From c3314d0fa0756d39cab1e9d9e3cf2e36dd6273da Mon Sep 17 00:00:00 2001

From: Petr Mensik <pemensik@redhat.com>

Date: Mon, 18 Nov 2019 16:44:58 +0100

Subject: [PATCH] Limit number of queries per TCP connection

5306.	[security]	Set a limit on the number of concurrently served

			pipelined TCP queries. (CVE-2019-6477) [GL #1264]

---

 bin/named/client.c               | 73 ++++++++++++++++++++------------

 bin/named/include/named/client.h |  5 ++-

 2 files changed, 50 insertions(+), 28 deletions(-)

diff --git a/bin/named/client.c b/bin/named/client.c

index f21a77ba52..23f70edaff 100644

--- a/bin/named/client.c

+++ b/bin/named/client.c

@@ -98,7 +98,15 @@

 #define SEND_BUFFER_SIZE		4096

 #define RECV_BUFFER_SIZE		4096

+#define TCP_CLIENTS_PER_CONN		23

+/*%<

+ * Number of simultaneous ns_clients_t (queries in flight) for one

+ * TCP connection.  The number was arbitrarily picked and might be

+ * changed in the future.

+ */

+

 #ifdef ISC_PLATFORM_USETHREADS

+

 #define NMCTXS				100

 /*%<

  * Number of 'mctx pools' for clients. (Should this be configurable?)

@@ -333,7 +341,7 @@ tcpconn_init(ns_client_t *client, isc_boolean_t force) {

 	 */

 	tconn = isc_mem_allocate(ns_g_mctx, sizeof(*tconn));

-	isc_refcount_init(&tconn->refs, 1);

+	isc_refcount_init(&tconn->clients, 1);	/* Current client */

 	tconn->tcpquota = quota;

 	quota = NULL;

 	tconn->pipelined = ISC_FALSE;

@@ -350,14 +358,14 @@ tcpconn_init(ns_client_t *client, isc_boolean_t force) {

  */

 static void

 tcpconn_attach(ns_client_t *source, ns_client_t *target) {

-	int refs;

+	int old_clients;

 	REQUIRE(source->tcpconn != NULL);

 	REQUIRE(target->tcpconn == NULL);

 	REQUIRE(source->tcpconn->pipelined);

-	isc_refcount_increment(&source->tcpconn->refs, &refs);

-	INSIST(refs > 1);

+	isc_refcount_increment(&source->tcpconn->clients, &old_clients);

+	INSIST(old_clients > 1);

 	target->tcpconn = source->tcpconn;

 }

@@ -370,15 +378,15 @@ tcpconn_attach(ns_client_t *source, ns_client_t *target) {

 static void

 tcpconn_detach(ns_client_t *client) {

 	ns_tcpconn_t *tconn = NULL;

-	int refs;

+	int old_clients;

 	REQUIRE(client->tcpconn != NULL);

 	tconn = client->tcpconn;

 	client->tcpconn = NULL;

-	isc_refcount_decrement(&tconn->refs, &refs);

-	if (refs == 0) {

+	isc_refcount_decrement(&tconn->clients, &old_clients);

+	if (old_clients == 0) {

 		isc_quota_detach(&tconn->tcpquota);

 		isc_mem_free(ns_g_mctx, tconn);

 	}

@@ -2629,28 +2637,39 @@ client_request(isc_task_t *task, isc_event_t *event) {

 	/*

 	 * Pipeline TCP query processing.

 	 */

-	if (TCP_CLIENT(client) &&

-	    client->message->opcode != dns_opcode_query)

-	{

-		client->tcpconn->pipelined = ISC_FALSE;

-	}

-	if (TCP_CLIENT(client) && client->tcpconn->pipelined) {

-		/*

-		 * We're pipelining. Replace the client; the

-		 * replacement can read the TCP socket looking

-		 * for new messages and this one can process the

-		 * current message asynchronously.

-		 *

-		 * There will now be at least three clients using this

-		 * TCP socket - one accepting new connections,

-		 * one reading an existing connection to get new

-		 * messages, and one answering the message already

-		 * received.

-		 */

-		result = ns_client_replace(client);

-		if (result != ISC_R_SUCCESS) {

+	if (TCP_CLIENT(client)) {

+		if (client->message->opcode != dns_opcode_query) {

 			client->tcpconn->pipelined = ISC_FALSE;

 		}

+

+ 		/*

+		 * Limit the maximum number of simultaneous pipelined

+		 * queries on TCP connection to TCP_CLIENTS_PER_CONN.

+ 		 */

+		if ((isc_refcount_current(&client->tcpconn->clients)

+			    > TCP_CLIENTS_PER_CONN))

+		{

+ 			client->tcpconn->pipelined = ISC_FALSE;

+ 		}

+

+		if (client->tcpconn->pipelined) {

+			/*

+			 * We're pipelining. Replace the client; the

+			 * replacement can read the TCP socket looking

+			 * for new messages and this one can process the

+			 * current message asynchronously.

+			 *

+			 * There will now be at least three clients using this

+			 * TCP socket - one accepting new connections,

+			 * one reading an existing connection to get new

+			 * messages, and one answering the message already

+			 * received.

+			 */

+			result = ns_client_replace(client);

+			if (result != ISC_R_SUCCESS) {

+				client->tcpconn->pipelined = ISC_FALSE;

+			}

+		}

 	}

 	dns_opcodestats_increment(ns_g_server->opcodestats,

diff --git a/bin/named/include/named/client.h b/bin/named/include/named/client.h

index 0f54d2267b..86437ade22 100644

--- a/bin/named/include/named/client.h

+++ b/bin/named/include/named/client.h

@@ -77,7 +77,10 @@

 /*% reference-counted TCP connection object */

 typedef struct ns_tcpconn {

-	isc_refcount_t		refs;

+	isc_refcount_t		clients;	/* Number of clients using

+						 * this connection. Conn can

+						 * be freed if goes to 0

+						 */

 	isc_quota_t		*tcpquota;

 	isc_boolean_t		pipelined;

 } ns_tcpconn_t;

-- 

2.20.1