Merge branch '3394-security-cve-2022-2795-mitigation-v9_18' into 'security-v9_18'

[CVE-2022-2795] [v9_18] Bound the amount of work performed for delegations See merge request isc-private/bind9!452
2026-03-19 09:09:36 -04:00 · 2022-09-08 09:37:26 +00:00 · 2022-09-08 09:37:26 +00:00 · 74ba7f89d7
commit 74ba7f89d7
parent 7e27db0023 7f6cb0d0cc
3 changed files with 28 additions and 1 deletions
--- a/3
+++ b/3
@ -1,3 +1,6 @@
+5957.	[security]	Prevent excessive resource use while processing large
+			delegations. (CVE-2022-2795) [GL #3394]
+
 5956.	[func]		Make RRL code treat all QNAMEs that are subject to
 			wildcard processing within a given zone as the same
 			name. [GL #3459]
--- a/doc/notes/notes-current.rst
+++ b/doc/notes/notes-current.rst
@ -15,7 +15,14 @@ Notes for BIND 9.18.7
 Security Fixes
 ~~~~~~~~~~~~~~

- None.
+- Previously, there was no limit to the number of database lookups
+  performed while processing large delegations, which could be abused to
+  severely impact the performance of :iscman:`named` running as a
+  recursive resolver. This has been fixed. (CVE-2022-2795)
+
+  ISC would like to thank Yehuda Afek from Tel-Aviv University and Anat
+  Bremler-Barr & Shani Stajnrod from Reichman University for bringing
+  this vulnerability to our attention. :gl:`#3394`

 Known Issues
 ~~~~~~~~~~~~
--- a/lib/dns/resolver.c
+++ b/lib/dns/resolver.c
@ -211,6 +211,17 @@
 */
 #define NS_FAIL_LIMIT 4
 #define NS_RR_LIMIT   5
+/*
+ * IP address lookups are performed for at most NS_PROCESSING_LIMIT NS RRs in
+ * any NS RRset encountered, to avoid excessive resource use while processing
+ * large delegations.
+ */
+#define NS_PROCESSING_LIMIT 20
+
+STATIC_ASSERT(NS_PROCESSING_LIMIT > NS_RR_LIMIT,
+	      "The maximum number of NS RRs processed for each delegation "
+	      "(NS_PROCESSING_LIMIT) must be larger than the large delegation "
+	      "threshold (NS_RR_LIMIT).");

 /* Hash table for zone counters */
 #ifndef RES_DOMAIN_HASH_BITS
@ -3538,6 +3549,7 @@ fctx_getaddresses(fetchctx_t *fctx, bool badcache) {
 	bool need_alternate = false;
 	bool all_spilled = true;
 	unsigned int no_addresses = 0;
+	unsigned int ns_processed = 0;

 	FCTXTRACE5("getaddresses", "fctx->depth=", fctx->depth);

@ -3728,6 +3740,11 @@ normal_nses:

 		dns_rdata_reset(&rdata);
 		dns_rdata_freestruct(&ns);
+
+		if (++ns_processed >= NS_PROCESSING_LIMIT) {
+			result = ISC_R_NOMORE;
+			break;
+		}
 	}
 	if (result != ISC_R_NOMORE) {
 		return (result);