Brad Bishop | 64c979e | 2019-11-04 13:55:29 -0500

Backport patch to fix CVE-2018-5743.

Ref:
https://security-tracker.debian.org/tracker/CVE-2018-5743

CVE: CVE-2018-5743
Upstream-Status: Backport [https://gitlab.isc.org/isc-projects/bind9/commit/ec2d50d]

Signed-off-by: Kai Kang <kai.kang@windriver.com>

From ec2d50da8d81814640e28593d912f4b96c7efece Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Witold=20Kr=C4=99cicki?= <wpk@isc.org>
Date: Thu, 3 Jan 2019 14:17:43 +0100
Subject: [PATCH 1/6] fix enforcement of tcp-clients (v1)

tcp-clients settings could be exceeded in some cases by
creating more and more active TCP clients that are over
the set quota limit, which in the end could lead to a
DoS attack by e.g. exhaustion of file descriptors.

If the TCP client we're closing went over the quota (so it's
not attached to a quota), mark it as mortal, so that it
will be destroyed and not set up to listen for new
connections, unless it's the last client for a specific
interface.

(cherry picked from commit f97131d21b97381cef72b971b157345c1f9b4115)
(cherry picked from commit 9689ffc485df8f971f0ad81ab8ab1f5389493776)
---
 bin/named/client.c | 13 ++++++++++++-
 1 file changed, 12 insertions(+), 1 deletion(-)

diff --git a/bin/named/client.c b/bin/named/client.c
index d482da7121..0739dd48af 100644
--- a/bin/named/client.c
+++ b/bin/named/client.c
| 37 | @@ -421,8 +421,19 @@ exit_check(ns_client_t *client) { |
| 38 | isc_socket_detach(&client->tcpsocket); |
| 39 | } |
| 40 | |
| 41 | - if (client->tcpquota != NULL) |
| 42 | + if (client->tcpquota != NULL) { |
| 43 | isc_quota_detach(&client->tcpquota); |
| 44 | + } else { |
| 45 | + /* |
| 46 | + * We went over quota with this client, we don't |
| 47 | + * want to restart listening unless this is the |
| 48 | + * last client on this interface, which is |
| 49 | + * checked later. |
| 50 | + */ |
| 51 | + if (TCP_CLIENT(client)) { |
| 52 | + client->mortal = true; |
| 53 | + } |
| 54 | + } |
| 55 | |
| 56 | if (client->timerset) { |
| 57 | (void)isc_timer_reset(client->timer, |
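Review bot: the new else branch infers "we went over quota" solely from client->tcpquota == NULL, but nothing in the hunk establishes that a NULL tcpquota can only result from a failed quota attach; if a TCP client can reach exit_check() without ever having had a quota attached (for example because the attach was never attempted on that path), it will also be marked mortal and torn down here, which silently changes listener behaviour for that case. Suggest either stating that invariant explicitly in the comment or recording the over-quota condition in a dedicated flag set at the point where the quota attach fails, and naming in the comment the later "last client on this interface" check it defers to, so both halves of the mortal handling can be reviewed together.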
--
2.20.1
