From 965f16cc8900f46b5cdb460068c5890f87fa034e Mon Sep 17 00:00:00 2001 From: Ralph Dolmans Date: Tue, 13 Aug 2019 17:06:43 +0200 Subject: [PATCH] - Add RPZ AXFR test - Fix memory leak --- services/rpz.c | 10 +- testdata/rpz_axfr.rpl | 362 ++++++++++++++++++++++++++++++++++++++++++ 2 files changed, 369 insertions(+), 3 deletions(-) create mode 100644 testdata/rpz_axfr.rpl diff --git a/services/rpz.c b/services/rpz.c index e3a890456..3118479a7 100644 --- a/services/rpz.c +++ b/services/rpz.c @@ -444,7 +444,8 @@ strip_dname_origin(uint8_t* dname, size_t dnamelen, size_t originlen, static int rpz_insert_qname_trigger(struct rpz* r, uint8_t* dname, size_t dnamelen, enum rpz_action a, uint16_t rrtype, uint16_t rrclass, uint32_t ttl, - uint8_t* rdata, size_t rdata_len, uint8_t* rr, size_t rr_len) + uint8_t* rdata, size_t rdata_len, uint8_t* rr, size_t rr_len, + int* newzone) { struct local_zone* z; enum localzone_type tp = local_zone_always_transparent; @@ -473,6 +474,7 @@ rpz_insert_qname_trigger(struct rpz* r, uint8_t* dname, size_t dnamelen, tp = rpz_action_to_localzone_type(a); z = local_zones_add_zone(r->local_zones, dname, dnamelen, dnamelabs, rrclass, tp); + *newzone = 1; } if(!z) { log_warn("RPZ create failed"); @@ -501,7 +503,7 @@ rpz_insert_response_ip_trigger(struct rpz* r, uint8_t* dname, struct sockaddr_storage addr; socklen_t addrlen; int net, af; - char* rrstr = sldns_wire2str_rr(rr, rr_len); + char* rrstr; enum respip_action respa = rpz_action_to_respip_action(a); if(a == RPZ_TCP_ONLY_ACTION || a == RPZ_INVALID_ACTION || @@ -515,6 +517,7 @@ rpz_insert_response_ip_trigger(struct rpz* r, uint8_t* dname, return 0; lock_rw_wrlock(&r->respip_set->lock); + rrstr = sldns_wire2str_rr(rr, rr_len); if(!(node=respip_sockaddr_find_or_create(r->respip_set, &addr, addrlen, net, 1, rrstr))) { lock_rw_unlock(&r->respip_set->lock); 
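Review bot: The new `int* newzone` out-parameter on rpz_insert_qname_trigger carries an ownership contract that nothing in the code states: the hunks only ever write `*newzone = 1` after local_zones_add_zone and never clear it, so a caller has to zero it first and has to read it as "dname now belongs to a local zone, do not free it". A comment above the prototype would pin that down, e.g. `/* newzone: set to 1 when a new local zone was created and took ownership of dname; caller must initialise it to 0 and must not free dname when set */`. The function body continues outside this hunk.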
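Review bot: `*newzone = 1` is stored before `if(!z)` is evaluated, so the flag is also raised when local_zones_add_zone returns NULL. Whether that is right depends on what local_zones_add_zone does with `name` when it fails, which is not visible here: if it frees the name, the flag is correct but the caller must then not free dname even though this function returns 0; if it does not, the flag is wrong and the name is left to whichever side happens to free it. The failure path needs a one-line statement of the contract next to the assignment, e.g. `/* dname is owned (and freed on failure) by local_zones_add_zone from here on */` once that has been confirmed against local_zones_add_zone. The `if(!z)` block continues outside the hunk.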
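Review bot: The result of `sldns_wire2str_rr(rr, rr_len)` is now assigned without a NULL check; it allocates the text form of the RR and, as far as I recall its contract, returns NULL when that allocation fails, in which case respip_sockaddr_find_or_create is handed a NULL string while the write lock is held, unless that function is known to accept one. Allocating before the lock keeps the check a single line: `if(!(rrstr = sldns_wire2str_rr(rr, rr_len))) return 0;` immediately before `lock_rw_wrlock(&r->respip_set->lock);`, and the assignment inside the locked region is dropped. Moving the allocation below the early `return 0` paths is what fixes the leak named in the commit; whether rrstr is freed after find_or_create on both the success path and the unlock-and-fail path is outside this hunk and worth confirming. rpz_insert_response_ip_trigger's body continues past the hunk.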
@@ -545,6 +548,7 @@ rpz_insert_rr(struct rpz* r, size_t aznamelen, uint8_t* dname, uint8_t* policydname = calloc(1, LDNS_MAX_DOMAINLEN + 1); enum rpz_trigger t; enum rpz_action a; + int newzone = 0; a = rpz_rr_to_action(rr_type, rdatawl, rdatalen); if(!(policydnamelen = strip_dname_origin(dname, dnamelen, aznamelen, @@ -556,7 +560,7 @@ rpz_insert_rr(struct rpz* r, size_t aznamelen, uint8_t* dname, if(t == RPZ_QNAME_TRIGGER) { if(!rpz_insert_qname_trigger(r, policydname, policydnamelen, a, rr_type, rr_class, rr_ttl, rdatawl, rdatalen, rr, - rr_len)) + rr_len, &newzone) || !newzone) free(policydname); } else if(t == RPZ_RESPONSE_IP_TRIGGER) { diff --git a/testdata/rpz_axfr.rpl b/testdata/rpz_axfr.rpl new file mode 100644 index 000000000..b5b84bfd3 --- /dev/null +++ b/testdata/rpz_axfr.rpl 
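Review bot: `if(!rpz_insert_qname_trigger(...) || !newzone) free(policydname);` frees policydname on every failure return, including any taken after local_zones_add_zone has already taken ownership of the name (newzone is 1 from that point, as the earlier hunk shows), which would be a double free or leave a dangling name inside the zone; if local_zones_add_zone also frees the name when it fails, that path is affected as well. Ownership rather than the return code should decide: call `rpz_insert_qname_trigger(...)` for its effect, then `if(!newzone) free(policydname);`, with a comment such as `/* policydname is owned by the new local zone once newzone is set */`. The return value is not used for anything else in this hunk, so nothing else changes; the remainder of rpz_insert_qname_trigger and the other trigger branches of rpz_insert_rr are outside this view.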
@@ -0,0 +1,362 @@ +; config options +server: + module-config: "respip validator iterator" + target-fetch-policy: "0 0 0 0 0" + qname-minimisation: no + +rpz: + name: "rpz.example.com." + master: 10.20.30.40 + zonefile: +TEMPFILE_NAME rpz.example.com +TEMPFILE_CONTENTS rpz.example.com +$ORIGIN rpz.example.com. +a IN CNAME *. +c IN TXT "hello from initial RPZ" +c IN TXT "another hello from initial RPZ" +d IN CNAME . +32.1.123.0.10.rpz-ip CNAME *. +32.3.123.0.10.rpz-ip A 10.66.0.3 +32.3.123.0.10.rpz-ip A 10.66.0.4 +32.4.123.0.10.rpz-ip CNAME . +TEMPFILE_END + +stub-zone: + name: "." + stub-addr: 10.20.30.40 + +CONFIG_END + +SCENARIO_BEGIN Test RPZ QNAME trigger, loaded using AXFR + +RANGE_BEGIN 0 100 + ADDRESS 10.20.30.40 + +ENTRY_BEGIN +MATCH opcode qname qtype +ADJUST copy_id +REPLY QR NOERROR AA +SECTION QUESTION +. IN NS +SECTION ANSWER +. IN NS ns. +SECTION ADDITIONAL +ns. IN NS 10.20.30.40 +ENTRY_END + +ENTRY_BEGIN +MATCH opcode qname qtype +ADJUST copy_id +REPLY QR NOERROR AA +SECTION QUESTION +b. IN TXT +SECTION ANSWER +b. TXT "hello from upstream" +ENTRY_END + +ENTRY_BEGIN +MATCH opcode qname qtype +ADJUST copy_id +REPLY QR NOERROR AA +SECTION QUESTION +d. IN TXT +SECTION ANSWER +d. TXT "hello from upstream" +ENTRY_END + +ENTRY_BEGIN +MATCH opcode qname qtype +ADJUST copy_id +REPLY QR NOERROR AA +SECTION QUESTION +a.rpz-ip. IN A +SECTION ANSWER +a.rpz-ip. IN A 10.0.123.1 +ENTRY_END + +ENTRY_BEGIN +MATCH opcode qname qtype +ADJUST copy_id +REPLY QR NOERROR AA +SECTION QUESTION +c.rpz-ip. IN A +SECTION ANSWER +c.rpz-ip. IN A 10.0.123.3 +ENTRY_END + +ENTRY_BEGIN +MATCH opcode qname qtype +ADJUST copy_id +REPLY QR NOERROR AA +SECTION QUESTION +d.rpz-ip. IN A +SECTION ANSWER +d.rpz-ip. IN A 10.0.123.4 +ENTRY_END + +ENTRY_BEGIN +MATCH opcode qname qtype +ADJUST copy_id +REPLY QR AA NOERROR +SECTION QUESTION +rpz.example.com. IN SOA +SECTION ANSWER +rpz.example.com. IN SOA ns.rpz.example.com. hostmaster.rpz.example.com. 
1 3600 900 86400 3600 +ENTRY_END + +ENTRY_BEGIN +MATCH opcode qname qtype +ADJUST copy_id +REPLY QR AA NOERROR +SECTION QUESTION +rpz.example.com. IN AXFR +SECTION ANSWER +rpz.example.com. IN SOA ns.rpz.example.com. hostmaster.rpz.example.com. 1 3600 900 86400 3600 +b.rpz.example.com. TXT "hello from RPZ" +c.rpz.example.com. TXT "hello from RPZ" +a.rpz.example.com. CNAME . +32.1.123.0.10.rpz-ip.rpz.example.com. CNAME . +32.3.123.0.10.rpz-ip.rpz.example.com. A 10.66.0.5 +32.3.123.0.10.rpz-ip.rpz.example.com. A 10.66.0.6 +rpz.example.com. IN SOA ns.rpz.example.com. hostmaster.rpz.example.com. 1 3600 900 86400 3600 +ENTRY_END + +RANGE_END + +STEP 1 QUERY +ENTRY_BEGIN +REPLY RD +SECTION QUESTION +b. IN TXT +ENTRY_END + +STEP 2 CHECK_ANSWER +ENTRY_BEGIN +MATCH all +REPLY QR RD RA NOERROR +SECTION QUESTION +b. IN TXT +SECTION ANSWER +b. IN TXT "hello from upstream" +ENTRY_END + +STEP 3 QUERY +ENTRY_BEGIN +REPLY RD +SECTION QUESTION +a. IN TXT +ENTRY_END + +STEP 4 CHECK_ANSWER +ENTRY_BEGIN +MATCH all +REPLY QR RD RA AA NOERROR +SECTION QUESTION +a. IN TXT +SECTION ANSWER +ENTRY_END + +STEP 5 QUERY +ENTRY_BEGIN +REPLY RD +SECTION QUESTION +a.rpz-ip. IN A +ENTRY_END + +STEP 6 CHECK_ANSWER +ENTRY_BEGIN +MATCH all +REPLY QR RD RA NOERROR +SECTION QUESTION +a.rpz-ip. IN A +SECTION ANSWER +ENTRY_END + +STEP 7 QUERY +ENTRY_BEGIN +REPLY RD +SECTION QUESTION +c. IN TXT +ENTRY_END + +STEP 8 CHECK_ANSWER +ENTRY_BEGIN +MATCH all +REPLY QR RD RA AA NOERROR +SECTION QUESTION +c. IN TXT +SECTION ANSWER +c. IN TXT "another hello from initial RPZ" +c. IN TXT "hello from initial RPZ" +ENTRY_END + +STEP 9 QUERY +ENTRY_BEGIN +REPLY RD +SECTION QUESTION +c.rpz-ip. IN A +ENTRY_END + +STEP 10 CHECK_ANSWER +ENTRY_BEGIN +MATCH all +REPLY QR RD RA NOERROR +SECTION QUESTION +c.rpz-ip. IN A +SECTION ANSWER +c.rpz-ip. IN A 10.66.0.4 +c.rpz-ip. IN A 10.66.0.3 +ENTRY_END + +STEP 11 QUERY +ENTRY_BEGIN +REPLY RD +SECTION QUESTION +d. 
IN TXT +ENTRY_END + +STEP 12 CHECK_ANSWER +ENTRY_BEGIN +MATCH all +REPLY QR RD RA AA NXDOMAIN +SECTION QUESTION +d. IN TXT +ENTRY_END + +STEP 13 QUERY +ENTRY_BEGIN +REPLY RD +SECTION QUESTION +d.rpz-ip. IN A +ENTRY_END + +STEP 14 CHECK_ANSWER +ENTRY_BEGIN +MATCH all +REPLY QR RD RA NXDOMAIN +SECTION QUESTION +d.rpz-ip. IN A +ENTRY_END + +STEP 30 TIME_PASSES ELAPSE 10 +STEP 40 TRAFFIC + +STEP 50 QUERY +ENTRY_BEGIN +REPLY RD +SECTION QUESTION +b. IN TXT +ENTRY_END + +STEP 51 CHECK_ANSWER +ENTRY_BEGIN +MATCH all +REPLY QR RD RA AA NOERROR +SECTION QUESTION +b. IN TXT +SECTION ANSWER +b. IN TXT "hello from RPZ" +ENTRY_END + +STEP 52 QUERY +ENTRY_BEGIN +REPLY RD +SECTION QUESTION +a. IN TXT +ENTRY_END + +STEP 53 CHECK_ANSWER +ENTRY_BEGIN +MATCH all +REPLY QR RD RA AA NXDOMAIN +SECTION QUESTION +a. IN TXT +SECTION ANSWER +ENTRY_END + +STEP 54 QUERY +ENTRY_BEGIN +REPLY RD +SECTION QUESTION +a.rpz-ip. IN A +ENTRY_END + +STEP 55 CHECK_ANSWER +ENTRY_BEGIN +MATCH all +REPLY QR RD RA NXDOMAIN +SECTION QUESTION +a.rpz-ip. IN A +SECTION ANSWER +ENTRY_END + +STEP 56 QUERY +ENTRY_BEGIN +REPLY RD +SECTION QUESTION +c. IN TXT +ENTRY_END + +STEP 57 CHECK_ANSWER +ENTRY_BEGIN +MATCH all +REPLY QR RD RA AA NOERROR +SECTION QUESTION +c. IN TXT +SECTION ANSWER +c. IN TXT "hello from RPZ" +ENTRY_END + +STEP 58 QUERY +ENTRY_BEGIN +REPLY RD +SECTION QUESTION +c.rpz-ip. IN A +ENTRY_END + +STEP 59 CHECK_ANSWER +ENTRY_BEGIN +MATCH all +REPLY QR RD RA NOERROR +SECTION QUESTION +c.rpz-ip. IN A +SECTION ANSWER +c.rpz-ip. IN A 10.66.0.6 +c.rpz-ip. IN A 10.66.0.5 +ENTRY_END + +STEP 60 QUERY +ENTRY_BEGIN +REPLY RD +SECTION QUESTION +d. IN TXT +ENTRY_END + +STEP 61 CHECK_ANSWER +ENTRY_BEGIN +MATCH all +REPLY QR RD RA NOERROR +SECTION QUESTION +d. IN TXT +SECTION ANSWER +d. IN TXT "hello from upstream" +ENTRY_END + +STEP 62 QUERY +ENTRY_BEGIN +REPLY RD +SECTION QUESTION +d.rpz-ip. IN A +ENTRY_END + +STEP 63 CHECK_ANSWER +ENTRY_BEGIN +MATCH all +REPLY QR RD RA NOERROR +SECTION QUESTION +d.rpz-ip. 
IN A +SECTION ANSWER +d.rpz-ip. IN A 10.0.123.4 +ENTRY_END + +SCENARIO_END
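Review bot: In the root NS reply of the 10.20.30.40 range the ADDITIONAL section carries `ns. IN NS 10.20.30.40`, an NS record whose rdata is an IP address rather than the glue `ns. IN A 10.20.30.40` it is evidently meant to be. The scenario presumably still passes because the stub-zone points at 10.20.30.40 directly and replies are matched on opcode/qname/qtype only, so the malformed glue is never consulted, but it will mislead anyone copying this range into another test. The SCENARIO_BEGIN title also names only the QNAME trigger while steps 5–10 and 54–59 exercise the rpz-ip response triggers; `SCENARIO_BEGIN Test RPZ QNAME and response IP triggers, loaded using AXFR` would describe the file.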