From 823e39a9322da9d23334f42323ae86d91b86a487 Mon Sep 17 00:00:00 2001
From: Mark Andrews
Date: Mon, 25 Aug 2025 10:32:36 +1000
Subject: [PATCH 1/2] RPZ canonical warning displays zone entry incorrectly

Do not insert a NUL into ip_str too early as the full value is needed later. Only insert the NUL immediately before displaying just the prefix string.

(cherry picked from commit 283da99f02d8b58c56efee988f39db3dc18426f1)
---
 lib/dns/rpz.c | 11 +++++------
 1 file changed, 5 insertions(+), 6 deletions(-)

diff --git a/lib/dns/rpz.c b/lib/dns/rpz.c
index be2285763b..596482bf48 100644
--- a/lib/dns/rpz.c
+++ b/lib/dns/rpz.c
@@ -802,7 +802,7 @@ name2ipkey(int log_level, dns_rpz_zone_t *rpz, dns_rpz_type_t rpz_type,
 dns_fixedname_t ip_name2f;
 dns_name_t ip_name;
 const char *prefix_str = NULL, *cp = NULL, *end = NULL;
- char *cp2;
+ char *prefix_end, *cp2;
 int ip_labels;
 dns_rpz_prefix_t prefix;
 unsigned long prefix_num, l;
@@ -840,12 +840,9 @@ name2ipkey(int log_level, dns_rpz_zone_t *rpz, dns_rpz_type_t rpz_type,
 "");
 return ISC_R_FAILURE;
 }
- /*
- * Patch in trailing nul character to print just the length
- * label (for various cases below).
- */
- *cp2 = '\0';
+ prefix_end = cp2;
 if (prefix_num < 1U || prefix_num > 128U) {
+ *prefix_end = '\0';
 badname(log_level, src_name, "; invalid prefix length of ",
 prefix_str);
 return ISC_R_FAILURE;
@@ -858,6 +855,7 @@ name2ipkey(int log_level, dns_rpz_zone_t *rpz, dns_rpz_type_t rpz_type,
 * from the form "prefix.z.y.x.w"
 */
 if (prefix_num > 32U) {
+ *prefix_end = '\0';
 badname(log_level, src_name, "; invalid IPv4 prefix length of ",
 prefix_str);
 return ISC_R_FAILURE;
@@ -936,6 +934,7 @@ name2ipkey(int log_level, dns_rpz_zone_t *rpz, dns_rpz_type_t rpz_type,
 i = prefix % DNS_RPZ_CIDR_WORD_BITS;
 aword = tgt_ip->w[prefix / DNS_RPZ_CIDR_WORD_BITS];
 if ((aword & ~DNS_RPZ_WORD_MASK(i)) != 0) {
+ *prefix_end = '\0';
 badname(log_level, src_name, "; too small prefix length of ",
 prefix_str);
 return ISC_R_FAILURE;
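Review bot: The removed comment that explained why a NUL is patched into ip_str went away together with the early write, so the `*prefix_end = '\0';` lines in this hunk (-840) and in the hunks at -858 and -936 now carry no explanation of why termination has to be deferred. A one-line comment at the assignment would restore it: `/* End of the prefix-length label; NUL-terminate only right before printing it, the rest of ip_str is still needed later. */`. The deferred write is only safe while cp2 points inside ip_str, which I take to be the case since it comes from the prefix parse just above the hunk; any other badname() call that prints prefix_str outside these hunks would need the same write before it, or it will print the whole remaining string. name2ipkey starts and ends outside the hunks.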
From 85840b98b532b21a7aeb8d2f2e8150bd7dd37edb Mon Sep 17 00:00:00 2001
From: Mark Andrews
Date: Mon, 25 Aug 2025 11:19:37 +1000
Subject: [PATCH 2/2] Add non canonical form entry to trigger log message

(cherry picked from commit 76db9e276f5180c41dd8492a08b1396377903973)
---
 bin/tests/system/rpz/test2 | 4 ++++
 bin/tests/system/rpz/tests.sh | 2 ++
 2 files changed, 6 insertions(+)

diff --git a/bin/tests/system/rpz/test2 b/bin/tests/system/rpz/test2
index ad71e3ae56..8ef4296c96 100644
--- a/bin/tests/system/rpz/test2
+++ b/bin/tests/system/rpz/test2
@@ -51,7 +51,11 @@ update add 32.2.5.168.192.rpz-ip.bl 300 A 127.0.0.2
 ; prefer first conflicting IP zone for a5-3.tld2 ; 12
 update add 32.3.5.168.192.rpz-ip.bl 300 A 127.0.0.1
+; non canonical form entry to trigger log message
+update add 128.2.0.0.0.0.3.2.2001.rpz-ip.bl 300 CNAME .
 send
+
+;
 update add 32.3.5.168.192.rpz-ip.bl-2 300 A 127.0.0.2
 send
diff --git a/bin/tests/system/rpz/tests.sh b/bin/tests/system/rpz/tests.sh
index 2404c9f4ba..917887ebca 100644
--- a/bin/tests/system/rpz/tests.sh
+++ b/bin/tests/system/rpz/tests.sh
@@ -549,6 +549,8 @@ ckstats $ns5 test1 ns5 0
 ckstats $ns6 test1 ns6 0
 start_group "IP rewrites" test2
+msg='rpz IP address "128.2.0.0.0.0.3.2.2001" is not the canonical "128.2.zz.3.2.2001"'
+grep "$msg" ns3/named.run >/dev/null || setret "expected 'is not the canonical' message not logged"
 nodata a3-1.tld2 # 1 NODATA
 nochange a3-2.tld2 # 2 no policy record so no change
 nochange a4-1.tld2 # 3 obsolete PASSTHRU record style
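Review bot: `grep "$msg"` on the added tests.sh line treats the expected message as a basic regular expression, so every dot in the two addresses matches any character and the check is looser than the literal string the test means to pin; `grep -qF "$msg" ns3/named.run || setret "expected 'is not the canonical' message not logged"` matches the message byte for byte and also replaces the `>/dev/null` redirect. The match is not scoped to this group either, so a matching line logged earlier in ns3/named.run would satisfy it; that is probably acceptable here since the non-canonical entry is only introduced by test2. In the test2 hunk the added bare `;` line carries no text, so it should either say what the following bl-2 update exercises or be dropped.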