!161 [sync] PR-155: check before use daemon->shm_info

From: @openeuler-sync-bot 
Reviewed-by: @jiangheng12 
Signed-off-by: @jiangheng12

backport-001-CVE-2024-43168.patch

@@ -0,0 +1,28 @@
+From 193401e7543a1e561dd634a3eaae932fa462a2b9 Mon Sep 17 00:00:00 2001
+From: zhailiangliang <zhailiangliang@loongson.cn>
+Date: Wed, 3 Apr 2024 15:40:58 +0800
+Subject: [PATCH] fix heap-buffer-overflow issue in function cfg_mark_ports of
+ file util/config_file.c
+
+---
+ util/config_file.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/util/config_file.c b/util/config_file.c
+index 26185da0..e7b2f195 100644
+--- a/util/config_file.c
++++ b/util/config_file.c
+@@ -1761,6 +1761,10 @@ cfg_mark_ports(const char* str, int allow, int* avail, int num)
+ #endif
+ 	if(!mid) {
+ 		int port = atoi(str);
++		if(port < 0) {
++			log_err("Prevent out-of-bounds access to array avail");
++			return 0;
++		}
+ 		if(port == 0 && strcmp(str, "0") != 0) {
+ 			log_err("cannot parse port number '%s'", str);
+ 			return 0;
+-- 
+2.33.0
+

backport-002-CVE-2024-43168.patch

@@ -0,0 +1,56 @@
+From dfff8d23cf4145c58e5c1e99d4159d3a91a70ab7 Mon Sep 17 00:00:00 2001
+From: "W.C.A. Wijngaards" <wouter@nlnetlabs.nl>
+Date: Wed, 3 Apr 2024 10:16:18 +0200
+Subject: [PATCH] - For #1040: adjust error text and disallow negative ports in
+ other   parts of cfg_mark_ports.
+
+---
+ util/config_file.c | 14 +++++++++++++-
+ 1 files changed, 13 insertions(+), 1 deletion(-)
+
+diff --git a/util/config_file.c b/util/config_file.c
+index e7b2f195..74554286 100644
+--- a/util/config_file.c
++++ b/util/config_file.c
+@@ -1762,7 +1762,7 @@ cfg_mark_ports(const char* str, int allow, int* avail, int num)
+ 	if(!mid) {
+ 		int port = atoi(str);
+ 		if(port < 0) {
+-			log_err("Prevent out-of-bounds access to array avail");
++			log_err("port number is negative: %d", port);
+ 			return 0;
+ 		}
+ 		if(port == 0 && strcmp(str, "0") != 0) {
+@@ -1774,6 +1774,10 @@ cfg_mark_ports(const char* str, int allow, int* avail, int num)
+ 	} else {
+ 		int i, low, high = atoi(mid+1);
+ 		char buf[16];
++		if(high < 0) {
++			log_err("port number is negative: %d", high);
++			return 0;
++		}
+ 		if(high == 0 && strcmp(mid+1, "0") != 0) {
+ 			log_err("cannot parse port number '%s'", mid+1);
+ 			return 0;
+@@ -1786,10 +1790,18 @@ cfg_mark_ports(const char* str, int allow, int* avail, int num)
+ 			memcpy(buf, str, (size_t)(mid-str));
+ 		buf[mid-str] = 0;
+ 		low = atoi(buf);
++		if(low < 0) {
++			log_err("port number is negative: %d", low);
++			return 0;
++		}
+ 		if(low == 0 && strcmp(buf, "0") != 0) {
+ 			log_err("cannot parse port number '%s'", buf);
+ 			return 0;
+ 		}
++		if(high > num) {
++			/* Stop very high values from taking a long time. */
++			high = num;
++		}
+ 		for(i=low; i<=high; i++) {
+ 			if(i < num)
+ 				avail[i] = (allow?i:0);
+-- 
+2.33.0
+

backport-003-CVE-2024-43168.patch

@@ -0,0 +1,135 @@
+From 4497e8a154f53cd5947a6ee5aa65cf99be57152e Mon Sep 17 00:00:00 2001
+From: zhailiangliang <zhailiangliang@loongson.cn>
+Date: Tue, 7 May 2024 11:35:52 +0000
+Subject: [PATCH] Fix potential overflow bug while parsing port in function
+ cfg_mark_ports
+
+---
+ util/config_file.c | 76 ++++++++++++++++++++++++++++++----------------
+ 1 file changed, 50 insertions(+), 26 deletions(-)
+
+diff --git a/util/config_file.c b/util/config_file.c
+index 2b67d4c1..4a3b7d77 100644
+--- a/util/config_file.c
++++ b/util/config_file.c
+@@ -42,6 +42,7 @@
+ #include "config.h"
+ #include <ctype.h>
+ #include <stdarg.h>
++#include <errno.h>
+ #ifdef HAVE_TIME_H
+ #include <time.h>
+ #endif
+@@ -1772,6 +1773,38 @@ init_outgoing_availports(int* a, int num)
+ 	}
+ }
+ 
++static int
++extract_port_from_str(const char* str, int max_port) {
++	char* endptr;
++	if (str == NULL || *str == '\0') {
++		log_err("str: '%s' is invalid", str);
++		return -1;
++	}
++
++	long int value = strtol(str, &endptr, 10);
++	if ((endptr == str) || (*endptr != '\0'))  {
++		log_err("cannot parse port number '%s'", str);
++		return -1;
++	}
++
++	if (errno == ERANGE) {
++                log_err("overflow occurred when parsing '%s'", str);
++		return -1;
++	}
++
++	if (value == 0 && strcmp(str, "0") != 0) {
++		log_err("cannot parse port number '%s'", str);
++		return -1;
++	}
++
++	if (value < 0 || value >= max_port) {
++		log_err(" '%s' is out of bounds [0, %d)", str, max_port);
++		return -1;
++	}
++
++	return (int)value;
++}
++
+ int 
+ cfg_mark_ports(const char* str, int allow, int* avail, int num)
+ {
+@@ -1782,53 +1815,44 @@ cfg_mark_ports(const char* str, int allow, int* avail, int num)
+ 		"options");
+ #endif
+ 	if(!mid) {
+-		int port = atoi(str);
+-		if(port < 0) {
+-			log_err("port number is negative: %d", port);
++		int port = extract_port_from_str(str, num);
++		if (port < 0) {
++			log_err("Failed to parse the port number");
+ 			return 0;
+ 		}
+-		if(port == 0 && strcmp(str, "0") != 0) {
+-			log_err("cannot parse port number '%s'", str);
+-			return 0;
+-		}
+-		if(port < num)
+-			avail[port] = (allow?port:0);
++		avail[port] = (allow?port:0);
+ 	} else {
+-		int i, low, high = atoi(mid+1);
+ 		char buf[16];
+-		if(high < 0) {
+-			log_err("port number is negative: %d", high);
+-			return 0;
+-		}
+-		if(high == 0 && strcmp(mid+1, "0") != 0) {
+-			log_err("cannot parse port number '%s'", mid+1);
++		int i, low;
++		int high = extract_port_from_str(mid+1, num);
++		if (high < 0) {
++			log_err("Failed to parse the port number");
+ 			return 0;
+ 		}
++
+ 		if( (int)(mid-str)+1 >= (int)sizeof(buf) ) {
+ 			log_err("cannot parse port number '%s'", str);
+ 			return 0;
+ 		}
++
+ 		if(mid > str)
+ 			memcpy(buf, str, (size_t)(mid-str));
+ 		buf[mid-str] = 0;
+-		low = atoi(buf);
+-		if(low < 0) {
+-			log_err("port number is negative: %d", low);
++		low = extract_port_from_str(buf, num);
++		if (low < 0) {
++			log_err("Failed to parse the port number");
+ 			return 0;
+ 		}
+-		if(low == 0 && strcmp(buf, "0") != 0) {
+-			log_err("cannot parse port number '%s'", buf);
++
++		if (low > high) {
++			log_err("Low value is greater than high value");
+ 			return 0;
+ 		}
+-		if(high > num) {
+-			/* Stop very high values from taking a long time. */
+-			high = num;
+-		}
++
+ 		for(i=low; i<=high; i++) {
+ 			if(i < num)
+ 				avail[i] = (allow?i:0);
+ 		}
+-		return 1;
+ 	}
+ 	return 1;
+ }
+-- 
+2.33.0
+

backport-004-CVE-2024-43168.patch

@@ -0,0 +1,44 @@
+From c085a53268940dfbb907cbaa7a690740b6c8210c Mon Sep 17 00:00:00 2001
+From: "W.C.A. Wijngaards" <wouter@nlnetlabs.nl>
+Date: Tue, 7 May 2024 14:05:21 +0200
+Subject: [PATCH] - Fix for #1062: declaration before statement, avoid print of
+ null,   and redundant check for array size. And changelog note for merge of
+ #1062.
+
+---
+ util/config_file.c | 8 +++++---
+ 1 files changed, 6 insertions(+), 3 deletions(-)
+
+diff --git a/util/config_file.c b/util/config_file.c
+index 4a3b7d77..2ac6c468 100644
+--- a/util/config_file.c
++++ b/util/config_file.c
+@@ -1776,12 +1776,13 @@ init_outgoing_availports(int* a, int num)
+ static int
+ extract_port_from_str(const char* str, int max_port) {
+ 	char* endptr;
++	long int value;
+ 	if (str == NULL || *str == '\0') {
+-		log_err("str: '%s' is invalid", str);
++		log_err("str: '%s' is invalid", (str?str:"NULL"));
+ 		return -1;
+ 	}
+ 
+-	long int value = strtol(str, &endptr, 10);
++	value = strtol(str, &endptr, 10);
+ 	if ((endptr == str) || (*endptr != '\0'))  {
+ 		log_err("cannot parse port number '%s'", str);
+ 		return -1;
+@@ -1820,7 +1821,8 @@ cfg_mark_ports(const char* str, int allow, int* avail, int num)
+ 			log_err("Failed to parse the port number");
+ 			return 0;
+ 		}
+-		avail[port] = (allow?port:0);
++		if(port < num)
++			avail[port] = (allow?port:0);
+ 	} else {
+ 		char buf[16];
+ 		int i, low;
+-- 
+2.33.0
+

backport-CVE-2024-43167.patch

@@ -0,0 +1,45 @@
+From 8e43e2574c4e02f79c562a061581cdcefe136912 Mon Sep 17 00:00:00 2001
+From: zhailiangliang <zhailiangliang@loongson.cn>
+Date: Tue, 21 May 2024 08:40:16 +0000
+Subject: [PATCH] fix null pointer dereference issue in function ub_ctx_set_fwd
+ of file libunbound/libunbound.c
+
+---
+ libunbound/libunbound.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+diff --git a/libunbound/libunbound.c b/libunbound/libunbound.c
+index 17057ec6..3c895514 100644
+--- a/libunbound/libunbound.c
++++ b/libunbound/libunbound.c
+@@ -981,7 +981,8 @@ ub_ctx_set_fwd(struct ub_ctx* ctx, const char* addr)
+ 	if(!addr) {
+ 		/* disable fwd mode - the root stub should be first. */
+ 		if(ctx->env->cfg->forwards &&
+-			strcmp(ctx->env->cfg->forwards->name, ".") == 0) {
++			(ctx->env->cfg->forwards->name &&
++			strcmp(ctx->env->cfg->forwards->name, ".") == 0)) {
+ 			s = ctx->env->cfg->forwards;
+ 			ctx->env->cfg->forwards = s->next;
+ 			s->next = NULL;
+@@ -1001,7 +1002,8 @@ ub_ctx_set_fwd(struct ub_ctx* ctx, const char* addr)
+ 	/* it parses, add root stub in front of list */
+ 	lock_basic_lock(&ctx->cfglock);
+ 	if(!ctx->env->cfg->forwards ||
+-		strcmp(ctx->env->cfg->forwards->name, ".") != 0) {
++		(ctx->env->cfg->forwards->name &&
++		strcmp(ctx->env->cfg->forwards->name, ".") != 0)) {
+ 		s = calloc(1, sizeof(*s));
+ 		if(!s) {
+ 			lock_basic_unlock(&ctx->cfglock);
+@@ -1019,6 +1021,7 @@ ub_ctx_set_fwd(struct ub_ctx* ctx, const char* addr)
+ 		ctx->env->cfg->forwards = s;
+ 	} else {
+ 		log_assert(ctx->env->cfg->forwards);
++		log_assert(ctx->env->cfg->forwards->name);
+ 		s = ctx->env->cfg->forwards;
+ 	}
+ 	dupl = strdup(addr);
+-- 
+2.33.0
+

backport-CVE-2024-8508.patch

@@ -0,0 +1,246 @@
+From b7c61d7cc256d6a174e6179622c7fa968272c259 Mon Sep 17 00:00:00 2001
+From: Yorgos Thessalonikefs <yorgos@nlnetlabs.nl>
+Date: Thu, 3 Oct 2024 14:46:57 +0200
+Subject: [PATCH] - Fix CVE-2024-8508, unbounded name compression could lead to
+ denial of   service.
+
+---
+ util/data/msgencode.c | 77 ++++++++++++++++++++++++++-----------------
+ 1 file changed, 46 insertions(+), 31 deletions(-)
+
+diff --git a/util/data/msgencode.c b/util/data/msgencode.c
+index 898ff8412..6d116fb52 100644
+--- a/util/data/msgencode.c
++++ b/util/data/msgencode.c
+@@ -62,6 +62,10 @@
+ #define RETVAL_TRUNC	-4
+ /** return code that means all is peachy keen. Equal to DNS rcode NOERROR */
+ #define RETVAL_OK	0
++/** Max compressions we are willing to perform; more than that will result
++ *  in semi-compressed messages, or truncated even on TCP for huge messages, to
++ *  avoid locking the CPU for long */
++#define MAX_COMPRESSION_PER_MESSAGE 120
+ 
+ /**
+  * Data structure to help domain name compression in outgoing messages.
+@@ -284,15 +288,17 @@ write_compressed_dname(sldns_buffer* pkt, uint8_t* dname, int labs,
+ 
+ /** compress owner name of RR, return RETVAL_OUTMEM RETVAL_TRUNC */
+ static int
+-compress_owner(struct ub_packed_rrset_key* key, sldns_buffer* pkt, 
+-	struct regional* region, struct compress_tree_node** tree, 
+-	size_t owner_pos, uint16_t* owner_ptr, int owner_labs)
++compress_owner(struct ub_packed_rrset_key* key, sldns_buffer* pkt,
++	struct regional* region, struct compress_tree_node** tree,
++	size_t owner_pos, uint16_t* owner_ptr, int owner_labs,
++	size_t* compress_count)
+ {
+ 	struct compress_tree_node* p;
+ 	struct compress_tree_node** insertpt = NULL;
+ 	if(!*owner_ptr) {
+ 		/* compress first time dname */
+-		if((p = compress_tree_lookup(tree, key->rk.dname, 
++		if(*compress_count < MAX_COMPRESSION_PER_MESSAGE &&
++			(p = compress_tree_lookup(tree, key->rk.dname,
+ 			owner_labs, &insertpt))) {
+ 			if(p->labs == owner_labs) 
+ 				/* avoid ptr chains, since some software is
+@@ -301,6 +307,7 @@ compress_owner(struct ub_packed_rrset_key* key, sldns_buffer* pkt,
+ 			if(!write_compressed_dname(pkt, key->rk.dname, 
+ 				owner_labs, p))
+ 				return RETVAL_TRUNC;
++			(*compress_count)++;
+ 			/* check if typeclass+4 ttl + rdatalen is available */
+ 			if(sldns_buffer_remaining(pkt) < 4+4+2)
+ 				return RETVAL_TRUNC;
+@@ -313,7 +320,8 @@ compress_owner(struct ub_packed_rrset_key* key, sldns_buffer* pkt,
+ 			if(owner_pos <= PTR_MAX_OFFSET)
+ 				*owner_ptr = htons(PTR_CREATE(owner_pos));
+ 		}
+-		if(!compress_tree_store(key->rk.dname, owner_labs, 
++		if(*compress_count < MAX_COMPRESSION_PER_MESSAGE &&
++			!compress_tree_store(key->rk.dname, owner_labs,
+ 			owner_pos, region, p, insertpt))
+ 			return RETVAL_OUTMEM;
+ 	} else {
+@@ -333,20 +341,24 @@ compress_owner(struct ub_packed_rrset_key* key, sldns_buffer* pkt,
+ 
+ /** compress any domain name to the packet, return RETVAL_* */
+ static int
+-compress_any_dname(uint8_t* dname, sldns_buffer* pkt, int labs, 
+-	struct regional* region, struct compress_tree_node** tree)
++compress_any_dname(uint8_t* dname, sldns_buffer* pkt, int labs,
++	struct regional* region, struct compress_tree_node** tree,
++	size_t* compress_count)
+ {
+ 	struct compress_tree_node* p;
+ 	struct compress_tree_node** insertpt = NULL;
+ 	size_t pos = sldns_buffer_position(pkt);
+-	if((p = compress_tree_lookup(tree, dname, labs, &insertpt))) {
++	if(*compress_count < MAX_COMPRESSION_PER_MESSAGE &&
++		(p = compress_tree_lookup(tree, dname, labs, &insertpt))) {
+ 		if(!write_compressed_dname(pkt, dname, labs, p))
+ 			return RETVAL_TRUNC;
++		(*compress_count)++;
+ 	} else {
+ 		if(!dname_buffer_write(pkt, dname))
+ 			return RETVAL_TRUNC;
+ 	}
+-	if(!compress_tree_store(dname, labs, pos, region, p, insertpt))
++	if(*compress_count < MAX_COMPRESSION_PER_MESSAGE &&
++		!compress_tree_store(dname, labs, pos, region, p, insertpt))
+ 		return RETVAL_OUTMEM;
+ 	return RETVAL_OK;
+ }
+@@ -364,9 +376,9 @@ type_rdata_compressable(struct ub_packed_rrset_key* key)
+ 
+ /** compress domain names in rdata, return RETVAL_* */
+ static int
+-compress_rdata(sldns_buffer* pkt, uint8_t* rdata, size_t todolen, 
+-	struct regional* region, struct compress_tree_node** tree, 
+-	const sldns_rr_descriptor* desc)
++compress_rdata(sldns_buffer* pkt, uint8_t* rdata, size_t todolen,
++	struct regional* region, struct compress_tree_node** tree,
++	const sldns_rr_descriptor* desc, size_t* compress_count)
+ {
+ 	int labs, r, rdf = 0;
+ 	size_t dname_len, len, pos = sldns_buffer_position(pkt);
+@@ -380,8 +392,8 @@ compress_rdata(sldns_buffer* pkt, uint8_t* rdata, size_t todolen,
+ 		switch(desc->_wireformat[rdf]) {
+ 		case LDNS_RDF_TYPE_DNAME:
+ 			labs = dname_count_size_labels(rdata, &dname_len);
+-			if((r=compress_any_dname(rdata, pkt, labs, region, 
+-				tree)) != RETVAL_OK)
++			if((r=compress_any_dname(rdata, pkt, labs, region,
++				tree, compress_count)) != RETVAL_OK)
+ 				return r;
+ 			rdata += dname_len;
+ 			todolen -= dname_len;
+@@ -449,7 +461,8 @@ static int
+ packed_rrset_encode(struct ub_packed_rrset_key* key, sldns_buffer* pkt, 
+ 	uint16_t* num_rrs, time_t timenow, struct regional* region,
+ 	int do_data, int do_sig, struct compress_tree_node** tree,
+-	sldns_pkt_section s, uint16_t qtype, int dnssec, size_t rr_offset)
++	sldns_pkt_section s, uint16_t qtype, int dnssec, size_t rr_offset,
++	size_t* compress_count)
+ {
+ 	size_t i, j, owner_pos;
+ 	int r, owner_labs;
+@@ -477,9 +490,9 @@ packed_rrset_encode(struct ub_packed_rrset_key* key, sldns_buffer* pkt,
+ 		for(i=0; i<data->count; i++) {
+ 			/* rrset roundrobin */
+ 			j = (i + rr_offset) % data->count;
+-			if((r=compress_owner(key, pkt, region, tree, 
+-				owner_pos, &owner_ptr, owner_labs))
+-				!= RETVAL_OK)
++			if((r=compress_owner(key, pkt, region, tree,
++				owner_pos, &owner_ptr, owner_labs,
++				compress_count)) != RETVAL_OK)
+ 				return r;
+ 			sldns_buffer_write(pkt, &key->rk.type, 2);
+ 			sldns_buffer_write(pkt, &key->rk.rrset_class, 2);
+@@ -489,8 +502,8 @@ packed_rrset_encode(struct ub_packed_rrset_key* key, sldns_buffer* pkt,
+ 			else	sldns_buffer_write_u32(pkt, data->rr_ttl[j]-adjust);
+ 			if(c) {
+ 				if((r=compress_rdata(pkt, data->rr_data[j],
+-					data->rr_len[j], region, tree, c))
+-					!= RETVAL_OK)
++					data->rr_len[j], region, tree, c,
++					compress_count)) != RETVAL_OK)
+ 					return r;
+ 			} else {
+ 				if(sldns_buffer_remaining(pkt) < data->rr_len[j])
+@@ -510,9 +523,9 @@ packed_rrset_encode(struct ub_packed_rrset_key* key, sldns_buffer* pkt,
+ 					return RETVAL_TRUNC;
+ 				sldns_buffer_write(pkt, &owner_ptr, 2);
+ 			} else {
+-				if((r=compress_any_dname(key->rk.dname, 
+-					pkt, owner_labs, region, tree))
+-					!= RETVAL_OK)
++				if((r=compress_any_dname(key->rk.dname,
++					pkt, owner_labs, region, tree,
++					compress_count)) != RETVAL_OK)
+ 					return r;
+ 				if(sldns_buffer_remaining(pkt) < 
+ 					4+4+data->rr_len[i])
+@@ -544,7 +557,8 @@ static int
+ insert_section(struct reply_info* rep, size_t num_rrsets, uint16_t* num_rrs,
+ 	sldns_buffer* pkt, size_t rrsets_before, time_t timenow, 
+ 	struct regional* region, struct compress_tree_node** tree,
+-	sldns_pkt_section s, uint16_t qtype, int dnssec, size_t rr_offset)
++	sldns_pkt_section s, uint16_t qtype, int dnssec, size_t rr_offset,
++	size_t* compress_count)
+ {
+ 	int r;
+ 	size_t i, setstart;
+@@ -560,7 +574,7 @@ insert_section(struct reply_info* rep, size_t num_rrsets, uint16_t* num_rrs,
+ 			setstart = sldns_buffer_position(pkt);
+ 			if((r=packed_rrset_encode(rep->rrsets[rrsets_before+i], 
+ 				pkt, num_rrs, timenow, region, 1, 1, tree,
+-				s, qtype, dnssec, rr_offset))
++				s, qtype, dnssec, rr_offset, compress_count))
+ 				!= RETVAL_OK) {
+ 				/* Bad, but if due to size must set TC bit */
+ 				/* trim off the rrset neatly. */
+@@ -573,7 +587,7 @@ insert_section(struct reply_info* rep, size_t num_rrsets, uint16_t* num_rrs,
+ 			setstart = sldns_buffer_position(pkt);
+ 			if((r=packed_rrset_encode(rep->rrsets[rrsets_before+i], 
+ 				pkt, num_rrs, timenow, region, 1, 0, tree,
+-				s, qtype, dnssec, rr_offset))
++				s, qtype, dnssec, rr_offset, compress_count))
+ 				!= RETVAL_OK) {
+ 				sldns_buffer_set_position(pkt, setstart);
+ 				return r;
+@@ -584,7 +598,7 @@ insert_section(struct reply_info* rep, size_t num_rrsets, uint16_t* num_rrs,
+ 			setstart = sldns_buffer_position(pkt);
+ 			if((r=packed_rrset_encode(rep->rrsets[rrsets_before+i], 
+ 				pkt, num_rrs, timenow, region, 0, 1, tree,
+-				s, qtype, dnssec, rr_offset))
++				s, qtype, dnssec, rr_offset, compress_count))
+ 				!= RETVAL_OK) {
+ 				sldns_buffer_set_position(pkt, setstart);
+ 				return r;
+@@ -677,6 +691,7 @@ reply_info_encode(struct query_info* qinfo, struct reply_info* rep,
+ 	struct compress_tree_node* tree = 0;
+ 	int r;
+ 	size_t rr_offset;
++	size_t compress_count=0;
+ 
+ 	sldns_buffer_clear(buffer);
+ 	if(udpsize < sldns_buffer_limit(buffer))
+@@ -723,7 +738,7 @@ reply_info_encode(struct query_info* qinfo, struct reply_info* rep,
+ 		arep.rrsets = &qinfo->local_alias->rrset;
+ 		if((r=insert_section(&arep, 1, &ancount, buffer, 0,
+ 			timezero, region, &tree, LDNS_SECTION_ANSWER,
+-			qinfo->qtype, dnssec, rr_offset)) != RETVAL_OK) {
++			qinfo->qtype, dnssec, rr_offset, &compress_count)) != RETVAL_OK) {
+ 			if(r == RETVAL_TRUNC) {
+ 				/* create truncated message */
+ 				sldns_buffer_write_u16_at(buffer, 6, ancount);
+@@ -738,7 +753,7 @@ reply_info_encode(struct query_info* qinfo, struct reply_info* rep,
+ 	/* insert answer section */
+ 	if((r=insert_section(rep, rep->an_numrrsets, &ancount, buffer,
+ 		0, timenow, region, &tree, LDNS_SECTION_ANSWER, qinfo->qtype,
+-		dnssec, rr_offset)) != RETVAL_OK) {
++		dnssec, rr_offset, &compress_count)) != RETVAL_OK) {
+ 		if(r == RETVAL_TRUNC) {
+ 			/* create truncated message */
+ 			sldns_buffer_write_u16_at(buffer, 6, ancount);
+@@ -756,7 +771,7 @@ reply_info_encode(struct query_info* qinfo, struct reply_info* rep,
+ 		if((r=insert_section(rep, rep->ns_numrrsets, &nscount, buffer,
+ 			rep->an_numrrsets, timenow, region, &tree,
+ 			LDNS_SECTION_AUTHORITY, qinfo->qtype,
+-			dnssec, rr_offset)) != RETVAL_OK) {
++			dnssec, rr_offset, &compress_count)) != RETVAL_OK) {
+ 			if(r == RETVAL_TRUNC) {
+ 				/* create truncated message */
+ 				sldns_buffer_write_u16_at(buffer, 8, nscount);
+@@ -773,7 +788,7 @@ reply_info_encode(struct query_info* qinfo, struct reply_info* rep,
+ 			if((r=insert_section(rep, rep->ar_numrrsets, &arcount, buffer,
+ 				rep->an_numrrsets + rep->ns_numrrsets, timenow, region,
+ 				&tree, LDNS_SECTION_ADDITIONAL, qinfo->qtype,
+-				dnssec, rr_offset)) != RETVAL_OK) {
++				dnssec, rr_offset, &compress_count)) != RETVAL_OK) {
+ 				if(r == RETVAL_TRUNC) {
+ 					/* no need to set TC bit, this is the additional */
+ 					sldns_buffer_write_u16_at(buffer, 10, arcount);

backport-check-before-use-daemon-shm_info.patch

@@ -0,0 +1,27 @@
+From 073c7301ebdf7511320ec817ad7ecacf6b45c4be Mon Sep 17 00:00:00 2001
+From: eaglegai <31752768+eaglegai@users.noreply.github.com>
+Date: Tue, 21 Jan 2025 22:47:51 +0800
+Subject: [PATCH] check before use daemon->shm_info (#1229)
+
+fix core after the command `unbound-control stop unbound`
+
+fix:https://github.com/NLnetLabs/unbound/issues/1228
+
+Signed-off-by: eaglegai <eaglegai@163.com>
+---
+ util/shm_side/shm_main.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/util/shm_side/shm_main.c b/util/shm_side/shm_main.c
+index 6fd1f5ea6..751d6d649 100644
+--- a/util/shm_side/shm_main.c
++++ b/util/shm_side/shm_main.c
+@@ -195,7 +195,7 @@ void shm_main_shutdown(struct daemon* daemon)
+ {
+ #ifdef HAVE_SHMGET
+ 	/* web are OK, just disabled */
+-	if(!daemon->cfg->shm_enable)
++	if(!daemon->cfg->shm_enable || !daemon->shm_info)
+ 		return;
+ 
+ 	verbose(VERB_DETAIL, "SHM shutdown - KEY [%d] - ID CTL [%d] ARR [%d] - PTR CTL [%p] ARR [%p]",

unbound.spec

@@ -2,7 +2,7 @@
 
 Name:          unbound
 Version:       1.17.1
-Release:       6
+Release:       11
 Summary:       Unbound is a validating, recursive, caching DNS resolver
 License:       BSD-3-Clause
 Url:           https://nlnetlabs.nl/projects/unbound/about/
@@ -28,6 +28,13 @@ Patch4:        backport-pre-CVE-2024-33655-Downstream-DNS-Cookies-a-la-RFC7873-a
 Patch5:        backport-pre-CVE-2024-33655-Fix-possibly-unaligned-memory-access-in-parse_edns_options_from_query.patch
 Patch6:        backport-pre-CVE-2024-33655-Fix-out-of-bounds-read-in-parse_edns_options_from_query.patch
 Patch7:        backport-CVE-2024-33655.patch
+Patch8:        backport-CVE-2024-43167.patch
+Patch9:        backport-001-CVE-2024-43168.patch
+Patch10:       backport-002-CVE-2024-43168.patch
+Patch11:       backport-003-CVE-2024-43168.patch
+Patch12:       backport-004-CVE-2024-43168.patch
+Patch13:       backport-CVE-2024-8508.patch
+Patch14:       backport-check-before-use-daemon-shm_info.patch
 
 BuildRequires: make flex swig pkgconfig systemd
 BuildRequires: libevent-devel expat-devel openssl-devel python3-devel
@@ -265,6 +272,36 @@ popd
 %{_sbindir}/unbound-streamtcp
 
 %changelog
+* Thu Jan 23 2025 gaihuiying <eaglegai@163.com> - 1.17.1-11
+- Type:bugfix
+- CVE:NA
+- SUG:NA
+- DESC:backport upstream to add check to fix coredump
+
+* Wed Oct 16 2024 gaihuiying <eaglegai@163.com> - 1.17.1-10
+- Type:cves
+- CVE:CVE-2024-8508
+- SUG:NA
+- DESC:fix CVE-2024-8508
+
+* Thu Aug 29 2024 gaihuiying <eaglegai@163.com> - 1.17.1-9
+- Type:bugfix
+- CVE:NA
+- SUG:NA
+- DESC:correct cve number
+
+* Mon Aug 26 2024 gaihuiying <eaglegai@163.com> - 1.17.1-8
+- Type:cves
+- CVE:CVE-2024-43168
+- SUG:NA
+- DESC:fix CVE-2024-43168 better
+
+* Mon Aug 19 2024 gaihuiying <eaglegai@163.com> - 1.17.1-7
+- Type:cves
+- CVE:CVE-2024-43167 CVE-2024-43168
+- SUG:NA
+- DESC:fix CVE-2024-43167 CVE-2024-43168
+
 * Mon Jun 24 2024 wangziliang <wangziliang@kylinos.cn> - 1.17.1-6
 - Type:bugfix
 - ID:NA
@@ -321,9 +358,9 @@ popd
 
 * Wed Aug 03 2022 yanglu <yanglu72@h-partners.com> - 1.13.2-5
 - Type:cves
-- CVE:CVE-2022-30689 CVE-2022-30699
+- CVE:CVE-2022-30698 CVE-2022-30699
 - SUG:NA
-- DESC:fix CVE-2022-30689 and CVE-2022-30699
+- DESC:fix CVE-2022-30698 and CVE-2022-30699
 
 * Tue Aug 02 2022 gaihuiying <eaglegai@163.com> - 1.13.2-4
 - Type:bugfix