From fdabf4b9570a60688f9f7d1e88d885f7a3718bca Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Ond=C5=99ej=20Sur=C3=BD?= <ondrej@isc.org>
Date: Fri, 1 Mar 2024 08:26:07 +0100
Subject: [PATCH 1/3] Add a limit to the number of RRs in RRSets
 
Previously, the number of RRs in the RRSets were internally unlimited.
As the data structure that holds the RRs is just a linked list, and
there are places where we just walk through all of the RRs, adding an
RRSet with huge number of RRs inside would slow down processing of said
RRSets.
 
The fix for end-of-life branches make the limit compile-time only for
simplicity and the limit can be changed at the compile time by adding
following define to CFLAGS:
 
    -DDNS_RDATASET_MAX_RECORDS=<limit>
 
(cherry picked from commit c5c4d00c38530390c9e1ae4c98b65fbbadfe9e5e)
 
Conflict:NA
Reference:https://gitlab.isc.org/isc-projects/bind9/-/commit/5360c90612abf51deb4a80b30e1da84fd61212a5
 
---
 bind/bind-9.11.36/configure           |  2 +-
 bind/bind-9.11.36/configure.ac        |  2 +-
 bind/bind-9.11.36/lib/dns/rdataslab.c | 12 ++++++++++++
 3 files changed, 14 insertions(+), 2 deletions(-)
 
diff --git a/bind/bind-9.11.36/configure b/bind/bind-9.11.36/configure
index 368112f..736ff49 100755
--- a/bind/bind-9.11.36/configure
+++ b/bind/bind-9.11.36/configure
@@ -12185,7 +12185,7 @@ fi
 XTARGETS=
 case "$enable_developer" in
 yes)
-	STD_CDEFINES="$STD_CDEFINES -DISC_LIST_CHECKINIT=1"
+	STD_CDEFINES="$STD_CDEFINES -DISC_LIST_CHECKINIT=1 -DDNS_RDATASET_MAX_RECORDS=5000"
 	test "${enable_fixed_rrset+set}" = set || enable_fixed_rrset=yes
 	test "${enable_querytrace+set}" = set || enable_querytrace=yes
 	test "${enable_filter_aaaa+set}" = set || enable_filter_aaaa=yes
diff --git a/bind/bind-9.11.36/configure.ac b/bind/bind-9.11.36/configure.ac
index 030c4d7..cc36b6c 100644
--- a/bind/bind-9.11.36/configure.ac
+++ b/bind/bind-9.11.36/configure.ac
@@ -100,7 +100,7 @@ AC_ARG_ENABLE(developer,
 XTARGETS=
 case "$enable_developer" in
 yes)
-	STD_CDEFINES="$STD_CDEFINES -DISC_LIST_CHECKINIT=1"
+	STD_CDEFINES="$STD_CDEFINES -DISC_LIST_CHECKINIT=1 -DDNS_RDATASET_MAX_RECORDS=5000"
 	test "${enable_fixed_rrset+set}" = set || enable_fixed_rrset=yes
 	test "${enable_querytrace+set}" = set || enable_querytrace=yes
 	test "${enable_filter_aaaa+set}" = set || enable_filter_aaaa=yes
diff --git a/bind/bind-9.11.36/lib/dns/rdataslab.c b/bind/bind-9.11.36/lib/dns/rdataslab.c
index b0f77b1..347b7d2 100644
--- a/bind/bind-9.11.36/lib/dns/rdataslab.c
+++ b/bind/bind-9.11.36/lib/dns/rdataslab.c
@@ -115,6 +115,10 @@ fillin_offsets(unsigned char *offsetbase, unsigned int *offsettable,
 }
 #endif
 
+#ifndef DNS_RDATASET_MAX_RECORDS
+#define DNS_RDATASET_MAX_RECORDS 100
+#endif /* DNS_RDATASET_MAX_RECORDS */
+
 isc_result_t
 dns_rdataslab_fromrdataset(dns_rdataset_t *rdataset, isc_mem_t *mctx,
 			   isc_region_t *region, unsigned int reservelen)
@@ -161,6 +165,10 @@ dns_rdataslab_fromrdataset(dns_rdataset_t *rdataset, isc_mem_t *mctx,
 		return (ISC_R_SUCCESS);
 	}
 
+	if (nitems > DNS_RDATASET_MAX_RECORDS) {
+		return (DNS_R_TOOMANYRECORDS);
+	}
+
 	if (nitems > 0xffff)
 		return (ISC_R_NOSPACE);
 
@@ -654,6 +662,10 @@ dns_rdataslab_merge(unsigned char *oslab, unsigned char *nslab,
 #endif
 	INSIST(ocount > 0 && ncount > 0);
 
+	if (ocount + ncount > DNS_RDATASET_MAX_RECORDS) {
+		return (DNS_R_TOOMANYRECORDS);
+	}
+
 #if DNS_RDATASET_FIXED
 	oncount = ncount;
 #endif
-- 
2.33.0