
2017-08-09 07:49:38 +10:00
Mukund Sivaraman
6e10f87913
Fix a race in resume_dslookup() ( #45168 )
...
(cherry picked from commit c88efb83b3 )
2017-08-08 13:11:11 +05:30
Mark Andrews
bfde61d519
4654. [cleanup] Don't use C++ keywords delete, new and namespace.
...
[RT #45538 ]
(cherry picked from commit 4bf32aa587 )
2017-07-21 12:28:58 +10:00
Mark Andrews
7fcbbd6fa9
4580. [bug] 4578 introduced a regression when handling CNAME to
...
referral below the current domain. [RT #44850 ]
(cherry picked from commit 638c7c635d )
2017-03-14 15:12:03 +11:00
Mark Andrews
c006cfc5a2
Reimplement:
...
4578. [security] Some chaining (CNAME or DNAME) responses to upstream
queries could trigger assertion failures.
(CVE-2017-3137) [RT #44734 ]
(cherry picked from commit f240f4a5de )
2017-03-01 12:02:39 +11:00
Evan Hunt
559cbe04e7
[v9_11] remove unnecessary INSIST and prep 9.11.1rc2
...
4578. [security] Some chaining (CNAME or DNAME) responses to upstream
queries could trigger assertion failures.
(CVE-2017-3137) [RT #44734 ]
(cherry picked from commit a1365a0042 )
2017-02-23 14:55:10 -08:00
Evan Hunt
07b7a3eade
[v9_11] store local and remote addresses in dnstap
...
4569. [func] Store both local and remote addresses in dnstap
logging, and modify dnstap-read output format to
print them. [RT #43595 ]
(cherry picked from commit 650b5e7592 )
2017-02-03 17:11:06 -08:00
Evan Hunt
05fce8cfff
[v9_11] address portability issues
...
(cherry picked from commit a2bd99a959 )
2017-01-30 16:52:32 -08:00
Evan Hunt
781f6daa74
[v9_11] change 4558 was incomplete
...
(cherry picked from commit cd668ea57f )
2017-01-30 14:11:17 -08:00
Tinderbox User
5688a47c15
update copyright notice / whitespace
2017-01-24 23:45:58 +00:00
Mark Andrews
4441328a1d
4558. [bug] Synthesised CNAME before matching DNAME was still
...
being cached when it should have been. [RT #44318 ]
(cherry picked from commit 9f4bf43b79 )
2017-01-24 17:41:17 +11:00
Mark Andrews
701aa95d96
4510. [security] Named mishandled some responses where covering RRSIG
...
records are returned without the requested data
resulting in a assertion failure. (CVE-2016-9147)
[RT #43548 ]
(cherry picked from commit 6adf421e7e )
2016-12-29 11:49:06 +11:00
Mark Andrews
b243aa40f9
4508. [security] Named incorrectly tried to cache TKEY records which
...
could trigger a assertion failure when there was
a class mismatch. (CVE-2016-9131) [RT #43522 ]
(cherry picked from commit 2c1c4b99a1 )
2016-12-29 11:17:14 +11:00
Mark Andrews
2595d1da35
4517. [security] Named could mishandle authority sections that were
...
missing RRSIGs triggering an assertion failure.
(CVE-2016-9444) [RT # 43632]
(cherry picked from commit 1df30cfd27c5a3c57fce357c54aaf6c702227d51)
2016-12-29 10:41:06 +11:00
Mark Andrews
d77cab69bf
4530. [bug] Change 4489 broke the handling of CNAME -> DNAME
...
in responses resulting in SERVFAIL being returned.
[RT #43779 ]
(cherry picked from commit 60cb462c56 )
2016-12-09 12:51:09 +11:00
Mark Andrews
7c66fc9700
4489. [security] It was possible to trigger assertions when processing
...
a response. (CVE-2016-8864) [RT #43465 ]
(cherry picked from commit bd6f27f5c3 )
2016-10-21 14:56:20 +11:00
Mark Andrews
47f8b47b8d
9.11.0rc3
2016-09-20 21:19:46 +10:00
Mark Andrews
d1cacbb374
4453. [bug] Prefetching of DS records failed to update their
...
RRSIGs. [RT #42865 ]
(cherry picked from commit f431bf02a6 )
2016-08-25 09:53:50 +10:00
Mark Andrews
f8ef82e475
sync
2016-07-12 11:34:50 +10:00
Mark Andrews
35c014cb1d
4408. [func] Continue waiting for expected response when we the
...
response we get does not match the request. [RT #41026 ]
(cherry picked from commit ec5e01747a )
2016-07-12 11:33:49 +10:00
Mark Andrews
cccfafa311
4403. [bug] Rename variables and arguments that shadow: basename,
...
clone and gai_error.
(cherry picked from commit ecfa005085 )
2016-06-29 11:26:49 +10:00
Mark Andrews
0c27b3fe77
4401. [misc] Change LICENSE to MPL 2.0.
2016-06-27 14:56:38 +10:00
Witold Krecicki
19d80ce584
4358. [test] Added American Fuzzy Lop harness that allows
...
feeding fuzzed packets into BIND.
[RT #41723 ]
2016-05-05 11:49:38 +02:00
Mukund Sivaraman
275265ab27
Log query and depth counters during fetches when querytrace is enabled ( #41787 )
2016-03-04 13:25:37 +05:30
Mark Andrews
c7aae79b62
silence may be used when unset false positive
2016-02-29 11:24:15 +11:00
Mark Andrews
2de89ee9de
Part 2 of:
...
4319. [security] Fix resolver assertion failure due to improper
DNAME handling when parsing fetch reply messages.
(CVE-2016-1286) [RT #41753 ]
2016-02-29 07:16:48 +11:00
Mark Andrews
455c0848f8
4322. [security] Duplicate EDNS COOKIE options in a response could
...
trigger an assertion failure. (CVE-2016-2088)
[RT #41809 ]
2016-02-27 11:23:50 +11:00
Mukund Sivaraman
5995fec51c
Fix resolver assertion failure due to improper DNAME handling (CVE-2016-1286) ( #41753 )
2016-02-22 12:22:43 +05:30
Mark Andrews
d372f426ca
4317. [bug] Age all unused servers on fetch timeout. [RT #41597 ]
2016-02-12 12:32:58 +11:00
Mark Andrews
73fbd4c9d3
4293. [bug] Address memory leak on priming query creation failure.
...
[RT #41512 ]
2016-01-20 16:38:11 +11:00
Tinderbox User
feb1ccdaf1
update copyright notice / whitespace
2016-01-05 23:45:26 +00:00
Evan Hunt
41494939b6
[master] fixed bogus server regression
...
4288. [bug] Fixed a regression in resolver.c:possibly_mark()
which caused known-bogus servers to be queried
anyway. [RT #41321 ]
2016-01-04 15:47:16 -08:00
Mark Andrews
c8821d124c
4260. [security] Insufficient testing when parsing a message allowed
...
records with an incorrect class to be be accepted,
triggering a REQUIRE failure when those records
were subsequently cached. (CVE-2015-8000) [RT #4098 ]
2015-11-16 13:12:20 +11:00
Mark Andrews
2f450fcd29
4253. [bug] Address fetch context reference count handling error
...
on socket error. [RT#40945]
2015-11-05 17:10:10 +11:00
Mark Andrews
6588a2b404
4238. [bug] Don't send to servers on net zero (0.0.0.0/8).
...
[RT #40947 ]
2015-10-16 08:00:15 +11:00
Evan Hunt
b66b333f59
[master] dnstap
...
4235. [func] Added support in named for "dnstap", a fast method of
capturing and logging DNS traffic, and a new command
"dnstap-read" to read a dnstap log file. Use
"configure --enable-dnstap" to enable this
feature (note that this requires libprotobuf-c
and libfstrm). See the ARM for configuration details.
Thanks to Robert Edmonds of Farsight Security.
[RT #40211 ]
2015-10-02 12:32:42 -07:00