Squashed 'import-layers/yocto-poky/' changes from dc8508f6099..67491b0c104
Yocto 2.2.2 (Morty)
Change-Id: Id9a452e28940d9f166957de243d9cb1d8818704e
git-subtree-dir: import-layers/yocto-poky
git-subtree-split: 67491b0c104101bb9f366d697edd23c895be4302
Signed-off-by: Brad Bishop <bradleyb@fuzziesquirrel.com>
diff --git a/import-layers/yocto-poky/meta/recipes-connectivity/bind/bind/CVE-2016-6170.patch b/import-layers/yocto-poky/meta/recipes-connectivity/bind/bind/CVE-2016-6170.patch
new file mode 100644
index 0000000..75bc211
--- /dev/null
+++ b/import-layers/yocto-poky/meta/recipes-connectivity/bind/bind/CVE-2016-6170.patch
@@ -0,0 +1,1090 @@
+From 1bbcfe2fc84f57b1e4e075fb3bc2a1dd0a3a851f Mon Sep 17 00:00:00 2001
+From: Mark Andrews <marka@isc.org>
+Date: Wed, 2 Nov 2016 17:31:27 +1100
+Subject: [PATCH] 4504. [security] Allow the maximum number of records in a
+ zone to be specified. This provides a control for issues raised in
+ CVE-2016-6170. [RT #42143]
+
+(cherry picked from commit 5f8412a4cb5ee14a0e8cddd4107854b40ee3291e)
+
+Upstream-Status: Backport
+[https://source.isc.org/cgi-bin/gitweb.cgi?p=bind9.git;a=commit;h=1bbcfe2fc84f57b1e4e075fb3bc2a1dd0a3a851f]
+
+CVE: CVE-2016-6170
+
+Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
+---
+ CHANGES | 4 +
+ bin/named/config.c | 1 +
+ bin/named/named.conf.docbook | 3 +
+ bin/named/update.c | 16 +++
+ bin/named/zoneconf.c | 7 ++
+ bin/tests/system/nsupdate/clean.sh | 1 +
+ bin/tests/system/nsupdate/ns3/named.conf | 7 ++
+ bin/tests/system/nsupdate/ns3/too-big.test.db.in | 10 ++
+ bin/tests/system/nsupdate/setup.sh | 2 +
+ bin/tests/system/nsupdate/tests.sh | 15 +++
+ bin/tests/system/xfer/clean.sh | 1 +
+ bin/tests/system/xfer/ns1/axfr-too-big.db | 10 ++
+ bin/tests/system/xfer/ns1/ixfr-too-big.db.in | 13 +++
+ bin/tests/system/xfer/ns1/named.conf | 11 ++
+ bin/tests/system/xfer/ns6/named.conf | 14 +++
+ bin/tests/system/xfer/setup.sh | 2 +
+ bin/tests/system/xfer/tests.sh | 26 +++++
+ doc/arm/Bv9ARM-book.xml | 21 ++++
+ doc/arm/notes.xml | 9 ++
+ lib/bind9/check.c | 2 +
+ lib/dns/db.c | 13 +++
+ lib/dns/ecdb.c | 3 +-
+ lib/dns/include/dns/db.h | 20 ++++
+ lib/dns/include/dns/rdataslab.h | 13 +++
+ lib/dns/include/dns/result.h | 6 +-
+ lib/dns/include/dns/zone.h | 28 ++++-
+ lib/dns/rbtdb.c | 127 +++++++++++++++++++++--
+ lib/dns/rdataslab.c | 13 +++
+ lib/dns/result.c | 9 +-
+ lib/dns/sdb.c | 3 +-
+ lib/dns/sdlz.c | 3 +-
+ lib/dns/xfrin.c | 22 +++-
+ lib/dns/zone.c | 23 +++-
+ lib/isccfg/namedconf.c | 1 +
+ 34 files changed, 444 insertions(+), 15 deletions(-)
+ create mode 100644 bin/tests/system/nsupdate/ns3/too-big.test.db.in
+ create mode 100644 bin/tests/system/xfer/ns1/axfr-too-big.db
+ create mode 100644 bin/tests/system/xfer/ns1/ixfr-too-big.db.in
+
+diff --git a/CHANGES b/CHANGES
+index 41cfce5..97d2e60 100644
+--- a/CHANGES
++++ b/CHANGES
+@@ -1,3 +1,7 @@
++4504. [security] Allow the maximum number of records in a zone to
++ be specified. This provides a control for issues
++ raised in CVE-2016-6170. [RT #42143]
++
+ 4489. [security] It was possible to trigger assertions when processing
+ a response. (CVE-2016-8864) [RT #43465]
+
+diff --git a/bin/named/config.c b/bin/named/config.c
+index f06348c..c24e334 100644
+--- a/bin/named/config.c
++++ b/bin/named/config.c
+@@ -209,6 +209,7 @@ options {\n\
+ max-transfer-time-out 120;\n\
+ max-transfer-idle-in 60;\n\
+ max-transfer-idle-out 60;\n\
++ max-records 0;\n\
+ max-retry-time 1209600; /* 2 weeks */\n\
+ min-retry-time 500;\n\
+ max-refresh-time 2419200; /* 4 weeks */\n\
+diff --git a/bin/named/named.conf.docbook b/bin/named/named.conf.docbook
+index 4c99a61..c2d173a 100644
+--- a/bin/named/named.conf.docbook
++++ b/bin/named/named.conf.docbook
+@@ -338,6 +338,7 @@ options {
+ };
+
+ max-journal-size <replaceable>size_no_default</replaceable>;
++ max-records <replaceable>integer</replaceable>;
+ max-transfer-time-in <replaceable>integer</replaceable>;
+ max-transfer-time-out <replaceable>integer</replaceable>;
+ max-transfer-idle-in <replaceable>integer</replaceable>;
+@@ -527,6 +528,7 @@ view <replaceable>string</replaceable> <replaceable>optional_class</replaceable>
+ };
+
+ max-journal-size <replaceable>size_no_default</replaceable>;
++ max-records <replaceable>integer</replaceable>;
+ max-transfer-time-in <replaceable>integer</replaceable>;
+ max-transfer-time-out <replaceable>integer</replaceable>;
+ max-transfer-idle-in <replaceable>integer</replaceable>;
+@@ -624,6 +626,7 @@ zone <replaceable>string</replaceable> <replaceable>optional_class</replaceable>
+ };
+
+ max-journal-size <replaceable>size_no_default</replaceable>;
++ max-records <replaceable>integer</replaceable>;
+ max-transfer-time-in <replaceable>integer</replaceable>;
+ max-transfer-time-out <replaceable>integer</replaceable>;
+ max-transfer-idle-in <replaceable>integer</replaceable>;
+diff --git a/bin/named/update.c b/bin/named/update.c
+index 83b1a05..cc2a611 100644
+--- a/bin/named/update.c
++++ b/bin/named/update.c
+@@ -2455,6 +2455,8 @@ update_action(isc_task_t *task, isc_event_t *event) {
+ isc_boolean_t had_dnskey;
+ dns_rdatatype_t privatetype = dns_zone_getprivatetype(zone);
+ dns_ttl_t maxttl = 0;
++ isc_uint32_t maxrecords;
++ isc_uint64_t records;
+
+ INSIST(event->ev_type == DNS_EVENT_UPDATE);
+
+@@ -3138,6 +3140,20 @@ update_action(isc_task_t *task, isc_event_t *event) {
+ }
+ }
+
++ maxrecords = dns_zone_getmaxrecords(zone);
++ if (maxrecords != 0U) {
++ result = dns_db_getsize(db, ver, &records, NULL);
++ if (result == ISC_R_SUCCESS && records > maxrecords) {
++ update_log(client, zone, ISC_LOG_ERROR,
++ "records in zone (%"
++ ISC_PRINT_QUADFORMAT
++ "u) exceeds max-records (%u)",
++ records, maxrecords);
++ result = DNS_R_TOOMANYRECORDS;
++ goto failure;
++ }
++ }
++
+ journalfile = dns_zone_getjournal(zone);
+ if (journalfile != NULL) {
+ update_log(client, zone, LOGLEVEL_DEBUG,
+diff --git a/bin/named/zoneconf.c b/bin/named/zoneconf.c
+index 4ee3dfe..14dd8ce 100644
+--- a/bin/named/zoneconf.c
++++ b/bin/named/zoneconf.c
+@@ -978,6 +978,13 @@ ns_zone_configure(const cfg_obj_t *config, const cfg_obj_t *vconfig,
+ dns_zone_setmaxttl(raw, maxttl);
+ }
+
++ obj = NULL;
++ result = ns_config_get(maps, "max-records", &obj);
++ INSIST(result == ISC_R_SUCCESS && obj != NULL);
++ dns_zone_setmaxrecords(mayberaw, cfg_obj_asuint32(obj));
++ if (zone != mayberaw)
++ dns_zone_setmaxrecords(zone, 0);
++
+ if (raw != NULL && filename != NULL) {
+ #define SIGNED ".signed"
+ size_t signedlen = strlen(filename) + sizeof(SIGNED);
+diff --git a/bin/tests/system/nsupdate/clean.sh b/bin/tests/system/nsupdate/clean.sh
+index aaefc02..ea25545 100644
+--- a/bin/tests/system/nsupdate/clean.sh
++++ b/bin/tests/system/nsupdate/clean.sh
+@@ -32,6 +32,7 @@ rm -f ns3/example.db.jnl ns3/example.db
+ rm -f ns3/nsec3param.test.db.signed.jnl ns3/nsec3param.test.db ns3/nsec3param.test.db.signed ns3/dsset-nsec3param.test.
+ rm -f ns3/dnskey.test.db.signed.jnl ns3/dnskey.test.db ns3/dnskey.test.db.signed ns3/dsset-dnskey.test.
+ rm -f ns3/K*
++rm -f ns3/too-big.test.db
+ rm -f dig.out.*
+ rm -f jp.out.ns3.*
+ rm -f Kxxx.*
+diff --git a/bin/tests/system/nsupdate/ns3/named.conf b/bin/tests/system/nsupdate/ns3/named.conf
+index 2abd522..68ff27a 100644
+--- a/bin/tests/system/nsupdate/ns3/named.conf
++++ b/bin/tests/system/nsupdate/ns3/named.conf
+@@ -60,3 +60,10 @@ zone "dnskey.test" {
+ allow-update { any; };
+ file "dnskey.test.db.signed";
+ };
++
++zone "too-big.test" {
++ type master;
++ allow-update { any; };
++ max-records 3;
++ file "too-big.test.db";
++};
+diff --git a/bin/tests/system/nsupdate/ns3/too-big.test.db.in b/bin/tests/system/nsupdate/ns3/too-big.test.db.in
+new file mode 100644
+index 0000000..7ff1e4a
+--- /dev/null
++++ b/bin/tests/system/nsupdate/ns3/too-big.test.db.in
+@@ -0,0 +1,10 @@
++; Copyright (C) 2016 Internet Systems Consortium, Inc. ("ISC")
++;
++; This Source Code Form is subject to the terms of the Mozilla Public
++; License, v. 2.0. If a copy of the MPL was not distributed with this
++; file, You can obtain one at http://mozilla.org/MPL/2.0/.
++
++$TTL 10
++too-big.test. IN SOA too-big.test. hostmaster.too-big.test. 1 3600 900 2419200 3600
++too-big.test. IN NS too-big.test.
++too-big.test. IN A 10.53.0.3
+diff --git a/bin/tests/system/nsupdate/setup.sh b/bin/tests/system/nsupdate/setup.sh
+index 828255e..43c4094 100644
+--- a/bin/tests/system/nsupdate/setup.sh
++++ b/bin/tests/system/nsupdate/setup.sh
+@@ -27,12 +27,14 @@ test -r $RANDFILE || $GENRANDOM 400 $RANDFILE
+ rm -f ns1/*.jnl ns1/example.db ns2/*.jnl ns2/example.bk
+ rm -f ns2/update.bk ns2/update.alt.bk
+ rm -f ns3/example.db.jnl
++rm -f ns3/too-big.test.db.jnl
+
+ cp -f ns1/example1.db ns1/example.db
+ sed 's/example.nil/other.nil/g' ns1/example1.db > ns1/other.db
+ sed 's/example.nil/unixtime.nil/g' ns1/example1.db > ns1/unixtime.db
+ sed 's/example.nil/keytests.nil/g' ns1/example1.db > ns1/keytests.db
+ cp -f ns3/example.db.in ns3/example.db
++cp -f ns3/too-big.test.db.in ns3/too-big.test.db
+
+ # update_test.pl has its own zone file because it
+ # requires a specific NS record set.
+diff --git a/bin/tests/system/nsupdate/tests.sh b/bin/tests/system/nsupdate/tests.sh
+index 78d501e..0a6bbd3 100755
+--- a/bin/tests/system/nsupdate/tests.sh
++++ b/bin/tests/system/nsupdate/tests.sh
+@@ -581,5 +581,20 @@ if [ $ret -ne 0 ]; then
+ status=1
+ fi
+
++n=`expr $n + 1`
++echo "I:check that adding too many records is blocked ($n)"
++ret=0
++$NSUPDATE -v << EOF > nsupdate.out-$n 2>&1 && ret=1
++server 10.53.0.3 5300
++zone too-big.test.
++update add r1.too-big.test 3600 IN TXT r1.too-big.test
++send
++EOF
++grep "update failed: SERVFAIL" nsupdate.out-$n > /dev/null || ret=1
++DIG +tcp @10.53.0.3 -p 5300 r1.too-big.test TXT > dig.out.ns3.test$n
++grep "status: NXDOMAIN" dig.out.ns3.test$n > /dev/null || ret=1
++grep "records in zone (4) exceeds max-records (3)" ns3/named.run > /dev/null || ret=1
++[ $ret = 0 ] || { echo I:failed; status=1; }
++
+ echo "I:exit status: $status"
+ exit $status
+diff --git a/bin/tests/system/xfer/clean.sh b/bin/tests/system/xfer/clean.sh
+index 48aa159..da62a33 100644
+--- a/bin/tests/system/xfer/clean.sh
++++ b/bin/tests/system/xfer/clean.sh
+@@ -36,3 +36,4 @@ rm -f ns7/*.db ns7/*.bk ns7/*.jnl
+ rm -f */named.memstats
+ rm -f */named.run
+ rm -f */ans.run
++rm -f ns1/ixfr-too-big.db ns1/ixfr-too-big.db.jnl
+diff --git a/bin/tests/system/xfer/ns1/axfr-too-big.db b/bin/tests/system/xfer/ns1/axfr-too-big.db
+new file mode 100644
+index 0000000..d43760d
+--- /dev/null
++++ b/bin/tests/system/xfer/ns1/axfr-too-big.db
+@@ -0,0 +1,10 @@
++; Copyright (C) 2016 Internet Systems Consortium, Inc. ("ISC")
++;
++; This Source Code Form is subject to the terms of the Mozilla Public
++; License, v. 2.0. If a copy of the MPL was not distributed with this
++; file, You can obtain one at http://mozilla.org/MPL/2.0/.
++
++$TTL 3600
++@ IN SOA . . 0 0 0 0 0
++@ IN NS .
++$GENERATE 1-29 host$ A 1.2.3.$
+diff --git a/bin/tests/system/xfer/ns1/ixfr-too-big.db.in b/bin/tests/system/xfer/ns1/ixfr-too-big.db.in
+new file mode 100644
+index 0000000..318bb77
+--- /dev/null
++++ b/bin/tests/system/xfer/ns1/ixfr-too-big.db.in
+@@ -0,0 +1,13 @@
++; Copyright (C) 2016 Internet Systems Consortium, Inc. ("ISC")
++;
++; This Source Code Form is subject to the terms of the Mozilla Public
++; License, v. 2.0. If a copy of the MPL was not distributed with this
++; file, You can obtain one at http://mozilla.org/MPL/2.0/.
++
++$TTL 3600
++@ IN SOA . . 0 0 0 0 0
++@ IN NS ns1
++@ IN NS ns6
++ns1 IN A 10.53.0.1
++ns6 IN A 10.53.0.6
++$GENERATE 1-25 host$ A 1.2.3.$
+diff --git a/bin/tests/system/xfer/ns1/named.conf b/bin/tests/system/xfer/ns1/named.conf
+index 07dad85..1d29292 100644
+--- a/bin/tests/system/xfer/ns1/named.conf
++++ b/bin/tests/system/xfer/ns1/named.conf
+@@ -44,3 +44,14 @@ zone "slave" {
+ type master;
+ file "slave.db";
+ };
++
++zone "axfr-too-big" {
++ type master;
++ file "axfr-too-big.db";
++};
++
++zone "ixfr-too-big" {
++ type master;
++ allow-update { any; };
++ file "ixfr-too-big.db";
++};
+diff --git a/bin/tests/system/xfer/ns6/named.conf b/bin/tests/system/xfer/ns6/named.conf
+index c9421b1..a12a92c 100644
+--- a/bin/tests/system/xfer/ns6/named.conf
++++ b/bin/tests/system/xfer/ns6/named.conf
+@@ -52,3 +52,17 @@ zone "slave" {
+ masters { 10.53.0.1; };
+ file "slave.bk";
+ };
++
++zone "axfr-too-big" {
++ type slave;
++ max-records 30;
++ masters { 10.53.0.1; };
++ file "axfr-too-big.bk";
++};
++
++zone "ixfr-too-big" {
++ type slave;
++ max-records 30;
++ masters { 10.53.0.1; };
++ file "ixfr-too-big.bk";
++};
+diff --git a/bin/tests/system/xfer/setup.sh b/bin/tests/system/xfer/setup.sh
+index 56ca901..c55abf8 100644
+--- a/bin/tests/system/xfer/setup.sh
++++ b/bin/tests/system/xfer/setup.sh
+@@ -33,3 +33,5 @@ cp -f ns4/named.conf.base ns4/named.conf
+
+ cp ns2/slave.db.in ns2/slave.db
+ touch -t 200101010000 ns2/slave.db
++
++cp -f ns1/ixfr-too-big.db.in ns1/ixfr-too-big.db
+diff --git a/bin/tests/system/xfer/tests.sh b/bin/tests/system/xfer/tests.sh
+index 67b2a1a..fe33f0a 100644
+--- a/bin/tests/system/xfer/tests.sh
++++ b/bin/tests/system/xfer/tests.sh
+@@ -368,5 +368,31 @@ $DIGCMD nil. TXT | grep 'incorrect key AXFR' >/dev/null && {
+ status=1
+ }
+
++n=`expr $n + 1`
++echo "I:test that a zone with too many records is rejected (AXFR) ($n)"
++tmp=0
++grep "'axfr-too-big/IN'.*: too many records" ns6/named.run >/dev/null || tmp=1
++if test $tmp != 0 ; then echo "I:failed"; fi
++status=`expr $status + $tmp`
++
++n=`expr $n + 1`
++echo "I:test that a zone with too many records is rejected (IXFR) ($n)"
++tmp=0
++grep "'ixfr-too-big./IN.*: too many records" ns6/named.run >/dev/null && tmp=1
++$NSUPDATE << EOF
++zone ixfr-too-big
++server 10.53.0.1 5300
++update add the-31st-record.ixfr-too-big 0 TXT this is it
++send
++EOF
++for i in 1 2 3 4 5 6 7 8
++do
++ grep "'ixfr-too-big/IN'.*: too many records" ns6/named.run >/dev/null && break
++ sleep 1
++done
++grep "'ixfr-too-big/IN'.*: too many records" ns6/named.run >/dev/null || tmp=1
++if test $tmp != 0 ; then echo "I:failed"; fi
++status=`expr $status + $tmp`
++
+ echo "I:exit status: $status"
+ exit $status
+diff --git a/doc/arm/Bv9ARM-book.xml b/doc/arm/Bv9ARM-book.xml
+index 848b582..0369505 100644
+--- a/doc/arm/Bv9ARM-book.xml
++++ b/doc/arm/Bv9ARM-book.xml
+@@ -4858,6 +4858,7 @@ badresp:1,adberr:0,findfail:0,valfail:0]
+ <optional> use-queryport-pool <replaceable>yes_or_no</replaceable>; </optional>
+ <optional> queryport-pool-ports <replaceable>number</replaceable>; </optional>
+ <optional> queryport-pool-updateinterval <replaceable>number</replaceable>; </optional>
++ <optional> max-records <replaceable>number</replaceable>; </optional>
+ <optional> max-transfer-time-in <replaceable>number</replaceable>; </optional>
+ <optional> max-transfer-time-out <replaceable>number</replaceable>; </optional>
+ <optional> max-transfer-idle-in <replaceable>number</replaceable>; </optional>
+@@ -8164,6 +8165,16 @@ avoid-v6-udp-ports { 40000; range 50000 60000; };
+ </varlistentry>
+
+ <varlistentry>
++ <term><command>max-records</command></term>
++ <listitem>
++ <para>
++ The maximum number of records permitted in a zone.
++ The default is zero which means unlimited.
++ </para>
++ </listitem>
++ </varlistentry>
++
++ <varlistentry>
+ <term><command>host-statistics-max</command></term>
+ <listitem>
+ <para>
+@@ -12056,6 +12067,16 @@ zone <replaceable>zone_name</replaceable> <optional><replaceable>class</replacea
+ </varlistentry>
+
+ <varlistentry>
++ <term><command>max-records</command></term>
++ <listitem>
++ <para>
++ See the description of
++ <command>max-records</command> in <xref linkend="server_resource_limits"/>.
++ </para>
++ </listitem>
++ </varlistentry>
++
++ <varlistentry>
+ <term><command>max-transfer-time-in</command></term>
+ <listitem>
+ <para>
+diff --git a/doc/arm/notes.xml b/doc/arm/notes.xml
+index 095eb5b..36495e7 100644
+--- a/doc/arm/notes.xml
++++ b/doc/arm/notes.xml
+@@ -52,6 +52,15 @@
+ <itemizedlist>
+ <listitem>
+ <para>
++ Added the ability to specify the maximum number of records
++ permitted in a zone (max-records #;). This provides a mechanism
++ to block overly large zone transfers, which is a potential risk
++ with slave zones from other parties, as described in CVE-2016-6170.
++ [RT #42143]
++ </para>
++ </listitem>
++ <listitem>
++ <para>
+ Duplicate EDNS COOKIE options in a response could trigger
+ an assertion failure. This flaw is disclosed in CVE-2016-2088.
+ [RT #41809]
+diff --git a/lib/bind9/check.c b/lib/bind9/check.c
+index b8c05dd..edb7534 100644
+--- a/lib/bind9/check.c
++++ b/lib/bind9/check.c
+@@ -1510,6 +1510,8 @@ check_zoneconf(const cfg_obj_t *zconfig, const cfg_obj_t *voptions,
+ REDIRECTZONE },
+ { "masters", SLAVEZONE | STUBZONE | REDIRECTZONE },
+ { "max-ixfr-log-size", MASTERZONE | SLAVEZONE | STREDIRECTZONE },
++ { "max-records", MASTERZONE | SLAVEZONE | STUBZONE | STREDIRECTZONE |
++ STATICSTUBZONE | REDIRECTZONE },
+ { "max-refresh-time", SLAVEZONE | STUBZONE | STREDIRECTZONE },
+ { "max-retry-time", SLAVEZONE | STUBZONE | STREDIRECTZONE },
+ { "max-transfer-idle-in", SLAVEZONE | STUBZONE | STREDIRECTZONE },
+diff --git a/lib/dns/db.c b/lib/dns/db.c
+index 7e4f357..ced94a5 100644
+--- a/lib/dns/db.c
++++ b/lib/dns/db.c
+@@ -999,6 +999,19 @@ dns_db_getnsec3parameters(dns_db_t *db, dns_dbversion_t *version,
+ }
+
+ isc_result_t
++dns_db_getsize(dns_db_t *db, dns_dbversion_t *version, isc_uint64_t *records,
++ isc_uint64_t *bytes)
++{
++ REQUIRE(DNS_DB_VALID(db));
++ REQUIRE(dns_db_iszone(db) == ISC_TRUE);
++
++ if (db->methods->getsize != NULL)
++ return ((db->methods->getsize)(db, version, records, bytes));
++
++ return (ISC_R_NOTFOUND);
++}
++
++isc_result_t
+ dns_db_setsigningtime(dns_db_t *db, dns_rdataset_t *rdataset,
+ isc_stdtime_t resign)
+ {
+diff --git a/lib/dns/ecdb.c b/lib/dns/ecdb.c
+index 553a339..b5d04d2 100644
+--- a/lib/dns/ecdb.c
++++ b/lib/dns/ecdb.c
+@@ -587,7 +587,8 @@ static dns_dbmethods_t ecdb_methods = {
+ NULL, /* findnodeext */
+ NULL, /* findext */
+ NULL, /* setcachestats */
+- NULL /* hashsize */
++ NULL, /* hashsize */
++ NULL /* getsize */
+ };
+
+ static isc_result_t
+diff --git a/lib/dns/include/dns/db.h b/lib/dns/include/dns/db.h
+index a4a4482..aff42d6 100644
+--- a/lib/dns/include/dns/db.h
++++ b/lib/dns/include/dns/db.h
+@@ -195,6 +195,8 @@ typedef struct dns_dbmethods {
+ dns_rdataset_t *sigrdataset);
+ isc_result_t (*setcachestats)(dns_db_t *db, isc_stats_t *stats);
+ unsigned int (*hashsize)(dns_db_t *db);
++ isc_result_t (*getsize)(dns_db_t *db, dns_dbversion_t *version,
++ isc_uint64_t *records, isc_uint64_t *bytes);
+ } dns_dbmethods_t;
+
+ typedef isc_result_t
+@@ -1485,6 +1487,24 @@ dns_db_getnsec3parameters(dns_db_t *db, dns_dbversion_t *version,
+ */
+
+ isc_result_t
++dns_db_getsize(dns_db_t *db, dns_dbversion_t *version, isc_uint64_t *records,
++ isc_uint64_t *bytes);
++/*%<
++ * Get the number of records in the given version of the database as well
++ * as the number bytes used to store those records.
++ *
++ * Requires:
++ * \li 'db' is a valid zone database.
++ * \li 'version' is NULL or a valid version.
++ * \li 'records' is NULL or a pointer to return the record count in.
++ * \li 'bytes' is NULL or a pointer to return the byte count in.
++ *
++ * Returns:
++ * \li #ISC_R_SUCCESS
++ * \li #ISC_R_NOTIMPLEMENTED
++ */
++
++isc_result_t
+ dns_db_findnsec3node(dns_db_t *db, dns_name_t *name,
+ isc_boolean_t create, dns_dbnode_t **nodep);
+ /*%<
+diff --git a/lib/dns/include/dns/rdataslab.h b/lib/dns/include/dns/rdataslab.h
+index 3ac44b8..2e1e759 100644
+--- a/lib/dns/include/dns/rdataslab.h
++++ b/lib/dns/include/dns/rdataslab.h
+@@ -104,6 +104,7 @@ dns_rdataslab_tordataset(unsigned char *slab, unsigned int reservelen,
+ * Ensures:
+ *\li 'rdataset' is associated and points to a valid rdataest.
+ */
++
+ unsigned int
+ dns_rdataslab_size(unsigned char *slab, unsigned int reservelen);
+ /*%<
+@@ -116,6 +117,18 @@ dns_rdataslab_size(unsigned char *slab, unsigned int reservelen);
+ *\li The number of bytes in the slab, including the reservelen.
+ */
+
++unsigned int
++dns_rdataslab_count(unsigned char *slab, unsigned int reservelen);
++/*%<
++ * Return the number of records in the rdataslab
++ *
++ * Requires:
++ *\li 'slab' points to a slab.
++ *
++ * Returns:
++ *\li The number of records in the slab.
++ */
++
+ isc_result_t
+ dns_rdataslab_merge(unsigned char *oslab, unsigned char *nslab,
+ unsigned int reservelen, isc_mem_t *mctx,
+diff --git a/lib/dns/include/dns/result.h b/lib/dns/include/dns/result.h
+index 7d11c2b..93d1fd5 100644
+--- a/lib/dns/include/dns/result.h
++++ b/lib/dns/include/dns/result.h
+@@ -157,8 +157,12 @@
+ #define DNS_R_BADCDS (ISC_RESULTCLASS_DNS + 111)
+ #define DNS_R_BADCDNSKEY (ISC_RESULTCLASS_DNS + 112)
+ #define DNS_R_OPTERR (ISC_RESULTCLASS_DNS + 113)
++#define DNS_R_BADDNSTAP (ISC_RESULTCLASS_DNS + 114)
++#define DNS_R_BADTSIG (ISC_RESULTCLASS_DNS + 115)
++#define DNS_R_BADSIG0 (ISC_RESULTCLASS_DNS + 116)
++#define DNS_R_TOOMANYRECORDS (ISC_RESULTCLASS_DNS + 117)
+
+-#define DNS_R_NRESULTS 114 /*%< Number of results */
++#define DNS_R_NRESULTS 118 /*%< Number of results */
+
+ /*
+ * DNS wire format rcodes.
+diff --git a/lib/dns/include/dns/zone.h b/lib/dns/include/dns/zone.h
+index a9367f1..227540b 100644
+--- a/lib/dns/include/dns/zone.h
++++ b/lib/dns/include/dns/zone.h
+@@ -296,6 +296,32 @@ dns_zone_getfile(dns_zone_t *zone);
+ */
+
+ void
++dns_zone_setmaxrecords(dns_zone_t *zone, isc_uint32_t records);
++/*%<
++ * Sets the maximim number of records permitted in a zone.
++ * 0 implies unlimited.
++ *
++ * Requires:
++ *\li 'zone' to be valid initialised zone.
++ *
++ * Returns:
++ *\li void
++ */
++
++isc_uint32_t
++dns_zone_getmaxrecords(dns_zone_t *zone);
++/*%<
++ * Gets the maximim number of records permitted in a zone.
++ * 0 implies unlimited.
++ *
++ * Requires:
++ *\li 'zone' to be valid initialised zone.
++ *
++ * Returns:
++ *\li isc_uint32_t maxrecords.
++ */
++
++void
+ dns_zone_setmaxttl(dns_zone_t *zone, isc_uint32_t maxttl);
+ /*%<
+ * Sets the max ttl of the zone.
+@@ -316,7 +342,7 @@ dns_zone_getmaxttl(dns_zone_t *zone);
+ *\li 'zone' to be valid initialised zone.
+ *
+ * Returns:
+- *\li isc_uint32_t maxttl.
++ *\li dns_ttl_t maxttl.
+ */
+
+ isc_result_t
+diff --git a/lib/dns/rbtdb.c b/lib/dns/rbtdb.c
+index 62becfc..72d722f 100644
+--- a/lib/dns/rbtdb.c
++++ b/lib/dns/rbtdb.c
+@@ -209,6 +209,7 @@ typedef isc_uint64_t rbtdb_serial_t;
+ #define free_rbtdb_callback free_rbtdb_callback64
+ #define free_rdataset free_rdataset64
+ #define getnsec3parameters getnsec3parameters64
++#define getsize getsize64
+ #define getoriginnode getoriginnode64
+ #define getrrsetstats getrrsetstats64
+ #define getsigningtime getsigningtime64
+@@ -589,6 +590,13 @@ typedef struct rbtdb_version {
+ isc_uint16_t iterations;
+ isc_uint8_t salt_length;
+ unsigned char salt[DNS_NSEC3_SALTSIZE];
++
++ /*
++ * records and bytes are covered by rwlock.
++ */
++ isc_rwlock_t rwlock;
++ isc_uint64_t records;
++ isc_uint64_t bytes;
+ } rbtdb_version_t;
+
+ typedef ISC_LIST(rbtdb_version_t) rbtdb_versionlist_t;
+@@ -1130,6 +1138,7 @@ free_rbtdb(dns_rbtdb_t *rbtdb, isc_boolean_t log, isc_event_t *event) {
+ INSIST(refs == 0);
+ UNLINK(rbtdb->open_versions, rbtdb->current_version, link);
+ isc_refcount_destroy(&rbtdb->current_version->references);
++ isc_rwlock_destroy(&rbtdb->current_version->rwlock);
+ isc_mem_put(rbtdb->common.mctx, rbtdb->current_version,
+ sizeof(rbtdb_version_t));
+ }
+@@ -1383,6 +1392,7 @@ allocate_version(isc_mem_t *mctx, rbtdb_serial_t serial,
+
+ static isc_result_t
+ newversion(dns_db_t *db, dns_dbversion_t **versionp) {
++ isc_result_t result;
+ dns_rbtdb_t *rbtdb = (dns_rbtdb_t *)db;
+ rbtdb_version_t *version;
+
+@@ -1415,13 +1425,28 @@ newversion(dns_db_t *db, dns_dbversion_t **versionp) {
+ version->salt_length = 0;
+ memset(version->salt, 0, sizeof(version->salt));
+ }
+- rbtdb->next_serial++;
+- rbtdb->future_version = version;
+- }
++ result = isc_rwlock_init(&version->rwlock, 0, 0);
++ if (result != ISC_R_SUCCESS) {
++ isc_refcount_destroy(&version->references);
++ isc_mem_put(rbtdb->common.mctx, version,
++ sizeof(*version));
++ version = NULL;
++ } else {
++ RWLOCK(&rbtdb->current_version->rwlock,
++ isc_rwlocktype_read);
++ version->records = rbtdb->current_version->records;
++ version->bytes = rbtdb->current_version->bytes;
++ RWUNLOCK(&rbtdb->current_version->rwlock,
++ isc_rwlocktype_read);
++ rbtdb->next_serial++;
++ rbtdb->future_version = version;
++ }
++ } else
++ result = ISC_R_NOMEMORY;
+ RBTDB_UNLOCK(&rbtdb->lock, isc_rwlocktype_write);
+
+ if (version == NULL)
+- return (ISC_R_NOMEMORY);
++ return (result);
+
+ *versionp = version;
+
+@@ -2681,6 +2706,7 @@ closeversion(dns_db_t *db, dns_dbversion_t **versionp, isc_boolean_t commit) {
+
+ if (cleanup_version != NULL) {
+ INSIST(EMPTY(cleanup_version->changed_list));
++ isc_rwlock_destroy(&cleanup_version->rwlock);
+ isc_mem_put(rbtdb->common.mctx, cleanup_version,
+ sizeof(*cleanup_version));
+ }
+@@ -6254,6 +6280,26 @@ add32(dns_rbtdb_t *rbtdb, dns_rbtnode_t *rbtnode, rbtdb_version_t *rbtversion,
+ else
+ rbtnode->data = newheader;
+ newheader->next = topheader->next;
++ if (rbtversion != NULL)
++ RWLOCK(&rbtversion->rwlock, isc_rwlocktype_write);
++ if (rbtversion != NULL && !header_nx) {
++ rbtversion->records -=
++ dns_rdataslab_count((unsigned char *)header,
++ sizeof(*header));
++ rbtversion->bytes -=
++ dns_rdataslab_size((unsigned char *)header,
++ sizeof(*header));
++ }
++ if (rbtversion != NULL && !newheader_nx) {
++ rbtversion->records +=
++ dns_rdataslab_count((unsigned char *)newheader,
++ sizeof(*newheader));
++ rbtversion->bytes +=
++ dns_rdataslab_size((unsigned char *)newheader,
++ sizeof(*newheader));
++ }
++ if (rbtversion != NULL)
++ RWUNLOCK(&rbtversion->rwlock, isc_rwlocktype_write);
+ if (loading) {
+ /*
+ * There are no other references to 'header' when
+@@ -6355,6 +6401,16 @@ add32(dns_rbtdb_t *rbtdb, dns_rbtnode_t *rbtnode, rbtdb_version_t *rbtversion,
+ newheader->down = NULL;
+ rbtnode->data = newheader;
+ }
++ if (rbtversion != NULL && !newheader_nx) {
++ RWLOCK(&rbtversion->rwlock, isc_rwlocktype_write);
++ rbtversion->records +=
++ dns_rdataslab_count((unsigned char *)newheader,
++ sizeof(*newheader));
++ rbtversion->bytes +=
++ dns_rdataslab_size((unsigned char *)newheader,
++ sizeof(*newheader));
++ RWUNLOCK(&rbtversion->rwlock, isc_rwlocktype_write);
++ }
+ idx = newheader->node->locknum;
+ if (IS_CACHE(rbtdb)) {
+ ISC_LIST_PREPEND(rbtdb->rdatasets[idx],
+@@ -6811,6 +6867,12 @@ subtractrdataset(dns_db_t *db, dns_dbnode_t *node, dns_dbversion_t *version,
+ */
+ newheader->additional_auth = NULL;
+ newheader->additional_glue = NULL;
++ rbtversion->records +=
++ dns_rdataslab_count((unsigned char *)newheader,
++ sizeof(*newheader));
++ rbtversion->bytes +=
++ dns_rdataslab_size((unsigned char *)newheader,
++ sizeof(*newheader));
+ } else if (result == DNS_R_NXRRSET) {
+ /*
+ * This subtraction would remove all of the rdata;
+@@ -6846,6 +6908,12 @@ subtractrdataset(dns_db_t *db, dns_dbnode_t *node, dns_dbversion_t *version,
+ * topheader.
+ */
+ INSIST(rbtversion->serial >= topheader->serial);
++ rbtversion->records -=
++ dns_rdataslab_count((unsigned char *)header,
++ sizeof(*header));
++ rbtversion->bytes -=
++ dns_rdataslab_size((unsigned char *)header,
++ sizeof(*header));
+ if (topheader_prev != NULL)
+ topheader_prev->next = newheader;
+ else
+@@ -7172,6 +7240,7 @@ rbt_datafixer(dns_rbtnode_t *rbtnode, void *base, size_t filesize,
+ unsigned char *limit = ((unsigned char *) base) + filesize;
+ unsigned char *p;
+ size_t size;
++ unsigned int count;
+
+ REQUIRE(rbtnode != NULL);
+
+@@ -7179,6 +7248,9 @@ rbt_datafixer(dns_rbtnode_t *rbtnode, void *base, size_t filesize,
+ p = (unsigned char *) header;
+
+ size = dns_rdataslab_size(p, sizeof(*header));
++ count = dns_rdataslab_count(p, sizeof(*header));;
++ rbtdb->current_version->records += count;
++ rbtdb->current_version->bytes += size;
+ isc_crc64_update(crc, p, size);
+ #ifdef DEBUG
+ hexdump("hashing header", p, sizeof(rdatasetheader_t));
+@@ -7777,6 +7849,33 @@ getnsec3parameters(dns_db_t *db, dns_dbversion_t *version, dns_hash_t *hash,
+ }
+
+ static isc_result_t
++getsize(dns_db_t *db, dns_dbversion_t *version, isc_uint64_t *records,
++ isc_uint64_t *bytes)
++{
++ dns_rbtdb_t *rbtdb;
++ isc_result_t result = ISC_R_SUCCESS;
++ rbtdb_version_t *rbtversion = version;
++
++ rbtdb = (dns_rbtdb_t *)db;
++
++ REQUIRE(VALID_RBTDB(rbtdb));
++ INSIST(rbtversion == NULL || rbtversion->rbtdb == rbtdb);
++
++ if (rbtversion == NULL)
++ rbtversion = rbtdb->current_version;
++
++ RWLOCK(&rbtversion->rwlock, isc_rwlocktype_read);
++ if (records != NULL)
++ *records = rbtversion->records;
++
++ if (bytes != NULL)
++ *bytes = rbtversion->bytes;
++ RWUNLOCK(&rbtversion->rwlock, isc_rwlocktype_read);
++
++ return (result);
++}
++
++static isc_result_t
+ setsigningtime(dns_db_t *db, dns_rdataset_t *rdataset, isc_stdtime_t resign) {
+ dns_rbtdb_t *rbtdb = (dns_rbtdb_t *)db;
+ isc_stdtime_t oldresign;
+@@ -7972,7 +8071,8 @@ static dns_dbmethods_t zone_methods = {
+ NULL,
+ NULL,
+ NULL,
+- hashsize
++ hashsize,
++ getsize
+ };
+
+ static dns_dbmethods_t cache_methods = {
+@@ -8018,7 +8118,8 @@ static dns_dbmethods_t cache_methods = {
+ NULL,
+ NULL,
+ setcachestats,
+- hashsize
++ hashsize,
++ NULL
+ };
+
+ isc_result_t
+@@ -8310,6 +8411,20 @@ dns_rbtdb_create
+ rbtdb->current_version->salt_length = 0;
+ memset(rbtdb->current_version->salt, 0,
+ sizeof(rbtdb->current_version->salt));
++ result = isc_rwlock_init(&rbtdb->current_version->rwlock, 0, 0);
++ if (result != ISC_R_SUCCESS) {
++ isc_refcount_destroy(&rbtdb->current_version->references);
++ isc_mem_put(mctx, rbtdb->current_version,
++ sizeof(*rbtdb->current_version));
++ rbtdb->current_version = NULL;
++ isc_refcount_decrement(&rbtdb->references, NULL);
++ isc_refcount_destroy(&rbtdb->references);
++ free_rbtdb(rbtdb, ISC_FALSE, NULL);
++ return (result);
++ }
++
++ rbtdb->current_version->records = 0;
++ rbtdb->current_version->bytes = 0;
+ rbtdb->future_version = NULL;
+ ISC_LIST_INIT(rbtdb->open_versions);
+ /*
+diff --git a/lib/dns/rdataslab.c b/lib/dns/rdataslab.c
+index e29dc84..63e3728 100644
+--- a/lib/dns/rdataslab.c
++++ b/lib/dns/rdataslab.c
+@@ -523,6 +523,19 @@ dns_rdataslab_size(unsigned char *slab, unsigned int reservelen) {
+ return ((unsigned int)(current - slab));
+ }
+
++unsigned int
++dns_rdataslab_count(unsigned char *slab, unsigned int reservelen) {
++ unsigned int count;
++ unsigned char *current;
++
++ REQUIRE(slab != NULL);
++
++ current = slab + reservelen;
++ count = *current++ * 256;
++ count += *current++;
++ return (count);
++}
++
+ /*
+ * Make the dns_rdata_t 'rdata' refer to the slab item
+ * beginning at '*current', which is part of a slab of type
+diff --git a/lib/dns/result.c b/lib/dns/result.c
+index 7be4f57..a621909 100644
+--- a/lib/dns/result.c
++++ b/lib/dns/result.c
+@@ -167,11 +167,16 @@ static const char *text[DNS_R_NRESULTS] = {
+ "covered by negative trust anchor", /*%< 110 DNS_R_NTACOVERED */
+ "bad CDS", /*%< 111 DNS_R_BADCSD */
+ "bad CDNSKEY", /*%< 112 DNS_R_BADCDNSKEY */
+- "malformed OPT option" /*%< 113 DNS_R_OPTERR */
++ "malformed OPT option", /*%< 113 DNS_R_OPTERR */
++ "malformed DNSTAP data", /*%< 114 DNS_R_BADDNSTAP */
++
++ "TSIG in wrong location", /*%< 115 DNS_R_BADTSIG */
++ "SIG(0) in wrong location", /*%< 116 DNS_R_BADSIG0 */
++ "too many records", /*%< 117 DNS_R_TOOMANYRECORDS */
+ };
+
+ static const char *rcode_text[DNS_R_NRCODERESULTS] = {
+- "NOERROR", /*%< 0 DNS_R_NOEROR */
++ "NOERROR", /*%< 0 DNS_R_NOERROR */
+ "FORMERR", /*%< 1 DNS_R_FORMERR */
+ "SERVFAIL", /*%< 2 DNS_R_SERVFAIL */
+ "NXDOMAIN", /*%< 3 DNS_R_NXDOMAIN */
+diff --git a/lib/dns/sdb.c b/lib/dns/sdb.c
+index abfeeb0..19397e0 100644
+--- a/lib/dns/sdb.c
++++ b/lib/dns/sdb.c
+@@ -1298,7 +1298,8 @@ static dns_dbmethods_t sdb_methods = {
+ findnodeext,
+ findext,
+ NULL, /* setcachestats */
+- NULL /* hashsize */
++ NULL, /* hashsize */
++ NULL /* getsize */
+ };
+
+ static isc_result_t
+diff --git a/lib/dns/sdlz.c b/lib/dns/sdlz.c
+index b1198a4..0e3163d 100644
+--- a/lib/dns/sdlz.c
++++ b/lib/dns/sdlz.c
+@@ -1269,7 +1269,8 @@ static dns_dbmethods_t sdlzdb_methods = {
+ findnodeext,
+ findext,
+ NULL, /* setcachestats */
+- NULL /* hashsize */
++ NULL, /* hashsize */
++ NULL /* getsize */
+ };
+
+ /*
+diff --git a/lib/dns/xfrin.c b/lib/dns/xfrin.c
+index 2a6c1b4..ac566e1 100644
+--- a/lib/dns/xfrin.c
++++ b/lib/dns/xfrin.c
+@@ -149,6 +149,9 @@ struct dns_xfrin_ctx {
+ unsigned int nrecs; /*%< Number of records recvd */
+ isc_uint64_t nbytes; /*%< Number of bytes received */
+
++ unsigned int maxrecords; /*%< The maximum number of
++ records set for the zone */
++
+ isc_time_t start; /*%< Start time of the transfer */
+ isc_time_t end; /*%< End time of the transfer */
+
+@@ -309,10 +312,18 @@ axfr_putdata(dns_xfrin_ctx_t *xfr, dns_diffop_t op,
+ static isc_result_t
+ axfr_apply(dns_xfrin_ctx_t *xfr) {
+ isc_result_t result;
++ isc_uint64_t records;
+
+ CHECK(dns_diff_load(&xfr->diff, xfr->axfr.add, xfr->axfr.add_private));
+ xfr->difflen = 0;
+ dns_diff_clear(&xfr->diff);
++ if (xfr->maxrecords != 0U) {
++ result = dns_db_getsize(xfr->db, xfr->ver, &records, NULL);
++ if (result == ISC_R_SUCCESS && records > xfr->maxrecords) {
++ result = DNS_R_TOOMANYRECORDS;
++ goto failure;
++ }
++ }
+ result = ISC_R_SUCCESS;
+ failure:
+ return (result);
+@@ -396,6 +407,7 @@ ixfr_putdata(dns_xfrin_ctx_t *xfr, dns_diffop_t op,
+ static isc_result_t
+ ixfr_apply(dns_xfrin_ctx_t *xfr) {
+ isc_result_t result;
++ isc_uint64_t records;
+
+ if (xfr->ver == NULL) {
+ CHECK(dns_db_newversion(xfr->db, &xfr->ver));
+@@ -403,6 +415,13 @@ ixfr_apply(dns_xfrin_ctx_t *xfr) {
+ CHECK(dns_journal_begin_transaction(xfr->ixfr.journal));
+ }
+ CHECK(dns_diff_apply(&xfr->diff, xfr->db, xfr->ver));
++ if (xfr->maxrecords != 0U) {
++ result = dns_db_getsize(xfr->db, xfr->ver, &records, NULL);
++ if (result == ISC_R_SUCCESS && records > xfr->maxrecords) {
++ result = DNS_R_TOOMANYRECORDS;
++ goto failure;
++ }
++ }
+ if (xfr->ixfr.journal != NULL) {
+ result = dns_journal_writediff(xfr->ixfr.journal, &xfr->diff);
+ if (result != ISC_R_SUCCESS)
+@@ -759,7 +778,7 @@ xfrin_reset(dns_xfrin_ctx_t *xfr) {
+
+ static void
+ xfrin_fail(dns_xfrin_ctx_t *xfr, isc_result_t result, const char *msg) {
+- if (result != DNS_R_UPTODATE) {
++ if (result != DNS_R_UPTODATE && result != DNS_R_TOOMANYRECORDS) {
+ xfrin_log(xfr, ISC_LOG_ERROR, "%s: %s",
+ msg, isc_result_totext(result));
+ if (xfr->is_ixfr)
+@@ -852,6 +871,7 @@ xfrin_create(isc_mem_t *mctx,
+ xfr->nmsg = 0;
+ xfr->nrecs = 0;
+ xfr->nbytes = 0;
++ xfr->maxrecords = dns_zone_getmaxrecords(zone);
+ isc_time_now(&xfr->start);
+
+ xfr->tsigkey = NULL;
+diff --git a/lib/dns/zone.c b/lib/dns/zone.c
+index 90e558d..2b0d8e4 100644
+--- a/lib/dns/zone.c
++++ b/lib/dns/zone.c
+@@ -253,6 +253,8 @@ struct dns_zone {
+ isc_uint32_t maxretry;
+ isc_uint32_t minretry;
+
++ isc_uint32_t maxrecords;
++
+ isc_sockaddr_t *masters;
+ isc_dscp_t *masterdscps;
+ dns_name_t **masterkeynames;
+@@ -10088,6 +10090,20 @@ dns_zone_setmaxretrytime(dns_zone_t *zone, isc_uint32_t val) {
+ zone->maxretry = val;
+ }
+
++isc_uint32_t
++dns_zone_getmaxrecords(dns_zone_t *zone) {
++ REQUIRE(DNS_ZONE_VALID(zone));
++
++ return (zone->maxrecords);
++}
++
++void
++dns_zone_setmaxrecords(dns_zone_t *zone, isc_uint32_t val) {
++ REQUIRE(DNS_ZONE_VALID(zone));
++
++ zone->maxrecords = val;
++}
++
+ static isc_boolean_t
+ notify_isqueued(dns_zone_t *zone, unsigned int flags, dns_name_t *name,
+ isc_sockaddr_t *addr, dns_tsigkey_t *key)
+@@ -14431,7 +14447,7 @@ zone_xfrdone(dns_zone_t *zone, isc_result_t result) {
+ DNS_ZONE_CLRFLAG(zone, DNS_ZONEFLG_SOABEFOREAXFR);
+
+ TIME_NOW(&now);
+- switch (result) {
++ switch (xfrresult) {
+ case ISC_R_SUCCESS:
+ DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_NEEDNOTIFY);
+ /*FALLTHROUGH*/
+@@ -14558,6 +14574,11 @@ zone_xfrdone(dns_zone_t *zone, isc_result_t result) {
+ DNS_ZONE_SETFLAG(zone, DNS_ZONEFLAG_NOIXFR);
+ goto same_master;
+
++ case DNS_R_TOOMANYRECORDS:
++ DNS_ZONE_JITTER_ADD(&now, zone->refresh, &zone->refreshtime);
++ inc_stats(zone, dns_zonestatscounter_xfrfail);
++ break;
++
+ default:
+ next_master:
+ /*
+diff --git a/lib/isccfg/namedconf.c b/lib/isccfg/namedconf.c
+index 780ab46..e7ff1cc 100644
+--- a/lib/isccfg/namedconf.c
++++ b/lib/isccfg/namedconf.c
+@@ -1679,6 +1679,7 @@ zone_clauses[] = {
+ { "masterfile-format", &cfg_type_masterformat, 0 },
+ { "max-ixfr-log-size", &cfg_type_size, CFG_CLAUSEFLAG_OBSOLETE },
+ { "max-journal-size", &cfg_type_sizenodefault, 0 },
++ { "max-records", &cfg_type_uint32, 0 },
+ { "max-refresh-time", &cfg_type_uint32, 0 },
+ { "max-retry-time", &cfg_type_uint32, 0 },
+ { "max-transfer-idle-in", &cfg_type_uint32, 0 },
+--
+2.7.4
+
diff --git a/import-layers/yocto-poky/meta/recipes-connectivity/bind/bind/CVE-2016-8864.patch b/import-layers/yocto-poky/meta/recipes-connectivity/bind/bind/CVE-2016-8864.patch
new file mode 100644
index 0000000..b52d680
--- /dev/null
+++ b/import-layers/yocto-poky/meta/recipes-connectivity/bind/bind/CVE-2016-8864.patch
@@ -0,0 +1,219 @@
+From c1d0599a246f646d1c22018f8fa09459270a44b8 Mon Sep 17 00:00:00 2001
+From: Mark Andrews <marka@isc.org>
+Date: Fri, 21 Oct 2016 14:55:10 +1100
+Subject: [PATCH] 4489. [security] It was possible to trigger assertions when
+ processing a response. (CVE-2016-8864) [RT #43465]
+
+(cherry picked from commit bd6f27f5c353133b563fe69100b2f168c129f3ca)
+
+Upstream-Status: Backport
+[https://source.isc.org/cgi-bin/gitweb.cgi?p=bind9.git;a=commit;h=c1d0599a246f646d1c22018f8fa09459270a44b8]
+
+CVE: CVE-2016-8864
+
+Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
+---
+ CHANGES | 3 +++
+ lib/dns/resolver.c | 69 +++++++++++++++++++++++++++++++++++++-----------------
+ 2 files changed, 50 insertions(+), 22 deletions(-)
+
+diff --git a/CHANGES b/CHANGES
+index 5c8c61a..41cfce5 100644
+--- a/CHANGES
++++ b/CHANGES
+@@ -1,3 +1,6 @@
++4489. [security] It was possible to trigger assertions when processing
++ a response. (CVE-2016-8864) [RT #43465]
++
+ 4467. [security] It was possible to trigger an assertion when
+ rendering a message. (CVE-2016-2776) [RT #43139]
+
+diff --git a/lib/dns/resolver.c b/lib/dns/resolver.c
+index ba1ae23..13c8b44 100644
+--- a/lib/dns/resolver.c
++++ b/lib/dns/resolver.c
+@@ -612,7 +612,9 @@ valcreate(fetchctx_t *fctx, dns_adbaddrinfo_t *addrinfo, dns_name_t *name,
+ valarg->addrinfo = addrinfo;
+
+ if (!ISC_LIST_EMPTY(fctx->validators))
+- INSIST((valoptions & DNS_VALIDATOR_DEFER) != 0);
++ valoptions |= DNS_VALIDATOR_DEFER;
++ else
++ valoptions &= ~DNS_VALIDATOR_DEFER;
+
+ result = dns_validator_create(fctx->res->view, name, type, rdataset,
+ sigrdataset, fctx->rmessage,
+@@ -5526,13 +5528,6 @@ cache_name(fetchctx_t *fctx, dns_name_t *name, dns_adbaddrinfo_t *addrinfo,
+ rdataset,
+ sigrdataset,
+ valoptions, task);
+- /*
+- * Defer any further validations.
+- * This prevents multiple validators
+- * from manipulating fctx->rmessage
+- * simultaneously.
+- */
+- valoptions |= DNS_VALIDATOR_DEFER;
+ }
+ } else if (CHAINING(rdataset)) {
+ if (rdataset->type == dns_rdatatype_cname)
+@@ -5647,6 +5642,11 @@ cache_name(fetchctx_t *fctx, dns_name_t *name, dns_adbaddrinfo_t *addrinfo,
+ eresult == DNS_R_NCACHENXRRSET);
+ }
+ event->result = eresult;
++ if (adbp != NULL && *adbp != NULL) {
++ if (anodep != NULL && *anodep != NULL)
++ dns_db_detachnode(*adbp, anodep);
++ dns_db_detach(adbp);
++ }
+ dns_db_attach(fctx->cache, adbp);
+ dns_db_transfernode(fctx->cache, &node, anodep);
+ clone_results(fctx);
+@@ -5897,6 +5897,11 @@ ncache_message(fetchctx_t *fctx, dns_adbaddrinfo_t *addrinfo,
+ fctx->attributes |= FCTX_ATTR_HAVEANSWER;
+ if (event != NULL) {
+ event->result = eresult;
++ if (adbp != NULL && *adbp != NULL) {
++ if (anodep != NULL && *anodep != NULL)
++ dns_db_detachnode(*adbp, anodep);
++ dns_db_detach(adbp);
++ }
+ dns_db_attach(fctx->cache, adbp);
+ dns_db_transfernode(fctx->cache, &node, anodep);
+ clone_results(fctx);
+@@ -6718,13 +6723,15 @@ static isc_result_t
+ answer_response(fetchctx_t *fctx) {
+ isc_result_t result;
+ dns_message_t *message;
+- dns_name_t *name, *dname, *qname, tname, *ns_name;
++ dns_name_t *name, *dname = NULL, *qname, *dqname, tname, *ns_name;
++ dns_name_t *cname = NULL;
+ dns_rdataset_t *rdataset, *ns_rdataset;
+ isc_boolean_t done, external, chaining, aa, found, want_chaining;
+- isc_boolean_t have_answer, found_cname, found_type, wanted_chaining;
++ isc_boolean_t have_answer, found_cname, found_dname, found_type;
++ isc_boolean_t wanted_chaining;
+ unsigned int aflag;
+ dns_rdatatype_t type;
+- dns_fixedname_t fdname, fqname;
++ dns_fixedname_t fdname, fqname, fqdname;
+ dns_view_t *view;
+
+ FCTXTRACE("answer_response");
+@@ -6738,6 +6745,7 @@ answer_response(fetchctx_t *fctx) {
+
+ done = ISC_FALSE;
+ found_cname = ISC_FALSE;
++ found_dname = ISC_FALSE;
+ found_type = ISC_FALSE;
+ chaining = ISC_FALSE;
+ have_answer = ISC_FALSE;
+@@ -6747,12 +6755,13 @@ answer_response(fetchctx_t *fctx) {
+ aa = ISC_TRUE;
+ else
+ aa = ISC_FALSE;
+- qname = &fctx->name;
++ dqname = qname = &fctx->name;
+ type = fctx->type;
+ view = fctx->res->view;
++ dns_fixedname_init(&fqdname);
+ result = dns_message_firstname(message, DNS_SECTION_ANSWER);
+ while (!done && result == ISC_R_SUCCESS) {
+- dns_namereln_t namereln;
++ dns_namereln_t namereln, dnamereln;
+ int order;
+ unsigned int nlabels;
+
+@@ -6760,6 +6769,8 @@ answer_response(fetchctx_t *fctx) {
+ dns_message_currentname(message, DNS_SECTION_ANSWER, &name);
+ external = ISC_TF(!dns_name_issubdomain(name, &fctx->domain));
+ namereln = dns_name_fullcompare(qname, name, &order, &nlabels);
++ dnamereln = dns_name_fullcompare(dqname, name, &order,
++ &nlabels);
+ if (namereln == dns_namereln_equal) {
+ wanted_chaining = ISC_FALSE;
+ for (rdataset = ISC_LIST_HEAD(name->list);
+@@ -6854,7 +6865,7 @@ answer_response(fetchctx_t *fctx) {
+ }
+ } else if (rdataset->type == dns_rdatatype_rrsig
+ && rdataset->covers ==
+- dns_rdatatype_cname
++ dns_rdatatype_cname
+ && !found_type) {
+ /*
+ * We're looking for something else,
+@@ -6884,11 +6895,18 @@ answer_response(fetchctx_t *fctx) {
+ * a CNAME or DNAME).
+ */
+ INSIST(!external);
+- if (aflag ==
+- DNS_RDATASETATTR_ANSWER) {
++ if ((rdataset->type !=
++ dns_rdatatype_cname) ||
++ !found_dname ||
++ (aflag ==
++ DNS_RDATASETATTR_ANSWER))
++ {
+ have_answer = ISC_TRUE;
++ if (rdataset->type ==
++ dns_rdatatype_cname)
++ cname = name;
+ name->attributes |=
+- DNS_NAMEATTR_ANSWER;
++ DNS_NAMEATTR_ANSWER;
+ }
+ rdataset->attributes |= aflag;
+ if (aa)
+@@ -6982,11 +7000,11 @@ answer_response(fetchctx_t *fctx) {
+ return (DNS_R_FORMERR);
+ }
+
+- if (namereln != dns_namereln_subdomain) {
++ if (dnamereln != dns_namereln_subdomain) {
+ char qbuf[DNS_NAME_FORMATSIZE];
+ char obuf[DNS_NAME_FORMATSIZE];
+
+- dns_name_format(qname, qbuf,
++ dns_name_format(dqname, qbuf,
+ sizeof(qbuf));
+ dns_name_format(name, obuf,
+ sizeof(obuf));
+@@ -7001,7 +7019,7 @@ answer_response(fetchctx_t *fctx) {
+ want_chaining = ISC_TRUE;
+ POST(want_chaining);
+ aflag = DNS_RDATASETATTR_ANSWER;
+- result = dname_target(rdataset, qname,
++ result = dname_target(rdataset, dqname,
+ nlabels, &fdname);
+ if (result == ISC_R_NOSPACE) {
+ /*
+@@ -7018,10 +7036,13 @@ answer_response(fetchctx_t *fctx) {
+
+ dname = dns_fixedname_name(&fdname);
+ if (!is_answertarget_allowed(view,
+- qname, rdataset->type,
+- dname, &fctx->domain)) {
++ dqname, rdataset->type,
++ dname, &fctx->domain))
++ {
+ return (DNS_R_SERVFAIL);
+ }
++ dqname = dns_fixedname_name(&fqdname);
++ dns_name_copy(dname, dqname, NULL);
+ } else {
+ /*
+ * We've found a signature that
+@@ -7046,6 +7067,10 @@ answer_response(fetchctx_t *fctx) {
+ INSIST(!external);
+ if (aflag == DNS_RDATASETATTR_ANSWER) {
+ have_answer = ISC_TRUE;
++ found_dname = ISC_TRUE;
++ if (cname != NULL)
++ cname->attributes &=
++ ~DNS_NAMEATTR_ANSWER;
+ name->attributes |=
+ DNS_NAMEATTR_ANSWER;
+ }
+--
+2.7.4
+
diff --git a/import-layers/yocto-poky/meta/recipes-connectivity/bind/bind_9.10.3-P3.bb b/import-layers/yocto-poky/meta/recipes-connectivity/bind/bind_9.10.3-P3.bb
index 4e2e856..8160625 100644
--- a/import-layers/yocto-poky/meta/recipes-connectivity/bind/bind_9.10.3-P3.bb
+++ b/import-layers/yocto-poky/meta/recipes-connectivity/bind/bind_9.10.3-P3.bb
@@ -27,6 +27,8 @@
file://CVE-2016-2088.patch \
file://CVE-2016-2775.patch \
file://CVE-2016-2776.patch \
+ file://CVE-2016-8864.patch \
+ file://CVE-2016-6170.patch \
"
SRC_URI[md5sum] = "bcf7e772b616f7259420a3edc5df350a"
diff --git a/import-layers/yocto-poky/meta/recipes-connectivity/connman/connman/0003-stats-Fix-bad-file-descriptor-initialisation.patch b/import-layers/yocto-poky/meta/recipes-connectivity/connman/connman/0003-stats-Fix-bad-file-descriptor-initialisation.patch
new file mode 100644
index 0000000..c545811
--- /dev/null
+++ b/import-layers/yocto-poky/meta/recipes-connectivity/connman/connman/0003-stats-Fix-bad-file-descriptor-initialisation.patch
@@ -0,0 +1,102 @@
+From c7f4151fb053b0d0691d8f10d7e3690265d28889 Mon Sep 17 00:00:00 2001
+From: Lukasz Nowak <lnowak@tycoint.com>
+Date: Wed, 26 Oct 2016 18:13:02 +0100
+Subject: [PATCH] stats: Fix bad file descriptor initialisation
+
+Stats file code initialises its file descriptor field to 0. But 0 is
+a valid fd value. -1 should be used instead. This causes problems
+when an error happens before a stats file is open (e.g. mkdir
+fails). The clean-up procedure, stats_free() calls close(fd). When fd
+is 0, this first closes stdin, and then any files/sockets which
+received fd=0, re-used by the OS.
+
+Fixed several instances of bad file descriptor field handling, in case
+of errors.
+
+The bug results with connman freezing if there is no read/write storage
+directory available, and there are multiple active interfaces
+(fd=0 gets re-used for sockets in that case).
+
+The patch was imported from the Connman git repository
+(git://git.kernel.org/pub/scm/network/connman) as of commit id
+c7f4151fb053b0d0691d8f10d7e3690265d28889.
+
+Upstream-Status: Accepted
+Signed-off-by: Lukasz Nowak <lnowak@tycoint.com>
+---
+ src/stats.c | 15 +++++++++++++++
+ src/util.c | 4 ++--
+ 2 files changed, 17 insertions(+), 2 deletions(-)
+
+diff --git a/src/stats.c b/src/stats.c
+index 26343b1..c3ca738 100644
+--- a/src/stats.c
++++ b/src/stats.c
+@@ -378,6 +378,7 @@ static int stats_file_setup(struct stats_file *file)
+ strerror(errno), file->name);
+
+ TFR(close(file->fd));
++ file->fd = -1;
+ g_free(file->name);
+ file->name = NULL;
+
+@@ -393,6 +394,7 @@ static int stats_file_setup(struct stats_file *file)
+ err = stats_file_remap(file, size);
+ if (err < 0) {
+ TFR(close(file->fd));
++ file->fd = -1;
+ g_free(file->name);
+ file->name = NULL;
+
+@@ -649,6 +651,13 @@ static int stats_file_history_update(struct stats_file *data_file)
+ bzero(history_file, sizeof(struct stats_file));
+ bzero(temp_file, sizeof(struct stats_file));
+
++ /*
++ * 0 is a valid file descriptor - fd needs to be initialized
++ * to -1 to handle errors correctly
++ */
++ history_file->fd = -1;
++ temp_file->fd = -1;
++
+ err = stats_open(history_file, data_file->history_name);
+ if (err < 0)
+ return err;
+@@ -682,6 +691,12 @@ int __connman_stats_service_register(struct connman_service *service)
+ if (!file)
+ return -ENOMEM;
+
++ /*
++ * 0 is a valid file descriptor - fd needs to be initialized
++ * to -1 to handle errors correctly
++ */
++ file->fd = -1;
++
+ g_hash_table_insert(stats_hash, service, file);
+ } else {
+ return -EALREADY;
+diff --git a/src/util.c b/src/util.c
+index e6532c8..732d451 100644
+--- a/src/util.c
++++ b/src/util.c
+@@ -63,7 +63,7 @@ int __connman_util_init(void)
+ {
+ int r = 0;
+
+- if (f > 0)
++ if (f >= 0)
+ return 0;
+
+ f = open(URANDOM, O_RDONLY);
+@@ -86,7 +86,7 @@ int __connman_util_init(void)
+
+ void __connman_util_cleanup(void)
+ {
+- if (f > 0)
++ if (f >= 0)
+ close(f);
+
+ f = -1;
+--
+2.7.4
+
diff --git a/import-layers/yocto-poky/meta/recipes-connectivity/connman/connman/CVE-2017-12865.patch b/import-layers/yocto-poky/meta/recipes-connectivity/connman/connman/CVE-2017-12865.patch
new file mode 100644
index 0000000..45f78f1
--- /dev/null
+++ b/import-layers/yocto-poky/meta/recipes-connectivity/connman/connman/CVE-2017-12865.patch
@@ -0,0 +1,87 @@
+From 5c281d182ecdd0a424b64f7698f32467f8f67b71 Mon Sep 17 00:00:00 2001
+From: Jukka Rissanen <jukka.rissanen@linux.intel.com>
+Date: Wed, 9 Aug 2017 10:16:46 +0300
+Subject: dnsproxy: Fix crash on malformed DNS response
+
+If the response query string is malformed, we might access memory
+pass the end of "name" variable in parse_response().
+
+CVE: CVE-2017-12865
+Upstream-Status: Backport [https://git.kernel.org/pub/scm/network/connman/connman.git/patch/?id=5c281d182ecdd0a424b64f7698f32467f8f67b71]
+
+Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
+---
+ src/dnsproxy.c | 16 ++++++++++------
+ 1 file changed, 10 insertions(+), 6 deletions(-)
+
+diff --git a/src/dnsproxy.c b/src/dnsproxy.c
+index 38ac5bf..40b4f15 100644
+--- a/src/dnsproxy.c
++++ b/src/dnsproxy.c
+@@ -838,7 +838,7 @@ static struct cache_entry *cache_check(gpointer request, int *qtype, int proto)
+ static int get_name(int counter,
+ unsigned char *pkt, unsigned char *start, unsigned char *max,
+ unsigned char *output, int output_max, int *output_len,
+- unsigned char **end, char *name, int *name_len)
++ unsigned char **end, char *name, size_t max_name, int *name_len)
+ {
+ unsigned char *p;
+
+@@ -859,7 +859,7 @@ static int get_name(int counter,
+
+ return get_name(counter + 1, pkt, pkt + offset, max,
+ output, output_max, output_len, end,
+- name, name_len);
++ name, max_name, name_len);
+ } else {
+ unsigned label_len = *p;
+
+@@ -869,6 +869,9 @@ static int get_name(int counter,
+ if (*output_len > output_max)
+ return -ENOBUFS;
+
++ if ((*name_len + 1 + label_len + 1) > max_name)
++ return -ENOBUFS;
++
+ /*
+ * We need the original name in order to check
+ * if this answer is the correct one.
+@@ -900,14 +903,14 @@ static int parse_rr(unsigned char *buf, unsigned char *start,
+ unsigned char *response, unsigned int *response_size,
+ uint16_t *type, uint16_t *class, int *ttl, int *rdlen,
+ unsigned char **end,
+- char *name)
++ char *name, size_t max_name)
+ {
+ struct domain_rr *rr;
+ int err, offset;
+ int name_len = 0, output_len = 0, max_rsp = *response_size;
+
+ err = get_name(0, buf, start, max, response, max_rsp,
+- &output_len, end, name, &name_len);
++ &output_len, end, name, max_name, &name_len);
+ if (err < 0)
+ return err;
+
+@@ -1033,7 +1036,8 @@ static int parse_response(unsigned char *buf, int buflen,
+ memset(rsp, 0, sizeof(rsp));
+
+ ret = parse_rr(buf, ptr, buf + buflen, rsp, &rsp_len,
+- type, class, ttl, &rdlen, &next, name);
++ type, class, ttl, &rdlen, &next, name,
++ sizeof(name) - 1);
+ if (ret != 0) {
+ err = ret;
+ goto out;
+@@ -1099,7 +1103,7 @@ static int parse_response(unsigned char *buf, int buflen,
+ */
+ ret = get_name(0, buf, next - rdlen, buf + buflen,
+ rsp, rsp_len, &output_len, &end,
+- name, &name_len);
++ name, sizeof(name) - 1, &name_len);
+ if (ret != 0) {
+ /* just ignore the error at this point */
+ ptr = next;
+--
+cgit v1.1
+
diff --git a/import-layers/yocto-poky/meta/recipes-connectivity/connman/connman_1.33.bb b/import-layers/yocto-poky/meta/recipes-connectivity/connman/connman_1.33.bb
index 6ea1a08..d8793ac 100644
--- a/import-layers/yocto-poky/meta/recipes-connectivity/connman/connman_1.33.bb
+++ b/import-layers/yocto-poky/meta/recipes-connectivity/connman/connman_1.33.bb
@@ -5,6 +5,8 @@
file://connman \
file://no-version-scripts.patch \
file://includes.patch \
+ file://0003-stats-Fix-bad-file-descriptor-initialisation.patch \
+ file://CVE-2017-12865.patch \
"
SRC_URI_append_libc-musl = " file://0002-resolve-musl-does-not-implement-res_ninit.patch"
diff --git a/import-layers/yocto-poky/meta/recipes-connectivity/nfs-utils/nfs-utils/fix-protocol-minor-version-fall-back.patch b/import-layers/yocto-poky/meta/recipes-connectivity/nfs-utils/nfs-utils/fix-protocol-minor-version-fall-back.patch
new file mode 100644
index 0000000..683246c
--- /dev/null
+++ b/import-layers/yocto-poky/meta/recipes-connectivity/nfs-utils/nfs-utils/fix-protocol-minor-version-fall-back.patch
@@ -0,0 +1,55 @@
+From 78bb645a42c216b37b8d930c7c849a3fa89babf8 Mon Sep 17 00:00:00 2001
+From: Takashi Iwai <tiwai@suse.com>
+Date: Sat, 16 Jan 2016 12:02:30 -0500
+Subject: [PATCH] Fix protocol minor version fall-back
+
+mount.nfs currently expects mount(2) to fail with EPROTONOSUPPORT if
+the kernel doesn't understand the requested NFS version.
+
+Unfortunately if the requested minor is not known to the kernel
+it returns -EINVAL.
+In kernels since 3.11 this can happen in nfs4_alloc_client(), if
+compiled without NFS_V4_2.
+
+More generally it can happen in in nfs_validate_text_mount_data()
+when nfs_parse_mount_options() returns 0 because
+nfs_parse_version_string()
+didn't recognise the version.
+
+EPROTONOSUPPORT is only returned if NFSv4 support is completely compiled
+out.
+
+So nfs_autonegotiate needs to check for EINVAL as well as
+EPROTONOSUPPORT.
+
+URL: https://bugzilla.opensuse.org/show_bug.cgi?id=959211
+Reported-by: Takashi Iwai <tiwai@suse.com>
+Signed-off-by: NeilBrown <neilb@suse.com>
+Signed-off-by: Steve Dickson <steved@redhat.com>
+
+
+Upstream-Status: Backport
+http://git.linux-nfs.org/?p=steved/nfs-utils.git;a=patch;h=78bb645a42c216b37b8d930c7c849a3fa89babf8
+
+Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
+---
+ utils/mount/stropts.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/utils/mount/stropts.c b/utils/mount/stropts.c
+index c8f5a6d..86829a9 100644
+--- a/utils/mount/stropts.c
++++ b/utils/mount/stropts.c
+@@ -841,6 +841,9 @@ check_result:
+ case EPROTONOSUPPORT:
+ /* A clear indication that the server or our
+ * client does not support NFS version 4 and minor */
++ case EINVAL:
++ /* A less clear indication that our client
++ * does not support NFSv4 minor version. */
+ if (mi->version.v_mode == V_GENERAL &&
+ mi->version.minor == 0)
+ return result;
+--
+2.7.4
+
diff --git a/import-layers/yocto-poky/meta/recipes-connectivity/nfs-utils/nfs-utils_1.3.3.bb b/import-layers/yocto-poky/meta/recipes-connectivity/nfs-utils/nfs-utils_1.3.3.bb
index 8540503..a2bebe0 100644
--- a/import-layers/yocto-poky/meta/recipes-connectivity/nfs-utils/nfs-utils_1.3.3.bb
+++ b/import-layers/yocto-poky/meta/recipes-connectivity/nfs-utils/nfs-utils_1.3.3.bb
@@ -33,6 +33,7 @@
file://nfs-utils-debianize-start-statd.patch \
file://0001-nfs-utils-statd-fix-a-segfault-caused-by-improper-us.patch \
file://bugfix-adjust-statd-service-name.patch \
+ file://fix-protocol-minor-version-fall-back.patch \
"
SRC_URI[md5sum] = "cd6b568c2e9301cc3bfac09d87fbbc0b"
diff --git a/import-layers/yocto-poky/meta/recipes-connectivity/openssh/openssh/fix-CVE-2016-8858.patch b/import-layers/yocto-poky/meta/recipes-connectivity/openssh/openssh/fix-CVE-2016-8858.patch
new file mode 100644
index 0000000..b26ee81
--- /dev/null
+++ b/import-layers/yocto-poky/meta/recipes-connectivity/openssh/openssh/fix-CVE-2016-8858.patch
@@ -0,0 +1,39 @@
+Fix CVE-2016-8858 of openssh
+
+Backport patch from upstream and drop the change of comment which can NOT be applied.
+
+Upstream-Status: Backport [ https://anongit.mindrot.org/openssh.git/commit/?id=ec165c3 ]
+CVE: CVE-2016-8858
+
+Signed-off-by: Kai Kang <kai.kang@windriver.com>
+---
+From ec165c392ca54317dbe3064a8c200de6531e89ad Mon Sep 17 00:00:00 2001
+From: "markus@openbsd.org" <markus@openbsd.org>
+Date: Mon, 10 Oct 2016 19:28:48 +0000
+Subject: [PATCH] upstream commit
+
+Unregister the KEXINIT handler after message has been
+received. Otherwise an unauthenticated peer can repeat the KEXINIT and cause
+allocation of up to 128MB -- until the connection is closed. Reported by
+shilei-c at 360.cn
+
+Upstream-ID: 43649ae12a27ef94290db16d1a98294588b75c05
+---
+ kex.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/kex.c b/kex.c
+index 3f97f8c..6a94bc5 100644
+--- a/kex.c
++++ b/kex.c
+@@ -481,6 +481,7 @@ kex_input_kexinit(int type, u_int32_t seq, void *ctxt)
+ if (kex == NULL)
+ return SSH_ERR_INVALID_ARGUMENT;
+
++ ssh_dispatch_set(ssh, SSH2_MSG_KEXINIT, NULL);
+ ptr = sshpkt_ptr(ssh, &dlen);
+ if ((r = sshbuf_put(kex->peer, ptr, dlen)) != 0)
+ return r;
+--
+2.10.1
+
diff --git a/import-layers/yocto-poky/meta/recipes-connectivity/openssh/openssh_7.3p1.bb b/import-layers/yocto-poky/meta/recipes-connectivity/openssh/openssh_7.3p1.bb
index 039b0ff..94eb0ed 100644
--- a/import-layers/yocto-poky/meta/recipes-connectivity/openssh/openssh_7.3p1.bb
+++ b/import-layers/yocto-poky/meta/recipes-connectivity/openssh/openssh_7.3p1.bb
@@ -25,6 +25,7 @@
file://openssh-7.1p1-conditional-compile-des-in-cipher.patch \
file://openssh-7.1p1-conditional-compile-des-in-pkcs11.patch \
file://fix-potential-signed-overflow-in-pointer-arithmatic.patch \
+ file://fix-CVE-2016-8858.patch \
"
PAM_SRC_URI = "file://sshd"
diff --git a/import-layers/yocto-poky/meta/recipes-connectivity/openssl/openssl.inc b/import-layers/yocto-poky/meta/recipes-connectivity/openssl/openssl.inc
index f3a2c5a..2ef8b38 100644
--- a/import-layers/yocto-poky/meta/recipes-connectivity/openssl/openssl.inc
+++ b/import-layers/yocto-poky/meta/recipes-connectivity/openssl/openssl.inc
@@ -107,18 +107,24 @@
linux-gnu64-x86_64)
target=linux-x86_64
;;
- linux-mips)
- target=debian-mips
+ linux-gnun32-mips*el)
+ target=debian-mipsn32el
;;
- linux-mipsel)
+ linux-gnun32-mips*)
+ target=debian-mipsn32
+ ;;
+ linux-mips*64*el)
+ target=debian-mips64el
+ ;;
+ linux-mips*64*)
+ target=debian-mips64
+ ;;
+ linux-mips*el)
target=debian-mipsel
;;
- linux-*-mips64 | linux-mips64)
- target=debian-mips64
- ;;
- linux-*-mips64el | linux-mips64el)
- target=debian-mips64el
- ;;
+ linux-mips*)
+ target=debian-mips
+ ;;
linux-microblaze*|linux-nios2*)
target=linux-generic32
;;
diff --git a/import-layers/yocto-poky/meta/recipes-connectivity/openssl/openssl/0001-CVE-2017-3731.patch b/import-layers/yocto-poky/meta/recipes-connectivity/openssl/openssl/0001-CVE-2017-3731.patch
new file mode 100644
index 0000000..04ef526
--- /dev/null
+++ b/import-layers/yocto-poky/meta/recipes-connectivity/openssl/openssl/0001-CVE-2017-3731.patch
@@ -0,0 +1,46 @@
+From 0cde9a9645c949fd0acf657dadc747676245cfaf Mon Sep 17 00:00:00 2001
+From: Alexandru Moise <alexandru.moise@windriver.com>
+Date: Tue, 7 Feb 2017 11:13:19 +0200
+Subject: [PATCH 1/2] crypto/evp: harden RC4_MD5 cipher.
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Originally a crash in 32-bit build was reported CHACHA20-POLY1305
+cipher. The crash is triggered by truncated packet and is result
+of excessive hashing to the edge of accessible memory (or bogus
+MAC value is produced if x86 MD5 assembly module is involved). Since
+hash operation is read-only it is not considered to be exploitable
+beyond a DoS condition.
+
+Thanks to Robert Święcki for report.
+
+CVE-2017-3731
+
+Backported from upstream commit:
+8e20499629b6bcf868d0072c7011e590b5c2294d
+
+Upstream-Status: Backport
+
+Reviewed-by: Rich Salz <rsalz@openssl.org>
+Signed-off-by: Alexandru Moise <alexandru.moise@windriver.com>
+---
+ crypto/evp/e_rc4_hmac_md5.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/crypto/evp/e_rc4_hmac_md5.c b/crypto/evp/e_rc4_hmac_md5.c
+index 5e92855..3293419 100644
+--- a/crypto/evp/e_rc4_hmac_md5.c
++++ b/crypto/evp/e_rc4_hmac_md5.c
+@@ -269,6 +269,8 @@ static int rc4_hmac_md5_ctrl(EVP_CIPHER_CTX *ctx, int type, int arg,
+ len = p[arg - 2] << 8 | p[arg - 1];
+
+ if (!ctx->encrypt) {
++ if (len < MD5_DIGEST_LENGTH)
++ return -1;
+ len -= MD5_DIGEST_LENGTH;
+ p[arg - 2] = len >> 8;
+ p[arg - 1] = len;
+--
+2.10.2
+
diff --git a/import-layers/yocto-poky/meta/recipes-connectivity/openssl/openssl/0002-CVE-2017-3731.patch b/import-layers/yocto-poky/meta/recipes-connectivity/openssl/openssl/0002-CVE-2017-3731.patch
new file mode 100644
index 0000000..b56b2d5
--- /dev/null
+++ b/import-layers/yocto-poky/meta/recipes-connectivity/openssl/openssl/0002-CVE-2017-3731.patch
@@ -0,0 +1,53 @@
+From 6427f1accc54b515bb899370f1a662bfcb1caa52 Mon Sep 17 00:00:00 2001
+From: Alexandru Moise <alexandru.moise@windriver.com>
+Date: Tue, 7 Feb 2017 11:16:13 +0200
+Subject: [PATCH 2/2] crypto/evp: harden AEAD ciphers.
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Originally a crash in 32-bit build was reported CHACHA20-POLY1305
+cipher. The crash is triggered by truncated packet and is result
+of excessive hashing to the edge of accessible memory. Since hash
+operation is read-only it is not considered to be exploitable
+beyond a DoS condition. Other ciphers were hardened.
+
+Thanks to Robert Święcki for report.
+
+CVE-2017-3731
+
+Backported from upstream commit:
+2198b3a55de681e1f3c23edb0586afe13f438051
+
+Upstream-Status: Backport
+
+Reviewed-by: Rich Salz <rsalz@openssl.org>
+Signed-off-by: Alexandru Moise <alexandru.moise@windriver.com>
+---
+ crypto/evp/e_aes.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/crypto/evp/e_aes.c b/crypto/evp/e_aes.c
+index 1734a82..16dcd10 100644
+--- a/crypto/evp/e_aes.c
++++ b/crypto/evp/e_aes.c
+@@ -1235,10 +1235,15 @@ static int aes_gcm_ctrl(EVP_CIPHER_CTX *c, int type, int arg, void *ptr)
+ {
+ unsigned int len = c->buf[arg - 2] << 8 | c->buf[arg - 1];
+ /* Correct length for explicit IV */
++ if (len < EVP_GCM_TLS_EXPLICIT_IV_LEN)
++ return 0;
+ len -= EVP_GCM_TLS_EXPLICIT_IV_LEN;
+ /* If decrypting correct for tag too */
+- if (!c->encrypt)
++ if (!c->encrypt) {
++ if (len < EVP_GCM_TLS_TAG_LEN)
++ return 0;
+ len -= EVP_GCM_TLS_TAG_LEN;
++ }
+ c->buf[arg - 2] = len >> 8;
+ c->buf[arg - 1] = len & 0xff;
+ }
+--
+2.10.2
+
diff --git a/import-layers/yocto-poky/meta/recipes-connectivity/openssl/openssl/CVE-2016-7055.patch b/import-layers/yocto-poky/meta/recipes-connectivity/openssl/openssl/CVE-2016-7055.patch
new file mode 100644
index 0000000..83a74cd
--- /dev/null
+++ b/import-layers/yocto-poky/meta/recipes-connectivity/openssl/openssl/CVE-2016-7055.patch
@@ -0,0 +1,43 @@
+From 57c4b9f6a2f800b41ce2836986fe33640f6c3f8a Mon Sep 17 00:00:00 2001
+From: Andy Polyakov <appro@openssl.org>
+Date: Sun, 6 Nov 2016 18:33:17 +0100
+Subject: [PATCH] bn/asm/x86_64-mont.pl: fix for CVE-2016-7055 (Low severity).
+
+Reviewed-by: Rich Salz <rsalz@openssl.org>
+(cherry picked from commit 2fac86d9abeaa643677d1ffd0a139239fdf9406a)
+
+Upstream-Status: Backport [https://github.com/openssl/openssl/commit/57c4b9f6a2f800b41ce2836986fe33640f6c3f8a]
+CVE: CVE-2016-7055
+Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
+---
+ crypto/bn/asm/x86_64-mont.pl | 5 ++---
+ 1 file changed, 2 insertions(+), 3 deletions(-)
+
+diff --git a/crypto/bn/asm/x86_64-mont.pl b/crypto/bn/asm/x86_64-mont.pl
+index 044fd7e..80492d8 100755
+--- a/crypto/bn/asm/x86_64-mont.pl
++++ b/crypto/bn/asm/x86_64-mont.pl
+@@ -1148,18 +1148,17 @@ $code.=<<___;
+ mulx 2*8($aptr),%r15,%r13 # ...
+ adox -3*8($tptr),%r11
+ adcx %r15,%r12
+- adox $zero,%r12
++ adox -2*8($tptr),%r12
+ adcx $zero,%r13
++ adox $zero,%r13
+
+ mov $bptr,8(%rsp) # off-load &b[i]
+- .byte 0x67
+ mov $mi,%r15
+ imulq 24(%rsp),$mi # "t[0]"*n0
+ xor %ebp,%ebp # xor $zero,$zero # cf=0, of=0
+
+ mulx 3*8($aptr),%rax,%r14
+ mov $mi,%rdx
+- adox -2*8($tptr),%r12
+ adcx %rax,%r13
+ adox -1*8($tptr),%r13
+ adcx $zero,%r14
+--
+2.7.4
+
diff --git a/import-layers/yocto-poky/meta/recipes-connectivity/openssl/openssl/Use-SHA256-not-MD5-as-default-digest.patch b/import-layers/yocto-poky/meta/recipes-connectivity/openssl/openssl/Use-SHA256-not-MD5-as-default-digest.patch
new file mode 100644
index 0000000..58c9ee7
--- /dev/null
+++ b/import-layers/yocto-poky/meta/recipes-connectivity/openssl/openssl/Use-SHA256-not-MD5-as-default-digest.patch
@@ -0,0 +1,69 @@
+From d795f5f20a29adecf92c09459a3ee07ffac01a99 Mon Sep 17 00:00:00 2001
+From: Rich Salz <rsalz@akamai.com>
+Date: Sat, 13 Jun 2015 17:03:39 -0400
+Subject: [PATCH] Use SHA256 not MD5 as default digest.
+
+Commit f8547f62c212837dbf44fb7e2755e5774a59a57b upstream.
+
+Upstream-Status: Backport
+Backport from OpenSSL 2.0 to OpenSSL 1.0.2
+Commit f8547f62c212837dbf44fb7e2755e5774a59a57b
+
+CVE: CVE-2004-2761
+
+ The MD5 Message-Digest Algorithm is not collision resistant,
+ which makes it easier for context-dependent attackers to
+ conduct spoofing attacks, as demonstrated by attacks on the
+ use of MD5 in the signature algorithm of an X.509 certificate.
+
+Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
+Signed-off-by: Zhang Xiao <xiao.zhang@windriver.com>
+Signed-off-by: T.O. Radzy Radzykewycz <radzy@windriver.com>
+---
+ apps/ca.c | 2 +-
+ apps/dgst.c | 2 +-
+ apps/enc.c | 2 +-
+ 3 files changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/apps/ca.c b/apps/ca.c
+index 3b7336c..8f3a84b 100644
+--- a/apps/ca.c
++++ b/apps/ca.c
+@@ -1612,7 +1612,7 @@ static int certify_cert(X509 **xret, char *infile, EVP_PKEY *pkey, X509 *x509,
+ } else
+ BIO_printf(bio_err, "Signature ok\n");
+
+- if ((rreq = X509_to_X509_REQ(req, NULL, EVP_md5())) == NULL)
++ if ((rreq = X509_to_X509_REQ(req, NULL, NULL)) == NULL)
+ goto err;
+
+ ok = do_body(xret, pkey, x509, dgst, sigopts, policy, db, serial, subj,
+diff --git a/apps/dgst.c b/apps/dgst.c
+index 95e5fa3..0d1529f 100644
+--- a/apps/dgst.c
++++ b/apps/dgst.c
+@@ -442,7 +442,7 @@ int MAIN(int argc, char **argv)
+ goto end;
+ }
+ if (md == NULL)
+- md = EVP_md5();
++ md = EVP_sha256();
+ if (!EVP_DigestInit_ex(mctx, md, impl)) {
+ BIO_printf(bio_err, "Error setting digest %s\n", pname);
+ ERR_print_errors(bio_err);
+diff --git a/apps/enc.c b/apps/enc.c
+index 7b7c70b..a7d944c 100644
+--- a/apps/enc.c
++++ b/apps/enc.c
+@@ -344,7 +344,7 @@ int MAIN(int argc, char **argv)
+ }
+
+ if (dgst == NULL) {
+- dgst = EVP_md5();
++ dgst = EVP_sha256();
+ }
+
+ if (bufsize != NULL) {
+--
+1.9.1
+
diff --git a/import-layers/yocto-poky/meta/recipes-connectivity/openssl/openssl/openssl-c_rehash.sh b/import-layers/yocto-poky/meta/recipes-connectivity/openssl/openssl/openssl-c_rehash.sh
index f67f415..6620fdc 100644
--- a/import-layers/yocto-poky/meta/recipes-connectivity/openssl/openssl/openssl-c_rehash.sh
+++ b/import-layers/yocto-poky/meta/recipes-connectivity/openssl/openssl/openssl-c_rehash.sh
@@ -114,11 +114,11 @@
LINKFILE=${HASH}.${TAG}${SUFFIX}
done
- echo "${1} => ${LINKFILE}"
+ echo "${3} => ${LINKFILE}"
# assume any system with a POSIX shell will either support symlinks or
# do something to handle this gracefully
- ln -s ${1} ${LINKFILE}
+ ln -s ${3} ${LINKFILE}
return 0
}
@@ -142,7 +142,19 @@
ls -1 *.pem *.cer *.crt *.crl 2>/dev/null | while read FILE
do
- check_file ${FILE}
+ REAL_FILE=${FILE}
+ # if we run on build host then get to the real files in rootfs
+ if [ -n "${SYSROOT}" -a -h ${FILE} ]
+ then
+ FILE=$( readlink ${FILE} )
+ # check the symlink is absolute (or dangling in other word)
+ if [ "x/" = "x$( echo ${FILE} | cut -c1 -)" ]
+ then
+ REAL_FILE=${SYSROOT}/${FILE}
+ fi
+ fi
+
+ check_file ${REAL_FILE}
local FILE_TYPE=${?}
local TYPE_STR=''
@@ -157,7 +169,7 @@
continue
fi
- link_hash ${FILE} ${TYPE_STR}
+ link_hash ${REAL_FILE} ${TYPE_STR} ${FILE}
done
}
diff --git a/import-layers/yocto-poky/meta/recipes-connectivity/openssl/openssl_1.0.2j.bb b/import-layers/yocto-poky/meta/recipes-connectivity/openssl/openssl_1.0.2j.bb
index 257e3cf..b6fb126 100644
--- a/import-layers/yocto-poky/meta/recipes-connectivity/openssl/openssl_1.0.2j.bb
+++ b/import-layers/yocto-poky/meta/recipes-connectivity/openssl/openssl_1.0.2j.bb
@@ -5,6 +5,7 @@
DEPENDS += "cryptodev-linux"
CFLAG += "-DHAVE_CRYPTODEV -DUSE_CRYPTODEV_DIGESTS"
+CFLAG_append_class-native = " -fPIC"
LIC_FILES_CHKSUM = "file://LICENSE;md5=27ffa5d74bb5a337056c14b2ef93fbf6"
@@ -40,6 +41,9 @@
file://configure-musl-target.patch \
file://parallel.patch \
file://openssl-util-perlpath.pl-cwd.patch \
+ file://CVE-2016-7055.patch \
+ file://0001-CVE-2017-3731.patch \
+ file://0002-CVE-2017-3731.patch \
"
SRC_URI[md5sum] = "96322138f0b69e61b7212bc53d5e912b"
SRC_URI[sha256sum] = "e7aff292be21c259c6af26469c7a9b3ba26e9abaaffd325e3dccc9785256c431"