upstream/bind9
1
0
Fork 0
mirror of https://github.com/isc-projects/bind9.git synced 2026-05-28 04:34:54 -04:00
Code Issues Projects Releases Packages Wiki Activity Actions 4

fix several bugs in the RBTDB dbiterator implementation

Browse source 
- the DNS_DB_NSEC3ONLY and DNS_DB_NONSEC3 flags are mutually
  exclusive; it never made sense to set both at the same time.
  to enforce this, it is now a fatal error to do so.  the
  dbiterator implementation has been cleaned up to remove
  code that treated the two as independent: if nonsec3 is
  true, we can be certain nsec3only is false, and vice versa.
- previously, iterating a database backwards omitted
  NSEC3 records even if DNS_DB_NONSEC3 had not been set. this
  has been corrected.
- when an iterator reaches the origin node of the NSEC3 tree, we
  need to skip over it and go to the next node in the sequence.
  the NSEC3 origin node is there for housekeeping purposes and
  never contains data.
- the dbiterator_test unit test has been expanded, several
  incorrect expectations have been fixed. (for example, the
  expected number of iterations has been reduced by one; we were
  previously counting the NSEC3 origin node and we should not
  have been doing so.)

(cherry picked from commit e40fd4ed06)
This commit is contained in:
Evan Hunt 2024-02-14 12:58:01 -08:00
parent fc16701eef
commit fe05278424
4 changed files with 214 additions and 41 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

2
lib/dns/db.c
View file

@ -648,6 +648,8 @@ dns_db_createiterator(dns_db_t *db, unsigned int flags,
REQUIRE(DNS_DB_VALID(db));
REQUIRE(iteratorp != NULL && *iteratorp == NULL);
REQUIRE((flags & (DNS_DB_NSEC3ONLY | DNS_DB_NONSEC3)) !=
(DNS_DB_NSEC3ONLY | DNS_DB_NONSEC3));
return (db->methods->createiterator(db, flags, iteratorp));
}

2
lib/dns/include/dns/db.h
View file

@ -1089,6 +1089,8 @@ dns_db_createiterator(dns_db_t *db, unsigned int options,
*
* \li iteratorp != NULL && *iteratorp == NULL
*
* \li 'flags' contains at most one of #DNS_DB_NSEC3ONLY and #DNS_DB_NONSEC3.
*
* Ensures:
*
* \li On success, *iteratorp will be a valid database iterator.

157
lib/dns/rbtdb.c
View file

@ -331,6 +331,10 @@ hash_32(uint32_t val, unsigned int bits) {
#define STALEOK(rbtiterator) \
(((rbtiterator)->common.options & DNS_DB_STALEOK) != 0)
#define RBTDBITER_NSEC3_ORIGIN_NODE(rbtdb, iterator) \
((iterator)->current == &(iterator)->nsec3chain && \
(iterator)->node == (rbtdb)->nsec3_origin_node)
/*%
* Number of buckets for cache DB entries (locks, LRU lists, TTL heaps).
* There is a tradeoff issue about configuring this value: if this is too
@ -711,8 +715,7 @@ typedef struct rbtdb_dbiterator {
dns_rbtnode_t *node;
dns_rbtnode_t *deletions[DELETION_BATCH_MAX];
int delcnt;
bool nsec3only;
bool nonsec3;
enum { full, nonsec3, nsec3only } nsec3mode;
} rbtdb_dbiterator_t;
#define IS_STUB(rbtdb) (((rbtdb)->common.attributes & DNS_DBATTR_STUB) != 0)
@ -5815,6 +5818,8 @@ createiterator(dns_db_t *db, unsigned int options,
rbtdb_dbiterator_t *rbtdbiter;
REQUIRE(VALID_RBTDB(rbtdb));
REQUIRE((options & (DNS_DB_NSEC3ONLY | DNS_DB_NONSEC3)) !=
(DNS_DB_NSEC3ONLY | DNS_DB_NONSEC3));
rbtdbiter = isc_mem_get(rbtdb->common.mctx, sizeof(*rbtdbiter));
@ -5832,12 +5837,18 @@ createiterator(dns_db_t *db, unsigned int options,
dns_fixedname_init(&rbtdbiter->origin);
rbtdbiter->node = NULL;
rbtdbiter->delcnt = 0;
rbtdbiter->nsec3only = ((options & DNS_DB_NSEC3ONLY) != 0);
rbtdbiter->nonsec3 = ((options & DNS_DB_NONSEC3) != 0);
if ((options & DNS_DB_NSEC3ONLY) != 0) {
rbtdbiter->nsec3mode = nsec3only;
} else if ((options & DNS_DB_NONSEC3) != 0) {
rbtdbiter->nsec3mode = nonsec3;
} else {
rbtdbiter->nsec3mode = full;
}
memset(rbtdbiter->deletions, 0, sizeof(rbtdbiter->deletions));
dns_rbtnodechain_init(&rbtdbiter->chain);
dns_rbtnodechain_init(&rbtdbiter->nsec3chain);
if (rbtdbiter->nsec3only) {
if (rbtdbiter->nsec3mode == nsec3only) {
rbtdbiter->current = &rbtdbiter->nsec3chain;
} else {
rbtdbiter->current = &rbtdbiter->chain;
@ -9221,23 +9232,48 @@ dbiterator_first(dns_dbiterator_t *iterator) {
dns_rbtnodechain_reset(&rbtdbiter->chain);
dns_rbtnodechain_reset(&rbtdbiter->nsec3chain);
if (rbtdbiter->nsec3only) {
switch (rbtdbiter->nsec3mode) {
case nsec3only:
rbtdbiter->current = &rbtdbiter->nsec3chain;
result = dns_rbtnodechain_first(rbtdbiter->current,
rbtdb->nsec3, name, origin);
} else {
break;
case nonsec3:
rbtdbiter->current = &rbtdbiter->chain;
result = dns_rbtnodechain_first(rbtdbiter->current, rbtdb->tree,
name, origin);
if (!rbtdbiter->nonsec3 && result == ISC_R_NOTFOUND) {
break;
case full:
rbtdbiter->current = &rbtdbiter->chain;
result = dns_rbtnodechain_first(rbtdbiter->current, rbtdb->tree,
name, origin);
if (result == ISC_R_NOTFOUND) {
rbtdbiter->current = &rbtdbiter->nsec3chain;
result = dns_rbtnodechain_first(
rbtdbiter->current, rbtdb->nsec3, name, origin);
}
break;
default:
UNREACHABLE();
}
if (result == ISC_R_SUCCESS || result == DNS_R_NEWORIGIN) {
result = dns_rbtnodechain_current(rbtdbiter->current, NULL,
NULL, &rbtdbiter->node);
/* If we're in the NSEC3 tree, skip the origin */
if (RBTDBITER_NSEC3_ORIGIN_NODE(rbtdb, rbtdbiter)) {
rbtdbiter->node = NULL;
result = dns_rbtnodechain_next(rbtdbiter->current, name,
origin);
if (result == ISC_R_SUCCESS ||
result == DNS_R_NEWORIGIN)
{
result = dns_rbtnodechain_current(
rbtdbiter->current, NULL, NULL,
&rbtdbiter->node);
}
}
if (result == ISC_R_SUCCESS) {
rbtdbiter->new_origin = true;
reference_iter_node(rbtdbiter);
@ -9282,20 +9318,61 @@ dbiterator_last(dns_dbiterator_t *iterator) {
dns_rbtnodechain_reset(&rbtdbiter->chain);
dns_rbtnodechain_reset(&rbtdbiter->nsec3chain);
result = ISC_R_NOTFOUND;
if (rbtdbiter->nsec3only && !rbtdbiter->nonsec3) {
switch (rbtdbiter->nsec3mode) {
case nsec3only:
rbtdbiter->current = &rbtdbiter->nsec3chain;
result = dns_rbtnodechain_last(rbtdbiter->current, rbtdb->nsec3,
name, origin);
}
if (!rbtdbiter->nsec3only && result == ISC_R_NOTFOUND) {
break;
case nonsec3:
rbtdbiter->current = &rbtdbiter->chain;
result = dns_rbtnodechain_last(rbtdbiter->current, rbtdb->tree,
name, origin);
break;
case full:
rbtdbiter->current = &rbtdbiter->nsec3chain;
result = dns_rbtnodechain_last(rbtdbiter->current, rbtdb->nsec3,
name, origin);
if (result == ISC_R_NOTFOUND) {
rbtdbiter->current = &rbtdbiter->chain;
result = dns_rbtnodechain_last(
rbtdbiter->current, rbtdb->tree, name, origin);
}
break;
default:
UNREACHABLE();
}
if (result == ISC_R_SUCCESS || result == DNS_R_NEWORIGIN) {
result = dns_rbtnodechain_current(rbtdbiter->current, NULL,
NULL, &rbtdbiter->node);
if (RBTDBITER_NSEC3_ORIGIN_NODE(rbtdb, rbtdbiter)) {
/*
* NSEC3 tree only has an origin node.
*/
rbtdbiter->node = NULL;
switch (rbtdbiter->nsec3mode) {
case nsec3only:
result = ISC_R_NOMORE;
break;
case nonsec3:
case full:
rbtdbiter->current = &rbtdbiter->chain;
result = dns_rbtnodechain_last(
rbtdbiter->current, rbtdb->tree, name,
origin);
if (result == ISC_R_SUCCESS ||
result == DNS_R_NEWORIGIN)
{
result = dns_rbtnodechain_current(
rbtdbiter->current, NULL, NULL,
&rbtdbiter->node);
}
break;
default:
UNREACHABLE();
}
}
if (result == ISC_R_SUCCESS) {
rbtdbiter->new_origin = true;
reference_iter_node(rbtdbiter);
@ -9336,17 +9413,20 @@ dbiterator_seek(dns_dbiterator_t *iterator, const dns_name_t *name) {
dns_rbtnodechain_reset(&rbtdbiter->chain);
dns_rbtnodechain_reset(&rbtdbiter->nsec3chain);
if (rbtdbiter->nsec3only) {
switch (rbtdbiter->nsec3mode) {
case nsec3only:
rbtdbiter->current = &rbtdbiter->nsec3chain;
result = dns_rbt_findnode(rbtdb->nsec3, name, NULL,
&rbtdbiter->node, rbtdbiter->current,
DNS_RBTFIND_EMPTYDATA, NULL, NULL);
} else if (rbtdbiter->nonsec3) {
break;
case nonsec3:
rbtdbiter->current = &rbtdbiter->chain;
result = dns_rbt_findnode(rbtdb->tree, name, NULL,
&rbtdbiter->node, rbtdbiter->current,
DNS_RBTFIND_EMPTYDATA, NULL, NULL);
} else {
break;
case full:
/*
* Stay on main chain if not found on either chain.
*/
@ -9366,6 +9446,9 @@ dbiterator_seek(dns_dbiterator_t *iterator, const dns_name_t *name) {
result = tresult;
}
}
break;
default:
UNREACHABLE();
}
if (result == ISC_R_SUCCESS || result == DNS_R_PARTIALMATCH) {
@ -9405,11 +9488,29 @@ dbiterator_prev(dns_dbiterator_t *iterator) {
resume_iteration(rbtdbiter);
}
dereference_iter_node(rbtdbiter);
name = dns_fixedname_name(&rbtdbiter->name);
origin = dns_fixedname_name(&rbtdbiter->origin);
result = dns_rbtnodechain_prev(rbtdbiter->current, name, origin);
if (result == ISC_R_NOMORE && !rbtdbiter->nsec3only &&
!rbtdbiter->nonsec3 && &rbtdbiter->nsec3chain == rbtdbiter->current)
if (rbtdbiter->current == &rbtdbiter->nsec3chain &&
(result == ISC_R_SUCCESS || result == DNS_R_NEWORIGIN))
{
/*
* If we're in the NSEC3 tree, it's empty or we've
* reached the origin, then we're done with it.
*/
result = dns_rbtnodechain_current(rbtdbiter->current, NULL,
NULL, &rbtdbiter->node);
if (result == ISC_R_NOTFOUND ||
RBTDBITER_NSEC3_ORIGIN_NODE(rbtdb, rbtdbiter))
{
rbtdbiter->node = NULL;
result = ISC_R_NOMORE;
}
}
if (result == ISC_R_NOMORE && rbtdbiter->nsec3mode != nsec3only &&
&rbtdbiter->nsec3chain == rbtdbiter->current)
{
rbtdbiter->current = &rbtdbiter->chain;
dns_rbtnodechain_reset(rbtdbiter->current);
@ -9420,8 +9521,6 @@ dbiterator_prev(dns_dbiterator_t *iterator) {
}
}
dereference_iter_node(rbtdbiter);
if (result == DNS_R_NEWORIGIN || result == ISC_R_SUCCESS) {
rbtdbiter->new_origin = (result == DNS_R_NEWORIGIN);
result = dns_rbtnodechain_current(rbtdbiter->current, NULL,
@ -9457,8 +9556,8 @@ dbiterator_next(dns_dbiterator_t *iterator) {
name = dns_fixedname_name(&rbtdbiter->name);
origin = dns_fixedname_name(&rbtdbiter->origin);
result = dns_rbtnodechain_next(rbtdbiter->current, name, origin);
if (result == ISC_R_NOMORE && !rbtdbiter->nsec3only &&
!rbtdbiter->nonsec3 && &rbtdbiter->chain == rbtdbiter->current)
if (result == ISC_R_NOMORE && rbtdbiter->nsec3mode != nonsec3 &&
&rbtdbiter->chain == rbtdbiter->current)
{
rbtdbiter->current = &rbtdbiter->nsec3chain;
dns_rbtnodechain_reset(rbtdbiter->current);
@ -9472,9 +9571,25 @@ dbiterator_next(dns_dbiterator_t *iterator) {
dereference_iter_node(rbtdbiter);
if (result == DNS_R_NEWORIGIN || result == ISC_R_SUCCESS) {
/*
* If we've just started the NSEC3 tree,
* skip over the origin.
*/
rbtdbiter->new_origin = (result == DNS_R_NEWORIGIN);
result = dns_rbtnodechain_current(rbtdbiter->current, NULL,
NULL, &rbtdbiter->node);
if (RBTDBITER_NSEC3_ORIGIN_NODE(rbtdb, rbtdbiter)) {
rbtdbiter->node = NULL;
result = dns_rbtnodechain_next(rbtdbiter->current, name,
origin);
if (result == ISC_R_SUCCESS ||
result == DNS_R_NEWORIGIN)
{
result = dns_rbtnodechain_current(
rbtdbiter->current, NULL, NULL,
&rbtdbiter->node);
}
}
}
if (result == ISC_R_SUCCESS) {
reference_iter_node(rbtdbiter);

94
tests/dns/dbiterator_test.c
View file

@ -50,7 +50,7 @@ test_create(const char *filename) {
dns_db_t *db = NULL;
dns_dbiterator_t *iter = NULL;
result = dns_test_loaddb(&db, dns_dbtype_cache, TEST_ORIGIN, filename);
result = dns_test_loaddb(&db, dns_dbtype_zone, TEST_ORIGIN, filename);
assert_int_equal(result, ISC_R_SUCCESS);
result = dns_db_createiterator(db, 0, &iter);
@ -74,7 +74,7 @@ ISC_RUN_TEST_IMPL(create_nsec3) {
/* walk: walk a database */
static void
test_walk(const char *filename, int nodes) {
test_walk(const char *filename, int flags, int nodes) {
isc_result_t result;
dns_db_t *db = NULL;
dns_dbiterator_t *iter = NULL;
@ -85,10 +85,10 @@ test_walk(const char *filename, int nodes) {
name = dns_fixedname_initname(&f);
result = dns_test_loaddb(&db, dns_dbtype_cache, TEST_ORIGIN, filename);
result = dns_test_loaddb(&db, dns_dbtype_zone, TEST_ORIGIN, filename);
assert_int_equal(result, ISC_R_SUCCESS);
result = dns_db_createiterator(db, 0, &iter);
result = dns_db_createiterator(db, flags, &iter);
assert_int_equal(result, ISC_R_SUCCESS);
for (result = dns_dbiterator_first(iter); result == ISC_R_SUCCESS;
@ -112,18 +112,26 @@ test_walk(const char *filename, int nodes) {
ISC_RUN_TEST_IMPL(walk) {
UNUSED(state);
test_walk(TESTS_DIR "/testdata/dbiterator/zone1.data", 12);
test_walk(TESTS_DIR "/testdata/dbiterator/zone1.data", 0, 12);
test_walk(TESTS_DIR "/testdata/dbiterator/zone1.data", DNS_DB_NONSEC3,
12);
test_walk(TESTS_DIR "/testdata/dbiterator/zone1.data", DNS_DB_NSEC3ONLY,
0);
}
ISC_RUN_TEST_IMPL(walk_nsec3) {
UNUSED(state);
test_walk(TESTS_DIR "/testdata/dbiterator/zone2.data", 33);
test_walk(TESTS_DIR "/testdata/dbiterator/zone2.data", 0, 32);
test_walk(TESTS_DIR "/testdata/dbiterator/zone2.data", DNS_DB_NONSEC3,
12);
test_walk(TESTS_DIR "/testdata/dbiterator/zone2.data", DNS_DB_NSEC3ONLY,
20);
}
/* reverse: walk database backwards */
static void
test_reverse(const char *filename) {
test_reverse(const char *filename, int flags, int nodes) {
isc_result_t result;
dns_db_t *db = NULL;
dns_dbiterator_t *iter = NULL;
@ -134,10 +142,10 @@ test_reverse(const char *filename) {
name = dns_fixedname_initname(&f);
result = dns_test_loaddb(&db, dns_dbtype_cache, TEST_ORIGIN, filename);
result = dns_test_loaddb(&db, dns_dbtype_zone, TEST_ORIGIN, filename);
assert_int_equal(result, ISC_R_SUCCESS);
result = dns_db_createiterator(db, 0, &iter);
result = dns_db_createiterator(db, flags, &iter);
assert_int_equal(result, ISC_R_SUCCESS);
for (result = dns_dbiterator_last(iter); result == ISC_R_SUCCESS;
@ -152,7 +160,7 @@ test_reverse(const char *filename) {
i++;
}
assert_int_equal(i, 12);
assert_int_equal(i, nodes);
dns_dbiterator_destroy(&iter);
dns_db_detach(&db);
@ -161,18 +169,26 @@ test_reverse(const char *filename) {
ISC_RUN_TEST_IMPL(reverse) {
UNUSED(state);
test_reverse(TESTS_DIR "/testdata/dbiterator/zone1.data");
test_reverse(TESTS_DIR "/testdata/dbiterator/zone1.data", 0, 12);
test_reverse(TESTS_DIR "/testdata/dbiterator/zone1.data",
DNS_DB_NONSEC3, 12);
test_reverse(TESTS_DIR "/testdata/dbiterator/zone1.data",
DNS_DB_NSEC3ONLY, 0);
}
ISC_RUN_TEST_IMPL(reverse_nsec3) {
UNUSED(state);
test_reverse(TESTS_DIR "/testdata/dbiterator/zone2.data");
test_reverse(TESTS_DIR "/testdata/dbiterator/zone2.data", 0, 32);
test_reverse(TESTS_DIR "/testdata/dbiterator/zone2.data",
DNS_DB_NONSEC3, 12);
test_reverse(TESTS_DIR "/testdata/dbiterator/zone2.data",
DNS_DB_NSEC3ONLY, 20);
}
/* seek: walk database starting at a particular node */
static void
test_seek_node(const char *filename, int nodes) {
test_seek_node(const char *filename, int flags, int nodes) {
isc_result_t result;
dns_db_t *db = NULL;
dns_dbiterator_t *iter = NULL;
@ -184,17 +200,22 @@ test_seek_node(const char *filename, int nodes) {
name = dns_fixedname_initname(&f1);
seekname = dns_fixedname_initname(&f2);
result = dns_test_loaddb(&db, dns_dbtype_cache, TEST_ORIGIN, filename);
result = dns_test_loaddb(&db, dns_dbtype_zone, TEST_ORIGIN, filename);
assert_int_equal(result, ISC_R_SUCCESS);
result = dns_db_createiterator(db, 0, &iter);
result = dns_db_createiterator(db, flags, &iter);
assert_int_equal(result, ISC_R_SUCCESS);
result = make_name("c." TEST_ORIGIN, seekname);
assert_int_equal(result, ISC_R_SUCCESS);
result = dns_dbiterator_seek(iter, seekname);
assert_int_equal(result, ISC_R_SUCCESS);
if (flags == DNS_DB_NSEC3ONLY) {
/* "c" isn't in the NSEC3 tree but the origin node is */
assert_int_equal(result, DNS_R_PARTIALMATCH);
} else {
assert_int_equal(result, ISC_R_SUCCESS);
}
while (result == ISC_R_SUCCESS) {
result = dns_dbiterator_current(iter, &node, name);
@ -209,6 +230,31 @@ test_seek_node(const char *filename, int nodes) {
assert_int_equal(i, nodes);
/* now reset the iterator and walk backwards */
i = 0;
result = dns_dbiterator_seek(iter, seekname);
if (flags == DNS_DB_NSEC3ONLY) {
/* "c" isn't in the NSEC3 tree but the origin node is */
assert_int_equal(result, DNS_R_PARTIALMATCH);
nodes = 0;
} else {
assert_int_equal(result, ISC_R_SUCCESS);
nodes = 4;
}
while (result == ISC_R_SUCCESS) {
result = dns_dbiterator_current(iter, &node, name);
if (result == DNS_R_NEWORIGIN) {
result = ISC_R_SUCCESS;
}
assert_int_equal(result, ISC_R_SUCCESS);
dns_db_detachnode(db, &node);
result = dns_dbiterator_prev(iter);
i++;
}
assert_int_equal(i, nodes);
dns_dbiterator_destroy(&iter);
dns_db_detach(&db);
}
@ -216,13 +262,21 @@ test_seek_node(const char *filename, int nodes) {
ISC_RUN_TEST_IMPL(seek_node) {
UNUSED(state);
test_seek_node(TESTS_DIR "/testdata/dbiterator/zone1.data", 9);
test_seek_node(TESTS_DIR "/testdata/dbiterator/zone1.data", 0, 9);
test_seek_node(TESTS_DIR "/testdata/dbiterator/zone1.data",
DNS_DB_NONSEC3, 9);
test_seek_node(TESTS_DIR "/testdata/dbiterator/zone1.data",
DNS_DB_NSEC3ONLY, 0);
}
ISC_RUN_TEST_IMPL(seek_node_nsec3) {
UNUSED(state);
test_seek_node(TESTS_DIR "/testdata/dbiterator/zone2.data", 30);
test_seek_node(TESTS_DIR "/testdata/dbiterator/zone2.data", 0, 29);
test_seek_node(TESTS_DIR "/testdata/dbiterator/zone2.data",
DNS_DB_NONSEC3, 9);
test_seek_node(TESTS_DIR "/testdata/dbiterator/zone2.data",
DNS_DB_NSEC3ONLY, 0);
}
/*
@ -239,7 +293,7 @@ test_seek_empty(const char *filename) {
seekname = dns_fixedname_initname(&f1);
result = dns_test_loaddb(&db, dns_dbtype_cache, TEST_ORIGIN, filename);
result = dns_test_loaddb(&db, dns_dbtype_zone, TEST_ORIGIN, filename);
assert_int_equal(result, ISC_R_SUCCESS);
result = dns_db_createiterator(db, 0, &iter);
@ -280,7 +334,7 @@ test_seek_nx(const char *filename) {
seekname = dns_fixedname_initname(&f1);
result = dns_test_loaddb(&db, dns_dbtype_cache, TEST_ORIGIN, filename);
result = dns_test_loaddb(&db, dns_dbtype_zone, TEST_ORIGIN, filename);
assert_int_equal(result, ISC_R_SUCCESS);
result = dns_db_createiterator(db, 0, &iter);