- Add check to make sure RPZ records are subdomain of configured zone origin.

2026-02-03 20:29:28 -05:00 · 2020-03-11 17:37:50 +01:00 · 2020-03-11 17:37:50 +01:00 · 28e6c86e61
commit 28e6c86e61
parent 67b4ab2c90
4 changed files with 20 additions and 7 deletions
--- a/doc/Changelog
+++ b/doc/Changelog
@ -1,3 +1,7 @@
+11 March 2020: Ralph
+	- Add check to make sure RPZ records are subdomains of configured
+	  zone origin.
+
 11 March 2020: George
 	- Fix #189: mini_event.h:142:17: error: field 'ev_timeout' has incomplete
 	  type, by noloader.
--- a/services/authzone.c
+++ b/services/authzone.c
@ -1178,9 +1178,9 @@ az_insert_rr(struct auth_zone* z, uint8_t* rr, size_t rr_len,
 		return 0;
 	}
 	if(z->rpz) {
-		if(!(rpz_insert_rr(z->rpz, z->namelen, dname, dname_len, 
-			rr_type, rr_class, rr_ttl, rdata, rdatalen, rr,
-			rr_len)))
+		if(!(rpz_insert_rr(z->rpz, z->name, z->namelen, dname,
+			dname_len, rr_type, rr_class, rr_ttl, rdata, rdatalen,
+			rr, rr_len)))
 			return 0;
 	}
 	return 1;
--- a/services/rpz.c
+++ b/services/rpz.c
@ -586,7 +586,7 @@ rpz_insert_response_ip_trigger(struct rpz* r, uint8_t* dname, size_t dnamelen,
 }

 int
-rpz_insert_rr(struct rpz* r, size_t aznamelen, uint8_t* dname,
+rpz_insert_rr(struct rpz* r, uint8_t* azname, size_t aznamelen, uint8_t* dname,
 	size_t dnamelen, uint16_t rr_type, uint16_t rr_class, uint32_t rr_ttl,
 	uint8_t* rdatawl, size_t rdatalen, uint8_t* rr, size_t rr_len)
 {
@ -596,9 +596,17 @@ rpz_insert_rr(struct rpz* r, size_t aznamelen, uint8_t* dname,
 	enum rpz_action a;
 	uint8_t* policydname;

-	log_assert(dnamelen >= aznamelen);
-	if(!(policydname = calloc(1, (dnamelen-aznamelen)+1)))
+	if(!dname_subdomain_c(dname, azname)) {
+		log_err("RPZ: name of record to insert into RPZ is not a "
+			"subdomain of the configured name of the RPZ zone");
 		return 0;
+	}
+
+	log_assert(dnamelen >= aznamelen);
+	if(!(policydname = calloc(1, (dnamelen-aznamelen)+1))) {
+		log_err("malloc error while inserting RPZ RR");
+		return 0;
+	}

 	a = rpz_rr_to_action(rr_type, rdatawl, rdatalen);
 	if(!(policydnamelen = strip_dname_origin(dname, dnamelen, aznamelen,
--- a/services/rpz.h
+++ b/services/rpz.h
@ -105,6 +105,7 @@ struct rpz {
 /**
 * Create policy from RR and add to this RPZ.
 * @param r: the rpz to add the policy to.
+ * @param azname: dname of the auth-zone
 * @param aznamelen: the length of the auth-zone name
 * @param dname: dname of the RR
 * @param dnamelen: length of the dname
@ -117,7 +118,7 @@ struct rpz {
 * @param rr_len: the length of the complete RR
 * @return: 0 on error
 */
-int rpz_insert_rr(struct rpz* r, size_t aznamelen, uint8_t* dname,
+int rpz_insert_rr(struct rpz* r, uint8_t* azname, size_t aznamelen, uint8_t* dname,
 	size_t dnamelen, uint16_t rr_type, uint16_t rr_class, uint32_t rr_ttl,
 	uint8_t* rdatawl, size_t rdatalen, uint8_t* rr, size_t rr_len);