- Fix stub zone queries leaking to the internet for

harden-referral-path ns checks. git-svn-id: file:///svn/unbound/trunk@4226 be551aaa-1e26-0410-a405-d3ace91eadb9
2025-12-23 16:20:26 -05:00 · 2017-06-15 07:59:05 +00:00 · 2017-06-15 07:59:05 +00:00 · 39b5f5bbc6
commit 39b5f5bbc6
parent 7ebe1fe115
2 changed files with 34 additions and 27 deletions
--- a/doc/Changelog
+++ b/doc/Changelog
@ -1,3 +1,7 @@
 15 June 2017: Wouter
 	- Fix stub zone queries leaking to the internet for
 	  harden-referral-path ns checks.
 13 June 2017: Wouter
 	- Fix #1279: Memory leak on reload when python module is enabled.
 	- Fix #1280: Unbound fails assert when response from authoritative
--- a/iterator/iterator.c
+++ b/iterator/iterator.c
@ -525,6 +525,33 @@ handle_cname_response(struct module_qstate* qstate, struct iter_qstate* iq,
 	return 1;
 }
 /** see if last resort is possible - does config allow queries to parent */
 static int
 can_have_last_resort(struct module_env* env, uint8_t* nm, size_t nmlen,
 	uint16_t qclass)
 {
 	struct delegpt* fwddp;
 	struct iter_hints_stub* stub;
 	int labs = dname_count_labels(nm);
 	/* do not process a last resort (the parent side) if a stub
 	 * or forward is configured, because we do not want to go 'above'
 	 * the configured servers */
 	if(!dname_is_root(nm) && (stub = (struct iter_hints_stub*)
 		name_tree_find(&env->hints->tree, nm, nmlen, labs, qclass)) &&
 		/* has_parent side is turned off for stub_first, where we
 		 * are allowed to go to the parent */
 		stub->dp->has_parent_side_NS) {
 		return 0;
 	}
 	if((fwddp = forwards_find(env->fwds, nm, qclass)) &&
 		/* has_parent_side is turned off for forward_first, where
 		 * we are allowed to go to the parent */
 		fwddp->has_parent_side_NS) {
 		return 0;
 	}
 	return 1;
 }
 /** see if target name is caps-for-id whitelisted */
 static int
 is_caps_whitelisted(struct iter_env* ie, struct iter_qstate* iq)
@ -869,6 +896,9 @@ generate_ns_check(struct module_qstate* qstate, struct iter_qstate* iq, int id)
 	if(iq->depth == ie->max_dependency_depth)
 		return;
 	if(!can_have_last_resort(qstate->env, iq->dp->name, iq->dp->namelen,
 		iq->qchase.qclass))
 		return;
 	/* is this query the same as the nscheck? */
 	if(qstate->qinfo.qtype == LDNS_RR_TYPE_NS &&
 		query_dname_compare(iq->dp->name, qstate->qinfo.qname)==0 &&
@ -1574,33 +1604,6 @@ query_for_targets(struct module_qstate* qstate, struct iter_qstate* iq,
 	return 1;
 }
 /** see if last resort is possible - does config allow queries to parent */
 static int
 can_have_last_resort(struct module_env* env, uint8_t* nm, size_t nmlen,
 	uint16_t qclass)
 {
 	struct delegpt* fwddp;
 	struct iter_hints_stub* stub;
 	int labs = dname_count_labels(nm);
 	/* do not process a last resort (the parent side) if a stub
 	 * or forward is configured, because we do not want to go 'above'
 	 * the configured servers */
 	if(!dname_is_root(nm) && (stub = (struct iter_hints_stub*)
 		name_tree_find(&env->hints->tree, nm, nmlen, labs, qclass)) &&
 		/* has_parent side is turned off for stub_first, where we
 		 * are allowed to go to the parent */
 		stub->dp->has_parent_side_NS) {
 		return 0;
 	}
 	if((fwddp = forwards_find(env->fwds, nm, qclass)) &&
 		/* has_parent_side is turned off for forward_first, where
 		 * we are allowed to go to the parent */
 		fwddp->has_parent_side_NS) {
 		return 0;
 	}
 	return 1;
 }
 /**
 * Called by processQueryTargets when it would like extra targets to query
 * but it seems to be out of options.  At last resort some less appealing