upstream/unbound
1
0
Fork 0
mirror of https://github.com/NLnetLabs/unbound.git synced 2026-02-11 23:05:46 -05:00
Code Issues Projects Releases Packages Wiki Activity Actions 1

rpz: fix forged response

Browse source
This commit is contained in:
mb 2020-11-24 16:29:15 +01:00
parent afc73e28d8
commit 7acf1a5088
2 changed files with 27 additions and 15 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

2
iterator/iterator.c
View file

@ -2475,7 +2475,7 @@ processQueryTargets(struct module_qstate* qstate, struct iter_qstate* iq,
struct dns_msg* forged_response = rpz_iterator_module_callback(qstate, iq);
if(forged_response != NULL) {
qstate->ext_state[id] = module_finished;
qstate->return_rcode = forged_response->rep->flags;
qstate->return_rcode = FLAGS_GET_RCODE(forged_response->rep->flags);
qstate->return_msg = forged_response;
next_state(iq, FINISHED_STATE);
return 0;

40
services/rpz.c
View file

@ -1440,7 +1440,7 @@ rpz_patch_nodata(struct rpz* r, struct module_qstate* ms)
if(msg == NULL) { return msg; }
msg->qinfo = ms->qinfo;
msg->rep = construct_reply_info_base(ms->region,
BIT_RD|BIT_QR|BIT_AA|BIT_RA,
BIT_RD | BIT_QR | BIT_AA | BIT_RA,
1, //qd
0, //ttl
0, //prettl
@ -1461,7 +1461,7 @@ rpz_patch_nxdomain(struct rpz* r, struct module_qstate* ms)
if(msg == NULL) { return msg; }
msg->qinfo = ms->qinfo;
msg->rep = construct_reply_info_base(ms->region,
BIT_RD|BIT_QR|BIT_AA|BIT_RA,
BIT_RD | BIT_QR | BIT_AA | BIT_RA,
1, //qd
0, //ttl
0, //prettl
@ -1481,22 +1481,32 @@ rpz_patch_localdata(struct rpz* r,
struct clientip_synthesized_rr* data)
{
struct dns_msg* msg = NULL;
struct query_info* qi = &msg->qinfo;
struct query_info* qi = &ms->qinfo;
struct ub_packed_rrset_key* rp;
struct local_rrset* rrset;
struct reply_info* new_reply_info;
struct reply_info* ri = msg->rep;
rrset = rpz_find_synthesized_rrset(qi->qtype, data);
if(rrset == NULL) {
verbose(VERB_ALGO, "rpz: nsip: no matching synthesized data found; resorting to nodata");
return rpz_patch_nodata(r, ms);
}
msg = rpz_dns_msg_new(ms->region);
if(msg == NULL) { return NULL; }
// XXX: use ttl etc from rpz zone?
new_reply_info = make_new_reply_info(ri, ms->region, 0, 0);
new_reply_info = construct_reply_info_base(ms->region,
LDNS_RCODE_NOERROR | BIT_RD | BIT_QR | BIT_AA | BIT_RA,
1, //qd
0, //ttl
0, //prettl
0, //expttl
1, //an
0, //ns
0, //ar
1, //total
sec_status_secure);
if(new_reply_info == NULL) {
log_err("out of memory");
return NULL;
@ -1506,15 +1516,13 @@ rpz_patch_localdata(struct rpz* r,
log_err("out of memory");
return NULL;
}
new_reply_info->rrsets = regional_alloc(ms->region, sizeof(*new_reply_info->rrsets));
if(new_reply_info->rrsets == NULL) {
log_err("out of memory");
return NULL;
}
//new_reply_info->rrsets = regional_alloc(ms->region, sizeof(*new_reply_info->rrsets));
//if(new_reply_info->rrsets == NULL) {
// log_err("out of memory");
// return NULL;
//}
rp->rk.dname = qi->qname;
rp->rk.dname_len = qi->qname_len;
new_reply_info->rrset_count = 1;
new_reply_info->an_numrrsets = 1;
new_reply_info->rrsets[0] = rp;
msg->rep = new_reply_info;
return msg;
@ -1590,12 +1598,16 @@ rpz_iterator_module_callback(struct module_qstate* ms, struct iter_qstate* is)
verbose(VERB_ALGO, "rpz: nsip: tcp-only trigger ignored");
ret = NULL;
break;
case RPZ_PASSTHRU_ACTION:
ret = NULL;
case RPZ_DROP_ACTION:
ret = rpz_patch_nodata(r, ms);
ms->is_drop = 1;
break;
case RPZ_LOCAL_DATA_ACTION:
ret = rpz_patch_localdata(r, ms, raddr);
break;
case RPZ_PASSTHRU_ACTION:
ret = NULL;
break;
default:
verbose(VERB_ALGO, "rpz: nsip: bug: unhandled or invalid action: '%s'",
rpz_action_to_string(action));