Skip to content

Commit

Permalink
- Fix for the DNSBomb vulnerability CVE-2024-33655. Thanks to Xiang Li
Browse files Browse the repository at this point in the history
  from the Network and Information Security Lab of Tsinghua University
  for reporting it.
  • Loading branch information
wcawijngaards committed May 1, 2024
1 parent 9abed3f commit c3206f4
Show file tree
Hide file tree
Showing 20 changed files with 412 additions and 3 deletions.
5 changes: 5 additions & 0 deletions doc/Changelog
Original file line number Diff line number Diff line change
@@ -1,3 +1,8 @@
1 May 2024: Wouter
- Fix for the DNSBomb vulnerability CVE-2024-33655. Thanks to Xiang Li
from the Network and Information Security Lab of Tsinghua University
for reporting it.

29 April 2024: Yorgos
- Cleanup unnecessary strdup calls for EDE strings.

Expand Down
15 changes: 15 additions & 0 deletions doc/example.conf.in
Original file line number Diff line number Diff line change
Expand Up @@ -191,6 +191,21 @@ server:
# are behind a slow satellite link, to eg. 1128.
# unknown-server-time-limit: 376

# msec before recursion replies are dropped. The work item continues.
# discard-timeout: 1900

# Max number of replies waiting for recursion per IP address.
# wait-limit: 1000

# Max replies waiting for recursion for IP address with cookie.
# wait-limit-cookie: 10000

# Apart from the default, the wait limit can be set for a netblock.
# wait-limit-netblock: 192.0.2.0/24 50000

# Apart from the default, the wait limit with cookie can be adjusted.
# wait-limit-cookie-netblock: 192.0.2.0/24 50000

# the amount of memory to use for the RRset cache.
# plain value in bytes or you can append k, m or G. default is "4Mb".
# rrset-cache-size: 4m
Expand Down
30 changes: 30 additions & 0 deletions doc/unbound.conf.5.in
Original file line number Diff line number Diff line change
Expand Up @@ -302,6 +302,36 @@ Increase this if you are behind a slow satellite link, to eg. 1128.
That would then avoid re\-querying every initial query because it times out.
Default is 376 msec.
.TP
.B discard\-timeout: \fI<msec>
The wait time in msec where recursion requests are dropped. This is
to stop a large number of replies from accumulating. They receive
no reply, the work item continues to recurse. It is nice to be a bit
larger than serve\-expired\-client\-timeout if that is enabled.
A value of 1900 msec is suggested. The value 0 disables it.
Default 1900 msec.
.TP
.B wait\-limit: \fI<number>
The number of replies that can wait for recursion, for an IP address.
This makes a ratelimit per IP address of waiting replies for recursion.
It stops very large amounts of queries waiting to be returned to one
destination. The value 0 disables wait limits. Default is 1000.
.TP
.B wait\-limit\-cookie: \fI<number>
The number of replies that can wait for recursion, for an IP address
that sent the query with a valid DNS cookie. Since the cookie validates
the client address, the limit can be higher. Default is 10000.
.TP
.B wait\-limit\-netblock: \fI<netblock> <number>
The wait limit for the netblock. If not given the wait\-limit value is
used. The most specific netblock is used to determine the limit. Useful for
overriding the default for a specific, group or individual, server.
The value -1 disables wait limits for the netblock.
.TP
.B wait\-limit\-cookie\-netblock: \fI<netblock> <number>
The wait limit for the netblock, when the query has a DNS cookie.
If not given, the wait\-limit\-cookie value is used.
The value -1 disables wait limits for the netblock.
.TP
.B so\-rcvbuf: \fI<number>
If not 0, then set the SO_RCVBUF socket option to get more buffer
space on UDP port 53 incoming queries. So that short spikes on busy
Expand Down
170 changes: 168 additions & 2 deletions services/cache/infra.c
Original file line number Diff line number Diff line change
Expand Up @@ -234,6 +234,81 @@ setup_domain_limits(struct infra_cache* infra, struct config_file* cfg)
return 1;
}

/** find or create element in wait limit netblock tree */
static struct wait_limit_netblock_info*
wait_limit_netblock_findcreate(struct infra_cache* infra, char* str,
int cookie)
{
rbtree_type* tree;
struct sockaddr_storage addr;
int net;
socklen_t addrlen;
struct wait_limit_netblock_info* d;

if(!netblockstrtoaddr(str, 0, &addr, &addrlen, &net)) {
log_err("cannot parse wait limit netblock '%s'", str);
return 0;
}

/* can we find it? */
if(cookie)
tree = &infra->wait_limits_cookie_netblock;
else
tree = &infra->wait_limits_netblock;
d = (struct wait_limit_netblock_info*)addr_tree_find(tree, &addr,
addrlen, net);
if(d)
return d;

/* create it */
d = (struct wait_limit_netblock_info*)calloc(1, sizeof(*d));
if(!d)
return NULL;
d->limit = -1;
if(!addr_tree_insert(tree, &d->node, &addr, addrlen, net)) {
log_err("duplicate element in domainlimit tree");
free(d);
return NULL;
}
return d;
}


/** insert wait limit information into lookup tree */
static int
infra_wait_limit_netblock_insert(struct infra_cache* infra,
struct config_file* cfg)
{
struct config_str2list* p;
struct wait_limit_netblock_info* d;
for(p = cfg->wait_limit_netblock; p; p = p->next) {
d = wait_limit_netblock_findcreate(infra, p->str, 0);
if(!d)
return 0;
d->limit = atoi(p->str2);
}
for(p = cfg->wait_limit_cookie_netblock; p; p = p->next) {
d = wait_limit_netblock_findcreate(infra, p->str, 1);
if(!d)
return 0;
d->limit = atoi(p->str2);
}
return 1;
}

/** setup wait limits tree (0 on failure) */
static int
setup_wait_limits(struct infra_cache* infra, struct config_file* cfg)
{
addr_tree_init(&infra->wait_limits_netblock);
addr_tree_init(&infra->wait_limits_cookie_netblock);
if(!infra_wait_limit_netblock_insert(infra, cfg))
return 0;
addr_tree_init_parents(&infra->wait_limits_netblock);
addr_tree_init_parents(&infra->wait_limits_cookie_netblock);
return 1;
}

struct infra_cache*
infra_create(struct config_file* cfg)
{
Expand Down Expand Up @@ -267,6 +342,10 @@ infra_create(struct config_file* cfg)
infra_delete(infra);
return NULL;
}
if(!setup_wait_limits(infra, cfg)) {
infra_delete(infra);
return NULL;
}
infra_ip_ratelimit = cfg->ip_ratelimit;
infra->client_ip_rates = slabhash_create(cfg->ip_ratelimit_slabs,
INFRA_HOST_STARTSIZE, cfg->ip_ratelimit_size, &ip_rate_sizefunc,
Expand All @@ -287,6 +366,12 @@ static void domain_limit_free(rbnode_type* n, void* ATTR_UNUSED(arg))
}
}

/** delete wait_limit_netblock_info entries */
static void wait_limit_netblock_del(rbnode_type* n, void* ATTR_UNUSED(arg))
{
free(n);
}

void
infra_delete(struct infra_cache* infra)
{
Expand All @@ -296,6 +381,10 @@ infra_delete(struct infra_cache* infra)
slabhash_delete(infra->domain_rates);
traverse_postorder(&infra->domain_limits, domain_limit_free, NULL);
slabhash_delete(infra->client_ip_rates);
traverse_postorder(&infra->wait_limits_netblock,
wait_limit_netblock_del, NULL);
traverse_postorder(&infra->wait_limits_cookie_netblock,
wait_limit_netblock_del, NULL);
free(infra);
}

Expand Down Expand Up @@ -880,7 +969,8 @@ static void infra_create_ratedata(struct infra_cache* infra,

/** create rate data item for ip address */
static void infra_ip_create_ratedata(struct infra_cache* infra,
struct sockaddr_storage* addr, socklen_t addrlen, time_t timenow)
struct sockaddr_storage* addr, socklen_t addrlen, time_t timenow,
int mesh_wait)
{
hashvalue_type h = hash_addr(addr, addrlen, 0);
struct ip_rate_key* k = (struct ip_rate_key*)calloc(1, sizeof(*k));
Expand All @@ -898,6 +988,7 @@ static void infra_ip_create_ratedata(struct infra_cache* infra,
k->entry.data = d;
d->qps[0] = 1;
d->timestamp[0] = timenow;
d->mesh_wait = mesh_wait;
slabhash_insert(infra->client_ip_rates, h, &k->entry, d, NULL);
}

Expand Down Expand Up @@ -1121,6 +1212,81 @@ int infra_ip_ratelimit_inc(struct infra_cache* infra,
}

/* create */
infra_ip_create_ratedata(infra, addr, addrlen, timenow);
infra_ip_create_ratedata(infra, addr, addrlen, timenow, 0);
return 1;
}

int infra_wait_limit_allowed(struct infra_cache* infra, struct comm_reply* rep,
int cookie_valid, struct config_file* cfg)
{
struct lruhash_entry* entry;
if(cfg->wait_limit == 0)
return 1;

entry = infra_find_ip_ratedata(infra, &rep->client_addr,
rep->client_addrlen, 0);
if(entry) {
rbtree_type* tree;
struct wait_limit_netblock_info* w;
struct rate_data* d = (struct rate_data*)entry->data;
int mesh_wait = d->mesh_wait;
lock_rw_unlock(&entry->lock);

/* have the wait amount, check how much is allowed */
if(cookie_valid)
tree = &infra->wait_limits_cookie_netblock;
else tree = &infra->wait_limits_netblock;
w = (struct wait_limit_netblock_info*)addr_tree_lookup(tree,
&rep->client_addr, rep->client_addrlen);
if(w) {
if(w->limit != -1 && mesh_wait > w->limit)
return 0;
} else {
/* if there is no IP netblock specific information,
* use the configured value. */
if(mesh_wait > (cookie_valid?cfg->wait_limit_cookie:
cfg->wait_limit))
return 0;
}
}
return 1;
}

void infra_wait_limit_inc(struct infra_cache* infra, struct comm_reply* rep,
time_t timenow, struct config_file* cfg)
{
struct lruhash_entry* entry;
if(cfg->wait_limit == 0)
return;

/* Find it */
entry = infra_find_ip_ratedata(infra, &rep->client_addr,
rep->client_addrlen, 1);
if(entry) {
struct rate_data* d = (struct rate_data*)entry->data;
d->mesh_wait++;
lock_rw_unlock(&entry->lock);
return;
}

/* Create it */
infra_ip_create_ratedata(infra, &rep->client_addr,
rep->client_addrlen, timenow, 1);
}

void infra_wait_limit_dec(struct infra_cache* infra, struct comm_reply* rep,
struct config_file* cfg)
{
struct lruhash_entry* entry;
if(cfg->wait_limit == 0)
return;

entry = infra_find_ip_ratedata(infra, &rep->client_addr,
rep->client_addrlen, 1);
if(entry) {
struct rate_data* d = (struct rate_data*)entry->data;
if(d->mesh_wait > 0)
d->mesh_wait--;
lock_rw_unlock(&entry->lock);
}
}
28 changes: 28 additions & 0 deletions services/cache/infra.h
Original file line number Diff line number Diff line change
Expand Up @@ -122,6 +122,10 @@ struct infra_cache {
rbtree_type domain_limits;
/** hash table with query rates per client ip: ip_rate_key, ip_rate_data */
struct slabhash* client_ip_rates;
/** tree of addr_tree_node, with wait_limit_netblock_info information */
rbtree_type wait_limits_netblock;
/** tree of addr_tree_node, with wait_limit_netblock_info information */
rbtree_type wait_limits_cookie_netblock;
};

/** ratelimit, unless overridden by domain_limits, 0 is off */
Expand Down Expand Up @@ -184,10 +188,22 @@ struct rate_data {
/** what the timestamp is of the qps array members, counter is
* valid for that timestamp. Usually now and now-1. */
time_t timestamp[RATE_WINDOW];
/** the number of queries waiting in the mesh */
int mesh_wait;
};

#define ip_rate_data rate_data

/**
* Data to store the configuration per netblock for the wait limit
*/
struct wait_limit_netblock_info {
/** The addr tree node, this must be first. */
struct addr_tree_node node;
/** the limit on the amount */
int limit;
};

/** infra host cache default hash lookup size */
#define INFRA_HOST_STARTSIZE 32
/** bytes per zonename reserved in the hostcache, dnamelen(zonename.com.) */
Expand Down Expand Up @@ -474,4 +490,16 @@ void ip_rate_delkeyfunc(void* d, void* arg);
/* delete data */
#define ip_rate_deldatafunc rate_deldatafunc

/** See if the IP address can have another reply in the wait limit */
int infra_wait_limit_allowed(struct infra_cache* infra, struct comm_reply* rep,
int cookie_valid, struct config_file* cfg);

/** Increment number of waiting replies for IP */
void infra_wait_limit_inc(struct infra_cache* infra, struct comm_reply* rep,
time_t timenow, struct config_file* cfg);

/** Decrement number of waiting replies for IP */
void infra_wait_limit_dec(struct infra_cache* infra, struct comm_reply* rep,
struct config_file* cfg);

#endif /* SERVICES_CACHE_INFRA_H */
Loading

0 comments on commit c3206f4

Please sign in to comment.