diff --git a/CHANGES b/CHANGES index 2b2845b0d8..57a8875ba0 100644 --- a/CHANGES +++ b/CHANGES @@ -1,3 +1,6 @@ +4249. [func] Improve error reporting of TSIG / SIG(0) records in + the wrong location. [RT #40953] + 4248. [func] Add an isc_atomic_storeq() function, use it in stats counters to improve performance. [RT #39972] [RT #39979] diff --git a/lib/dns/include/dns/result.h b/lib/dns/include/dns/result.h index 1a8966dae9..9d8f5d6305 100644 --- a/lib/dns/include/dns/result.h +++ b/lib/dns/include/dns/result.h @@ -156,8 +156,10 @@ #define DNS_R_BADCDNSKEY (ISC_RESULTCLASS_DNS + 112) #define DNS_R_OPTERR (ISC_RESULTCLASS_DNS + 113) #define DNS_R_BADDNSTAP (ISC_RESULTCLASS_DNS + 114) +#define DNS_R_BADTSIG (ISC_RESULTCLASS_DNS + 115) +#define DNS_R_BADSIG0 (ISC_RESULTCLASS_DNS + 116) -#define DNS_R_NRESULTS 115 /*%< Number of results */ +#define DNS_R_NRESULTS 117 /*%< Number of results */ /* * DNS wire format rcodes. diff --git a/lib/dns/message.c b/lib/dns/message.c index 37477c532b..a6de041a5a 100644 --- a/lib/dns/message.c +++ b/lib/dns/message.c @@ -993,12 +993,12 @@ getrdata(isc_buffer_t *source, dns_message_t *msg, dns_decompress_t *dctx, } } -#define DO_FORMERR \ +#define DO_ERROR(r) \ do { \ if (best_effort) \ seen_problem = ISC_TRUE; \ else { \ - result = DNS_R_FORMERR; \ + result = r; \ goto cleanup; \ } \ } while (0) @@ -1073,7 +1073,7 @@ getquestions(isc_buffer_t *source, dns_message_t *msg, dns_decompress_t *dctx, */ if (result != ISC_R_SUCCESS) { if (!ISC_LIST_EMPTY(*section)) - DO_FORMERR; + DO_ERROR(DNS_R_FORMERR); ISC_LIST_APPEND(*section, name, link); free_name = ISC_FALSE; } else { 
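Review bot: In the `@@ -993,12` hunk of lib/dns/message.c, `DO_ERROR(r)` expands its argument without parentheses and discards it entirely when `best_effort` is set, where only `seen_problem` is recorded. Write the assignment as `result = (r);` so that a later non-trivial argument cannot be misparsed. A comment above the macro would also help, for example `/* Needs best_effort, seen_problem, result and a cleanup label in the expanding function; in best-effort mode r is discarded. */`. That makes it clear that the more specific codes added by this commit only surface on the strict parsing path.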
@@ -1102,14 +1102,14 @@ getquestions(isc_buffer_t *source, dns_message_t *msg, dns_decompress_t *dctx, msg->state = DNS_SECTION_QUESTION; msg->rdclass = rdclass; } else if (msg->rdclass != rdclass) - DO_FORMERR; + DO_ERROR(DNS_R_FORMERR); /* * Can't ask the same question twice. */ result = dns_message_find(name, rdclass, rdtype, 0, NULL); if (result == ISC_R_SUCCESS) - DO_FORMERR; + DO_ERROR(DNS_R_FORMERR); /* * Allocate a new rdatalist. @@ -1265,7 +1265,7 @@ getsection(isc_buffer_t *source, dns_message_t *msg, dns_decompress_t *dctx, && rdtype != dns_rdatatype_tkey /* Win2000 TKEY */ && msg->rdclass != dns_rdataclass_any && msg->rdclass != rdclass) - DO_FORMERR; + DO_ERROR(DNS_R_FORMERR); /* * Special type handling for TSIG, OPT, and TKEY. @@ -1278,7 +1278,7 @@ getsection(isc_buffer_t *source, dns_message_t *msg, dns_decompress_t *dctx, if (sectionid != DNS_SECTION_ADDITIONAL || rdclass != dns_rdataclass_any || count != msg->counts[sectionid] - 1) - DO_FORMERR; + DO_ERROR(DNS_R_BADTSIG); msg->sigstart = recstart; skip_name_search = ISC_TRUE; skip_type_search = ISC_TRUE; @@ -1291,7 +1291,7 @@ getsection(isc_buffer_t *source, dns_message_t *msg, dns_decompress_t *dctx, if (!dns_name_equal(dns_rootname, name) || sectionid != DNS_SECTION_ADDITIONAL || msg->opt != NULL) - DO_FORMERR; + DO_ERROR(DNS_R_FORMERR); skip_name_search = ISC_TRUE; skip_type_search = ISC_TRUE; } else if (rdtype == dns_rdatatype_tkey) { @@ -1310,7 +1310,7 @@ getsection(isc_buffer_t *source, dns_message_t *msg, dns_decompress_t *dctx, tkeysection = DNS_SECTION_ANSWER; if (sectionid != tkeysection && sectionid != DNS_SECTION_ANSWER) - DO_FORMERR; + DO_ERROR(DNS_R_FORMERR); } /* 
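Review bot: In the `@@ -1278,7` hunk of getsection(), a misplaced TSIG now produces `DNS_R_BADTSIG` instead of `DNS_R_FORMERR`, but nothing in this diff updates the code that turns a parse result into a response RCODE, or any caller that tests for `DNS_R_FORMERR`. If `dns_result_torcode()` has no case for the new values, a query with a misplaced TSIG would presumably be answered with a different RCODE than before (likely SERVFAIL rather than FORMERR), and that path is reachable by any unauthenticated sender. The same applies to `DO_ERROR(DNS_R_BADSIG0)` in the `@@ -1370,14` hunk. Please confirm the mapping, for example by adding `case DNS_R_BADTSIG:` and `case DNS_R_BADSIG0:` to the group that yields FORMERR, and add a parse test covering both records in the wrong position. getsection() begins and ends outside these hunks, so the final return path is not visible here.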
@@ -1370,14 +1370,14 @@ getsection(isc_buffer_t *source, dns_message_t *msg, dns_decompress_t *dctx, rdata->flags == 0) { covers = dns_rdata_covers(rdata); if (covers == 0) - DO_FORMERR; + DO_ERROR(DNS_R_FORMERR); } else if (rdtype == dns_rdatatype_sig /* SIG(0) */ && rdata->flags == 0) { covers = dns_rdata_covers(rdata); if (covers == 0) { if (sectionid != DNS_SECTION_ADDITIONAL || count != msg->counts[sectionid] - 1) - DO_FORMERR; + DO_ERROR(DNS_R_BADSIG0); msg->sigstart = recstart; skip_name_search = ISC_TRUE; skip_type_search = ISC_TRUE; @@ -1444,7 +1444,7 @@ getsection(isc_buffer_t *source, dns_message_t *msg, dns_decompress_t *dctx, * the question section, fail. */ if (dns_rdatatype_questiononly(rdtype)) - DO_FORMERR; + DO_ERROR(DNS_R_FORMERR); rdataset = NULL; result = dns_message_find(name, rdclass, rdtype, @@ -1470,7 +1470,7 @@ getsection(isc_buffer_t *source, dns_message_t *msg, dns_decompress_t *dctx, first = ISC_LIST_HEAD(rdatalist->rdata); INSIST(first != NULL); if (dns_rdata_compare(rdata, first) != 0) - DO_FORMERR; + DO_ERROR(DNS_R_FORMERR); } } diff --git a/lib/dns/result.c b/lib/dns/result.c index 204d2eeac9..a187e68d7e 100644 --- a/lib/dns/result.c +++ b/lib/dns/result.c @@ -166,7 +166,10 @@ static const char *text[DNS_R_NRESULTS] = { "bad CDS", /*%< 111 DNS_R_BADCSD */ "bad CDNSKEY", /*%< 112 DNS_R_BADCDNSKEY */ "malformed OPT option", /*%< 113 DNS_R_OPTERR */ - "malformed DNSTAP data", /*%< 114 DNS_R_BADDNSTAP*/ + "malformed DNSTAP data", /*%< 114 DNS_R_BADDNSTAP */ + + "TSIG in wrong location", /*%< 115 DNS_R_BADTSIG */ + "SIG(0) in wrong location", /*%< 116 DNS_R_BADSIG0 */ }; static const char *ids[DNS_R_NRESULTS] = { @@ -289,6 +292,8 @@ static const char *ids[DNS_R_NRESULTS] = { "DNS_R_BADCDNSKEY", "DNS_R_OPTERR", "DNS_R_BADDNSTAP", + "DNS_R_BADTSIG", + "DNS_R_BADSIG0", }; static const char *rcode_text[DNS_R_NRCODERESULTS] = {
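Review bot: In the `@@ -166,7` hunk of lib/dns/result.c, the string `"TSIG in wrong location"` does not describe every condition that produces `DNS_R_BADTSIG`. The getsection() check in lib/dns/message.c also fires when `rdclass != dns_rdataclass_any`, which is a class error rather than a placement error, so an operator reading the log would look for the wrong fault. Either leave the class test on `DO_ERROR(DNS_R_FORMERR)` or widen the text, for example `"TSIG in wrong location or class"`. The comment `DNS_R_BADCSD` in the context lines looks like a typo for `DNS_R_BADCDS` and could be corrected while these comments are being realigned.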