diff -up bind-9.3.6-P1/bin/named/config.c.CVE-2014-8500 bind-9.3.6-P1/bin/named/config.c --- bind-9.3.6-P1/bin/named/config.c.CVE-2014-8500 2014-12-10 13:32:18.753869797 +0100 +++ bind-9.3.6-P1/bin/named/config.c 2014-12-10 13:32:18.956870266 +0100 @@ -76,6 +76,8 @@ options {\n\ #endif "\ recursive-clients 1000;\n\ + max-recursion-depth 7;\n\ + max-recursion-queries 50;\n\ rrset-order {order cyclic;};\n\ serial-queries 20;\n\ serial-query-rate 20;\n\ diff -up bind-9.3.6-P1/bin/named/query.c.CVE-2014-8500 bind-9.3.6-P1/bin/named/query.c --- bind-9.3.6-P1/bin/named/query.c.CVE-2014-8500 2014-12-10 13:32:18.803869913 +0100 +++ bind-9.3.6-P1/bin/named/query.c 2014-12-10 13:32:18.957870269 +0100 @@ -2159,10 +2159,11 @@ query_recurse(ns_client_t *client, dns_r if (client->query.timerset == ISC_FALSE) ns_client_settimeout(client, 60); - result = dns_resolver_createfetch(client->view->resolver, + result = dns_resolver_createfetch3(client->view->resolver, client->query.qname, qtype, qdomain, nameservers, NULL, client->query.fetchoptions, + 0, NULL, client->task, query_resume, client, rdataset, sigrdataset, diff -up bind-9.3.6-P1/bin/named/server.c.CVE-2014-8500 bind-9.3.6-P1/bin/named/server.c --- bind-9.3.6-P1/bin/named/server.c.CVE-2014-8500 2014-12-10 13:32:18.832869980 +0100 +++ bind-9.3.6-P1/bin/named/server.c 2014-12-10 13:32:18.958870271 +0100 @@ -1324,6 +1324,16 @@ configure_view(dns_view_t *view, const c view->enableedns = cfg_obj_asboolean(obj); obj = NULL; + result = ns_config_get(maps, "max-recursion-depth", &obj); + INSIST(result == ISC_R_SUCCESS); + dns_resolver_setmaxdepth(view->resolver, cfg_obj_asuint32(obj)); + + obj = NULL; + result = ns_config_get(maps, "max-recursion-queries", &obj); + INSIST(result == ISC_R_SUCCESS); + dns_resolver_setmaxqueries(view->resolver, cfg_obj_asuint32(obj)); + + obj = NULL; result = ns_config_get(maps, "dnssec-enable", &obj); INSIST(result == ISC_R_SUCCESS); view->enablednssec = cfg_obj_asboolean(obj); diff -up bind-9.3.6-P1/doc/arm/Bv9ARM-book.xml.CVE-2014-8500 bind-9.3.6-P1/doc/arm/Bv9ARM-book.xml --- bind-9.3.6-P1/doc/arm/Bv9ARM-book.xml.CVE-2014-8500 2008-09-28 01:50:37.000000000 +0200 +++ bind-9.3.6-P1/doc/arm/Bv9ARM-book.xml 2014-12-10 13:32:18.959870273 +0100 @@ -2957,6 +2957,8 @@ statement in the <filename>named.conf</f <optional> additional-from-cache <replaceable>yes_or_no</replaceable> ; </optional> <optional> random-device <replaceable>path_name</replaceable> ; </optional> <optional> max-cache-size <replaceable>size_spec</replaceable> ; </optional> + <optional> max-recursion-depth <replaceable>number</replaceable> ; </optional> + <optional> max-recursion-queries <replaceable>number</replaceable> ; </optional> <optional> match-mapped-addresses <replaceable>yes_or_no</replaceable>; </optional> <optional> preferred-glue ( <replaceable>A</replaceable> | <replaceable>AAAA</replaceable> | <replaceable>NONE</replaceable> ); </optional> <optional> edns-udp-size <replaceable>number</replaceable>; </optional> @@ -4250,6 +4252,35 @@ The default is 0. </para> </listitem></varlistentry> + <varlistentry id="max-recursion-depth"> + <term><command>max-recursion-depth</command></term> + <listitem> + <para> + Sets the maximum number of levels of recursion + that are permitted at any one time while servicing + a recursive query. Resolving a name may require + looking up a name server address, which in turn + requires resolving another name, etc; if the number + of indirections exceeds this value, the recursive + query is terminated and returns SERVFAIL. The + default is 7. + </para> + </listitem> + </varlistentry> + + <varlistentry id="max-recursion-queries"> + <term><command>max-recursion-queries</command></term> + <listitem> + <para> + Sets the maximum number of iterative queries that + may be sent while servicing a recursive query. + If more queries are sent, the recursive query + is terminated and returns SERVFAIL. The default + is 50. + </para> + </listitem> + </varlistentry> + <varlistentry><term><command>tcp-listen-queue</command></term> <listitem><para>The listen queue depth. The default and minimum is 3. If the kernel supports the accept filter "dataready" this also controls how diff -up bind-9.3.6-P1/lib/dns/adb.c.CVE-2014-8500 bind-9.3.6-P1/lib/dns/adb.c --- bind-9.3.6-P1/lib/dns/adb.c.CVE-2014-8500 2008-10-17 05:34:53.000000000 +0200 +++ bind-9.3.6-P1/lib/dns/adb.c 2014-12-10 13:44:58.750626863 +0100 @@ -198,6 +198,7 @@ struct dns_adbfetch { dns_adbentry_t *entry; dns_fetch_t *fetch; dns_rdataset_t rdataset; + unsigned int depth; }; /* @@ -305,6 +306,7 @@ static void cancel_fetches_at_name(dns_a static isc_result_t dbfind_name(dns_adbname_t *, isc_stdtime_t, dns_rdatatype_t); static isc_result_t fetch_name(dns_adbname_t *, isc_boolean_t, + unsigned int, isc_counter_t *qc, dns_rdatatype_t); static inline void check_exit(dns_adb_t *); static void timer_cleanup(isc_task_t *, isc_event_t *); @@ -2282,6 +2284,19 @@ dns_adb_createfind(dns_adb_t *adb, isc_t unsigned int options, isc_stdtime_t now, dns_name_t *target, in_port_t port, dns_adbfind_t **findp) { + return (dns_adb_createfind2(adb, task, action, arg, name, + zone, options, now, + target, port, 0, NULL, findp)); +} + +isc_result_t +dns_adb_createfind2(dns_adb_t *adb, isc_task_t *task, isc_taskaction_t action, + void *arg, dns_name_t *name, dns_name_t *zone, + unsigned int options, + isc_stdtime_t now, dns_name_t *target, + in_port_t port, unsigned int depth, isc_counter_t *qc, + dns_adbfind_t **findp) +{ dns_adbfind_t *find; dns_adbname_t *adbname; int bucket; @@ -2500,7 +2515,7 @@ dns_adb_createfind(dns_adb_t *adb, isc_t * Start V4. */ if (WANT_INET(wanted_fetches) && - fetch_name(adbname, start_at_zone, + fetch_name(adbname, start_at_zone, depth, qc, dns_rdatatype_a) == ISC_R_SUCCESS) { DP(DEF_LEVEL, "dns_adb_createfind: started A fetch for name %p", @@ -2511,7 +2526,7 @@ dns_adb_createfind(dns_adb_t *adb, isc_t * Start V6. */ if (WANT_INET6(wanted_fetches) && - fetch_name(adbname, start_at_zone, + fetch_name(adbname, start_at_zone, depth, qc, dns_rdatatype_aaaa) == ISC_R_SUCCESS) { DP(DEF_LEVEL, "dns_adb_createfind: " @@ -3236,6 +3251,12 @@ fetch_callback(isc_task_t *task, isc_eve DP(DEF_LEVEL, "adb: fetch of '%s' %s failed: %s", buf, address_type == DNS_ADBFIND_INET ? "A" : "AAAA", dns_result_totext(dev->result)); + /* + * Don't record a failure unless this is the initial + * fetch of a chain. + */ + if (fetch->depth > 1) + goto out; /* XXXMLG Don't pound on bad servers. */ if (address_type == DNS_ADBFIND_INET) { name->expire_v4 = ISC_MIN(name->expire_v4, now + 300); @@ -3271,9 +3292,8 @@ fetch_callback(isc_task_t *task, isc_eve } static isc_result_t -fetch_name(dns_adbname_t *adbname, - isc_boolean_t start_at_zone, - dns_rdatatype_t type) +fetch_name(dns_adbname_t *adbname, isc_boolean_t start_at_zone, + unsigned int depth, isc_counter_t *qc, dns_rdatatype_t type) { isc_result_t result; dns_adbfetch_t *fetch = NULL; @@ -3318,12 +3338,14 @@ fetch_name(dns_adbname_t *adbname, result = ISC_R_NOMEMORY; goto cleanup; } + fetch->depth = depth; - result = dns_resolver_createfetch(adb->view->resolver, &adbname->name, - type, name, nameservers, NULL, - options, adb->task, fetch_callback, - adbname, &fetch->rdataset, NULL, - &fetch->fetch); + result = dns_resolver_createfetch3(adb->view->resolver, &adbname->name, + type, name, nameservers, NULL, + options, depth, qc, + adb->task, fetch_callback, adbname, + &fetch->rdataset, NULL, + &fetch->fetch); if (result != ISC_R_SUCCESS) goto cleanup; diff -up bind-9.3.6-P1/lib/dns/include/dns/adb.h.CVE-2014-8500 bind-9.3.6-P1/lib/dns/include/dns/adb.h --- bind-9.3.6-P1/lib/dns/include/dns/adb.h.CVE-2014-8500 2004-03-06 09:13:50.000000000 +0100 +++ bind-9.3.6-P1/lib/dns/include/dns/adb.h 2014-12-10 13:32:18.960870276 +0100 @@ -301,6 +301,13 @@ dns_adb_createfind(dns_adb_t *adb, isc_t void *arg, dns_name_t *name, dns_name_t *zone, unsigned int options, isc_stdtime_t now, dns_name_t *target, in_port_t port, dns_adbfind_t **find); +isc_result_t +dns_adb_createfind2(dns_adb_t *adb, isc_task_t *task, isc_taskaction_t action, + void *arg, dns_name_t *name, dns_name_t *zone, + unsigned int options, + isc_stdtime_t now, dns_name_t *target, in_port_t port, + unsigned int depth, isc_counter_t *qc, + dns_adbfind_t **find); /* * Main interface for clients. The adb will look up the name given in * "name" and will build up a list of found addresses, and perhaps start diff -up bind-9.3.6-P1/lib/dns/include/dns/resolver.h.CVE-2014-8500 bind-9.3.6-P1/lib/dns/include/dns/resolver.h --- bind-9.3.6-P1/lib/dns/include/dns/resolver.h.CVE-2014-8500 2014-12-10 13:32:18.791869885 +0100 +++ bind-9.3.6-P1/lib/dns/include/dns/resolver.h 2014-12-10 13:32:18.960870276 +0100 @@ -236,6 +236,17 @@ dns_resolver_createfetch(dns_resolver_t dns_rdataset_t *rdataset, dns_rdataset_t *sigrdataset, dns_fetch_t **fetchp); +isc_result_t +dns_resolver_createfetch3(dns_resolver_t *res, dns_name_t *name, + dns_rdatatype_t type, + dns_name_t *domain, dns_rdataset_t *nameservers, + dns_forwarders_t *forwarders, + unsigned int options, unsigned int depth, + isc_counter_t *qc, isc_task_t *task, + isc_taskaction_t action, void *arg, + dns_rdataset_t *rdataset, + dns_rdataset_t *sigrdataset, + dns_fetch_t **fetchp); /* * Recurse to answer a question. * @@ -466,6 +477,30 @@ dns_resolver_printbadcache(dns_resolver_ * * Requires: * resolver to be valid. + */ + +void +dns_resolver_setmaxdepth(dns_resolver_t *resolver, unsigned int maxdepth); +unsigned int +dns_resolver_getmaxdepth(dns_resolver_t *resolver); +/*% + * Get and set how many NS indirections will be followed when looking for + * nameserver addresses. + * + * Requires: + * resolver to be valid. + */ + +void +dns_resolver_setmaxqueries(dns_resolver_t *resolver, unsigned int queries); +unsigned int +dns_resolver_getmaxqueries(dns_resolver_t *resolver); +/*% + * Get and set how many iterative queries will be allowed before + * terminating a recursive query. + * + * Requires: + * resolver to be valid. */ ISC_LANG_ENDDECLS diff -up bind-9.3.6-P1/lib/dns/resolver.c.CVE-2014-8500 bind-9.3.6-P1/lib/dns/resolver.c --- bind-9.3.6-P1/lib/dns/resolver.c.CVE-2014-8500 2014-12-10 13:32:18.947870246 +0100 +++ bind-9.3.6-P1/lib/dns/resolver.c 2014-12-10 13:32:18.962870280 +0100 @@ -19,6 +19,7 @@ #include <config.h> +#include <isc/counter.h> #include <isc/print.h> #include <isc/string.h> #include <isc/task.h> @@ -99,6 +100,16 @@ #define QTRACE(m) #endif +/* The default maximum number of recursions to follow before giving up. */ +#ifndef DEFAULT_RECURSION_DEPTH +#define DEFAULT_RECURSION_DEPTH 7 +#endif + +/* The default maximum number of iterative queries to allow before giving up. */ +#ifndef DEFAULT_MAX_QUERIES +#define DEFAULT_MAX_QUERIES 50 +#endif + /* * Maximum EDNS0 input packet size. */ @@ -194,6 +205,7 @@ struct fetchctx { dns_adb_t * adb; isc_boolean_t ns_ttl_ok; isc_uint32_t ns_ttl; + isc_counter_t * qc; /* * The number of events we're waiting for. @@ -227,6 +239,7 @@ struct fetchctx { * Number of queries that reference this context. */ unsigned int nqueries; + unsigned int depth; }; #define FCTX_MAGIC ISC_MAGIC('F', '!', '!', '!') @@ -332,6 +345,8 @@ struct dns_resolver { isc_rwlock_t mbslock; #endif dns_rbt_t * mustbesecure; + unsigned int maxdepth; + unsigned int maxqueries; /* Locked by lock. */ unsigned int references; isc_boolean_t exiting; @@ -1927,11 +1942,11 @@ findname(fetchctx_t *fctx, dns_name_t *n * See what we know about this address. */ find = NULL; - result = dns_adb_createfind(fctx->adb, + result = dns_adb_createfind2(fctx->adb, res->buckets[fctx->bucketnum].task, fctx_finddone, fctx, name, &fctx->domain, options, now, NULL, - res->view->dstport, &find); + res->view->dstport, fctx->depth + 1, fctx->qc, &find); if (result != ISC_R_SUCCESS) { if (result == DNS_R_ALIAS) { /* @@ -2038,6 +2053,14 @@ fctx_getaddresses(fetchctx_t *fctx, isc_ pruned = ISC_FALSE; stdoptions = 0; /* Keep compiler happy. */ + if (fctx->depth > res->maxdepth) { + isc_log_write(dns_lctx, DNS_LOGCATEGORY_RESOLVER, + DNS_LOGMODULE_RESOLVER, ISC_LOG_DEBUG(3), + "too much NS indirection resolving '%s'", + fctx->info); + return (DNS_R_SERVFAIL); + } + /* * Forwarders. */ @@ -2511,6 +2534,16 @@ fctx_try(fetchctx_t *fctx, isc_boolean_t } } + result = isc_counter_increment(fctx->qc); + if (result != ISC_R_SUCCESS) { + isc_log_write(dns_lctx, DNS_LOGCATEGORY_RESOLVER, + DNS_LOGMODULE_RESOLVER, ISC_LOG_DEBUG(3), + "exceeded max queries resolving '%s'", + fctx->info); + fctx_done(fctx, DNS_R_SERVFAIL); + return; + } + result = fctx_query(fctx, addrinfo, fctx->options); if (result != ISC_R_SUCCESS) fctx_done(fctx, result); @@ -2555,6 +2588,7 @@ fctx_destroy(fetchctx_t *fctx) { isc_mem_put(res->mctx, sa, sizeof(*sa)); } + isc_counter_detach(&fctx->qc); isc_timer_detach(&fctx->timer); dns_message_destroy(&fctx->rmessage); dns_message_destroy(&fctx->qmessage); @@ -2873,7 +2907,8 @@ log_ns_ttl(fetchctx_t *fctx, const char static isc_result_t fctx_create(dns_resolver_t *res, dns_name_t *name, dns_rdatatype_t type, dns_name_t *domain, dns_rdataset_t *nameservers, - unsigned int options, unsigned int bucketnum, fetchctx_t **fctxp) + unsigned int options, unsigned int bucketnum, unsigned int depth, + isc_counter_t *qc, fetchctx_t **fctxp) { fetchctx_t *fctx; isc_result_t result; @@ -2893,6 +2928,17 @@ fctx_create(dns_resolver_t *res, dns_nam fctx = isc_mem_get(res->mctx, sizeof(*fctx)); if (fctx == NULL) return (ISC_R_NOMEMORY); + + fctx->qc = NULL; + if (qc != NULL) { + isc_counter_attach(qc, &fctx->qc); + } else { + result = isc_counter_create(res->mctx, + res->maxqueries, &fctx->qc); + if (result != ISC_R_SUCCESS) + goto cleanup_fetch; + } + dns_name_format(name, buf, sizeof(buf)); dns_rdatatype_format(type, typebuf, sizeof(typebuf)); strcat(buf, "/"); /* checked */ @@ -2900,7 +2946,7 @@ fctx_create(dns_resolver_t *res, dns_nam fctx->info = isc_mem_strdup(res->mctx, buf); if (fctx->info == NULL) { result = ISC_R_NOMEMORY; - goto cleanup_fetch; + goto cleanup_counter; } FCTXTRACE("create"); dns_name_init(&fctx->name, NULL); @@ -2923,6 +2969,7 @@ fctx_create(dns_resolver_t *res, dns_nam fctx->state = fetchstate_init; fctx->want_shutdown = ISC_FALSE; fctx->cloned = ISC_FALSE; + fctx->depth = depth; ISC_LIST_INIT(fctx->queries); ISC_LIST_INIT(fctx->finds); ISC_LIST_INIT(fctx->altfinds); @@ -3102,6 +3149,9 @@ fctx_create(dns_resolver_t *res, dns_nam cleanup_info: isc_mem_free(res->mctx, fctx->info); + cleanup_counter: + isc_counter_detach(&fctx->qc); + cleanup_fetch: isc_mem_put(res->mctx, fctx, sizeof(*fctx)); @@ -6236,6 +6286,8 @@ dns_resolver_create(dns_view_t *view, res->badsweep = 0; res->mustbesecure = NULL; + res->maxdepth = DEFAULT_RECURSION_DEPTH; + res->maxqueries = DEFAULT_MAX_QUERIES; res->nbuckets = ntasks; res->activebuckets = ntasks; res->buckets = isc_mem_get(view->mctx, @@ -6622,6 +6674,24 @@ dns_resolver_createfetch(dns_resolver_t dns_rdataset_t *sigrdataset, dns_fetch_t **fetchp) { + return (dns_resolver_createfetch3(res, name, type, domain, + nameservers, forwarders, + options, 0, NULL, task, action, arg, + rdataset, sigrdataset, fetchp)); +} + +isc_result_t +dns_resolver_createfetch3(dns_resolver_t *res, dns_name_t *name, + dns_rdatatype_t type, + dns_name_t *domain, dns_rdataset_t *nameservers, + dns_forwarders_t *forwarders, + unsigned int options, unsigned int depth, + isc_counter_t *qc, isc_task_t *task, + isc_taskaction_t action, void *arg, + dns_rdataset_t *rdataset, + dns_rdataset_t *sigrdataset, + dns_fetch_t **fetchp) +{ dns_fetch_t *fetch; fetchctx_t *fctx = NULL; isc_result_t result; @@ -6684,11 +6754,12 @@ dns_resolver_createfetch(dns_resolver_t ISC_LIST_EMPTY(fctx->events)) { fctx = NULL; result = fctx_create(res, name, type, domain, nameservers, - options, bucketnum, &fctx); + options, bucketnum, depth, qc, &fctx); if (result != ISC_R_SUCCESS) goto unlock; new_fctx = ISC_TRUE; - } + } else if (fctx->depth > depth) + fctx->depth = depth; result = fctx_join(fctx, task, action, arg, rdataset, sigrdataset, fetch); @@ -7341,3 +7412,27 @@ dns_resolver_getmustbesecure(dns_resolve #endif return (value); } + +void +dns_resolver_setmaxdepth(dns_resolver_t *resolver, unsigned int maxdepth) { + REQUIRE(VALID_RESOLVER(resolver)); + resolver->maxdepth = maxdepth; +} + +unsigned int +dns_resolver_getmaxdepth(dns_resolver_t *resolver) { + REQUIRE(VALID_RESOLVER(resolver)); + return (resolver->maxdepth); +} + +void +dns_resolver_setmaxqueries(dns_resolver_t *resolver, unsigned int queries) { + REQUIRE(VALID_RESOLVER(resolver)); + resolver->maxqueries = queries; +} + +unsigned int +dns_resolver_getmaxqueries(dns_resolver_t *resolver) { + REQUIRE(VALID_RESOLVER(resolver)); + return (resolver->maxqueries); +} diff -up bind-9.3.6-P1/lib/isccfg/namedconf.c.CVE-2014-8500 bind-9.3.6-P1/lib/isccfg/namedconf.c --- bind-9.3.6-P1/lib/isccfg/namedconf.c.CVE-2014-8500 2014-12-10 13:32:18.760869813 +0100 +++ bind-9.3.6-P1/lib/isccfg/namedconf.c 2014-12-10 13:32:18.962870280 +0100 @@ -772,6 +772,8 @@ view_clauses[] = { { "lame-ttl", &cfg_type_uint32, 0 }, { "max-ncache-ttl", &cfg_type_uint32, 0 }, { "max-cache-ttl", &cfg_type_uint32, 0 }, + { "max-recursion-depth", &cfg_type_uint32, 0 }, + { "max-recursion-queries", &cfg_type_uint32, 0 }, { "transfer-format", &cfg_type_transferformat, 0 }, { "max-cache-size", &cfg_type_sizenodefault, 0 }, { "check-names", &cfg_type_checknames, CFG_CLAUSEFLAG_MULTI }, diff -up bind-9.3.6-P1/lib/isc/counter.c.CVE-2014-8500 bind-9.3.6-P1/lib/isc/counter.c --- bind-9.3.6-P1/lib/isc/counter.c.CVE-2014-8500 2014-12-10 13:32:18.963870283 +0100 +++ bind-9.3.6-P1/lib/isc/counter.c 2014-12-10 13:32:18.963870283 +0100 @@ -0,0 +1,138 @@ +/* + * Copyright (C) 2014 Internet Systems Consortium, Inc. ("ISC") + * + * Permission to use, copy, modify, and/or distribute this software for any + * purpose with or without fee is hereby granted, provided that the above + * copyright notice and this permission notice appear in all copies. + * + * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH + * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY + * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, + * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM + * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE + * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR + * PERFORMANCE OF THIS SOFTWARE. + */ + +/*! \file */ + +#include <config.h> + +#include <stddef.h> + +#include <isc/counter.h> +#include <isc/magic.h> +#include <isc/mem.h> +#include <isc/util.h> + +#define COUNTER_MAGIC ISC_MAGIC('C', 'n', 't', 'r') +#define VALID_COUNTER(r) ISC_MAGIC_VALID(r, COUNTER_MAGIC) + +struct isc_counter { + unsigned int magic; + isc_mem_t *mctx; + isc_mutex_t lock; + unsigned int references; + unsigned int limit; + unsigned int used; +}; + +isc_result_t +isc_counter_create(isc_mem_t *mctx, int limit, isc_counter_t **counterp) { + isc_result_t result; + isc_counter_t *counter; + + REQUIRE(counterp != NULL && *counterp == NULL); + + counter = isc_mem_get(mctx, sizeof(*counter)); + if (counter == NULL) + return (ISC_R_NOMEMORY); + + result = isc_mutex_init(&counter->lock); + if (result != ISC_R_SUCCESS) { + isc_mem_put(mctx, counter, sizeof(*counter)); + return (result); + } + + counter->mctx = NULL; + isc_mem_attach(mctx, &counter->mctx); + + counter->references = 1; + counter->limit = limit; + counter->used = 0; + + counter->magic = COUNTER_MAGIC; + *counterp = counter; + return (ISC_R_SUCCESS); +} + +isc_result_t +isc_counter_increment(isc_counter_t *counter) { + isc_result_t result = ISC_R_SUCCESS; + + LOCK(&counter->lock); + counter->used++; + if (counter->limit != 0 && counter->used >= counter->limit) + result = ISC_R_QUOTA; + UNLOCK(&counter->lock); + + return (result); +} + +unsigned int +isc_counter_used(isc_counter_t *counter) { + REQUIRE(VALID_COUNTER(counter)); + + return (counter->used); +} + +void +isc_counter_setlimit(isc_counter_t *counter, int limit) { + REQUIRE(VALID_COUNTER(counter)); + + LOCK(&counter->lock); + counter->limit = limit; + UNLOCK(&counter->lock); +} + +void +isc_counter_attach(isc_counter_t *source, isc_counter_t **targetp) { + REQUIRE(VALID_COUNTER(source)); + REQUIRE(targetp != NULL && *targetp == NULL); + + LOCK(&source->lock); + source->references++; + INSIST(source->references > 0); + UNLOCK(&source->lock); + + *targetp = source; +} + +static void +destroy(isc_counter_t *counter) { + counter->magic = 0; + isc_mutex_destroy(&counter->lock); + isc_mem_putanddetach(&counter->mctx, counter, sizeof(*counter)); +} + +void +isc_counter_detach(isc_counter_t **counterp) { + isc_counter_t *counter; + isc_boolean_t want_destroy = ISC_FALSE; + + REQUIRE(counterp != NULL && *counterp != NULL); + counter = *counterp; + REQUIRE(VALID_COUNTER(counter)); + + *counterp = NULL; + + LOCK(&counter->lock); + INSIST(counter->references > 0); + counter->references--; + if (counter->references == 0) + want_destroy = ISC_TRUE; + UNLOCK(&counter->lock); + + if (want_destroy) + destroy(counter); +} diff -up bind-9.3.6-P1/lib/isc/include/isc/counter.h.CVE-2014-8500 bind-9.3.6-P1/lib/isc/include/isc/counter.h --- bind-9.3.6-P1/lib/isc/include/isc/counter.h.CVE-2014-8500 2014-12-10 13:32:18.963870283 +0100 +++ bind-9.3.6-P1/lib/isc/include/isc/counter.h 2014-12-10 13:32:18.963870283 +0100 @@ -0,0 +1,90 @@ +/* + * Copyright (C) 2014 Internet Systems Consortium, Inc. ("ISC") + * + * Permission to use, copy, modify, and/or distribute this software for any + * purpose with or without fee is hereby granted, provided that the above + * copyright notice and this permission notice appear in all copies. + * + * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH + * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY + * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, + * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM + * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE + * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR + * PERFORMANCE OF THIS SOFTWARE. + */ + +#ifndef ISC_COUNTER_H +#define ISC_COUNTER_H 1 + +/***** + ***** Module Info + *****/ + +/*! \file isc/counter.h + * + * \brief The isc_counter_t object is a simplified version of the + * isc_quota_t object; it tracks the consumption of limited + * resources, returning an error condition when the quota is + * exceeded. However, unlike isc_quota_t, attaching and detaching + * from a counter object does not increment or decrement the counter. + */ + +/*** + *** Imports. + ***/ + +#include <isc/lang.h> +#include <isc/mutex.h> +#include <isc/types.h> + +/***** + ***** Types. + *****/ + +ISC_LANG_BEGINDECLS + +isc_result_t +isc_counter_create(isc_mem_t *mctx, int limit, isc_counter_t **counterp); +/*%< + * Allocate and initialize a counter object. + */ + +isc_result_t +isc_counter_increment(isc_counter_t *counter); +/*%< + * Increment the counter. + * + * If the counter limit is nonzero and has been reached, then + * return ISC_R_QUOTA, otherwise ISC_R_SUCCESS. (The counter is + * incremented regardless of return value.) + */ + +unsigned int +isc_counter_used(isc_counter_t *counter); +/*%< + * Return the current counter value. + */ + +void +isc_counter_setlimit(isc_counter_t *counter, int limit); +/*%< + * Set the counter limit. + */ + +void +isc_counter_attach(isc_counter_t *source, isc_counter_t **targetp); +/*%< + * Attach to a counter object, increasing its reference counter. + */ + +void +isc_counter_detach(isc_counter_t **counterp); +/*%< + * Detach (and destroy if reference counter has dropped to zero) + * a counter object. + */ + +ISC_LANG_ENDDECLS + +#endif /* ISC_COUNTER_H */ diff -up bind-9.3.6-P1/lib/isc/include/isc/Makefile.in.CVE-2014-8500 bind-9.3.6-P1/lib/isc/include/isc/Makefile.in --- bind-9.3.6-P1/lib/isc/include/isc/Makefile.in.CVE-2014-8500 2005-03-22 03:32:07.000000000 +0100 +++ bind-9.3.6-P1/lib/isc/include/isc/Makefile.in 2014-12-10 13:32:18.963870283 +0100 @@ -27,7 +27,7 @@ top_srcdir = @top_srcdir@ # install target below. # HEADERS = app.h assertions.h base64.h bitstring.h boolean.h buffer.h \ - bufferlist.h commandline.h entropy.h error.h event.h \ + bufferlist.h commandline.h counter.h entropy.h error.h event.h \ eventclass.h file.h formatcheck.h fsaccess.h \ hash.h heap.h hex.h hmacmd5.h \ interfaceiter.h @ISC_IPV6_H@ lang.h lex.h \ diff -up bind-9.3.6-P1/lib/isc/include/isc/types.h.CVE-2014-8500 bind-9.3.6-P1/lib/isc/include/isc/types.h --- bind-9.3.6-P1/lib/isc/include/isc/types.h.CVE-2014-8500 2008-06-26 01:45:37.000000000 +0200 +++ bind-9.3.6-P1/lib/isc/include/isc/types.h 2014-12-10 13:32:18.963870283 +0100 @@ -46,6 +46,7 @@ typedef struct isc_buffer isc_buffer_t; typedef ISC_LIST(isc_buffer_t) isc_bufferlist_t; typedef struct isc_constregion isc_constregion_t; typedef struct isc_consttextregion isc_consttextregion_t; +typedef struct isc_counter isc_counter_t; /*%< Counter */ typedef struct isc_entropy isc_entropy_t; typedef struct isc_entropysource isc_entropysource_t; typedef struct isc_event isc_event_t; diff -up bind-9.3.6-P1/lib/isc/Makefile.in.CVE-2014-8500 bind-9.3.6-P1/lib/isc/Makefile.in --- bind-9.3.6-P1/lib/isc/Makefile.in.CVE-2014-8500 2014-12-10 13:32:18.725869733 +0100 +++ bind-9.3.6-P1/lib/isc/Makefile.in 2014-12-10 13:32:18.964870285 +0100 @@ -51,7 +51,7 @@ WIN32OBJS = win32/condition.@O@ win32/d # Alphabetically OBJS = @ISC_EXTRA_OBJS@ \ assertions.@O@ base64.@O@ bitstring.@O@ buffer.@O@ \ - bufferlist.@O@ commandline.@O@ error.@O@ event.@O@ \ + bufferlist.@O@ commandline.@O@ counter.@O@ error.@O@ event.@O@ \ hash.@O@ heap.@O@ hex.@O@ hmacmd5.@O@ \ lex.@O@ lfsr.@O@ lib.@O@ log.@O@ md5.@O@ \ mem.@O@ mutexblock.@O@ netaddr.@O@ netscope.@O@ ondestroy.@O@ \ @@ -64,7 +64,7 @@ OBJS = @ISC_EXTRA_OBJS@ \ # Alphabetically SRCS = @ISC_EXTRA_SRCS@ \ assertions.c base64.c bitstring.c buffer.c \ - bufferlist.c commandline.c error.c event.c \ + bufferlist.c commandline.c counter.c error.c event.c \ heap.c hex.c hmacmd5.c \ lex.c lfsr.c lib.c log.c \ md5.c mem.c mutexblock.c netaddr.c netscope.c ondestroy.c \ diff -up bind-9.3.6-P1/lib/isc/tests/counter_test.c.CVE-2014-8500 bind-9.3.6-P1/lib/isc/tests/counter_test.c --- bind-9.3.6-P1/lib/isc/tests/counter_test.c.CVE-2014-8500 2014-12-10 13:32:18.964870285 +0100 +++ bind-9.3.6-P1/lib/isc/tests/counter_test.c 2014-12-10 13:32:18.964870285 +0100 @@ -0,0 +1,69 @@ +/* + * Copyright (C) 2014 Internet Systems Consortium, Inc. ("ISC") + * + * Permission to use, copy, modify, and/or distribute this software for any + * purpose with or without fee is hereby granted, provided that the above + * copyright notice and this permission notice appear in all copies. + * + * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH + * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY + * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, + * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM + * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE + * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR + * PERFORMANCE OF THIS SOFTWARE. + */ + +#include <config.h> +#include <stdlib.h> + +#include <atf-c.h> + +#include <isc/counter.h> +#include <isc/result.h> + +#include "isctest.h" + +ATF_TC(isc_counter); +ATF_TC_HEAD(isc_counter, tc) { + atf_tc_set_md_var(tc, "descr", "isc counter object"); +} +ATF_TC_BODY(isc_counter, tc) { + isc_result_t result; + isc_counter_t *counter = NULL; + int i; + + result = isc_test_begin(NULL, ISC_TRUE); + ATF_REQUIRE_EQ(result, ISC_R_SUCCESS); + + result = isc_counter_create(mctx, 0, &counter); + ATF_REQUIRE_EQ(result, ISC_R_SUCCESS); + + for (i = 0; i < 10; i++) { + result = isc_counter_increment(counter); + ATF_CHECK_EQ(result, ISC_R_SUCCESS); + } + + ATF_CHECK_EQ(isc_counter_used(counter), 10); + + isc_counter_setlimit(counter, 15); + for (i = 0; i < 10; i++) { + result = isc_counter_increment(counter); + if (result != ISC_R_SUCCESS) + break; + } + + ATF_CHECK_EQ(isc_counter_used(counter), 15); + + isc_counter_detach(&counter); + isc_test_end(); +} + +/* + * Main + */ +ATF_TP_ADD_TCS(tp) { + ATF_TP_ADD_TC(tp, isc_counter); + return (atf_no_error()); +} +