Hello community,

here is the log from the commit of package nsd for openSUSE:Factory checked in 
at 2019-09-11 10:40:45
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/nsd (Old)
 and      /work/SRC/openSUSE:Factory/.nsd.new.7948 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "nsd"

Wed Sep 11 10:40:45 2019 rev:12 rq:729937 version:4.2.2

Changes:
--------
--- /work/SRC/openSUSE:Factory/nsd/nsd.changes  2019-07-16 08:41:13.807034348 
+0200
+++ /work/SRC/openSUSE:Factory/.nsd.new.7948/nsd.changes        2019-09-11 
10:41:11.971211439 +0200
@@ -1,0 +2,26 @@
+Sun Sep  8 14:13:02 UTC 2019 - Michael Ströder <mich...@stroeder.com>
+
+- New upstream release 4.2.2:
+  * Fix #20: CVE-2019-13207 Stack-based Buffer Overflow in the
+    dname_concatenate() function.  Reported by Frederic Cambus.
+    It causes the zone parser to crash on a malformed zone file,
+    with assertions enabled, an assertion catches it.
+  * Fix #19: Out-of-bounds read caused by improper validation of
+    array index.  Reported by Frederic Cambus.  The zone parser
+    fails on type SIG because of mismatched definition with RRSIG.
+  * PR #23: Fix typo in nsd.conf man-page.
+  * Fix that NSD warns for wrong length of the hash in SSHFP records.
+  * Fix #25: NSD doesn't refresh zones after extended downtime,
+    it refreshes the old zones.
+  * Set no renegotiation on the SSL context to stop client
+    session renegotiation.
+  * Fix #29: SSHFP check NULL pointer dereference.
+  * Fix #30: SSHFP check failure due to missing domain name.
+  * Fix to timeval_add in minievent for remaining second in microseconds.
+  * PR #31: nsd-control: Add missing stdio header.
+  * PR #32: tsig: Fix compilation without HAVE_SSL.
+  * Cleanup tls context on xfrd exit.
+  * Fix #33: Fix segfault in service of remaining streams on exit.
+  * Fix error message for out of zone data to have more information.
+
+-------------------------------------------------------------------

Old:
----
  nsd-4.2.1.tar.gz
  nsd-4.2.1.tar.gz.asc

New:
----
  nsd-4.2.2.tar.gz
  nsd-4.2.2.tar.gz.asc

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ nsd.spec ++++++
--- /var/tmp/diff_new_pack.txIOOM/_old  2019-09-11 10:41:12.491211347 +0200
+++ /var/tmp/diff_new_pack.txIOOM/_new  2019-09-11 10:41:12.491211347 +0200
@@ -23,7 +23,7 @@
 %define zonesdir   %{configdir}/zones
 %define pidfile    %{_rundir}/nsd/nsd.pid
 Name:           nsd
-Version:        4.2.1
+Version:        4.2.2
 Release:        0
 #
 Summary:        An authoritative-only domain name server

++++++ nsd-4.2.1.tar.gz -> nsd-4.2.2.tar.gz ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/nsd-4.2.1/.travis.yml new/nsd-4.2.2/.travis.yml
--- old/nsd-4.2.1/.travis.yml   2019-07-09 09:24:20.000000000 +0200
+++ new/nsd-4.2.2/.travis.yml   2019-08-19 11:10:40.000000000 +0200
@@ -1,19 +1,66 @@
 sudo: false
 language: c
-compiler:
-  - gcc
-addons:
-  apt:
-    packages:
-    - autoconf
-    - bison
-    - flex
-    - libssl-dev
-    - libevent-dev
-    - clang
+
+linux_gcc: &linux_gcc
+  os: linux
+  dist: xenial
+  compiler: gcc
+  addons:
+    apt:
+      update: true
+      sources: [ ubuntu-toolchain-r-test ]
+      packages: [ autoconf bison flex libssl-dev libevent-dev clang gcc-9 ]
+  before_install:
+    - eval "export CC=gcc-9"
+    - eval "export COV_COMPTYPE=gcc COV_PLATFORM=linux64"
+
+install_coverity: &install_coverity
+  if [ "${COVERITY_SCAN}" = "true" ]; then
+    COV_DIR="/tmp/coverity-scan-analysis";
+    COV_ARC="/tmp/cov-analysis-${COV_PLATFORM}.tgz";
+    test ! -d "${COV_DIR}" &&
+      mkdir -p "${COV_DIR}" &&
+      curl -s -S -F project="${TRAVIS_REPO_SLUG}"
+                 -F token="${COVERITY_SCAN_TOKEN}"
+                 -o "${COV_ARC}"
+                 "https://scan.coverity.com/download/cxx/${COV_PLATFORM}"; &&
+      tar -xzf "${COV_ARC}" -C "${COV_DIR}";
+    COV_ANALYSIS=$(find "${COV_DIR}" -type d -name "cov-analysis*");
+    eval "export PATH=\"${PATH}:${COV_ANALYSIS}/bin\"";
+    eval "export SCAN_BUILD=\"cov-build --dir cov-int\"";
+    cov-configure --comptype ${COV_COMPTYPE} --compiler ${CC} --template;
+  fi
+
+submit_to_coverity_scan: &submit_to_coverity_scan
+  if [ "${COVERITY_SCAN}" = "true" ]; then
+    tar -czf analysis-results.tgz cov-int &&
+    curl -s -S -F project="${TRAVIS_REPO_SLUG}"
+               -F token="${COVERITY_SCAN_TOKEN}"
+               -F file=@analysis-results.tgz
+               -F version=$(git rev-parse --short HEAD)
+               -F description="Travis CI build"
+               -F email="${COVERITY_EMAIL:=s...@nlnetlabs.nl}"
+               "https://scan.coverity.com/builds";;
+  fi
+
+install:
+  - *install_coverity
+
 script:
   - autoconf && autoheader
   - ./configure --enable-checking --disable-flto
-  - make
+  - ${SCAN_BUILD} make
   - make cutest && ./cutest
   - (cd tpkg; tar xzf clang-analysis.tpkg; cd clang-analysis.dir; bash 
clang-analysis.test)
+
+after_success:
+  - *submit_to_coverity_scan
+
+jobs:
+  include:
+    - <<: *linux_gcc
+      env: [ COVERITY_SCAN=true ]
+      if: type = cron
+    - <<: *linux_gcc
+      env: [ COVERITY_SCAN=false ]
+
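Review bot: The `install_coverity` script contains `"https://scan.coverity.com/download/cxx/${COV_PLATFORM}"; &&` and `submit_to_coverity_scan` ends its curl command with `;;`; once the plain scalar is folded onto one line both are shell syntax errors, and because the shell parses the whole `if … fi` before running it they would presumably break the `COVERITY_SCAN=false` job too. Drop the stray `;` so the line reads `"https://scan.coverity.com/download/cxx/${COV_PLATFORM}" &&`, and end the upload with a single `;`. The `packages:` flow sequence has no commas, so YAML reads it as one string rather than seven names; `[ autoconf, bison, flex, libssl-dev, libevent-dev, clang, gcc-9 ]` is the list form. The downloaded analysis archive is unpacked and its `bin` directory appended to `PATH` with no checksum comparison, which deserves a comment if HTTPS alone is the accepted trust anchor.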
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/nsd-4.2.1/configure new/nsd-4.2.2/configure
--- old/nsd-4.2.1/configure     2019-07-09 09:24:21.000000000 +0200
+++ new/nsd-4.2.2/configure     2019-08-19 11:10:40.000000000 +0200
@@ -1,6 +1,6 @@
 #! /bin/sh
 # Guess values for system-dependent variables and create Makefiles.
-# Generated by GNU Autoconf 2.69 for NSD 4.2.1.
+# Generated by GNU Autoconf 2.69 for NSD 4.2.2.
 #
 # Report bugs to <nsd-b...@nlnetlabs.nl>.
 #
@@ -580,8 +580,8 @@
 # Identity of this package.
 PACKAGE_NAME='NSD'
 PACKAGE_TARNAME='nsd'
-PACKAGE_VERSION='4.2.1'
-PACKAGE_STRING='NSD 4.2.1'
+PACKAGE_VERSION='4.2.2'
+PACKAGE_STRING='NSD 4.2.2'
 PACKAGE_BUGREPORT='nsd-b...@nlnetlabs.nl'
 PACKAGE_URL=''
 
@@ -1297,7 +1297,7 @@
   # Omit some internal or obsolete options to make the list less imposing.
   # This message is too long to be a string in the A/UX 3.1 sh.
   cat <<_ACEOF
-\`configure' configures NSD 4.2.1 to adapt to many kinds of systems.
+\`configure' configures NSD 4.2.2 to adapt to many kinds of systems.
 
 Usage: $0 [OPTION]... [VAR=VALUE]...
 
@@ -1358,7 +1358,7 @@
 
 if test -n "$ac_init_help"; then
   case $ac_init_help in
-     short | recursive ) echo "Configuration of NSD 4.2.1:";;
+     short | recursive ) echo "Configuration of NSD 4.2.2:";;
    esac
   cat <<\_ACEOF
 
@@ -1514,7 +1514,7 @@
 test -n "$ac_init_help" && exit $ac_status
 if $ac_init_version; then
   cat <<\_ACEOF
-NSD configure 4.2.1
+NSD configure 4.2.2
 generated by GNU Autoconf 2.69
 
 Copyright (C) 2012 Free Software Foundation, Inc.
@@ -2223,7 +2223,7 @@
 This file contains any messages produced by compilers while
 running configure, to aid debugging if configure makes a mistake.
 
-It was created by NSD $as_me 4.2.1, which was
+It was created by NSD $as_me 4.2.2, which was
 generated by GNU Autoconf 2.69.  Invocation command line was
 
   $ $0 $@
@@ -10236,7 +10236,7 @@
 # report actual input values of CONFIG_FILES etc. instead of their
 # values after options handling.
 ac_log="
-This file was extended by NSD $as_me 4.2.1, which was
+This file was extended by NSD $as_me 4.2.2, which was
 generated by GNU Autoconf 2.69.  Invocation command line was
 
   CONFIG_FILES    = $CONFIG_FILES
@@ -10298,7 +10298,7 @@
 cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1
 ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; 
s/[\\""\`\$]/\\\\&/g'`"
 ac_cs_version="\\
-NSD config.status 4.2.1
+NSD config.status 4.2.2
 configured by $0, generated by GNU Autoconf 2.69,
   with options \\"\$ac_cs_config\\"
 
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/nsd-4.2.1/configure.ac new/nsd-4.2.2/configure.ac
--- old/nsd-4.2.1/configure.ac  2019-07-09 09:24:20.000000000 +0200
+++ new/nsd-4.2.2/configure.ac  2019-08-19 11:10:40.000000000 +0200
@@ -5,7 +5,7 @@
 sinclude(acx_nlnetlabs.m4)
 sinclude(dnstap/dnstap.m4)
 
-AC_INIT(NSD,4.2.1,nsd-b...@nlnetlabs.nl)
+AC_INIT(NSD,4.2.2,nsd-b...@nlnetlabs.nl)
 AC_CONFIG_HEADER([config.h])
 
 CFLAGS="$CFLAGS"
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/nsd-4.2.1/dns.c new/nsd-4.2.2/dns.c
--- old/nsd-4.2.1/dns.c 2019-07-09 09:24:20.000000000 +0200
+++ new/nsd-4.2.2/dns.c 2019-08-19 11:10:40.000000000 +0200
@@ -121,10 +121,10 @@
        { TYPE_SIG, "SIG", T_SIG, 9, 9,
          { RDATA_WF_SHORT, RDATA_WF_BYTE, RDATA_WF_BYTE, RDATA_WF_LONG,
            RDATA_WF_LONG, RDATA_WF_LONG, RDATA_WF_SHORT,
-           RDATA_WF_UNCOMPRESSED_DNAME, RDATA_WF_BINARY },
-         { RDATA_ZF_RRTYPE, RDATA_ZF_BYTE, RDATA_ZF_BYTE, RDATA_ZF_PERIOD,
-           RDATA_ZF_TIME, RDATA_ZF_TIME, RDATA_ZF_SHORT, RDATA_ZF_DNAME,
-           RDATA_ZF_BASE64 } },
+           RDATA_WF_LITERAL_DNAME, RDATA_WF_BINARY },
+         { RDATA_ZF_RRTYPE, RDATA_ZF_ALGORITHM, RDATA_ZF_BYTE, RDATA_ZF_PERIOD,
+           RDATA_ZF_TIME, RDATA_ZF_TIME, RDATA_ZF_SHORT,
+           RDATA_ZF_LITERAL_DNAME, RDATA_ZF_BASE64 } },
        /* 25 */
        { TYPE_KEY, "KEY", T_KEY, 4, 4,
          { RDATA_WF_SHORT, RDATA_WF_BYTE, RDATA_WF_BYTE, RDATA_WF_BINARY },
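Review bot: Nothing at the SIG entry records that its wire-format and zone-format columns have to stay in step with the RRSIG entry, which the changelog names as the cause of the out-of-bounds read fixed here. A one-line comment above the entry would keep the two from drifting apart again, for example `/* must match the RRSIG entry: the zone parser fills SIG rdata the same way */`. The wording assumes the parser shares the rdata handling for both types, which this hunk does not show. The descriptor table starts and ends outside the hunk.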
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/nsd-4.2.1/doc/ChangeLog new/nsd-4.2.2/doc/ChangeLog
--- old/nsd-4.2.1/doc/ChangeLog 2019-07-09 09:24:20.000000000 +0200
+++ new/nsd-4.2.2/doc/ChangeLog 2019-08-19 11:10:40.000000000 +0200
@@ -1,3 +1,54 @@
+13 August 2019: Wouter
+       - Fix error message for out of zone data to have more information.
+
+12 August 2019: Wouter
+       - Fix #33: Fix segfault in service of remaining streams on exit.
+
+6 August 2019: Wouter
+       - Tag for 4.2.2rc1.
+
+5 August 2019: Wouter
+       - PR #31: nsd-control: Add missing stdio header.
+       - PR #32: tsig: Fix compilation without HAVE_SSL.
+       - Cleanup tls context on xfrd exit.
+
+31 July 2019: Wouter
+       - Fix #29: SSHFP check NULL pointer dereference.
+       - Fix #30: SSHFP check failure due to missing domain name.
+       - Fix to timeval_add in minievent for remaining second in microseconds.
+
+22 July 2019: Wouter
+       - Set timeout for refetch immediately, only spread load when there
+         are retries.
+
+19 July 2019: Wouter
+       - Set no renegotiation on the SSL context to stop client
+         session renegotiation.
+
+18 July 2019: Wouter
+       - Fix #25: NSD doesn't refresh zones after extended downtime,
+         it refreshes the old zones, with a random delay of a couple of
+         seconds to spread the load.
+       - Fix so that expired zones stay expired when server is down a
+         long time.
+
+17 July 2019: Wouter
+       - Fix that NSD warns for wrong length of the hash in SSHFP records.
+
+15 July 2019: Wouter
+       - PR #23: Fix typo in nsd.conf man-page.
+
+4 July 2019: Wouter
+       - Set version to 4.2.2 in development.
+       - clean memory on exit of nsd-checkzone for memory debug.
+       - Fix #20: CVE-2019-13207 Stack-based Buffer Overflow in the
+         dname_concatenate() function.  Reported by Frederic Cambus.
+         It causes the zone parser to crash on a malformed zone file,
+         with assertions enabled, an assertion catches it.
+       - Fix #19: Out-of-bounds read caused by improper validation of
+         array index.  Reported by Frederic Cambus.  The zone parser
+         fails on type SIG because of mismatched definition with RRSIG.
+
 2 July 2019: Wouter
        - Tag for 4.2.1rc1
 
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/nsd-4.2.1/doc/README new/nsd-4.2.2/doc/README
--- old/nsd-4.2.1/doc/README    2019-07-09 09:24:21.000000000 +0200
+++ new/nsd-4.2.2/doc/README    2019-08-19 11:10:41.000000000 +0200
@@ -19,7 +19,7 @@
 
 1.0 Introduction
 
-This is NSD Name Server Daemon (NSD) version 4.2.1.
+This is NSD Name Server Daemon (NSD) version 4.2.2.
 
 The NLnet Labs Name Server Daemon (NSD) is an authoritative RFC compliant 
 DNS nameserver. It was first conceived to allow for more genetic 
@@ -55,7 +55,7 @@
 
 1.2 Quick build and install
 
-Step 1: Unpack the source with gtar -xzvf nsd-4.2.1.tar.gz
+Step 1: Unpack the source with gtar -xzvf nsd-4.2.2.tar.gz
 
 Step 2: Create user nsd or any other unprivileged user of your
         choice. In case of later make sure to use
@@ -109,9 +109,9 @@
 Use your favorite combination of tar and gnu zip to unpack the source,
 for example
 
-$ gtar -xzvf nsd-4.2.1.tar.gz
+$ gtar -xzvf nsd-4.2.2.tar.gz
 
-will unpack the source into the ./nsd-4.2.1 directory...
+will unpack the source into the ./nsd-4.2.2 directory...
 
 
 2.2 Configuring NSD
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/nsd-4.2.1/doc/RELNOTES new/nsd-4.2.2/doc/RELNOTES
--- old/nsd-4.2.1/doc/RELNOTES  2019-07-09 09:24:20.000000000 +0200
+++ new/nsd-4.2.2/doc/RELNOTES  2019-08-19 11:10:40.000000000 +0200
@@ -1,5 +1,31 @@
 NSD RELEASE NOTES
 
+4.2.2
+================
+BUG FIXES:
+       - Fix #20: CVE-2019-13207 Stack-based Buffer Overflow in the
+         dname_concatenate() function.  Reported by Frederic Cambus.
+         It causes the zone parser to crash on a malformed zone file,
+         with assertions enabled, an assertion catches it.
+       - Fix #19: Out-of-bounds read caused by improper validation of
+         array index.  Reported by Frederic Cambus.  The zone parser
+         fails on type SIG because of mismatched definition with RRSIG.
+       - PR #23: Fix typo in nsd.conf man-page.
+       - Fix that NSD warns for wrong length of the hash in SSHFP records.
+       - Fix #25: NSD doesn't refresh zones after extended downtime,
+         it refreshes the old zones.
+       - Set no renegotiation on the SSL context to stop client
+         session renegotiation.
+       - Fix #29: SSHFP check NULL pointer dereference.
+       - Fix #30: SSHFP check failure due to missing domain name.
+       - Fix to timeval_add in minievent for remaining second in microseconds.
+       - PR #31: nsd-control: Add missing stdio header.
+       - PR #32: tsig: Fix compilation without HAVE_SSL.
+       - Cleanup tls context on xfrd exit.
+       - Fix #33: Fix segfault in service of remaining streams on exit.
+       - Fix error message for out of zone data to have more information.
+
+
 4.2.1
 ================
 FEATURES:
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/nsd-4.2.1/mini_event.c new/nsd-4.2.2/mini_event.c
--- old/nsd-4.2.1/mini_event.c  2019-07-09 09:24:20.000000000 +0200
+++ new/nsd-4.2.2/mini_event.c  2019-08-19 11:10:40.000000000 +0200
@@ -304,8 +304,7 @@
 {
        if(!base)
                return;
-       if(base->times)
-               free(base->times);
+       /* base->times is allocated in region and is freed with the region */
        if(base->fds)
                free(base->fds);
        if(base->signals)
@@ -362,7 +361,7 @@
                struct timeval* now = ev->ev_base->time_tv;
                ev->ev_timeout.tv_sec = tv->tv_sec + now->tv_sec;
                ev->ev_timeout.tv_usec = tv->tv_usec + now->tv_usec;
-               while(ev->ev_timeout.tv_usec > 1000000) {
+               while(ev->ev_timeout.tv_usec >= 1000000) {
                        ev->ev_timeout.tv_usec -= 1000000;
                        ev->ev_timeout.tv_sec++;
                }
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/nsd-4.2.1/nsd-checkconf.8.in 
new/nsd-4.2.2/nsd-checkconf.8.in
--- old/nsd-4.2.1/nsd-checkconf.8.in    2019-07-09 09:24:21.000000000 +0200
+++ new/nsd-4.2.2/nsd-checkconf.8.in    2019-08-19 11:10:41.000000000 +0200
@@ -1,4 +1,4 @@
-.TH "nsd\-checkconf" "8" "Jul  9, 2019" "NLnet Labs" "nsd 4.2.1"
+.TH "nsd\-checkconf" "8" "Aug 19, 2019" "NLnet Labs" "nsd 4.2.2"
 .\" Copyright (c) 2001\-2008, NLnet Labs. All rights reserved.
 .\" See LICENSE for the license.
 .SH "NAME"
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/nsd-4.2.1/nsd-checkzone.8.in 
new/nsd-4.2.2/nsd-checkzone.8.in
--- old/nsd-4.2.1/nsd-checkzone.8.in    2019-07-09 09:24:21.000000000 +0200
+++ new/nsd-4.2.2/nsd-checkzone.8.in    2019-08-19 11:10:41.000000000 +0200
@@ -1,4 +1,4 @@
-.TH "nsd\-checkzone" "8" "Jul  9, 2019" "NLnet Labs" "nsd 4.2.1"
+.TH "nsd\-checkzone" "8" "Aug 19, 2019" "NLnet Labs" "nsd 4.2.2"
 .\" Copyright (c) 2014, NLnet Labs. All rights reserved.
 .\" See LICENSE for the license.
 .SH "NAME"
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/nsd-4.2.1/nsd-checkzone.c 
new/nsd-4.2.2/nsd-checkzone.c
--- old/nsd-4.2.1/nsd-checkzone.c       2019-07-09 09:24:20.000000000 +0200
+++ new/nsd-4.2.2/nsd-checkzone.c       2019-08-19 11:10:40.000000000 +0200
@@ -61,6 +61,10 @@
        errors = zonec_read(name, fname, zone);
        if(errors > 0) {
                printf("zone %s file %s has %u errors\n", name, fname, errors);
+#ifdef MEMCLEAN /* otherwise, the OS collects memory pages */
+               namedb_close(nsd->db);
+               region_destroy(nsd->options->region);
+#endif
                exit(1);
        }
        printf("zone %s is ok\n", name);
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/nsd-4.2.1/nsd-control.8.in 
new/nsd-4.2.2/nsd-control.8.in
--- old/nsd-4.2.1/nsd-control.8.in      2019-07-09 09:24:21.000000000 +0200
+++ new/nsd-4.2.2/nsd-control.8.in      2019-08-19 11:10:41.000000000 +0200
@@ -1,4 +1,4 @@
-.TH "nsd\-control" "8" "Jul  9, 2019" "NLnet Labs" "nsd 4.2.1"
+.TH "nsd\-control" "8" "Aug 19, 2019" "NLnet Labs" "nsd 4.2.2"
 .\" Copyright (c) 2011, NLnet Labs. All rights reserved.
 .\" See LICENSE for the license.
 .SH "NAME"
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/nsd-4.2.1/nsd-control.c new/nsd-4.2.2/nsd-control.c
--- old/nsd-4.2.1/nsd-control.c 2019-07-09 09:24:20.000000000 +0200
+++ new/nsd-4.2.2/nsd-control.c 2019-08-19 11:10:40.000000000 +0200
@@ -42,8 +42,8 @@
  */
 
 #include "config.h"
+#include <stdio.h>
 #ifdef HAVE_SSL
-
 #include <sys/types.h>
 #include <unistd.h>
 #include <string.h>
@@ -163,6 +163,12 @@
         if((SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv3) & SSL_OP_NO_SSLv3)
                != SSL_OP_NO_SSLv3)
                ssl_err("could not set SSL_OP_NO_SSLv3");
+#if defined(SSL_OP_NO_RENEGOTIATION)
+       /* disable client renegotiation */
+       if((SSL_CTX_set_options(ctx, SSL_OP_NO_RENEGOTIATION) &
+               SSL_OP_NO_RENEGOTIATION) != SSL_OP_NO_RENEGOTIATION)
+               ssl_err("could not set SSL_OP_NO_RENEGOTIATION");
+#endif
        if(!SSL_CTX_use_certificate_file(ctx,c_cert,SSL_FILETYPE_PEM))
                ssl_path_err("Error setting up SSL_CTX client cert", c_cert);
        if(!SSL_CTX_use_PrivateKey_file(ctx,c_key,SSL_FILETYPE_PEM))
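Review bot: When the TLS headers do not define `SSL_OP_NO_RENEGOTIATION`, the `#if defined(...)` block compiles to nothing and renegotiation stays enabled without any trace at build time or run time. The same guard appears in the server.c hunk at `@@ -1696,6 +1699,15 @@`, where the context is set up on the serving side and the silent fallback matters more. An `#else` arm holding at least a comment would make the gap visible, for example `/* this TLS library has no SSL_OP_NO_RENEGOTIATION; renegotiation remains enabled */`. The comment `/* disable client renegotiation */` is also slightly off here, since nsd-control is itself the client end of the connection.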
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/nsd-4.2.1/nsd.8.in new/nsd-4.2.2/nsd.8.in
--- old/nsd-4.2.1/nsd.8.in      2019-07-09 09:24:21.000000000 +0200
+++ new/nsd-4.2.2/nsd.8.in      2019-08-19 11:10:41.000000000 +0200
@@ -1,9 +1,9 @@
-.TH "NSD" "8" "Jul  9, 2019" "NLnet Labs" "NSD 4.2.1"
+.TH "NSD" "8" "Aug 19, 2019" "NLnet Labs" "NSD 4.2.2"
 .\" Copyright (c) 2001\-2008, NLnet Labs. All rights reserved.
 .\" See LICENSE for the license.
 .SH "NAME"
 .B nsd
-\- Name Server Daemon (NSD) version 4.2.1.
+\- Name Server Daemon (NSD) version 4.2.2.
 .SH "SYNOPSIS"
 .B nsd
 .RB [ \-4 ] 
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/nsd-4.2.1/nsd.conf.5.in new/nsd-4.2.2/nsd.conf.5.in
--- old/nsd-4.2.1/nsd.conf.5.in 2019-07-09 09:24:21.000000000 +0200
+++ new/nsd-4.2.2/nsd.conf.5.in 2019-08-19 11:10:41.000000000 +0200
@@ -1,4 +1,4 @@
-.TH "nsd.conf" "5" "Jul  9, 2019" "NLnet Labs" "nsd 4.2.1"
+.TH "nsd.conf" "5" "Aug 19, 2019" "NLnet Labs" "nsd 4.2.2"
 .\" Copyright (c) 2001\-2008, NLnet Labs. All rights reserved.
 .\" See LICENSE for the license.
 .SH "NAME"
@@ -149,7 +149,7 @@
 clause.
 .TP
 .B ip\-address:\fR <ip4 or ip6>[@port]
-NSD will bind to the listed ip\-address. Can be give multiple times 
+NSD will bind to the listed ip\-address. Can be given multiple times 
 to bind multiple ip\-addresses. Optionally, a port number can be given.
 If none are given NSD listens to the wildcard interface. Same as commandline 
option 
 .BR \-a.
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/nsd-4.2.1/server.c new/nsd-4.2.2/server.c
--- old/nsd-4.2.1/server.c      2019-07-09 09:24:20.000000000 +0200
+++ new/nsd-4.2.2/server.c      2019-08-19 11:10:40.000000000 +0200
@@ -1167,9 +1167,12 @@
 #else
        uint32_t v = getpid() ^ time(NULL);
        srandom((unsigned long)v);
+#  ifdef HAVE_SSL
        if(RAND_status() && RAND_bytes((unsigned char*)&v, sizeof(v)) > 0)
                hash_set_raninit(v);
-       else    hash_set_raninit(random());
+       else
+#  endif
+               hash_set_raninit(random());
 #endif
        rrl_mmap_init(nsd->child_count, nsd->options->rrl_size,
                nsd->options->rrl_ratelimit,
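Review bot: In a build without `HAVE_SSL` the value passed to `hash_set_raninit()` now always comes from `random()` seeded with `getpid() ^ time(NULL)`, both of which an outside observer can narrow down, so the hash seed is guessable in that configuration. That deserves a comment at the fallback, for example `/* no crypto RNG in this build: seed derives from pid and time and is predictable */`. A stronger source for this branch would be better still, if the platform offers one. The bare `else` directly before `#  endif` is also fragile, because which statement it governs depends on the preprocessor branch; bracing both arms would make that explicit. The enclosing `#if` starts above the hunk.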
@@ -1696,6 +1699,15 @@
                return 0;
        }
 #endif
+#if defined(SSL_OP_NO_RENEGOTIATION)
+       /* disable client renegotiation */
+       if((SSL_CTX_set_options(ctx, SSL_OP_NO_RENEGOTIATION) &
+               SSL_OP_NO_RENEGOTIATION) != SSL_OP_NO_RENEGOTIATION) {
+               log_crypto_err("could not set SSL_OP_NO_RENEGOTIATION");
+               SSL_CTX_free(ctx);
+               return 0;
+       }
+#endif
 #if defined(SHA256_DIGEST_LENGTH) && defined(SSL_TXT_CHACHA20)
        /* if we have sha256, set the cipher list to have no known vulns */
        if(!SSL_CTX_set_cipher_list(ctx, "ECDHE+AESGCM:ECDHE+CHACHA20"))
@@ -2801,7 +2813,9 @@
                        break;
                }
        }
+#ifdef MEMCLEAN
        event_base_free(event_base);
+#endif
        /* continue to quit after return */
 }
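Review bot: The new `#ifdef MEMCLEAN` around `event_base_free(event_base)` carries no comment saying that the base is deliberately left allocated in normal builds. The nsd-checkzone.c hunk in this same release documents its guard with `/* otherwise, the OS collects memory pages */`, and the same remark here would stop a later reader from "fixing" the apparent leak. If skipping the free is what avoids the exit-time segfault listed in the changelog, the comment should say so as well. The function body starts outside the hunk.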
 
@@ -3096,6 +3110,7 @@
 }
 #endif /* defined(HAVE_SENDMMSG) && !defined(NONBLOCKING_IS_BROKEN) && 
defined(HAVE_RECVMMSG) */
 
+#ifdef HAVE_SSL
 /*
  * Setup an event for the tcp handler.
  */
@@ -3118,6 +3133,7 @@
        if(event_add(&data->event, &timeout) != 0)
                log_msg(LOG_ERR, "event add failed");
 }
+#endif /* HAVE_SSL */
 
 static void
 cleanup_tcp_handler(struct tcp_handler_data* data)
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/nsd-4.2.1/tsig.c new/nsd-4.2.2/tsig.c
--- old/nsd-4.2.1/tsig.c        2019-07-09 09:24:20.000000000 +0200
+++ new/nsd-4.2.2/tsig.c        2019-08-19 11:10:40.000000000 +0200
@@ -19,6 +19,61 @@
 #include "query.h"
 #include "rbtree.h"
 
+#ifndef HAVE_SSL
+/* we need fixed time compare */
+#define CRYPTO_memcmp memcmp_fixedtime
+int memcmp_fixedtime(const void *s1, const void *s2, size_t n)
+{
+       size_t i;
+       const uint8_t* u1 = (const uint8_t*)s1;
+       const uint8_t* u2 = (const uint8_t*)s2;
+       int ret = 0, haveit = 0, bret = 0, bhaveit = 0;
+       /* this routine loops for every byte in the strings.
+        * every loop, it tests ==, < and >.  All three.  One succeeds,
+        * as every time it must be equal, smaller or larger.  The one
+        * that succeeds has one if-comparison and two assignments. */
+       for(i=0; i<n; i++) {
+               if(u1[i] == u2[i]) {
+                       /* waste time equal to < and > statements */
+                       if(haveit) {
+                               bret = -1; /* waste time */
+                               bhaveit = 1;
+                       } else {
+                               bret = 1; /* waste time */
+                               bhaveit = 1;
+                       }
+               }
+               if(u1[i] < u2[i]) {
+                       if(haveit) {
+                               bret = -1; /* waste time equal to the else */
+                               bhaveit = 1;
+                       } else {
+                               ret = -1;
+                               haveit = 1;
+                       }
+               }
+               if(u1[i] > u2[i]) {
+                       if(haveit) {
+                               bret = 1; /* waste time equal to the else */
+                               bhaveit = 1;
+                       } else {
+                               ret = 1;
+                               haveit = 1;
+                       }
+               }
+       }
+       /* use the variables to stop the compiler from excluding them */
+       if(bhaveit) {
+               if(bret == -2)
+                       ret = 0; /* never happens */
+       } else {
+               if(bret == -2)
+                       ret = 0; /* never happens */
+       }
+       return ret;
+}
+#endif
+
 static region_type *tsig_region;
 
 struct tsig_key_table
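Review bot: `memcmp_fixedtime` branches on every byte (`==`, `<`, `>`, then `haveit`), so its running time still depends on the compared data and on how the optimizer treats the otherwise unused `bret`/`bhaveit` bookkeeping. For comparing a MAC, the usual form is a branch-free accumulate over all `n` bytes. The version below returns zero or non-zero only, which is all `CRYPTO_memcmp` promises, but the callers in tsig.c are outside this hunk, so confirm that none of them relies on the sign. The function could also be declared `static` if nothing outside tsig.c refers to it.

```c
int memcmp_fixedtime(const void *s1, const void *s2, size_t n)
{
	const volatile uint8_t* u1 = (const volatile uint8_t*)s1;
	const volatile uint8_t* u2 = (const volatile uint8_t*)s2;
	uint8_t diff = 0;
	size_t i;
	/* no branch on the data: fold every byte difference into diff */
	for(i=0; i<n; i++)
		diff |= (uint8_t)(u1[i] ^ u2[i]);
	return diff; /* 0 if equal, nonzero otherwise; no ordering */
}
```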
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/nsd-4.2.1/xfrd-disk.c new/nsd-4.2.2/xfrd-disk.c
--- old/nsd-4.2.1/xfrd-disk.c   2019-07-09 09:24:20.000000000 +0200
+++ new/nsd-4.2.2/xfrd-disk.c   2019-08-19 11:10:40.000000000 +0200
@@ -289,6 +289,13 @@
                        zone->state = xfrd_zone_refreshing;
                        xfrd_set_refresh_now(zone);
                }
+               if(timeout != 0 && filetime + timeout < (uint32_t)xfrd_time()) {
+                       /* timeout is in the past, refresh the zone */
+                       timeout = 0;
+                       if(zone->state == xfrd_zone_ok)
+                               zone->state = xfrd_zone_refreshing;
+                       xfrd_set_refresh_now(zone);
+               }
 
                /* There is a soa && current time is past expiry point */
                if(soa_disk_acquired_read!=0 &&
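Review bot: `filetime + timeout` in the added condition can wrap if both operands are 32-bit, in which case a timeout far in the future compares as already past and the zone is refreshed immediately. Their declarations are outside the hunk, and `timeout` appears to come from the on-disk state, so the value is not fully under the daemon's control. Widening the sum avoids the wrap: `if(timeout != 0 && (uint64_t)filetime + timeout < (uint64_t)xfrd_time()) {`. The new block also repeats the state change and `xfrd_set_refresh_now(zone)` call of the block just above it, which a short comment could justify. The enclosing loop starts and ends outside the hunk.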
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/nsd-4.2.1/xfrd.c new/nsd-4.2.2/xfrd.c
--- old/nsd-4.2.1/xfrd.c        2019-07-09 09:24:20.000000000 +0200
+++ new/nsd-4.2.2/xfrd.c        2019-08-19 11:10:40.000000000 +0200
@@ -402,6 +402,8 @@
        xfrd_del_tempdir(xfrd->nsd);
 #ifdef HAVE_SSL
        daemon_remote_delete(xfrd->nsd->rc); /* ssl-delete secret keys */
+       if (xfrd->nsd->tls_ctx)
+               SSL_CTX_free(xfrd->nsd->tls_ctx);
 #endif
 #ifdef USE_DNSTAP
        dt_collector_close(nsd.dt_collector, &nsd);
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/nsd-4.2.1/zonec.c new/nsd-4.2.2/zonec.c
--- old/nsd-4.2.1/zonec.c       2019-07-09 09:24:20.000000000 +0200
+++ new/nsd-4.2.2/zonec.c       2019-08-19 11:10:40.000000000 +0200
@@ -1409,8 +1409,10 @@
        assert(zone);
        if (rr->type == TYPE_SOA) {
                if (rr->owner != zone->apex) {
+                       char s[MAXDOMAINLEN*5];
+                       snprintf(s, sizeof(s), "%s", 
domain_to_string(zone->apex));
                        zc_error_prev_line(
-                               "SOA record with invalid domain name");
+                               "SOA record with invalid domain name, '%s' is 
not '%s'", domain_to_string(rr->owner), s);
                        return 0;
                }
                if(has_soa(rr->owner)) {
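Review bot: The copy of the apex into `char s[MAXDOMAINLEN*5]` before the second `domain_to_string()` call has no comment explaining why it is needed, and the same pattern is repeated in the hunk at `@@ -1425,10 +1427,12 @@`. Presumably `domain_to_string()` returns a shared static buffer, so two calls in one argument list would print the same name twice; if so, say it at the first use, for example `/* domain_to_string() reuses one buffer, so copy the apex before formatting the owner */`. Without that note the `snprintf` looks redundant and is likely to be removed in a later cleanup. The function body starts and ends outside the hunk.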
@@ -1425,10 +1427,12 @@
 
        if (!domain_is_subdomain(rr->owner, zone->apex))
        {
+               char s[MAXDOMAINLEN*5];
+               snprintf(s, sizeof(s), "%s", domain_to_string(zone->apex));
                if(zone_is_slave(zone->opts))
-                       zc_warning_prev_line("out of zone data");
+                       zc_warning_prev_line("out of zone data: %s is outside 
the zone for fqdn %s", domain_to_string(rr->owner), s);
                else
-                       zc_error_prev_line("out of zone data");
+                       zc_error_prev_line("out of zone data: %s is outside the 
zone for fqdn %s", domain_to_string(rr->owner), s);
                return 0;
        }
 
@@ -1742,3 +1746,32 @@
        parser_flush();
        return errors;
 }
+
+/** check SSHFP type for failures and emit warnings */
+void check_sshfp(void)
+{
+       uint8_t hash;
+       uint16_t size;
+       if(parser->current_rr.rdata_count < 3)
+               return; /* cannot check it, too few rdata elements */
+       if(!parser->current_rr.rdatas[0].data ||
+               !parser->current_rr.rdatas[1].data ||
+               !parser->current_rr.rdatas[2].data ||
+               !parser->current_rr.owner)
+               return; /* cannot check, NULLs (due to earlier errors) */
+       if(rdata_atom_size(parser->current_rr.rdatas[1]) != 1)
+               return; /* wrong size of the hash type rdata element */
+       hash = rdata_atom_data(parser->current_rr.rdatas[1])[0];
+       size = rdata_atom_size(parser->current_rr.rdatas[2]);
+       if(hash == 1 && size != 20) {
+               zc_warning_prev_line("SSHFP %s of type SHA1 has hash of "
+                       "wrong length, %d bytes, should be 20",
+                       domain_to_string(parser->current_rr.owner),
+                       (int)size);
+       } else if(hash == 2 && size != 32) {
+               zc_warning_prev_line("SSHFP %s of type SHA256 has hash of "
+                       "wrong length, %d bytes, should be 32",
+                       domain_to_string(parser->current_rr.owner),
+                       (int)size);
+       }
+}
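Review bot: The header comment on `check_sshfp()` does not say that the function takes its input from the global `parser->current_rr`, or that it only knows fingerprint types 1 (SHA1) and 2 (SHA256) and silently accepts any other type or length. The same one-line comment is repeated on the declaration in the zonec.h hunk, so callers get no more detail there. A fuller comment would state that it must be called after the three SSHFP rdata atoms have been added, that it returns without a warning when earlier parse errors left NULL atoms or no owner, and that it only warns and never rejects the record. This matters because the function is exported and is called from two grammar actions in zparser.c.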
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/nsd-4.2.1/zonec.h new/nsd-4.2.2/zonec.h
--- old/nsd-4.2.1/zonec.h       2019-07-09 09:24:20.000000000 +0200
+++ new/nsd-4.2.2/zonec.h       2019-08-19 11:10:40.000000000 +0200
@@ -142,5 +142,7 @@
  * The string must end with a newline after the RR. */
 int zonec_parse_string(region_type* region, domain_table_type* domains,
        zone_type* zone, char* str, domain_type** parsed, int* num_rrs);
+/** check SSHFP type for failures and emit warnings */
+void check_sshfp(void);
 
 #endif /* _ZONEC_H_ */
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/nsd-4.2.1/zparser.c new/nsd-4.2.2/zparser.c
--- old/nsd-4.2.1/zparser.c     2019-07-09 09:24:21.000000000 +0200
+++ new/nsd-4.2.2/zparser.c     2019-08-19 11:10:40.000000000 +0200
@@ -688,9 +688,9 @@
      672,   673,   674,   675,   676,   688,   694,   701,   714,   721,
      728,   736,   743,   750,   758,   766,   773,   777,   785,   793,
      805,   813,   819,   825,   833,   843,   855,   863,   873,   876,
-     880,   886,   895,   904,   912,   918,   933,   943,   958,   968,
-     977,   986,   995,  1036,  1040,  1044,  1051,  1058,  1065,  1072,
-    1078,  1085,  1094,  1103,  1110,  1120,  1126,  1130
+     880,   886,   895,   904,   913,   919,   934,   944,   959,   969,
+     978,   987,   996,  1041,  1045,  1049,  1056,  1063,  1070,  1077,
+    1083,  1090,  1099,  1108,  1115,  1125,  1131,  1135
 };
 #endif
 
@@ -2717,7 +2717,7 @@
 
   case 144:
 #line 636 "zparser.y" /* yacc.c:1648  */
-    { (yyval.type) = (yyvsp[-2].type); parse_unknown_rdata((yyvsp[-2].type), 
(yyvsp[0].unknown)); }
+    { (yyval.type) = (yyvsp[-2].type); parse_unknown_rdata((yyvsp[-2].type), 
(yyvsp[0].unknown)); check_sshfp(); }
 #line 2722 "zparser.c" /* yacc.c:1648  */
     break;
 
@@ -3115,20 +3115,21 @@
            zadd_rdata_wireformat(zparser_conv_byte(parser->region, 
(yyvsp[-5].data).str)); /* alg */
            zadd_rdata_wireformat(zparser_conv_byte(parser->region, 
(yyvsp[-3].data).str)); /* fp type */
            zadd_rdata_wireformat(zparser_conv_hex(parser->region, 
(yyvsp[-1].data).str, (yyvsp[-1].data).len)); /* hash */
+           check_sshfp();
     }
-#line 3120 "zparser.c" /* yacc.c:1648  */
+#line 3121 "zparser.c" /* yacc.c:1648  */
     break;
 
   case 214:
-#line 913 "zparser.y" /* yacc.c:1648  */
+#line 914 "zparser.y" /* yacc.c:1648  */
     {
            zadd_rdata_wireformat(zparser_conv_b64(parser->region, 
(yyvsp[-1].data).str)); /* data blob */
     }
-#line 3128 "zparser.c" /* yacc.c:1648  */
+#line 3129 "zparser.c" /* yacc.c:1648  */
     break;
 
   case 215:
-#line 919 "zparser.y" /* yacc.c:1648  */
+#line 920 "zparser.y" /* yacc.c:1648  */
     {
            zadd_rdata_wireformat(zparser_conv_rrtype(parser->region, 
(yyvsp[-17].data).str)); /* rr covered */
            zadd_rdata_wireformat(zparser_conv_algorithm(parser->region, 
(yyvsp[-15].data).str)); /* alg */
@@ -3141,11 +3142,11 @@
                                (const uint8_t*) 
(yyvsp[-3].data).str,(yyvsp[-3].data).len)); /* sig name */
            zadd_rdata_wireformat(zparser_conv_b64(parser->region, 
(yyvsp[-1].data).str)); /* sig data */
     }
-#line 3145 "zparser.c" /* yacc.c:1648  */
+#line 3146 "zparser.c" /* yacc.c:1648  */
     break;
 
   case 216:
-#line 934 "zparser.y" /* yacc.c:1648  */
+#line 935 "zparser.y" /* yacc.c:1648  */
     {
            zadd_rdata_wireformat(zparser_conv_dns_name(parser->region, 
                                (const uint8_t*) (yyvsp[-1].data).str, 
(yyvsp[-1].data).len)); /* nsec name */
@@ -3153,11 +3154,11 @@
            memset(nsecbits, 0, sizeof(nsecbits));
             nsec_highest_rcode = 0;
     }
-#line 3157 "zparser.c" /* yacc.c:1648  */
+#line 3158 "zparser.c" /* yacc.c:1648  */
     break;
 
   case 217:
-#line 944 "zparser.y" /* yacc.c:1648  */
+#line 945 "zparser.y" /* yacc.c:1648  */
     {
 #ifdef NSEC3
            nsec3_add_params((yyvsp[-9].data).str, (yyvsp[-7].data).str, 
(yyvsp[-5].data).str, (yyvsp[-3].data).str, (yyvsp[-3].data).len);
@@ -3170,11 +3171,11 @@
            zc_error_prev_line("nsec3 not supported");
 #endif /* NSEC3 */
     }
-#line 3174 "zparser.c" /* yacc.c:1648  */
+#line 3175 "zparser.c" /* yacc.c:1648  */
     break;
 
   case 218:
-#line 959 "zparser.y" /* yacc.c:1648  */
+#line 960 "zparser.y" /* yacc.c:1648  */
     {
 #ifdef NSEC3
            nsec3_add_params((yyvsp[-7].data).str, (yyvsp[-5].data).str, 
(yyvsp[-3].data).str, (yyvsp[-1].data).str, (yyvsp[-1].data).len);
@@ -3182,44 +3183,44 @@
            zc_error_prev_line("nsec3 not supported");
 #endif /* NSEC3 */
     }
-#line 3186 "zparser.c" /* yacc.c:1648  */
+#line 3187 "zparser.c" /* yacc.c:1648  */
     break;
 
   case 219:
-#line 969 "zparser.y" /* yacc.c:1648  */
+#line 970 "zparser.y" /* yacc.c:1648  */
     {
            zadd_rdata_wireformat(zparser_conv_byte(parser->region, 
(yyvsp[-7].data).str)); /* usage */
            zadd_rdata_wireformat(zparser_conv_byte(parser->region, 
(yyvsp[-5].data).str)); /* selector */
            zadd_rdata_wireformat(zparser_conv_byte(parser->region, 
(yyvsp[-3].data).str)); /* matching type */
            zadd_rdata_wireformat(zparser_conv_hex(parser->region, 
(yyvsp[-1].data).str, (yyvsp[-1].data).len)); /* ca data */
     }
-#line 3197 "zparser.c" /* yacc.c:1648  */
+#line 3198 "zparser.c" /* yacc.c:1648  */
     break;
 
   case 220:
-#line 978 "zparser.y" /* yacc.c:1648  */
+#line 979 "zparser.y" /* yacc.c:1648  */
     {
            zadd_rdata_wireformat(zparser_conv_byte(parser->region, 
(yyvsp[-7].data).str)); /* usage */
            zadd_rdata_wireformat(zparser_conv_byte(parser->region, 
(yyvsp[-5].data).str)); /* selector */
            zadd_rdata_wireformat(zparser_conv_byte(parser->region, 
(yyvsp[-3].data).str)); /* matching type */
            zadd_rdata_wireformat(zparser_conv_hex(parser->region, 
(yyvsp[-1].data).str, (yyvsp[-1].data).len)); /* ca data */
     }
-#line 3208 "zparser.c" /* yacc.c:1648  */
+#line 3209 "zparser.c" /* yacc.c:1648  */
     break;
 
   case 221:
-#line 987 "zparser.y" /* yacc.c:1648  */
+#line 988 "zparser.y" /* yacc.c:1648  */
     {
            zadd_rdata_wireformat(zparser_conv_short(parser->region, 
(yyvsp[-7].data).str)); /* flags */
            zadd_rdata_wireformat(zparser_conv_byte(parser->region, 
(yyvsp[-5].data).str)); /* proto */
            zadd_rdata_wireformat(zparser_conv_algorithm(parser->region, 
(yyvsp[-3].data).str)); /* alg */
            zadd_rdata_wireformat(zparser_conv_b64(parser->region, 
(yyvsp[-1].data).str)); /* hash */
     }
-#line 3219 "zparser.c" /* yacc.c:1648  */
+#line 3220 "zparser.c" /* yacc.c:1648  */
     break;
 
   case 222:
-#line 996 "zparser.y" /* yacc.c:1648  */
+#line 997 "zparser.y" /* yacc.c:1648  */
     {
            const dname_type* name = 0;
            zadd_rdata_wireformat(zparser_conv_byte(parser->region, 
(yyvsp[-6].data).str)); /* precedence */
@@ -3247,6 +3248,10 @@
                                if(parser->origin == error_domain) {
                                        zc_error("cannot concatenate origin to 
domain name, because origin failed to parse");
                                        break;
+                               } else if(name->name_size + 
domain_dname(parser->origin)->name_size - 1 > MAXDOMAINLEN) {
+                                       zc_error("ipsec gateway name exceeds %d 
character limit",
+                                               MAXDOMAINLEN);
+                                       break;
                                }
                                name = dname_concatenate(parser->rr_region, 
name, 
                                        domain_dname(parser->origin));
@@ -3258,99 +3263,99 @@
                        zc_error_prev_line("unknown IPSECKEY gateway type");
            }
     }
-#line 3262 "zparser.c" /* yacc.c:1648  */
+#line 3267 "zparser.c" /* yacc.c:1648  */
     break;
 
   case 223:
-#line 1037 "zparser.y" /* yacc.c:1648  */
+#line 1042 "zparser.y" /* yacc.c:1648  */
     {
           zadd_rdata_wireformat(zparser_conv_b64(parser->region, 
(yyvsp[-1].data).str)); /* public key */
     }
-#line 3270 "zparser.c" /* yacc.c:1648  */
+#line 3275 "zparser.c" /* yacc.c:1648  */
     break;
 
   case 225:
-#line 1045 "zparser.y" /* yacc.c:1648  */
+#line 1050 "zparser.y" /* yacc.c:1648  */
     {
            zadd_rdata_wireformat(zparser_conv_short(parser->region, 
(yyvsp[-3].data).str));  /* preference */
            zadd_rdata_wireformat(zparser_conv_ilnp64(parser->region, 
(yyvsp[-1].data).str));  /* NodeID */
     }
-#line 3279 "zparser.c" /* yacc.c:1648  */
+#line 3284 "zparser.c" /* yacc.c:1648  */
     break;
 
   case 226:
-#line 1052 "zparser.y" /* yacc.c:1648  */
+#line 1057 "zparser.y" /* yacc.c:1648  */
     {
            zadd_rdata_wireformat(zparser_conv_short(parser->region, 
(yyvsp[-3].data).str));  /* preference */
            zadd_rdata_wireformat(zparser_conv_a(parser->region, 
(yyvsp[-1].data).str));  /* Locator32 */
     }
-#line 3288 "zparser.c" /* yacc.c:1648  */
+#line 3293 "zparser.c" /* yacc.c:1648  */
     break;
 
   case 227:
-#line 1059 "zparser.y" /* yacc.c:1648  */
+#line 1064 "zparser.y" /* yacc.c:1648  */
     {
            zadd_rdata_wireformat(zparser_conv_short(parser->region, 
(yyvsp[-3].data).str));  /* preference */
            zadd_rdata_wireformat(zparser_conv_ilnp64(parser->region, 
(yyvsp[-1].data).str));  /* Locator64 */
     }
-#line 3297 "zparser.c" /* yacc.c:1648  */
+#line 3302 "zparser.c" /* yacc.c:1648  */
     break;
 
   case 228:
-#line 1066 "zparser.y" /* yacc.c:1648  */
+#line 1071 "zparser.y" /* yacc.c:1648  */
     {
            zadd_rdata_wireformat(zparser_conv_short(parser->region, 
(yyvsp[-3].data).str));  /* preference */
            zadd_rdata_domain((yyvsp[-1].domain));  /* FQDN */
     }
-#line 3306 "zparser.c" /* yacc.c:1648  */
+#line 3311 "zparser.c" /* yacc.c:1648  */
     break;
 
   case 229:
-#line 1073 "zparser.y" /* yacc.c:1648  */
+#line 1078 "zparser.y" /* yacc.c:1648  */
     {
            zadd_rdata_wireformat(zparser_conv_eui(parser->region, 
(yyvsp[-1].data).str, 48));
     }
-#line 3314 "zparser.c" /* yacc.c:1648  */
+#line 3319 "zparser.c" /* yacc.c:1648  */
     break;
 
   case 230:
-#line 1079 "zparser.y" /* yacc.c:1648  */
+#line 1084 "zparser.y" /* yacc.c:1648  */
     {
            zadd_rdata_wireformat(zparser_conv_eui(parser->region, 
(yyvsp[-1].data).str, 64));
     }
-#line 3322 "zparser.c" /* yacc.c:1648  */
+#line 3327 "zparser.c" /* yacc.c:1648  */
     break;
 
   case 231:
-#line 1086 "zparser.y" /* yacc.c:1648  */
+#line 1091 "zparser.y" /* yacc.c:1648  */
     {
            zadd_rdata_wireformat(zparser_conv_short(parser->region, 
(yyvsp[-5].data).str)); /* priority */
            zadd_rdata_wireformat(zparser_conv_short(parser->region, 
(yyvsp[-3].data).str)); /* weight */
            zadd_rdata_wireformat(zparser_conv_long_text(parser->region, 
(yyvsp[-1].data).str, (yyvsp[-1].data).len)); /* target */
     }
-#line 3332 "zparser.c" /* yacc.c:1648  */
+#line 3337 "zparser.c" /* yacc.c:1648  */
     break;
 
   case 232:
-#line 1095 "zparser.y" /* yacc.c:1648  */
+#line 1100 "zparser.y" /* yacc.c:1648  */
     {
            zadd_rdata_wireformat(zparser_conv_byte(parser->region, 
(yyvsp[-5].data).str)); /* Flags */
            zadd_rdata_wireformat(zparser_conv_tag(parser->region, 
(yyvsp[-3].data).str, (yyvsp[-3].data).len)); /* Tag */
            zadd_rdata_wireformat(zparser_conv_long_text(parser->region, 
(yyvsp[-1].data).str, (yyvsp[-1].data).len)); /* Value */
     }
-#line 3342 "zparser.c" /* yacc.c:1648  */
+#line 3347 "zparser.c" /* yacc.c:1648  */
     break;
 
   case 233:
-#line 1104 "zparser.y" /* yacc.c:1648  */
+#line 1109 "zparser.y" /* yacc.c:1648  */
     {
            zadd_rdata_wireformat(zparser_conv_b64(parser->region, 
(yyvsp[-1].data).str));
     }
-#line 3350 "zparser.c" /* yacc.c:1648  */
+#line 3355 "zparser.c" /* yacc.c:1648  */
     break;
 
   case 234:
-#line 1111 "zparser.y" /* yacc.c:1648  */
+#line 1116 "zparser.y" /* yacc.c:1648  */
     {
            zadd_rdata_wireformat(zparser_conv_serial(parser->region, 
(yyvsp[-3].data).str));
            zadd_rdata_wireformat(zparser_conv_short(parser->region, 
(yyvsp[-1].data).str));
@@ -3358,37 +3363,37 @@
            memset(nsecbits, 0, sizeof(nsecbits));
             nsec_highest_rcode = 0;
     }
-#line 3362 "zparser.c" /* yacc.c:1648  */
+#line 3367 "zparser.c" /* yacc.c:1648  */
     break;
 
   case 235:
-#line 1121 "zparser.y" /* yacc.c:1648  */
+#line 1126 "zparser.y" /* yacc.c:1648  */
     {
            /* $2 is the number of octets, currently ignored */
            (yyval.unknown) = zparser_conv_hex(parser->rr_region, 
(yyvsp[-1].data).str, (yyvsp[-1].data).len);
 
     }
-#line 3372 "zparser.c" /* yacc.c:1648  */
+#line 3377 "zparser.c" /* yacc.c:1648  */
     break;
 
   case 236:
-#line 1127 "zparser.y" /* yacc.c:1648  */
+#line 1132 "zparser.y" /* yacc.c:1648  */
     {
            (yyval.unknown) = zparser_conv_hex(parser->rr_region, "", 0);
     }
-#line 3380 "zparser.c" /* yacc.c:1648  */
+#line 3385 "zparser.c" /* yacc.c:1648  */
     break;
 
   case 237:
-#line 1131 "zparser.y" /* yacc.c:1648  */
+#line 1136 "zparser.y" /* yacc.c:1648  */
     {
            (yyval.unknown) = zparser_conv_hex(parser->rr_region, "", 0);
     }
-#line 3388 "zparser.c" /* yacc.c:1648  */
+#line 3393 "zparser.c" /* yacc.c:1648  */
     break;
 
 
-#line 3392 "zparser.c" /* yacc.c:1648  */
+#line 3397 "zparser.c" /* yacc.c:1648  */
       default: break;
     }
   /* User semantic actions sometimes alter yychar, and that requires
@@ -3616,7 +3621,7 @@
 #endif
   return yyresult;
 }
-#line 1135 "zparser.y" /* yacc.c:1907  */
+#line 1140 "zparser.y" /* yacc.c:1907  */
 
 
 int
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/nsd-4.2.1/zparser.y new/nsd-4.2.2/zparser.y
--- old/nsd-4.2.1/zparser.y     2019-07-09 09:24:20.000000000 +0200
+++ new/nsd-4.2.2/zparser.y     2019-08-19 11:10:40.000000000 +0200
@@ -633,7 +633,7 @@
     |  T_DLV sp rdata_dlv { if (dlv_warn) { dlv_warn = 0; 
zc_warning_prev_line("DLV is experimental"); } }
     |  T_DLV sp rdata_unknown { if (dlv_warn) { dlv_warn = 0; 
zc_warning_prev_line("DLV is experimental"); } $$ = $1; parse_unknown_rdata($1, 
$3); }
     |  T_SSHFP sp rdata_sshfp
-    |  T_SSHFP sp rdata_unknown { $$ = $1; parse_unknown_rdata($1, $3); }
+    |  T_SSHFP sp rdata_unknown { $$ = $1; parse_unknown_rdata($1, $3); 
check_sshfp(); }
     |  T_RRSIG sp rdata_rrsig
     |  T_RRSIG sp rdata_unknown { $$ = $1; parse_unknown_rdata($1, $3); }
     |  T_NSEC sp rdata_nsec
@@ -906,6 +906,7 @@
            zadd_rdata_wireformat(zparser_conv_byte(parser->region, $1.str)); 
/* alg */
            zadd_rdata_wireformat(zparser_conv_byte(parser->region, $3.str)); 
/* fp type */
            zadd_rdata_wireformat(zparser_conv_hex(parser->region, $5.str, 
$5.len)); /* hash */
+           check_sshfp();
     }
     ;
 
@@ -1020,6 +1021,10 @@
                                if(parser->origin == error_domain) {
                                        zc_error("cannot concatenate origin to 
domain name, because origin failed to parse");
                                        break;
+                               } else if(name->name_size + 
domain_dname(parser->origin)->name_size - 1 > MAXDOMAINLEN) {
+                                       zc_error("ipsec gateway name exceeds %d 
character limit",
+                                               MAXDOMAINLEN);
+                                       break;
                                }
                                name = dname_concatenate(parser->rr_region, 
name, 
                                        domain_dname(parser->origin));
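Review bot: The new `else if` length guard protects only this IPSECKEY gateway call site; `dname_concatenate()` itself is not shown, so the hunk does not establish that the function rejects an oversized result on its own. The changelog says the overflow is caught only when assertions are enabled, so if that is still the case, any other caller that appends the origin to a relative name needs the same bound, or the check belongs inside the function with a NULL return that callers test. The message also speaks of a "character limit" while the comparison sums `name_size` fields, which look like wire-format octet counts; `"ipsec gateway name exceeds %d octet limit"` would be closer to what is tested. A short comment on the `- 1`, for example `/* both sizes appear to include the root label; the result has only one */`, would help once confirmed against the dname definition. The enclosing grammar action starts and ends outside this hunk, and the generated copy in zparser.c carries the same lines.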


