morgan/systemd
1
0
Fork 0
mirror of https://github.com/morgan9e/systemd synced 2026-04-15 08:56:15 +09:00
Code Issues Packages Projects Releases Wiki Activity

network: limit the total number of Encrypted DNS options processed

Browse Source 
We need a sensible limit on the number of Encrypted DNS options allowed
so that the set of resolvers per link does not grow without bound.

Fixes: 0c90d1d2f2 ("ndisc: Parse RFC9463 encrypted DNS (DNR) option")
This commit is contained in:
Ronan Pigott
2024-11-04 20:45:27 -07:00
committed by Lennart Poettering
parent 1da80d2ca3
commit a791fea0d6
1 changed files with 6 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

6
src/network/networkd-ndisc.c
View File

@@ -30,6 +30,7 @@
#define NDISC_DNSSL_MAX 64U
#define NDISC_RDNSS_MAX 64U
#define NDISC_ENCRYPTED_DNS_MAX 64U
/* Not defined in the RFC, but let's set an upper limit to make not consume much memory.
* This should be safe as typically there should be at most 1 portal per network. */
#define NDISC_CAPTIVE_PORTAL_MAX 64U
@@ -1942,6 +1943,11 @@ static int ndisc_router_process_encrypted_dns(Link *link, sd_ndisc_router *rt) {
return 0;
}
if (set_size(link->ndisc_dnr) >= NDISC_ENCRYPTED_DNS_MAX) {
log_link_warning(link, "Too many Encrypted DNS records received. Only first %u records will be used.", NDISC_ENCRYPTED_DNS_MAX);
return 0;
}
new_entry = new(NDiscDNR, 1);
if (!new_entry)
return log_oom();