Pi-Hole/dnsmasq
1
0
Fork 0
mirror of https://github.com/pi-hole/dnsmasq.git synced 2025-12-20 02:38:32 +00:00
Code Issues Packages Projects Releases Wiki Activity

Rework validate-by-DS to avoid DoS vuln without arbitrary limits.

Browse Source 
By calculating the hash of a DNSKEY once for each digest algo,
we reduce the hashing work from (no. DS) x (no. DNSKEY) to
(no. DNSKEY) x (no. distinct digests)

The number of distinct digests can never be more than 255 and
it's limited by which hashes we implement, so currently only 4.
This commit is contained in:
Simon Kelley
2024-01-04 15:57:43 +00:00
parent 06945c4b77
commit 6f23a0a75e
5 changed files with 150 additions and 166 deletions
Download Patch File Download Diff File Expand all files Collapse all files

8
src/forward.c
View File

@@ -1350,10 +1350,8 @@ static void return_reply(time_t now, struct frec *forward, struct dns_header *he
}
}
if ((daemon->limit_crypto - forward->validate_counter) > daemon->metrics[METRIC_CRYTO_HWM])
if ((daemon->limit_crypto - forward->validate_counter) > (int)daemon->metrics[METRIC_CRYTO_HWM])
daemon->metrics[METRIC_CRYTO_HWM] = daemon->limit_crypto - forward->validate_counter;
if (extract_request(header, n, daemon->namebuff, NULL))
my_syslog(LOG_INFO, "Validate_counter %s is %d", daemon->namebuff, daemon->limit_crypto - forward->validate_counter); /* TODO */
#endif
if (option_bool(OPT_NO_REBIND))
@@ -2436,10 +2434,8 @@ unsigned char *tcp_request(int confd, time_t now,
log_query(F_SECSTAT, domain, &a, result, 0);
if ((daemon->limit_crypto - validatecount) > daemon->metrics[METRIC_CRYTO_HWM])
if ((daemon->limit_crypto - validatecount) > (int)daemon->metrics[METRIC_CRYTO_HWM])
daemon->metrics[METRIC_CRYTO_HWM] = daemon->limit_crypto - validatecount;
if (extract_request(header, m, daemon->namebuff, NULL))
my_syslog(LOG_INFO, "Validate_counter %s is %d", daemon->namebuff, daemon->limit_crypto - validatecount); /* TODO */
}
#endif