upstream/unbound
1
0
Fork 0
mirror of https://github.com/NLnetLabs/unbound.git synced 2025-12-20 23:00:56 -05:00
Code Issues Projects Releases Packages Wiki Activity Actions

fixup insecure glue on referrals.

Browse source 
git-svn-id: file:///svn/unbound/trunk@688 be551aaa-1e26-0410-a405-d3ace91eadb9
This commit is contained in:
Wouter Wijngaards 2007-10-17 15:48:54 +00:00
parent be0bdf0260
commit 75792c34dc
5 changed files with 29 additions and 9 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

1
daemon/worker.c
View file

@ -359,6 +359,7 @@ deleg_remove_nonsecure_additional(struct reply_info* rep)
(rep->rrset_count - i - 1)); (rep->rrset_count - i - 1));
rep->ar_numrrsets--; rep->ar_numrrsets--;
rep->rrset_count--; rep->rrset_count--;
i--;
} }
} }
} }

2
doc/Changelog
View file

@ -13,6 +13,8 @@
- removed some debug prints, only verb_algo (4) enables them. - removed some debug prints, only verb_algo (4) enables them.
- fixup test; new random generator took new paths; such as one - fixup test; new random generator took new paths; such as one
where no scripted answer was available. where no scripted answer was available.
- mark insecure RRs as insecure.
- fixup removal of nonsecure items from the additional.
16 October 2007: Wouter 16 October 2007: Wouter
- no malloc in log_hex. - no malloc in log_hex.

28
validator/val_utils.c
View file

@ -550,11 +550,8 @@ rrset_has_signer(struct ub_packed_rrset_key* rrset, uint8_t* name, size_t len)
void void
val_fill_reply(struct reply_info* chase, struct reply_info* orig, val_fill_reply(struct reply_info* chase, struct reply_info* orig,
size_t skip, uint8_t* name, size_t len) size_t skip, uint8_t* name, size_t len, uint8_t* signer)
{ {
/* unsigned RRsets are never copied, but should not happen in
* secure answers anyway. Except for the synthesized CNAME after
* a DNAME. */
size_t i; size_t i;
int seen_dname = 0; int seen_dname = 0;
chase->rrset_count = 0; chase->rrset_count = 0;
@ -563,7 +560,12 @@ val_fill_reply(struct reply_info* chase, struct reply_info* orig,
chase->ar_numrrsets = 0; chase->ar_numrrsets = 0;
/* ANSWER section */ /* ANSWER section */
for(i=skip; i<orig->an_numrrsets; i++) { for(i=skip; i<orig->an_numrrsets; i++) {
if(seen_dname && ntohs(orig->rrsets[i]->rk.type) == if(!signer) {
if(query_dname_compare(name,
orig->rrsets[i]->rk.dname) == 0)
chase->rrsets[chase->an_numrrsets++] =
orig->rrsets[i];
} else if(seen_dname && ntohs(orig->rrsets[i]->rk.type) ==
LDNS_RR_TYPE_CNAME) { LDNS_RR_TYPE_CNAME) {
chase->rrsets[chase->an_numrrsets++] = orig->rrsets[i]; chase->rrsets[chase->an_numrrsets++] = orig->rrsets[i];
seen_dname = 0; seen_dname = 0;
@ -579,7 +581,12 @@ val_fill_reply(struct reply_info* chase, struct reply_info* orig,
for(i = (skip > orig->an_numrrsets)?skip:orig->an_numrrsets; for(i = (skip > orig->an_numrrsets)?skip:orig->an_numrrsets;
i<orig->an_numrrsets+orig->ns_numrrsets; i<orig->an_numrrsets+orig->ns_numrrsets;
i++) { i++) {
if(rrset_has_signer(orig->rrsets[i], name, len)) { if(!signer) {
if(query_dname_compare(name,
orig->rrsets[i]->rk.dname) == 0)
chase->rrsets[chase->an_numrrsets+
chase->ns_numrrsets++] = orig->rrsets[i];
} else if(rrset_has_signer(orig->rrsets[i], name, len)) {
chase->rrsets[chase->an_numrrsets+ chase->rrsets[chase->an_numrrsets+
chase->ns_numrrsets++] = orig->rrsets[i]; chase->ns_numrrsets++] = orig->rrsets[i];
} }
@ -588,7 +595,13 @@ val_fill_reply(struct reply_info* chase, struct reply_info* orig,
for(i= (skip>orig->an_numrrsets+orig->ns_numrrsets)? for(i= (skip>orig->an_numrrsets+orig->ns_numrrsets)?
skip:orig->an_numrrsets+orig->ns_numrrsets; skip:orig->an_numrrsets+orig->ns_numrrsets;
i<orig->rrset_count; i++) { i<orig->rrset_count; i++) {
if(rrset_has_signer(orig->rrsets[i], name, len)) { if(!signer) {
if(query_dname_compare(name,
orig->rrsets[i]->rk.dname) == 0)
chase->rrsets[chase->an_numrrsets
+orig->ns_numrrsets+chase->ar_numrrsets++]
= orig->rrsets[i];
} else if(rrset_has_signer(orig->rrsets[i], name, len)) {
chase->rrsets[chase->an_numrrsets+orig->ns_numrrsets+ chase->rrsets[chase->an_numrrsets+orig->ns_numrrsets+
chase->ar_numrrsets++] = orig->rrsets[i]; chase->ar_numrrsets++] = orig->rrsets[i];
} }
@ -643,6 +656,7 @@ val_check_nonsecure(struct val_env* ve, struct reply_info* rep)
(rep->rrset_count - i - 1)); (rep->rrset_count - i - 1));
rep->ar_numrrsets--; rep->ar_numrrsets--;
rep->rrset_count--; rep->rrset_count--;
i--;
} }
} }
} }

4
validator/val_utils.h
View file

@ -206,9 +206,11 @@ int val_chase_cname(struct query_info* qchase, struct reply_info* rep,
* The skipped part contains CNAME(and DNAME)s that have been chased. * The skipped part contains CNAME(and DNAME)s that have been chased.
* @param name: the signer name to look for. * @param name: the signer name to look for.
* @param len: length of name. * @param len: length of name.
* @param signer: signer name or NULL if an unsigned RRset is considered.
* If NULL, rrsets with the lookup name are copied over.
*/ */
void val_fill_reply(struct reply_info* chase, struct reply_info* orig, void val_fill_reply(struct reply_info* chase, struct reply_info* orig,
size_t cname_skip, uint8_t* name, size_t len); size_t cname_skip, uint8_t* name, size_t len, uint8_t* signer);
/** /**
* Remove all unsigned or non-secure status rrsets from NS and AR sections. * Remove all unsigned or non-secure status rrsets from NS and AR sections.

3
validator/validator.c
View file

@ -1164,7 +1164,8 @@ processInit(struct module_qstate* qstate, struct val_qstate* vq,
/* extract this part of orig_msg into chase_reply for /* extract this part of orig_msg into chase_reply for
* the eventual VALIDATE stage */ * the eventual VALIDATE stage */
val_fill_reply(vq->chase_reply, vq->orig_msg->rep, val_fill_reply(vq->chase_reply, vq->orig_msg->rep,
vq->rrset_skip, lookup_name, lookup_len); vq->rrset_skip, lookup_name, lookup_len,
vq->signer_name);
if(verbosity >= VERB_ALGO) if(verbosity >= VERB_ALGO)
log_dns_msg("chased extract", &vq->qchase, log_dns_msg("chased extract", &vq->qchase,
vq->chase_reply); vq->chase_reply);