From 131307a70e66ea434683641156204e01ac56c526 Mon Sep 17 00:00:00 2001 From: Mukund Sivaraman Date: Mon, 15 Aug 2016 14:17:02 +0530 Subject: [PATCH] Fix RPZ CIDR tree insertion bug (#43035) --- CHANGES | 5 ++++ bin/tests/system/rpzrecurse/ns2/db.clientip21 | 12 ++++++++ .../rpzrecurse/ns2/named.clientip2.conf | 27 +++++++++++++++++ bin/tests/system/rpzrecurse/tests.sh | 29 +++++++++++++++++++ lib/dns/dispatch.c | 2 +- lib/dns/rpz.c | 2 +- 6 files changed, 75 insertions(+), 2 deletions(-) create mode 100644 bin/tests/system/rpzrecurse/ns2/db.clientip21 create mode 100644 bin/tests/system/rpzrecurse/ns2/named.clientip2.conf diff --git a/CHANGES b/CHANGES index 33a599032b..628e5738f6 100644 --- a/CHANGES +++ b/CHANGES @@ -1,3 +1,8 @@ +4442. [bug] Fix RPZ CIDR tree insertion bug that corrupted + tree data structure with overlapping networks + (longest prefix match was ineffective). + [RT #43035] + 4441. [cleanup] Alphabetize host's help output. [RT #43031] 4440. [func] Enable TCP fast open support when available on the diff --git a/bin/tests/system/rpzrecurse/ns2/db.clientip21 b/bin/tests/system/rpzrecurse/ns2/db.clientip21 new file mode 100644 index 0000000000..748c6e6547 --- /dev/null +++ b/bin/tests/system/rpzrecurse/ns2/db.clientip21 @@ -0,0 +1,12 @@ +; Copyright (C) 2015, 2016 Internet Systems Consortium, Inc. ("ISC") +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, You can obtain one at http://mozilla.org/MPL/2.0/. + +$TTL 60 +@ IN SOA root.ns ns 1996072700 3600 1800 86400 60 + NS ns +ns A 127.0.0.1 +32.3.0.53.10.rpz-client-ip A 10.53.0.1 +31.2.0.53.10.rpz-client-ip CNAME . diff --git a/bin/tests/system/rpzrecurse/ns2/named.clientip2.conf b/bin/tests/system/rpzrecurse/ns2/named.clientip2.conf new file mode 100644 index 0000000000..e6054f8de8 --- /dev/null +++ b/bin/tests/system/rpzrecurse/ns2/named.clientip2.conf 
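Review bot: The two `rpz-client-ip` records list 10.53.0.3/32 before the enclosing 10.53.0.2/31, so if the zone is loaded in file order the more specific leaf exists first and the covering /31 has to be inserted above it, which looks like the exact path the rpz.c hunk repairs; nothing in the file says that order is deliberate. A comment such as `; /32 listed before its enclosing /31 on purpose: exercises inserting a covering network above an existing leaf (RT #43035)` would stop a later tidy-up from re-sorting the records and silently losing the regression. Whether the loader preserves file order for CIDR insertion is not visible here, so the reverse order (the /31 first, then the /32) is worth a second record pair as well.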
@@ -0,0 +1,27 @@
+/*
+ * Copyright (C) 2015, 2016 Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ */
+
+# common configuration
+include "named.conf.header";
+
+view "recursive" {
+ zone "." {
+ type hint;
+ file "root.hint";
+ };
+
+ servfail-ttl 0;
+
+ # policy configuration to be tested
+ response-policy {
+ zone "clientip21";
+ } qname-wait-recurse no;
+
+ # policy zones to be tested
+ zone "clientip21" { type master; file "db.clientip21"; };
+};
diff --git a/bin/tests/system/rpzrecurse/tests.sh b/bin/tests/system/rpzrecurse/tests.sh
index 91d18f1b01..9738c4175d 100644
--- a/bin/tests/system/rpzrecurse/tests.sh
+++ b/bin/tests/system/rpzrecurse/tests.sh
@@ -237,6 +237,35 @@ grep "^l2.l1.l0.[ ]*[0-9]*[ ]*IN[ ]*A[ ]*10.53.0.2" dig.out.${t} > /dev/null status=1 } +# Check CLIENT-IP behavior #2 +t=`expr $t + 1` +echo "I:testing CLIENT-IP behavior #2 (${t})" +run_server clientip2 +$DIG $DIGOPTS l2.l1.l0 a @10.53.0.2 -p 5300 -b 10.53.0.1 > dig.out.${t}.1 +grep "status: SERVFAIL" dig.out.${t}.1 > /dev/null 2>&1 || { + echo "I:test $t failed: query failed" + status=1 +} +$DIG $DIGOPTS l2.l1.l0 a @10.53.0.2 -p 5300 -b 10.53.0.2 > dig.out.${t}.2 +grep "status: NXDOMAIN" dig.out.${t}.2 > /dev/null 2>&1 || { + echo "I:test $t failed: query failed" + status=1 +} +$DIG $DIGOPTS l2.l1.l0 a @10.53.0.2 -p 5300 -b 10.53.0.3 > dig.out.${t}.3 +grep "status: NOERROR" dig.out.${t}.3 > /dev/null 2>&1 || { + echo "I:test $t failed: query failed" + status=1 +} +grep "^l2.l1.l0.[ ]*[0-9]*[ ]*IN[ ]*A[ ]*10.53.0.1" dig.out.${t}.3 > /dev/null 2>&1 || { + echo "I:test $t failed: didn't get expected answer" + status=1 +} +$DIG $DIGOPTS l2.l1.l0 a @10.53.0.2 -p 5300 -b 10.53.0.4 > dig.out.${t}.4 +grep "status: SERVFAIL" dig.out.${t}.4 > /dev/null 2>&1 || { + echo "I:test $t failed: query failed" + status=1 +} + # Check RPZ log clause t=`expr $t + 1` echo "I:testing RPZ log clause (${t})" diff --git a/lib/dns/dispatch.c b/lib/dns/dispatch.c index 33e4033b8e..d188bda46a 100644 --- a/lib/dns/dispatch.c +++ b/lib/dns/dispatch.c @@ -2994,7 +2994,7 @@ dispatch_createudp(dns_dispatchmgr_t *mgr, isc_socketmgr_t *sockmgr, isc_sockaddr_format(localaddr, addrbuf, ISC_SOCKADDR_FORMATSIZE); mgr_log(mgr, LVL(90), "dns_dispatch_createudp: Created" - " UDP dispatch for %s with socket fd %d\n", + " UDP dispatch for %s with socket fd %d", addrbuf, isc_socket_getfd(sock)); } diff --git a/lib/dns/rpz.c b/lib/dns/rpz.c index ddd6eb2e1a..3ead261395 100644 --- a/lib/dns/rpz.c +++ b/lib/dns/rpz.c 
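Review bot: The two unmatched clients (source 10.53.0.1 and 10.53.0.4) are asserted with `grep "status: SERVFAIL"`, but SERVFAIL is also what a server that failed to load the policy zone, or one still suffering the tree corruption, would plausibly return for every client, so those two checks cannot distinguish "no policy applied" from a broken server. If the harness can answer `l2.l1.l0` through the root hint, the negative controls would be stronger as `status: NOERROR` plus the unpoliced answer; if SERVFAIL is the intended unpoliced outcome in this setup, a one-line comment saying so would keep a later reader from treating it as a bug. Separately, all four failure branches print the same `I:test $t failed: query failed`, so a failing run does not say which source address misbehaved; naming it in each message, e.g. `echo "I:test $t failed: 10.53.0.2 did not get NXDOMAIN"`, costs nothing.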
@@ -1176,7 +1176,7 @@ search(dns_rpz_zones_t *rpzs,
 rpzs->cidr = new_parent;
 else
 parent->child[cur_num] = new_parent;
- child_num = DNS_RPZ_IP_BIT(&cur->ip, tgt_prefix+1);
+ child_num = DNS_RPZ_IP_BIT(&cur->ip, tgt_prefix);
 new_parent->child[child_num] = cur;
 cur->parent = new_parent;
 new_parent->set = *tgt_set;
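Review bot: The corrected line still carries no explanation of which bit it tests, and that index is exactly what the old `+1` got wrong, so a comment would stop the off-by-one from being reintroduced: `/* new_parent covers the first tgt_prefix bits of the key, so bit tgt_prefix of cur->ip decides which child slot cur takes */` (this assumes DNS_RPZ_IP_BIT counts bits from 0, which the hunk does not show). Cheap to add beside it is an `INSIST` that the target key's bit at `tgt_prefix` differs from `child_num`, since the sibling slot presumably receives the new target node and a collision would silently overwrite `cur` instead of failing loudly. The only regression coverage is the system test under `bin/tests/system/rpzrecurse`; a unit test that inserts the /32 before the /31 and then the reverse order would pin the tree shape directly. `search()` begins and ends outside the hunk.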