From 01e7620b713e40e263354aa62d120b09096d890c Mon Sep 17 00:00:00 2001 
From: zhanghao Date: Sat, 6 Jan 2024 21:32:58 +0800 Subject: [PATCH] sync some patches from community --- ...en-creating-destroying-a-memory-pool.patch | 41 +++++ ...rt-Check-BN_dup-results-in-rsa_check.patch | 41 +++++ ...-are-allocated-in-opensslrsa_fromdns.patch | 30 ++++ ...d-n-are-non-NULL-in-opensslrsa_todns.patch | 37 +++++ ...t-primary-key-names-have-not-changed.patch | 52 +++++++ ...med_server_t-is-properly-initialized.patch | 146 ++++++++++++++++++ ...k-in-dns_message_checksig-SIG-0-sigs.patch | 30 ++++ ...tscounter_recursclients-counting-bug.patch | 39 +++++ ...rt-Free-n-on-error-path-in-rsa_check.patch | 28 ++++ ...a-if-e-is-NULL-in-opensslrsa_verify2.patch | 29 ++++ ...ore-parsing-of-internal-trust-anchor.patch | 29 ++++ ...operly-when-interface-creation-fails.patch | 67 ++++++++ ...d-was-erroneously-set-with-responses.patch | 61 ++++++++ ...ncorrect-detach-in-update-processing.patch | 85 ++++++++++ ...Add-a-missing-dns_db_detachnode-call.patch | 33 ++++ bind.spec | 25 ++- 16 files changed, 772 insertions(+), 1 deletion(-) create mode 100644 backport-Add-mctx-attach-detach-when-creating-destroying-a-memory-pool.patch create mode 100644 backport-Check-BN_dup-results-in-rsa_check.patch create mode 100644 backport-Check-that-e-and-n-are-allocated-in-opensslrsa_fromdns.patch create mode 100644 backport-Check-that-e-and-n-are-non-NULL-in-opensslrsa_todns.patch create mode 100644 backport-Check-that-primary-key-names-have-not-changed.patch create mode 100644 backport-Ensure-that-named_server_t-is-properly-initialized.patch create mode 100644 backport-Fix-memory-leak-in-dns_message_checksig-SIG-0-sigs.patch create mode 100644 backport-Fix-ns_statscounter_recursclients-counting-bug.patch create mode 100644 backport-Free-n-on-error-path-in-rsa_check.patch create mode 100644 backport-Free-rsa-if-e-is-NULL-in-opensslrsa_verify2.patch create mode 100644 backport-Reset-parser-before-parsing-of-internal-trust-anchor.patch create mode 100644 
backport-clean-up-properly-when-interface-creation-fails.patch create mode 100644 backport-dnstap-query_message-field-was-erroneously-set-with-responses.patch create mode 100644 backport-fix-an-incorrect-detach-in-update-processing.patch create mode 100644 backport-nsec3.c-Add-a-missing-dns_db_detachnode-call.patch diff --git a/backport-Add-mctx-attach-detach-when-creating-destroying-a-memory-pool.patch b/backport-Add-mctx-attach-detach-when-creating-destroying-a-memory-pool.patch new file mode 100644 index 0000000..03dbc11 --- /dev/null +++ b/backport-Add-mctx-attach-detach-when-creating-destroying-a-memory-pool.patch 
@@ -0,0 +1,41 @@ +yum 32779aba8a0a5f852c611f44ecbeab5aab633e34 Mon Sep 17 00:00:00 2001 +From: Aram Sargsyan +Date: Wed, 31 Aug 2022 12:30:38 +0000 +Subject: [PATCH] Add mctx attach/detach when creating/destroying a memory pool + +This should make sure that the memory context is not destroyed +before the memory pool, which is using the context. +Conflict: Context adaptation in the original patch:+ mpctx->lock = NULL; +Reference: https://gitlab.isc.org/isc-projects/bind9/-/commit/32779aba8a0a5f852c611f44ecbeab5aab633e34 +(cherry picked from commit e97c3eea954e055634b72c21325d2611e960ee94) +--- + lib/isc/mem.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/lib/isc/mem.c b/lib/isc/mem.c +index f84d300..33ece7a 100644 +--- a/lib/isc/mem.c ++++ b/lib/isc/mem.c +@@ -1656,7 +1656,8 @@ isc_mempool_create(isc_mem_t *mctx0, size_t size, isc_mempool_t **mpctxp) { + mpctx->common.impmagic = MEMPOOL_MAGIC; + mpctx->common.magic = ISCAPI_MPOOL_MAGIC; + mpctx->lock = NULL; +- mpctx->mctx = mctx; ++ mpctx->mctx = NULL; ++ isc_mem_attach((isc_mem_t *)mctx, (isc_mem_t **)&mpctx->mctx); + /* + * Mempools are stored as a linked list of element. + */ +@@ -1765,7 +1766,8 @@ isc_mempool_destroy(isc_mempool_t **mpctxp) { + mpctx->common.impmagic = 0; + mpctx->common.magic = 0; + +- isc_mem_put((isc_mem_t *)mpctx->mctx, mpctx, sizeof(isc__mempool_t)); ++ isc_mem_putanddetach((isc_mem_t **)&mpctx->mctx, mpctx, ++ sizeof(isc__mempool_t)); + + if (lock != NULL) { + UNLOCK(lock); +-- +2.33.0 + diff --git a/backport-Check-BN_dup-results-in-rsa_check.patch b/backport-Check-BN_dup-results-in-rsa_check.patch new file mode 100644 index 0000000..fcab131 --- /dev/null +++ b/backport-Check-BN_dup-results-in-rsa_check.patch 
@@ -0,0 +1,41 @@ +From 12f902796d4adde1dfdbda9b23578049a2e530ee Mon Sep 17 00:00:00 2001 +From: Mark Andrews +Date: Mon, 26 Sep 2022 12:06:44 +1000 +Subject: [PATCH] Check BN_dup results in rsa_check + +Conflict: NA +Reference: https://gitlab.isc.org/isc-projects/bind9/-/commit/12f902796d4adde1dfdbda9b23578049a2e530ee +(cherry picked from commit a47235f4f5af0286aadd43eeccf946a8f35a5dc8) +--- + lib/dns/opensslrsa_link.c | 9 +++++++++ + 1 file changed, 9 insertions(+) + +diff --git a/lib/dns/opensslrsa_link.c b/lib/dns/opensslrsa_link.c +index 9bee2f0449..45570dac98 100644 +--- a/lib/dns/opensslrsa_link.c ++++ b/lib/dns/opensslrsa_link.c +@@ -849,6 +849,9 @@ rsa_check(RSA *rsa, RSA *pub) { + } + } else { + n = BN_dup(n2); ++ if (n == NULL) { ++ return (ISC_R_NOMEMORY); ++ } + } + if (e1 != NULL) { + if (BN_cmp(e1, e2) != 0) { +@@ -859,6 +862,12 @@ rsa_check(RSA *rsa, RSA *pub) { + } + } else { + e = BN_dup(e2); ++ if (e == NULL) { ++ if (n != NULL) { ++ BN_free(n); ++ } ++ return (ISC_R_NOMEMORY); ++ } + } + if (RSA_set0_key(rsa, n, e, NULL) == 0) { + if (n != NULL) { +-- +2.23.0 \ No newline at end of file diff --git a/backport-Check-that-e-and-n-are-allocated-in-opensslrsa_fromdns.patch b/backport-Check-that-e-and-n-are-allocated-in-opensslrsa_fromdns.patch new file mode 100644 index 0000000..b2bfd53 --- /dev/null +++ b/backport-Check-that-e-and-n-are-allocated-in-opensslrsa_fromdns.patch 
@@ -0,0 +1,30 @@ +From 03c5db001e79e40011c3478e14593cdad72c5c1d Mon Sep 17 00:00:00 2001 +From: Mark Andrews +Date: Mon, 26 Sep 2022 11:57:17 +1000 +Subject: [PATCH] Check that 'e' and 'n' are allocated in opensslrsa_fromdns + +Conflict: NA +Reference: https://gitlab.isc.org/isc-projects/bind9/-/commit/03c5db001e79e40011c3478e14593cdad72c5c1d +(cherry picked from commit db70c302138f02b6e1fca6e89cf2da35b2ca0ae4) +--- + lib/dns/opensslrsa_link.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/lib/dns/opensslrsa_link.c b/lib/dns/opensslrsa_link.c +index b23b6323fa..b744a62df9 100644 +--- a/lib/dns/opensslrsa_link.c ++++ b/lib/dns/opensslrsa_link.c +@@ -671,6 +671,11 @@ opensslrsa_fromdns(dst_key_t *key, isc_buffer_t *data) { + e = BN_bin2bn(r.base, e_bytes, NULL); + isc_region_consume(&r, e_bytes); + n = BN_bin2bn(r.base, r.length, NULL); ++ if (e == NULL || n == NULL) { ++ RSA_free(rsa); ++ return (ISC_R_NOMEMORY); ++ } ++ + if (RSA_set0_key(rsa, n, e, NULL) == 0) { + if (n != NULL) { + BN_free(n); +-- +2.23.0 \ No newline at end of file diff --git a/backport-Check-that-e-and-n-are-non-NULL-in-opensslrsa_todns.patch b/backport-Check-that-e-and-n-are-non-NULL-in-opensslrsa_todns.patch new file mode 100644 index 0000000..dd266e5 --- /dev/null +++ b/backport-Check-that-e-and-n-are-non-NULL-in-opensslrsa_todns.patch 
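Review bot: The new `if (e == NULL || n == NULL)` guard after the two `BN_bin2bn` calls frees `rsa` but not the BIGNUM that did get allocated, so when exactly one of the two allocations fails the other is leaked on the `ISC_R_NOMEMORY` return. BN_free() accepts NULL, so the cleanup can simply be `BN_free(e); BN_free(n); RSA_free(rsa);`, or use the `if (x != NULL) { BN_free(x); }` form that the RSA_set0_key failure branch directly below already uses. This is an allocation-failure path only, so the consequence is a leak rather than a crash, but the point of the patch is to make that path clean. opensslrsa_fromdns continues outside the hunk.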
@@ -0,0 +1,37 @@ +From 0b0718fba3fb81507b7e82e6bca38007a94c475a Mon Sep 17 00:00:00 2001 +From: Mark Andrews +Date: Mon, 26 Sep 2022 11:52:55 +1000 +Subject: [PATCH] Check that 'e' and 'n' are non-NULL in opensslrsa_todns + +Conflict: NA +Reference: https://gitlab.isc.org/isc-projects/bind9/-/commit/0b0718fba3fb81507b7e82e6bca38007a94c475a +(cherry picked from commit 5603cd69d170f49916bec3ca78ab3e4830170950) +--- + lib/dns/opensslrsa_link.c | 8 +++++--- + 1 file changed, 5 insertions(+), 3 deletions(-) + +diff --git a/lib/dns/opensslrsa_link.c b/lib/dns/opensslrsa_link.c +index 7aa743394b..b23b6323fa 100644 +--- a/lib/dns/opensslrsa_link.c ++++ b/lib/dns/opensslrsa_link.c +@@ -585,13 +585,15 @@ opensslrsa_todns(const dst_key_t *key, isc_buffer_t *data) { + if (rsa == NULL) { + return (dst__openssl_toresult(DST_R_OPENSSLFAILURE)); + } +- +- isc_buffer_availableregion(data, &r); +- + RSA_get0_key(rsa, &n, &e, NULL); ++ if (e == NULL || n == NULL) { ++ DST_RET(dst__openssl_toresult(DST_R_OPENSSLFAILURE)); ++ } + mod_bytes = BN_num_bytes(n); + e_bytes = BN_num_bytes(e); + ++ isc_buffer_availableregion(data, &r); ++ + if (e_bytes < 256) { /*%< key exponent is <= 2040 bits */ + if (r.length < 1) { + DST_RET(ISC_R_NOSPACE); +-- +2.23.0 \ No newline at end of file diff --git a/backport-Check-that-primary-key-names-have-not-changed.patch b/backport-Check-that-primary-key-names-have-not-changed.patch new file mode 100644 index 0000000..ca9ad0d --- /dev/null +++ b/backport-Check-that-primary-key-names-have-not-changed.patch 
@@ -0,0 +1,52 @@ +From 9524c493c9534654adb5c363972adcc521c1907b Mon Sep 17 00:00:00 2001 +From: Mark Andrews +Date: Fri, 23 Sep 2022 16:52:44 +1000 +Subject: [PATCH] Check that primary key names have not changed + +When looking for changes in a catalog zone member zone we need to +also check if the TSIG key name associated with a primary server +has be added, removed or changed. + +Conflict: NA +Reference: https://gitlab.isc.org/isc-projects/bind9/-/commit/9524c493c9534654adb5c363972adcc521c1907b +(cherry picked from commit 9172bd9b5a0b039cea187b6c7cc2c1314210c5d6) +--- + lib/dns/catz.c | 16 +++++++++++++++- + 1 file changed, 15 insertions(+), 1 deletion(-) + +diff --git a/lib/dns/catz.c b/lib/dns/catz.c +index e46549be5e..702b081940 100644 +--- a/lib/dns/catz.c ++++ b/lib/dns/catz.c +@@ -322,6 +322,20 @@ dns_catz_entry_cmp(const dns_catz_entry_t *ea, const dns_catz_entry_t *eb) { + return (false); + } + ++ for (size_t i = 0; i < eb->opts.masters.count; i++) { ++ if ((ea->opts.masters.keys[i] == NULL) != ++ (eb->opts.masters.keys[i] == NULL)) { ++ return (false); ++ } ++ if (ea->opts.masters.keys[i] == NULL) { ++ continue; ++ } ++ if (!dns_name_equal(ea->opts.masters.keys[i], ++ eb->opts.masters.keys[i])) { ++ return (false); ++ } ++ } ++ + /* If one is NULL and the other isn't, the entries don't match */ + if ((ea->opts.allow_query == NULL) != (eb->opts.allow_query == NULL)) { + return (false); +@@ -350,7 +364,7 @@ dns_catz_entry_cmp(const dns_catz_entry_t *ea, const dns_catz_entry_t *eb) { + } + } + +- /* xxxwpk TODO compare dscps/keys! */ ++ /* xxxwpk TODO compare dscps! */ + return (true); + } + +-- +2.23.0 \ No newline at end of file diff --git a/backport-Ensure-that-named_server_t-is-properly-initialized.patch b/backport-Ensure-that-named_server_t-is-properly-initialized.patch new file mode 100644 index 0000000..852c97f --- /dev/null +++ b/backport-Ensure-that-named_server_t-is-properly-initialized.patch 
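Review bot: The added loop iterates to `eb->opts.masters.count` but indexes both `ea->opts.masters.keys[i]` and `eb->opts.masters.keys[i]`, so it is only safe if the two entries' counts were already compared equal and both `keys` arrays are sized to `count`; neither check is visible here (dns_catz_entry_cmp begins above the hunk), so please confirm the count comparison precedes this block in the 9.16.23 tree. A one-line comment would make that dependency explicit, e.g. `/* Counts verified equal above; compare the TSIG key name bound to each primary, treating NULL vs non-NULL as a change. */`. The rewritten TODO still leaves dscps uncompared, which the backport description could say.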
@@ -0,0 +1,146 @@ +From dff843199f3ed60090eb6e9ae60e9278c82bec5f Mon Sep 17 00:00:00 2001 +From: Tony Finch +Date: Fri, 9 Sep 2022 08:21:10 +0100 +Subject: [PATCH] Ensure that named_server_t is properly initialized + +Conflict: NA +Reference: https://gitlab.isc.org/isc-projects/bind9/-/commit/dff843199f3ed60090eb6e9ae60e9278c82bec5f +There was a ubsan error reporting an invalid value for interface_auto +(a boolean value cannot be 190) because it was not initialized. To +avoid this problem happening again, ensure the whole of the server +structure is initialized to zero before setting the (relatively few) +non-zero elements. +--- + bin/named/server.c | 72 ++++++---------------------------------------- + 1 files changed, 9 insertions(+), 63 deletions(-) + +diff --git a/bin/named/server.c b/bin/named/server.c +index 54b13f8f54..b4cbd953a9 100644 +--- a/bin/named/server.c ++++ b/bin/named/server.c +@@ -9971,13 +9971,14 @@ named_server_create(isc_mem_t *mctx, named_server_t **serverp) { + isc_result_t result; + named_server_t *server = isc_mem_get(mctx, sizeof(*server)); + +- if (server == NULL) { +- fatal(server, "allocating server object", ISC_R_NOMEMORY); +- } +- +- server->mctx = mctx; +- server->task = NULL; +- server->zonemgr = NULL; ++ *server = (named_server_t){ ++ .mctx = mctx, ++ .statsfile = isc_mem_strdup(mctx, "named.stats"), ++ .bindkeysfile = isc_mem_strdup(mctx, named_g_defaultbindkeys), ++ .dumpfile = isc_mem_strdup(mctx, "named_dump.db"), ++ .secrootsfile = isc_mem_strdup(mctx, "named.secroots"), ++ .recfile = isc_mem_strdup(mctx, "named.recursing"), ++ }; + + #ifdef USE_DNSRPS + CHECKFATAL(dns_dnsrps_server_create(), "initializing RPZ service " +@@ -9985,10 +9986,8 @@ named_server_create(isc_mem_t *mctx, named_server_t **serverp) { + #endif /* ifdef USE_DNSRPS */ + + /* Initialize server data structures. 
*/ +- server->interfacemgr = NULL; + ISC_LIST_INIT(server->kasplist); + ISC_LIST_INIT(server->viewlist); +- server->in_roothints = NULL; + + /* Must be first. */ + CHECKFATAL(dst_lib_init(named_g_mctx, named_g_engine), "initializing " +@@ -10018,7 +10017,6 @@ named_server_create(isc_mem_t *mctx, named_server_t **serverp) { + isc_task_setname(server->task, "server", server); + isc_taskmgr_setexcltask(named_g_taskmgr, server->task); + +- server->sctx = NULL; + CHECKFATAL(ns_server_create(mctx, get_matching_view, &server->sctx), + "creating server context"); + +@@ -10042,14 +10040,6 @@ named_server_create(isc_mem_t *mctx, named_server_t **serverp) { + isc_app_onrun(named_g_mctx, server->task, run_server, server), + "isc_app_onrun"); + +- server->interface_timer = NULL; +- server->heartbeat_timer = NULL; +- server->pps_timer = NULL; +- server->tat_timer = NULL; +- +- server->interface_interval = 0; +- server->heartbeat_interval = 0; +- + CHECKFATAL(dns_zonemgr_create(named_g_mctx, named_g_taskmgr, + named_g_timermgr, named_g_socketmgr, + &server->zonemgr), +@@ -10057,37 +10047,6 @@ named_server_create(isc_mem_t *mctx, named_server_t **serverp) { + CHECKFATAL(dns_zonemgr_setsize(server->zonemgr, 1000), "dns_zonemgr_" + "setsize"); + +- server->statsfile = isc_mem_strdup(server->mctx, "named.stats"); +- CHECKFATAL(server->statsfile == NULL ? ISC_R_NOMEMORY : ISC_R_SUCCESS, +- "isc_mem_strdup"); +- +- server->bindkeysfile = isc_mem_strdup(server->mctx, +- named_g_defaultbindkeys); +- CHECKFATAL(server->bindkeysfile == NULL ? ISC_R_NOMEMORY +- : ISC_R_SUCCESS, +- "isc_mem_strdup"); +- +- server->dumpfile = isc_mem_strdup(server->mctx, "named_dump.db"); +- CHECKFATAL(server->dumpfile == NULL ? ISC_R_NOMEMORY : ISC_R_SUCCESS, +- "isc_mem_strdup"); +- +- server->secrootsfile = isc_mem_strdup(server->mctx, "named.secroots"); +- CHECKFATAL(server->secrootsfile == NULL ? 
ISC_R_NOMEMORY +- : ISC_R_SUCCESS, +- "isc_mem_strdup"); +- +- server->recfile = isc_mem_strdup(server->mctx, "named.recursing"); +- CHECKFATAL(server->recfile == NULL ? ISC_R_NOMEMORY : ISC_R_SUCCESS, +- "isc_mem_strdup"); +- +- server->hostname_set = false; +- server->hostname = NULL; +- server->version_set = false; +- server->version = NULL; +- +- server->zonestats = NULL; +- server->resolverstats = NULL; +- server->sockstats = NULL; + CHECKFATAL(isc_stats_create(server->mctx, &server->sockstats, + isc_sockstatscounter_max), + "isc_stats_create"); +@@ -10102,28 +10061,15 @@ named_server_create(isc_mem_t *mctx, named_server_t **serverp) { + dns_resstatscounter_max), + "dns_stats_create (resolver)"); + +- server->flushonshutdown = false; +- +- server->controls = NULL; + CHECKFATAL(named_controls_create(server, &server->controls), + "named_controls_create"); +- server->dispatchgen = 0; ++ + ISC_LIST_INIT(server->dispatches); + + ISC_LIST_INIT(server->statschannels); + + ISC_LIST_INIT(server->cachelist); + +- server->sessionkey = NULL; +- server->session_keyfile = NULL; +- server->session_keyname = NULL; +- server->session_keyalg = DST_ALG_UNKNOWN; +- server->session_keybits = 0; +- +- server->lockfile = NULL; +- +- server->dtenv = NULL; +- + server->magic = NAMED_SERVER_MAGIC; + *serverp = server; + } +-- +2.23.0 \ No newline at end of file diff --git a/backport-Fix-memory-leak-in-dns_message_checksig-SIG-0-sigs.patch b/backport-Fix-memory-leak-in-dns_message_checksig-SIG-0-sigs.patch new file mode 100644 index 0000000..2cc2d24 --- /dev/null +++ b/backport-Fix-memory-leak-in-dns_message_checksig-SIG-0-sigs.patch 
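Review bot: The rewrite removes the `server == NULL` fatal and every `CHECKFATAL(... == NULL ? ISC_R_NOMEMORY : ISC_R_SUCCESS, "isc_mem_strdup")` that followed the strdup calls, and the compound literal now stores the `isc_mem_strdup` results unchecked. That is only equivalent if `isc_mem_get`/`isc_mem_strdup` abort on allocation failure in this tree, which I believe is the 9.16 behaviour but cannot confirm from the hunk; since this spec also carries Patch6127 (disabling the internal allocator), a sentence in the patch's Conflict/description block stating that the removed checks were dead code would save the next maintainer the same question. The diffstat inside the backport ("1 files changed, 9 insertions(+), 63 deletions(-)") differs from its own header line ("72 ++++----"), which suggests the file was hand-edited; worth regenerating. named_server_create continues outside the hunk.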
@@ -0,0 +1,30 @@ +From 3e77d6bf87f4a8c8793c9dd2a506432a24a4366c Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Petr=20=C5=A0pa=C4=8Dek?= +Date: Mon, 19 Sep 2022 09:07:51 +0200 +Subject: [PATCH] Fix memory leak in dns_message_checksig() - SIG(0) sigs + +Impact should be visible only in tests or tools because named never +uses view == NULL, which is a necessary condition to trigger this leak. +Conflict: NA +Reference: https://gitlab.isc.org/isc-projects/bind9/-/commit/3e77d6bf87f4a8c8793c9dd2a506432a24a4366c +(cherry picked from commit 69256b3553d3b8b73b6fa4de9b030b39f1b96d34) +--- + lib/dns/message.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/lib/dns/message.c b/lib/dns/message.c +index 0b5d9355e5..7b3d72abd9 100644 +--- a/lib/dns/message.c ++++ b/lib/dns/message.c +@@ -3227,7 +3227,8 @@ dns_message_checksig(dns_message_t *msg, dns_view_t *view) { + + dns_rdataset_init(&keyset); + if (view == NULL) { +- return (DNS_R_KEYUNAUTHORIZED); ++ result = DNS_R_KEYUNAUTHORIZED; ++ goto freesig; + } + result = dns_view_simplefind(view, &sig.signer, + dns_rdatatype_key /* SIG(0) */, 0, +-- +2.23.0 \ No newline at end of file diff --git a/backport-Fix-ns_statscounter_recursclients-counting-bug.patch b/backport-Fix-ns_statscounter_recursclients-counting-bug.patch new file mode 100644 index 0000000..8499382 --- /dev/null +++ b/backport-Fix-ns_statscounter_recursclients-counting-bug.patch 
@@ -0,0 +1,39 @@ +From b6aeccf697729c4c721fc71da7063bb18a89c751 Mon Sep 17 00:00:00 2001 +From: Aram Sargsyan +Date: Tue, 18 Oct 2022 08:54:04 +0000 +Subject: [PATCH] Fix ns_statscounter_recursclients counting bug + +The incrementing and decrementing of 'ns_statscounter_recursclients' +were not properly balanced: for example, it would be incremented for +a prefetch query but not decremented if the query failed. + +This commit ensures that the recursion quota and the recursive clients +counter are always in sync with each other. + +Conflict: NA +Reference: https://gitlab.isc.org/isc-projects/bind9/-/commit/b6aeccf697729c4c721fc71da7063bb18a89c751 +(cherry picked from commit 82991451b41793af201d070aba654c4ea89819cb) +--- + lib/ns/client.c | 6 ++---- + 1 file changed, 2 insertions(+), 4 deletions(-) + +diff --git a/lib/ns/client.c b/lib/ns/client.c +index 41d3fa0..dc8a10a 100644 +--- a/lib/ns/client.c ++++ b/lib/ns/client.c +@@ -242,10 +242,8 @@ ns_client_endrequest(ns_client_t *client) { + */ + if (client->recursionquota != NULL) { + isc_quota_detach(&client->recursionquota); +- if (client->query.prefetch == NULL) { +- ns_stats_decrement(client->sctx->nsstats, +- ns_statscounter_recursclients); +- } ++ ns_stats_decrement(client->sctx->nsstats, ++ ns_statscounter_recursclients); + } + + /* +-- +2.33.0 + diff --git a/backport-Free-n-on-error-path-in-rsa_check.patch b/backport-Free-n-on-error-path-in-rsa_check.patch new file mode 100644 index 0000000..e29cbcc --- /dev/null +++ b/backport-Free-n-on-error-path-in-rsa_check.patch 
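Review bot: The decrement in ns_client_endrequest is now unconditional whenever `client->recursionquota` is attached, so the counter is balanced only if every site that attaches the recursion quota also increments `ns_statscounter_recursclients`, including the prefetch path the description mentions; those attach sites are not part of this patch, so please verify them in the 9.16.23 tree rather than assuming the upstream tree matches. A comment at the detach would pin the invariant for future backports, e.g. `/* Every isc_quota_attach() of recursionquota is paired with a recursclients increment, so always decrement here. */`.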
@@ -0,0 +1,28 @@ +From 2c8e38f359bb90bcec67419ce95d2eee81bfd7a2 Mon Sep 17 00:00:00 2001 +From: Mark Andrews +Date: Mon, 26 Sep 2022 12:05:33 +1000 +Subject: [PATCH] Free 'n' on error path in rsa_check + +Conflict: NA +Reference: https://gitlab.isc.org/isc-projects/bind9/-/commit/2c8e38f359bb90bcec67419ce95d2eee81bfd7a2 +(cherry picked from commit 483c5a19781b0930c6e72bb2b498130c3f83d13f) +--- + lib/dns/opensslrsa_link.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/lib/dns/opensslrsa_link.c b/lib/dns/opensslrsa_link.c +index b744a62df9..9bee2f0449 100644 +--- a/lib/dns/opensslrsa_link.c ++++ b/lib/dns/opensslrsa_link.c +@@ -852,6 +852,9 @@ rsa_check(RSA *rsa, RSA *pub) { + } + if (e1 != NULL) { + if (BN_cmp(e1, e2) != 0) { ++ if (n != NULL) { ++ BN_free(n); ++ } + return (DST_R_INVALIDPRIVATEKEY); + } + } else { +-- +2.23.0 \ No newline at end of file diff --git a/backport-Free-rsa-if-e-is-NULL-in-opensslrsa_verify2.patch b/backport-Free-rsa-if-e-is-NULL-in-opensslrsa_verify2.patch new file mode 100644 index 0000000..d5b5524 --- /dev/null +++ b/backport-Free-rsa-if-e-is-NULL-in-opensslrsa_verify2.patch 
@@ -0,0 +1,29 @@ +From 6f1e04409a24b275d756fdddc1ed8fffc2d48254 Mon Sep 17 00:00:00 2001 +From: Mark Andrews +Date: Mon, 26 Sep 2022 11:51:05 +1000 +Subject: [PATCH] Free 'rsa' if 'e' is NULL in opensslrsa_verify2 + +Conflict: NA +Reference: https://gitlab.isc.org/isc-projects/bind9/-/commit/6f1e04409a24b275d756fdddc1ed8fffc2d48254 +(cherry picked from commit a2b51ca6acae9e1c819e0d2e4aa1584b675c4cb7) +--- + lib/dns/opensslrsa_link.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/lib/dns/opensslrsa_link.c b/lib/dns/opensslrsa_link.c +index b0d8dd85b9..7aa743394b 100644 +--- a/lib/dns/opensslrsa_link.c ++++ b/lib/dns/opensslrsa_link.c +@@ -333,6 +333,10 @@ opensslrsa_verify2(dst_context_t *dctx, int maxbits, const isc_region_t *sig) { + return (dst__openssl_toresult(DST_R_OPENSSLFAILURE)); + } + RSA_get0_key(rsa, NULL, &e, NULL); ++ if (e == NULL) { ++ RSA_free(rsa); ++ return (dst__openssl_toresult(DST_R_VERIFYFAILURE)); ++ } + bits = BN_num_bits(e); + RSA_free(rsa); + if (bits > maxbits && maxbits != 0) { +-- +2.23.0 \ No newline at end of file diff --git a/backport-Reset-parser-before-parsing-of-internal-trust-anchor.patch b/backport-Reset-parser-before-parsing-of-internal-trust-anchor.patch new file mode 100644 index 0000000..0fc4589 --- /dev/null +++ b/backport-Reset-parser-before-parsing-of-internal-trust-anchor.patch 
@@ -0,0 +1,29 @@ +From ba9a140e1f3165145164a5923c65461824d80ab3 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= +Date: Thu, 11 Aug 2022 11:41:30 +0200 +Subject: [PATCH] Reset parser before parsing of internal trust anchor + +It might be reused if /etc/bind.keys exists, but failed correct parsing. +Release traces of previous parsing attempt of different data. + +Conflict: NA +Reference: https://gitlab.isc.org/isc-projects/bind9/-/commit/ba9a140e1f3165145164a5923c65461824d80ab3 +(cherry picked from commit dc07394c4724c1e1235af85dd8c044af70da93ae) +--- + bin/delv/delv.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/bin/delv/delv.c b/bin/delv/delv.c +index f4c7c015dd..0702eec862 100644 +--- a/bin/delv/delv.c ++++ b/bin/delv/delv.c +@@ -852,6 +852,7 @@ setup_dnsseckeys(dns_client_t *client) { + + isc_buffer_init(&b, anchortext, sizeof(anchortext) - 1); + isc_buffer_add(&b, sizeof(anchortext) - 1); ++ cfg_parser_reset(parser); + result = cfg_parse_buffer(parser, &b, NULL, 0, + &cfg_type_bindkeys, 0, &bindkeys); + if (result != ISC_R_SUCCESS) { +-- +2.23.0 \ No newline at end of file diff --git a/backport-clean-up-properly-when-interface-creation-fails.patch b/backport-clean-up-properly-when-interface-creation-fails.patch new file mode 100644 index 0000000..2c851ea --- /dev/null +++ b/backport-clean-up-properly-when-interface-creation-fails.patch 
@@ -0,0 +1,67 @@ +From 80a8322d6594cfaa9ffe90d3de0c315a0d34efc3 Mon Sep 17 00:00:00 2001 +From: Evan Hunt +Date: Fri, 2 Sep 2022 15:41:26 -0700 +Subject: [PATCH] clean up properly when interface creation fails + +Conflict: NA +Reference: https://gitlab.isc.org/isc-projects/bind9/-/commit/80a8322d6594cfaa9ffe90d3de0c315a0d34efc3 + +previously, if ns_clientmgr_create() failed, the interface was not +cleaned up correctly and an assertion or segmentation fault could +follow. this has been fixed. +--- + lib/ns/interfacemgr.c | 18 ++++++++++++------ + 1 file changed, 12 insertions(+), 6 deletions(-) + +diff --git a/lib/ns/interfacemgr.c b/lib/ns/interfacemgr.c +index facb0d141b..51429de716 100644 +--- a/lib/ns/interfacemgr.c ++++ b/lib/ns/interfacemgr.c +@@ -391,7 +391,7 @@ ns_interfacemgr_shutdown(ns_interfacemgr_t *mgr) { + static isc_result_t + ns_interface_create(ns_interfacemgr_t *mgr, isc_sockaddr_t *addr, + const char *name, ns_interface_t **ifpret) { +- ns_interface_t *ifp; ++ ns_interface_t *ifp = NULL; + isc_result_t result; + int disp; + +@@ -422,13 +422,13 @@ ns_interface_create(ns_interfacemgr_t *mgr, isc_sockaddr_t *addr, + ISC_LINK_INIT(ifp, link); + + ns_interfacemgr_attach(mgr, &ifp->mgr); ++ isc_refcount_init(&ifp->references, 1); ++ ifp->magic = IFACE_MAGIC; ++ + LOCK(&mgr->lock); + ISC_LIST_APPEND(mgr->interfaces, ifp, link); + UNLOCK(&mgr->lock); + +- isc_refcount_init(&ifp->references, 1); +- ifp->magic = IFACE_MAGIC; +- + result = ns_clientmgr_create(mgr->mctx, mgr->sctx, mgr->taskmgr, + mgr->timermgr, ifp, mgr->ncpus, + &ifp->clientmgr); +@@ -444,11 +444,17 @@ ns_interface_create(ns_interfacemgr_t *mgr, isc_sockaddr_t *addr, + return (ISC_R_SUCCESS); + + failure: +- isc_mutex_destroy(&ifp->lock); ++ LOCK(&ifp->mgr->lock); ++ ISC_LIST_UNLINK(ifp->mgr->interfaces, ifp, link); ++ UNLOCK(&ifp->mgr->lock); + + ifp->magic = 0; +- isc_mem_put(mgr->mctx, ifp, sizeof(*ifp)); ++ ns_interfacemgr_detach(&ifp->mgr); ++ isc_refcount_decrement(&ifp->references); 
++ isc_refcount_destroy(&ifp->references); ++ isc_mutex_destroy(&ifp->lock); + ++ isc_mem_put(mgr->mctx, ifp, sizeof(*ifp)); + return (ISC_R_UNEXPECTED); + } + +-- +2.23.0 \ No newline at end of file diff --git a/backport-dnstap-query_message-field-was-erroneously-set-with-responses.patch b/backport-dnstap-query_message-field-was-erroneously-set-with-responses.patch new file mode 100644 index 0000000..5e3e30d --- /dev/null +++ b/backport-dnstap-query_message-field-was-erroneously-set-with-responses.patch 
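Review bot: The new `failure:` block dereferences `ifp->mgr` (`LOCK(&ifp->mgr->lock)`, `ISC_LIST_UNLINK(ifp->mgr->interfaces, ...)`) and decrements `ifp->references`, so it is only correct for a `goto failure` taken after the `ns_interfacemgr_attach`/`isc_refcount_init`/`ISC_LIST_APPEND` sequence; the function starts above the first hunk and the stretch between the second and third hunk is not shown, so any earlier failure jump would now hit a NULL `ifp->mgr` or an uninitialized refcount. If such a jump exists, the unlink/detach needs an `if (ifp->mgr != NULL)` guard or a second label; if none exists, a comment such as `/* failure: only reachable once ifp is attached to mgr and linked into mgr->interfaces */` documents the assumption. The `ifp = NULL` initializer added in the first hunk is otherwise unused on the visible paths, which reads as preparation for exactly that kind of guard.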
@@ -0,0 +1,61 @@ +From e1fa6cbab82fe424a94269e3ae9e106c10bf59be Mon Sep 17 00:00:00 2001 +From: Evan Hunt +Date: Fri, 26 Aug 2022 15:38:34 -0700 +Subject: [PATCH] dnstap query_message field was erroneously set with responses + +The dnstap query_message field was in some cases being filled in +with response messages, along with the response_message field. +The query_message field should only be used when logging requests, +and the response_message field only when logging responses. + +Conflict: NA +Reference: https://gitlab.isc.org/isc-projects/bind9/-/commit/e1fa6cbab82fe424a94269e3ae9e106c10bf59be +--- + lib/dns/dnstap.c | 18 ++++++++++++------ + 1 file changed, 12 insertions(+), 6 deletions(-) + +diff --git a/lib/dns/dnstap.c b/lib/dns/dnstap.c +index 30ca97e636..97f070937d 100644 +--- a/lib/dns/dnstap.c ++++ b/lib/dns/dnstap.c +@@ -808,10 +808,11 @@ dns_dt_send(dns_view_t *view, dns_dtmsgtype_t msgtype, isc_sockaddr_t *qaddr, + dm.m.response_time_nsec = isc_time_nanoseconds(t); + dm.m.has_response_time_nsec = 1; + +- cpbuf(buf, &dm.m.response_message, &dm.m.has_response_message); +- +- /* Types RR and FR get both query and response times */ +- if (msgtype == DNS_DTTYPE_CR || msgtype == DNS_DTTYPE_AR) { ++ /* ++ * Types RR and FR can fall through and get the query ++ * time set as well. Any other response type, break. 
++ */ ++ if (msgtype != DNS_DTTYPE_RR && msgtype != DNS_DTTYPE_FR) { + break; + } + +@@ -831,8 +832,6 @@ dns_dt_send(dns_view_t *view, dns_dtmsgtype_t msgtype, isc_sockaddr_t *qaddr, + dm.m.has_query_time_sec = 1; + dm.m.query_time_nsec = isc_time_nanoseconds(t); + dm.m.has_query_time_nsec = 1; +- +- cpbuf(buf, &dm.m.query_message, &dm.m.has_query_message); + break; + default: + isc_log_write(dns_lctx, DNS_LOGCATEGORY_DNSTAP, +@@ -841,6 +840,13 @@ dns_dt_send(dns_view_t *view, dns_dtmsgtype_t msgtype, isc_sockaddr_t *qaddr, + return; + } + ++ /* Query and response messages */ ++ if ((msgtype & DNS_DTTYPE_QUERY) != 0) { ++ cpbuf(buf, &dm.m.query_message, &dm.m.has_query_message); ++ } else if ((msgtype & DNS_DTTYPE_RESPONSE) != 0) { ++ cpbuf(buf, &dm.m.response_message, &dm.m.has_response_message); ++ } ++ + /* Zone/bailiwick */ + switch (msgtype) { + case DNS_DTTYPE_AR: +-- +2.23.0 \ No newline at end of file diff --git a/backport-fix-an-incorrect-detach-in-update-processing.patch b/backport-fix-an-incorrect-detach-in-update-processing.patch new file mode 100644 index 0000000..a62bfff --- /dev/null +++ b/backport-fix-an-incorrect-detach-in-update-processing.patch 
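Review bot: The replacement condition `if (msgtype != DNS_DTTYPE_RR && msgtype != DNS_DTTYPE_FR) { break; }` both inverts and narrows the old `if (msgtype == DNS_DTTYPE_CR || msgtype == DNS_DTTYPE_AR) { break; }`, so response types other than RR/FR that previously fell through and received `query_time_sec`/`query_time_nsec` (the SR/TR/UR responses) no longer do. That is a behaviour change beyond the query_message/response_message mix-up the description addresses; it looks intentional given the new comment, but the backport description should state it. The trailing `if ((msgtype & DNS_DTTYPE_QUERY) != 0) ... else if ((msgtype & DNS_DTTYPE_RESPONSE) != 0)` relies on the per-type values being disjoint bit flags covered by those two masks; a short comment, `/* DNS_DTTYPE_QUERY and DNS_DTTYPE_RESPONSE are masks over the per-type flags; unknown types returned above. */`, would make that explicit. dns_dt_send continues outside the hunk.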
@@ -0,0 +1,85 @@ +From 17924f4bdfbd99e06057c090d6ac3e8074deb642 Mon Sep 17 00:00:00 2001 +From: Evan Hunt +Date: Fri, 2 Sep 2022 14:44:58 -0700 +Subject: [PATCH] fix an incorrect detach in update processing + +when processing UDPATE requests, hold the request handle until +we either drop the request or respond to it. + +Conflict: NA +Reference: https://gitlab.isc.org/isc-projects/bind9/-/commit/17924f4bdfbd99e06057c090d6ac3e8074deb642 +(cherry picked from commit 00e0758e1218f82fd1fe995c161ce4243bbbbb89) +--- + lib/ns/update.c | 25 +++++++++++-------------- + 1 file changed, 11 insertions(+), 14 deletions(-) + +diff --git a/lib/ns/update.c b/lib/ns/update.c +index db04e60..071de25 100644 +--- a/lib/ns/update.c ++++ b/lib/ns/update.c +@@ -1743,19 +1743,17 @@ respond(ns_client_t *client, isc_result_t result) { + + msg_result = dns_message_reply(client->message, true); + if (msg_result != ISC_R_SUCCESS) { +- goto msg_failure; ++ isc_log_write(ns_lctx, NS_LOGCATEGORY_UPDATE, ++ NS_LOGMODULE_UPDATE, ISC_LOG_ERROR, ++ "could not create update response message: %s", ++ isc_result_totext(msg_result)); ++ ns_client_drop(client, msg_result); ++ isc_nmhandle_detach(&client->reqhandle); ++ return; + } +- client->message->rcode = dns_result_torcode(result); + ++ client->message->rcode = dns_result_torcode(result); + ns_client_send(client); +- return; +- +-msg_failure: +- isc_log_write(ns_lctx, NS_LOGCATEGORY_UPDATE, NS_LOGMODULE_UPDATE, +- ISC_LOG_ERROR, +- "could not create update response message: %s", +- isc_result_totext(msg_result)); +- ns_client_drop(client, msg_result); + isc_nmhandle_detach(&client->reqhandle); + } + +@@ -1769,7 +1767,8 @@ ns_update_start(ns_client_t *client, isc_nmhandle_t *handle, + dns_zone_t *zone = NULL, *raw = NULL; + + /* +- * Attach to the request handle ++ * Attach to the request handle. This will be held until ++ * we respond, or drop the request. 
+ */ + isc_nmhandle_attach(handle, &client->reqhandle); + +@@ -1848,8 +1847,6 @@ ns_update_start(ns_client_t *client, isc_nmhandle_t *handle, + default: + FAILC(DNS_R_NOTAUTH, "not authoritative for update zone"); + } +- +- isc_nmhandle_detach(&client->reqhandle); + return; + + failure: +@@ -1872,7 +1869,6 @@ failure: + if (zone != NULL) { + dns_zone_detach(&zone); + } +- isc_nmhandle_detach(&client->reqhandle); + } + + /*% +@@ -3598,6 +3594,7 @@ forward_done(isc_task_t *task, isc_event_t *event) { + + isc_quota_detach(&(isc_quota_t *){ &client->manager->sctx->updquota }); + isc_event_free(&event); ++ isc_nmhandle_detach(&client->reqhandle); + isc_nmhandle_detach(&client->updatehandle); + } + +-- +2.27.0 + diff --git a/backport-nsec3.c-Add-a-missing-dns_db_detachnode-call.patch b/backport-nsec3.c-Add-a-missing-dns_db_detachnode-call.patch new file mode 100644 index 0000000..54522fc --- /dev/null +++ b/backport-nsec3.c-Add-a-missing-dns_db_detachnode-call.patch 
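Review bot: With both `isc_nmhandle_detach(&client->reqhandle)` calls removed from ns_update_start, the handle attached at the top is now released only by respond() or, for forwarded updates, by forward_done(); any other exit from ns_update_start or the update path that neither responds nor reaches forward_done (a drop on an error before respond is called, for instance) must now detach the handle itself or the client handle leaks for the lifetime of the connection. Most of ns_update_start lies outside the hunk, so please audit its remaining early returns in 9.16.23 rather than only the ones upstream touched, since the distro tree may not be identical. The comment added at the attach could name the release points directly, e.g. `* Released in respond(), or in forward_done() for forwarded updates.`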
@@ -0,0 +1,33 @@ +From 58d01b821af93448714ccb22cea15c35088bd33a Mon Sep 17 00:00:00 2001 +From: Matthijs Mekking +Date: Tue, 23 Aug 2022 10:54:42 +0200 +Subject: [PATCH] nsec3.c: Add a missing dns_db_detachnode() call + +There is one case in 'dns_nsec3_activex()' where it returns but forgets +to detach the db node. Add the missing 'dns_db_detachnode()' call. + +This case only triggers if 'sig-signing-type' (privatetype) is set to 0 +(which by default is not), or if the function is called with 'complete' +is set to 'true' (which at this moment do not exist). + +Conflict: NA +Reference: https://gitlab.isc.org/isc-projects/bind9/-/commit/58d01b821af93448714ccb22cea15c35088bd33a +(cherry picked from commit 0cf6c18ccb2205a1fc81431f908c8310f6136bbb) +--- + lib/dns/nsec3.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/lib/dns/nsec3.c b/lib/dns/nsec3.c +index f4f7cdeb53..45240b2499 100644 +--- a/lib/dns/nsec3.c ++++ b/lib/dns/nsec3.c +@@ -1833,6 +1833,7 @@ dns_nsec3_activex(dns_db_t *db, dns_dbversion_t *version, bool complete, + + try_private: + if (privatetype == 0 || complete) { ++ dns_db_detachnode(db, &node); + *answer = false; + return (ISC_R_SUCCESS); + } +-- +2.23.0 \ No newline at end of file diff --git a/bind.spec b/bind.spec index 2393cda..7fe5e70 100644 --- a/bind.spec +++ b/bind.spec @@ -30,7 +30,7 @@ Summary: The Berkeley Internet Name Domain (BIND) DNS (Domain Name System) serv Name: bind License: MPLv2.0 Version: 9.16.23 -Release: 20 +Release: 21 Epoch: 32 Url: https://www.isc.org/downloads/bind/ # 
@@ -211,6 +211,23 @@ Patch6127:backport-Disable-the-internale-memory-allocator-by-default.patch Patch6128:backport-CVE-2023-3341.patch +Patch6129:backport-Add-mctx-attach-detach-when-creating-destroying-a-memory-pool.patch +Patch6130:backport-Ensure-that-named_server_t-is-properly-initialized.patch +Patch6131:backport-Reset-parser-before-parsing-of-internal-trust-anchor.patch +Patch6132:backport-clean-up-properly-when-interface-creation-fails.patch +Patch6133:backport-dnstap-query_message-field-was-erroneously-set-with-responses.patch +Patch6134:backport-fix-an-incorrect-detach-in-update-processing.patch +Patch6135:backport-nsec3.c-Add-a-missing-dns_db_detachnode-call.patch + +Patch6136:backport-Check-BN_dup-results-in-rsa_check.patch +Patch6137:backport-Check-that-e-and-n-are-allocated-in-opensslrsa_fromdns.patch +Patch6138:backport-Check-that-e-and-n-are-non-NULL-in-opensslrsa_todns.patch +Patch6139:backport-Check-that-primary-key-names-have-not-changed.patch +Patch6140:backport-Fix-memory-leak-in-dns_message_checksig-SIG-0-sigs.patch +Patch6141:backport-Fix-ns_statscounter_recursclients-counting-bug.patch +Patch6142:backport-Free-n-on-error-path-in-rsa_check.patch +Patch6143:backport-Free-rsa-if-e-is-NULL-in-opensslrsa_verify2.patch + Patch9000:bugfix-limit-numbers-of-test-threads.patch %{?systemd_ordering} @@ -1219,6 +1236,12 @@ fi; %endif %changelog +* Sat Jan 06 2024 zhanghao - 32:9.16.23-21 +- Type:bugfix +- CVE:NA +- SUG:NA +- DESC:sync some patches from community + * Sat Sep 23 2023 zhanghao - 32:9.16.23-20 - Type:CVE - CVE:CVE-2023-3341 -- Gitee
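Review bot: The five opensslrsa_link.c backports are numbered Patch6136–Patch6143 in a different order from the one their `index` lines encode: the pre-image of 6136 (9bee2f0449) is the post-image of 6142, whose pre-image (b744a62df9) is the post-image of 6137, which follows 6138 (7aa743394b..b23b6323fa), which follows 6143 (b0d8dd85b9..7aa743394b). If the %prep section (not shown) applies patches in numeric order, each of these lands on a file that has not yet received its predecessor and only applies by offset; the hunks touch separate regions of the file, so this does not appear to break the build, but renumbering them as 6143, 6138, 6137, 6142, 6136 (or reordering the Patch lines) would replay the upstream sequence and let a future context mismatch fail loudly instead of fuzz-applying. Several of the new patch files also end with "\ No newline at end of file"; harmless for git apply/patch, but easy to regenerate while the set is being reordered.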