[9.18] fix: usr: RPZ canonical warning displays zone entry incorrectly

When an IPv6 RPZ prefix entry was entered incorrectly, the log
message displayed only the prefix rather than the full
entry.  This has been corrected.

Closes #5491

Backport of MR !10890

Merge branch 'backport-5491-rpz-canonical-warning-displays-zone-entry-incorrectly-9.18' into 'bind-9.18'

See merge request isc-projects/bind9!10931
Mark Andrews 2025-09-03 10:21:09 +10:00
commit 3e787e9893
3 changed files with 11 additions and 6 deletions


@ -51,7 +51,11 @@ update add 32.2.5.168.192.rpz-ip.bl 300 A 127.0.0.2
; prefer first conflicting IP zone for a5-3.tld2
; 12
update add 32.3.5.168.192.rpz-ip.bl 300 A 127.0.0.1
; non canonical form entry to trigger log message
update add 128.2.0.0.0.0.3.2.2001.rpz-ip.bl 300 CNAME .
send
;
update add 32.3.5.168.192.rpz-ip.bl-2 300 A 127.0.0.2
send


@ -549,6 +549,8 @@ ckstats $ns5 test1 ns5 0
ckstats $ns6 test1 ns6 0
start_group "IP rewrites" test2
msg='rpz IP address "128.2.0.0.0.0.3.2.2001" is not the canonical "128.2.zz.3.2.2001"'
grep "$msg" ns3/named.run >/dev/null || setret "expected 'is not the canonical' message not logged"
nodata a3-1.tld2 # 1 NODATA
nochange a3-2.tld2 # 2 no policy record so no change
nochange a4-1.tld2 # 3 obsolete PASSTHRU record style
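Review bot: The added `grep "$msg"` treats the message as a basic regular expression, so every `.` in the two quoted addresses matches any character and the check is looser than the literal text suggests. Since this line is the regression guard for the exact content of the log message, a fixed-string match pins it properly: `grep -F "$msg" ns3/named.run >/dev/null || setret "expected 'is not the canonical' message not logged"`.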


@ -802,7 +802,7 @@ name2ipkey(int log_level, dns_rpz_zone_t *rpz, dns_rpz_type_t rpz_type,
dns_fixedname_t ip_name2f;
dns_name_t ip_name;
const char *prefix_str = NULL, *cp = NULL, *end = NULL;
char *cp2;
char *prefix_end, *cp2;
int ip_labels;
dns_rpz_prefix_t prefix;
unsigned long prefix_num, l;
@ -840,12 +840,9 @@ name2ipkey(int log_level, dns_rpz_zone_t *rpz, dns_rpz_type_t rpz_type,
"");
return ISC_R_FAILURE;
}
/*
* Patch in trailing nul character to print just the length
* label (for various cases below).
*/
*cp2 = '\0';
prefix_end = cp2;
if (prefix_num < 1U || prefix_num > 128U) {
*prefix_end = '\0';
badname(log_level, src_name, "; invalid prefix length of ",
prefix_str);
return ISC_R_FAILURE;
@ -858,6 +855,7 @@ name2ipkey(int log_level, dns_rpz_zone_t *rpz, dns_rpz_type_t rpz_type,
* from the form "prefix.z.y.x.w"
*/
if (prefix_num > 32U) {
*prefix_end = '\0';
badname(log_level, src_name,
"; invalid IPv4 prefix length of ", prefix_str);
return ISC_R_FAILURE;
@ -936,6 +934,7 @@ name2ipkey(int log_level, dns_rpz_zone_t *rpz, dns_rpz_type_t rpz_type,
i = prefix % DNS_RPZ_CIDR_WORD_BITS;
aword = tgt_ip->w[prefix / DNS_RPZ_CIDR_WORD_BITS];
if ((aword & ~DNS_RPZ_WORD_MASK(i)) != 0) {
*prefix_end = '\0';
badname(log_level, src_name,
"; too small prefix length of ", prefix_str);
return ISC_R_FAILURE;
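Review bot: The comment removed along with `*cp2 = '\0';` is not replaced, so nothing at `prefix_end = cp2;` explains why termination is now deferred to the individual error paths. I would add `/* Remember where the length label ends; the nul is patched in only on error paths that print prefix_str, so the full name stays intact for other messages. */` above that assignment. The three error paths shown each repeat `*prefix_end = '\0';` before `badname()`, so a path that prints `prefix_str` without it would presumably log the rest of the name as well; the comment makes that contract visible to whoever adds the next one. The body of name2ipkey starts and ends outside these hunks, so any other uses of `prefix_str` could not be checked from here.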