From 4444b168dbadc68460d09f69545b5bb7d12b5281 Mon Sep 17 00:00:00 2001
From: Evan Hunt
Date: Wed, 16 Feb 2022 15:46:33 -0800
Subject: [PATCH] negative 'blackhole' ACL match could be treated as positive
There was a bug in the checking of the "blackhole" ACL in dns_request_create*(), causing an address to be treated as included in the ACL if it was explicitly *excluded*. Thus, leaving "blackhole" unset had no effect, but setting it to "none" would cause any destination addresses to be rejected for dns_request purposes. This would cause zone transfer requests and SOA queries to fail, among other things. The bug has been fixed, and "blackhole { none; };" was added to the xfer system test as a regression test.
---
 bin/tests/system/xfer/ns4/named.conf.base | 1 +
 lib/dns/request.c | 2 +-
 2 files changed, 2 insertions(+), 1 deletion(-)
diff --git a/bin/tests/system/xfer/ns4/named.conf.base b/bin/tests/system/xfer/ns4/named.conf.base
index 395f80c580..8e77d0cd7d 100644
--- a/bin/tests/system/xfer/ns4/named.conf.base
+++ b/bin/tests/system/xfer/ns4/named.conf.base
@@ -21,6 +21,7 @@ options {
 listen-on-v6 { none; };
 recursion no;
 notify yes;
+ blackhole { none; };
 };
 key rndc_key {
diff --git a/lib/dns/request.c b/lib/dns/request.c
index b8248eaf25..b4348e469c 100644
--- a/lib/dns/request.c
+++ b/lib/dns/request.c
@@ -383,7 +383,7 @@ isblackholed(dns_dispatchmgr_t *dispatchmgr, const isc_sockaddr_t *destaddr) {
 isc_netaddr_fromsockaddr(&netaddr, destaddr);
 result = dns_acl_match(&netaddr, NULL, blackhole, NULL, &match, NULL);
- if (result != ISC_R_SUCCESS || match == 0) {
+ if (result != ISC_R_SUCCESS || match <= 0) {
 return (false);
 }
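Review bot: The regression test added with `blackhole { none; };` exercises only the negative-match path (every destination explicitly excluded), so it proves the reported bug is gone but not that a positive blackhole entry still rejects a destination now that the condition has been loosened to `match <= 0`. If the xfer test does not already contain one, a companion server configuration with the transfer peer's address listed positively (e.g. `blackhole { <peer address>; };`, with the transfer then expected to fail) would pin both sides of the sign convention that this fix depends on. Whether such a positive case exists elsewhere in the test suite is not visible from this hunk.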
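Review bot: The corrected condition `match <= 0` relies on a three-valued sign convention for `match` that is not stated anywhere at the call site, which is exactly how the original `match == 0` slipped through and turned an explicit exclusion into a rejection; a one-line comment would keep the next reader from "simplifying" it back. Suggested, directly above the `if`: `/* dns_acl_match(): match > 0 = positive element hit (blackholed), match < 0 = negated element hit (explicitly excluded, per the commit message), 0 = no match. */`. Note also that a failed `dns_acl_match()` call (`result != ISC_R_SUCCESS`) still falls through to `return (false)`, i.e. the check fails open; that is pre-existing behaviour, but if it is intentional it deserves a word in the same comment. The rest of `isblackholed()` — its declarations and the logging/`return (true)` path — lies outside the hunk, and any other `dns_acl_match()` caller that tests `match == 0` is worth a grep for the same mistake.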