Add limits to the size of received AXFR, in megabytes

This prevents resource exhaustion in case the master is sending a
very large amount of data in an update.

pdns/common_startup.cc

@@ -170,6 +170,8 @@ void declareArguments()
 
   ::arg().set("include-dir","Include *.conf files from this directory");
   ::arg().set("security-poll-suffix","Domain name from which to query security update notifications")="secpoll.powerdns.com.";
+
+  ::arg().set("xfr-max-received-mbytes", "Maximum number of megabytes received from an incoming AXFR")="100";
 }
 
 static uint64_t uptimeOfProcess(const std::string& str)

pdns/docs/pdns.xml

@@ -17863,6 +17863,17 @@ This setting will make PowerDNS renotify the slaves after an AXFR is *received*
 	    <listitem><para>
 	      Check for wildcard URL records.
 	      </para></listitem></varlistentry>
+	  <varlistentry>
+	    <term>xfr-max-received-mbytes=...</term>
+	  <listitem>
+	    <para>
+	      Specifies the maximum number of received megabytes allowed on an incoming AXFR update, to prevent
+              resource exhaustion. A value of 0 means no restriction.
+	      The default is 100. Available since 3.4.10.
+	    </para>
+	  </listitem>
+	</varlistentry>
+
       </variablelist>
     </para>
   </chapter>

pdns/pdns.conf-dist

@@ -534,4 +534,9 @@
 #
 # webserver-print-arguments=no
 
+#################################
+# xfr-max-received-mbytes	Maximum number of megabytes received from an incoming AXFR
+#
+# xfr-max-received-mbytes=100
+
 

pdns/resolver.cc

@@ -379,8 +379,9 @@ AXFRRetriever::AXFRRetriever(const ComboAddress& remote,
         const string& tsigkeyname,
         const string& tsigalgorithm, 
         const string& tsigsecret,
-        const ComboAddress* laddr)
-: d_tsigkeyname(tsigkeyname), d_tsigsecret(tsigsecret), d_tsigPos(0), d_nonSignedMessages(0)
+        const ComboAddress* laddr,
+        size_t maxReceivedBytes)
+  : d_tsigkeyname(tsigkeyname), d_tsigsecret(tsigsecret), d_receivedBytes(0), d_maxReceivedBytes(maxReceivedBytes), d_tsigPos(0), d_nonSignedMessages(0)
 {
   ComboAddress local;
   if (laddr != NULL) {
@@ -461,8 +462,14 @@ int AXFRRetriever::getChunk(Resolver::res_t &res) // Implementation is making su
   int len=getLength();
   if(len<0)
     throw ResolverException("EOF trying to read axfr chunk from remote TCP client");
-
-  timeoutReadn(len); 
+
+  if (d_maxReceivedBytes > 0 && (d_maxReceivedBytes - d_receivedBytes) < (size_t) len)
+    throw ResolverException("Reached the maximum number of received bytes during AXFR");
+
+  timeoutReadn(len);
+
+  d_receivedBytes += (uint16_t) len;
+
   MOADNSParser mdp(d_buf.get(), len);
 
   int err = parseResult(mdp, "", 0, 0, &res);

pdns/resolver.hh

@@ -85,7 +85,8 @@ class AXFRRetriever : public boost::noncopyable
         const string& tsigkeyname=string(),
         const string& tsigalgorithm=string(),
         const string& tsigsecret=string(),
-        const ComboAddress* laddr = NULL);
+        const ComboAddress* laddr = NULL,
+        size_t maxReceivedBytes=0);
 	~AXFRRetriever();
     int getChunk(Resolver::res_t &res);  
 
@@ -104,6 +105,8 @@ class AXFRRetriever : public boost::noncopyable
     string d_tsigsecret;
     string d_prevMac; // RFC2845 4.4
     string d_signData;
+    size_t d_receivedBytes;
+    size_t d_maxReceivedBytes;
     uint32_t d_tsigPos;
     uint d_nonSignedMessages; // RFC2845 4.4
     TSIGRecordContent d_trc;

pdns/slavecommunicator.cc

@@ -151,7 +151,7 @@ void CommunicatorClass::suck(const string &domain,const string &remote)
     vector<DNSResourceRecord> rrs;
 
     ComboAddress raddr(remote, 53);
-    AXFRRetriever retriever(raddr, domain.c_str(), tsigkeyname, tsigalgorithm, tsigsecret, (laddr.sin4.sin_family == 0) ? NULL : &laddr);
+    AXFRRetriever retriever(raddr, domain.c_str(), tsigkeyname, tsigalgorithm, tsigsecret, (laddr.sin4.sin_family == 0) ? NULL : &laddr, ((size_t) ::arg().asNum("xfr-max-received-mbytes")) * 1024 * 1024);
     Resolver::res_t recs;
     while(retriever.getChunk(recs)) {
       if(first) {