]> git.ipfire.org Git - thirdparty/systemd.git/blob - src/resolve/resolved-dns-packet.c
projects / thirdparty / systemd.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
Merge pull request #30610 from YHNdnzj/logind-serialize-pidref
[thirdparty/systemd.git] / src / resolve / resolved-dns-packet.c
1 /* SPDX-License-Identifier: LGPL-2.1-or-later */
2
3 #if HAVE_GCRYPT
4 # include <gcrypt.h>
5 #endif
6
7 #include "alloc-util.h"
8 #include "dns-domain.h"
9 #include "escape.h"
10 #include "memory-util.h"
11 #include "resolved-dns-packet.h"
12 #include "set.h"
13 #include "stdio-util.h"
14 #include "string-table.h"
15 #include "strv.h"
16 #include "unaligned.h"
17 #include "utf8.h"
18
19 #define EDNS0_OPT_DO (1<<15)
20
21 assert_cc(DNS_PACKET_SIZE_START > DNS_PACKET_HEADER_SIZE);
22
23 typedef struct DnsPacketRewinder {
24 DnsPacket *packet;
25 size_t saved_rindex;
26 } DnsPacketRewinder;
27
28 static void rewind_dns_packet(DnsPacketRewinder *rewinder) {
29 if (rewinder->packet)
30 dns_packet_rewind(rewinder->packet, rewinder->saved_rindex);
31 }
32
33 #define REWINDER_INIT(p) { \
34 .packet = (p), \
35 .saved_rindex = (p)->rindex, \
36 }
37 #define CANCEL_REWINDER(rewinder) do { (rewinder).packet = NULL; } while (0)
38
39 int dns_packet_new(
40 DnsPacket **ret,
41 DnsProtocol protocol,
42 size_t min_alloc_dsize,
43 size_t max_size) {
44
45 DnsPacket *p;
46 size_t a;
47
48 assert(ret);
49 assert(max_size >= DNS_PACKET_HEADER_SIZE);
50
51 if (max_size > DNS_PACKET_SIZE_MAX)
52 max_size = DNS_PACKET_SIZE_MAX;
53
54 /* The caller may not check what is going to be truly allocated, so do not allow to
55 * allocate a DNS packet bigger than DNS_PACKET_SIZE_MAX.
56 */
57 if (min_alloc_dsize > DNS_PACKET_SIZE_MAX)
58 return log_error_errno(SYNTHETIC_ERRNO(EFBIG),
59 "Requested packet data size too big: %zu",
60 min_alloc_dsize);
61
62 /* When dns_packet_new() is called with min_alloc_dsize == 0, allocate more than the
63 * absolute minimum (which is the dns packet header size), to avoid
64 * resizing immediately again after appending the first data to the packet.
65 */
66 if (min_alloc_dsize < DNS_PACKET_HEADER_SIZE)
67 a = DNS_PACKET_SIZE_START;
68 else
69 a = min_alloc_dsize;
70
71 /* round up to next page size */
72 a = PAGE_ALIGN(ALIGN(sizeof(DnsPacket)) + a) - ALIGN(sizeof(DnsPacket));
73
74 /* make sure we never allocate more than useful */
75 if (a > max_size)
76 a = max_size;
77
78 p = malloc0(ALIGN(sizeof(DnsPacket)) + a);
79 if (!p)
80 return -ENOMEM;
81
82 *p = (DnsPacket) {
83 .n_ref = 1,
84 .protocol = protocol,
85 .size = DNS_PACKET_HEADER_SIZE,
86 .rindex = DNS_PACKET_HEADER_SIZE,
87 .allocated = a,
88 .max_size = max_size,
89 .opt_start = SIZE_MAX,
90 .opt_size = SIZE_MAX,
91 };
92
93 *ret = p;
94
95 return 0;
96 }
97
98 void dns_packet_set_flags(DnsPacket *p, bool dnssec_checking_disabled, bool truncated) {
99
100 DnsPacketHeader *h;
101
102 assert(p);
103
104 h = DNS_PACKET_HEADER(p);
105
106 switch (p->protocol) {
107 case DNS_PROTOCOL_LLMNR:
108 assert(!truncated);
109
110 h->flags = htobe16(DNS_PACKET_MAKE_FLAGS(0 /* qr */,
111 0 /* opcode */,
112 0 /* c */,
113 0 /* tc */,
114 0 /* t */,
115 0 /* ra */,
116 0 /* ad */,
117 0 /* cd */,
118 0 /* rcode */));
119 break;
120
121 case DNS_PROTOCOL_MDNS:
122 h->flags = htobe16(DNS_PACKET_MAKE_FLAGS(0 /* qr */,
123 0 /* opcode */,
124 0 /* aa */,
125 truncated /* tc */,
126 0 /* rd (ask for recursion) */,
127 0 /* ra */,
128 0 /* ad */,
129 0 /* cd */,
130 0 /* rcode */));
131 break;
132
133 default:
134 assert(!truncated);
135
136 h->flags = htobe16(DNS_PACKET_MAKE_FLAGS(0 /* qr */,
137 0 /* opcode */,
138 0 /* aa */,
139 0 /* tc */,
140 1 /* rd (ask for recursion) */,
141 0 /* ra */,
142 0 /* ad */,
143 dnssec_checking_disabled /* cd */,
144 0 /* rcode */));
145 }
146 }
147
148 int dns_packet_new_query(DnsPacket **ret, DnsProtocol protocol, size_t min_alloc_dsize, bool dnssec_checking_disabled) {
149 DnsPacket *p;
150 int r;
151
152 assert(ret);
153
154 r = dns_packet_new(&p, protocol, min_alloc_dsize, DNS_PACKET_SIZE_MAX);
155 if (r < 0)
156 return r;
157
158 /* Always set the TC bit to 0 initially.
159 * If there are multiple packets later, we'll update the bit shortly before sending.
160 */
161 dns_packet_set_flags(p, dnssec_checking_disabled, false);
162
163 *ret = p;
164 return 0;
165 }
166
167 int dns_packet_dup(DnsPacket **ret, DnsPacket *p) {
168 DnsPacket *c;
169 int r;
170
171 assert(ret);
172 assert(p);
173
174 r = dns_packet_validate(p);
175 if (r < 0)
176 return r;
177
178 c = malloc(ALIGN(sizeof(DnsPacket)) + p->size);
179 if (!c)
180 return -ENOMEM;
181
182 *c = (DnsPacket) {
183 .n_ref = 1,
184 .protocol = p->protocol,
185 .size = p->size,
186 .rindex = DNS_PACKET_HEADER_SIZE,
187 .allocated = p->size,
188 .max_size = p->max_size,
189 .opt_start = SIZE_MAX,
190 .opt_size = SIZE_MAX,
191 };
192
193 memcpy(DNS_PACKET_DATA(c), DNS_PACKET_DATA(p), p->size);
194
195 *ret = c;
196 return 0;
197 }
198
199 DnsPacket *dns_packet_ref(DnsPacket *p) {
200
201 if (!p)
202 return NULL;
203
204 assert(!p->on_stack);
205
206 assert(p->n_ref > 0);
207 p->n_ref++;
208 return p;
209 }
210
211 static void dns_packet_free(DnsPacket *p) {
212 char *s;
213
214 assert(p);
215
216 dns_question_unref(p->question);
217 dns_answer_unref(p->answer);
218 dns_resource_record_unref(p->opt);
219
220 while ((s = hashmap_steal_first_key(p->names)))
221 free(s);
222 hashmap_free(p->names);
223
224 free(p->_data);
225
226 if (!p->on_stack)
227 free(p);
228 }
229
230 DnsPacket *dns_packet_unref(DnsPacket *p) {
231 if (!p)
232 return NULL;
233
234 assert(p->n_ref > 0);
235
236 dns_packet_unref(p->more);
237
238 if (p->n_ref == 1)
239 dns_packet_free(p);
240 else
241 p->n_ref--;
242
243 return NULL;
244 }
245
246 int dns_packet_validate(DnsPacket *p) {
247 assert(p);
248
249 if (p->size < DNS_PACKET_HEADER_SIZE)
250 return -EBADMSG;
251
252 if (p->size > DNS_PACKET_SIZE_MAX)
253 return -EBADMSG;
254
255 return 1;
256 }
257
258 int dns_packet_validate_reply(DnsPacket *p) {
259 int r;
260
261 assert(p);
262
263 r = dns_packet_validate(p);
264 if (r < 0)
265 return r;
266
267 if (DNS_PACKET_QR(p) != 1)
268 return 0;
269
270 if (DNS_PACKET_OPCODE(p) != 0)
271 return -EBADMSG;
272
273 switch (p->protocol) {
274
275 case DNS_PROTOCOL_LLMNR:
276 /* RFC 4795, Section 2.1.1. says to discard all replies with QDCOUNT != 1 */
277 if (DNS_PACKET_QDCOUNT(p) != 1)
278 return -EBADMSG;
279
280 break;
281
282 case DNS_PROTOCOL_MDNS:
283 /* RFC 6762, Section 18 */
284 if (DNS_PACKET_RCODE(p) != 0)
285 return -EBADMSG;
286
287 break;
288
289 default:
290 break;
291 }
292
293 return 1;
294 }
295
296 int dns_packet_validate_query(DnsPacket *p) {
297 int r;
298
299 assert(p);
300
301 r = dns_packet_validate(p);
302 if (r < 0)
303 return r;
304
305 if (DNS_PACKET_QR(p) != 0)
306 return 0;
307
308 if (DNS_PACKET_OPCODE(p) != 0)
309 return -EBADMSG;
310
311 switch (p->protocol) {
312
313 case DNS_PROTOCOL_LLMNR:
314 case DNS_PROTOCOL_DNS:
315 if (DNS_PACKET_TC(p)) /* mDNS query may have truncation flag. */
316 return -EBADMSG;
317
318 /* RFC 4795, Section 2.1.1. says to discard all queries with QDCOUNT != 1 */
319 if (DNS_PACKET_QDCOUNT(p) != 1)
320 return -EBADMSG;
321
322 /* RFC 4795, Section 2.1.1. says to discard all queries with ANCOUNT != 0 */
323 if (DNS_PACKET_ANCOUNT(p) > 0)
324 return -EBADMSG;
325
326 /* RFC 4795, Section 2.1.1. says to discard all queries with NSCOUNT != 0 */
327 if (DNS_PACKET_NSCOUNT(p) > 0)
328 return -EBADMSG;
329
330 break;
331
332 case DNS_PROTOCOL_MDNS:
333 /* RFC 6762, Section 18 specifies that messages with non-zero RCODE
334 * must be silently ignored, and that we must ignore the values of
335 * AA, RD, RA, AD, and CD bits. */
336 if (DNS_PACKET_RCODE(p) != 0)
337 return -EBADMSG;
338
339 break;
340
341 default:
342 break;
343 }
344
345 return 1;
346 }
347
348 static int dns_packet_extend(DnsPacket *p, size_t add, void **ret, size_t *start) {
349 assert(p);
350
351 if (p->size + add > p->allocated) {
352 size_t a, ms;
353
354 a = PAGE_ALIGN((p->size + add) * 2);
355
356 ms = dns_packet_size_max(p);
357 if (a > ms)
358 a = ms;
359
360 if (p->size + add > a)
361 return -EMSGSIZE;
362
363 if (p->_data) {
364 void *d;
365
366 d = realloc(p->_data, a);
367 if (!d)
368 return -ENOMEM;
369
370 p->_data = d;
371 } else {
372 p->_data = malloc(a);
373 if (!p->_data)
374 return -ENOMEM;
375
376 memcpy(p->_data, (uint8_t*) p + ALIGN(sizeof(DnsPacket)), p->size);
377 memzero((uint8_t*) p->_data + p->size, a - p->size);
378 }
379
380 p->allocated = a;
381 }
382
383 if (start)
384 *start = p->size;
385
386 if (ret)
387 *ret = (uint8_t*) DNS_PACKET_DATA(p) + p->size;
388
389 p->size += add;
390 return 0;
391 }
392
393 void dns_packet_truncate(DnsPacket *p, size_t sz) {
394 char *s;
395 void *n;
396
397 assert(p);
398
399 if (p->size <= sz)
400 return;
401
402 HASHMAP_FOREACH_KEY(n, s, p->names) {
403
404 if (PTR_TO_SIZE(n) < sz)
405 continue;
406
407 hashmap_remove(p->names, s);
408 free(s);
409 }
410
411 p->size = sz;
412 }
413
414 int dns_packet_append_blob(DnsPacket *p, const void *d, size_t l, size_t *start) {
415 void *q;
416 int r;
417
418 assert(p);
419
420 r = dns_packet_extend(p, l, &q, start);
421 if (r < 0)
422 return r;
423
424 memcpy_safe(q, d, l);
425 return 0;
426 }
427
428 int dns_packet_append_uint8(DnsPacket *p, uint8_t v, size_t *start) {
429 void *d;
430 int r;
431
432 assert(p);
433
434 r = dns_packet_extend(p, sizeof(uint8_t), &d, start);
435 if (r < 0)
436 return r;
437
438 ((uint8_t*) d)[0] = v;
439
440 return 0;
441 }
442
443 int dns_packet_append_uint16(DnsPacket *p, uint16_t v, size_t *start) {
444 void *d;
445 int r;
446
447 assert(p);
448
449 r = dns_packet_extend(p, sizeof(uint16_t), &d, start);
450 if (r < 0)
451 return r;
452
453 unaligned_write_be16(d, v);
454
455 return 0;
456 }
457
458 int dns_packet_append_uint32(DnsPacket *p, uint32_t v, size_t *start) {
459 void *d;
460 int r;
461
462 assert(p);
463
464 r = dns_packet_extend(p, sizeof(uint32_t), &d, start);
465 if (r < 0)
466 return r;
467
468 unaligned_write_be32(d, v);
469
470 return 0;
471 }
472
473 int dns_packet_append_string(DnsPacket *p, const char *s, size_t *start) {
474 assert(p);
475 assert(s);
476
477 return dns_packet_append_raw_string(p, s, strlen(s), start);
478 }
479
480 int dns_packet_append_raw_string(DnsPacket *p, const void *s, size_t size, size_t *start) {
481 void *d;
482 int r;
483
484 assert(p);
485 assert(s || size == 0);
486
487 if (size > 255)
488 return -E2BIG;
489
490 r = dns_packet_extend(p, 1 + size, &d, start);
491 if (r < 0)
492 return r;
493
494 ((uint8_t*) d)[0] = (uint8_t) size;
495
496 memcpy_safe(((uint8_t*) d) + 1, s, size);
497
498 return 0;
499 }
500
501 int dns_packet_append_label(DnsPacket *p, const char *d, size_t l, bool canonical_candidate, size_t *start) {
502 uint8_t *w;
503 int r;
504
505 /* Append a label to a packet. Optionally, does this in DNSSEC
506 * canonical form, if this label is marked as a candidate for
507 * it, and the canonical form logic is enabled for the
508 * packet */
509
510 assert(p);
511 assert(d);
512
513 if (l > DNS_LABEL_MAX)
514 return -E2BIG;
515
516 r = dns_packet_extend(p, 1 + l, (void**) &w, start);
517 if (r < 0)
518 return r;
519
520 *(w++) = (uint8_t) l;
521
522 if (p->canonical_form && canonical_candidate)
523 /* Generate in canonical form, as defined by DNSSEC
524 * RFC 4034, Section 6.2, i.e. all lower-case. */
525 for (size_t i = 0; i < l; i++)
526 w[i] = (uint8_t) ascii_tolower(d[i]);
527 else
528 /* Otherwise, just copy the string unaltered. This is
529 * essential for DNS-SD, where the casing of labels
530 * matters and needs to be retained. */
531 memcpy(w, d, l);
532
533 return 0;
534 }
535
536 int dns_packet_append_name(
537 DnsPacket *p,
538 const char *name,
539 bool allow_compression,
540 bool canonical_candidate,
541 size_t *start) {
542
543 size_t saved_size;
544 int r;
545
546 assert(p);
547 assert(name);
548
549 if (p->refuse_compression)
550 allow_compression = false;
551
552 saved_size = p->size;
553
554 while (!dns_name_is_root(name)) {
555 const char *z = name;
556 char label[DNS_LABEL_MAX+1];
557 size_t n = 0;
558
559 if (allow_compression)
560 n = PTR_TO_SIZE(hashmap_get(p->names, name));
561 if (n > 0) {
562 assert(n < p->size);
563
564 if (n < 0x4000) {
565 r = dns_packet_append_uint16(p, 0xC000 | n, NULL);
566 if (r < 0)
567 goto fail;
568
569 goto done;
570 }
571 }
572
573 r = dns_label_unescape(&name, label, sizeof label, 0);
574 if (r < 0)
575 goto fail;
576
577 r = dns_packet_append_label(p, label, r, canonical_candidate, &n);
578 if (r < 0)
579 goto fail;
580
581 if (allow_compression) {
582 _cleanup_free_ char *s = NULL;
583
584 s = strdup(z);
585 if (!s) {
586 r = -ENOMEM;
587 goto fail;
588 }
589
590 r = hashmap_ensure_put(&p->names, &dns_name_hash_ops, s, SIZE_TO_PTR(n));
591 if (r < 0)
592 goto fail;
593
594 TAKE_PTR(s);
595 }
596 }
597
598 r = dns_packet_append_uint8(p, 0, NULL);
599 if (r < 0)
600 return r;
601
602 done:
603 if (start)
604 *start = saved_size;
605
606 return 0;
607
608 fail:
609 dns_packet_truncate(p, saved_size);
610 return r;
611 }
612
613 int dns_packet_append_key(DnsPacket *p, const DnsResourceKey *k, const DnsAnswerFlags flags, size_t *start) {
614 size_t saved_size;
615 uint16_t class;
616 int r;
617
618 assert(p);
619 assert(k);
620
621 saved_size = p->size;
622
623 r = dns_packet_append_name(p, dns_resource_key_name(k), true, true, NULL);
624 if (r < 0)
625 goto fail;
626
627 r = dns_packet_append_uint16(p, k->type, NULL);
628 if (r < 0)
629 goto fail;
630
631 class = flags & DNS_ANSWER_CACHE_FLUSH ? k->class | MDNS_RR_CACHE_FLUSH_OR_QU : k->class;
632 r = dns_packet_append_uint16(p, class, NULL);
633 if (r < 0)
634 goto fail;
635
636 if (start)
637 *start = saved_size;
638
639 return 0;
640
641 fail:
642 dns_packet_truncate(p, saved_size);
643 return r;
644 }
645
646 static int dns_packet_append_type_window(DnsPacket *p, uint8_t window, uint8_t length, const uint8_t *types, size_t *start) {
647 size_t saved_size;
648 int r;
649
650 assert(p);
651 assert(types);
652 assert(length > 0);
653
654 saved_size = p->size;
655
656 r = dns_packet_append_uint8(p, window, NULL);
657 if (r < 0)
658 goto fail;
659
660 r = dns_packet_append_uint8(p, length, NULL);
661 if (r < 0)
662 goto fail;
663
664 r = dns_packet_append_blob(p, types, length, NULL);
665 if (r < 0)
666 goto fail;
667
668 if (start)
669 *start = saved_size;
670
671 return 0;
672 fail:
673 dns_packet_truncate(p, saved_size);
674 return r;
675 }
676
677 static int dns_packet_append_types(DnsPacket *p, Bitmap *types, size_t *start) {
678 uint8_t window = 0;
679 uint8_t entry = 0;
680 uint8_t bitmaps[32] = {};
681 unsigned n;
682 size_t saved_size;
683 int r;
684
685 assert(p);
686
687 saved_size = p->size;
688
689 BITMAP_FOREACH(n, types) {
690 assert(n <= 0xffff);
691
692 if ((n >> 8) != window && bitmaps[entry / 8] != 0) {
693 r = dns_packet_append_type_window(p, window, entry / 8 + 1, bitmaps, NULL);
694 if (r < 0)
695 goto fail;
696
697 zero(bitmaps);
698 }
699
700 window = n >> 8;
701 entry = n & 255;
702
703 bitmaps[entry / 8] |= 1 << (7 - (entry % 8));
704 }
705
706 if (bitmaps[entry / 8] != 0) {
707 r = dns_packet_append_type_window(p, window, entry / 8 + 1, bitmaps, NULL);
708 if (r < 0)
709 goto fail;
710 }
711
712 if (start)
713 *start = saved_size;
714
715 return 0;
716 fail:
717 dns_packet_truncate(p, saved_size);
718 return r;
719 }
720
721 /* Append the OPT pseudo-RR described in RFC6891 */
722 int dns_packet_append_opt(
723 DnsPacket *p,
724 uint16_t max_udp_size,
725 bool edns0_do,
726 bool include_rfc6975,
727 const char *nsid,
728 int rcode,
729 size_t *ret_start) {
730
731 size_t saved_size;
732 int r;
733
734 assert(p);
735 /* we must never advertise supported packet size smaller than the legacy max */
736 assert(max_udp_size >= DNS_PACKET_UNICAST_SIZE_MAX);
737 assert(rcode >= 0);
738 assert(rcode <= _DNS_RCODE_MAX);
739
740 if (p->opt_start != SIZE_MAX)
741 return -EBUSY;
742
743 assert(p->opt_size == SIZE_MAX);
744
745 saved_size = p->size;
746
747 /* empty name */
748 r = dns_packet_append_uint8(p, 0, NULL);
749 if (r < 0)
750 return r;
751
752 /* type */
753 r = dns_packet_append_uint16(p, DNS_TYPE_OPT, NULL);
754 if (r < 0)
755 goto fail;
756
757 /* class: maximum udp packet that can be received */
758 r = dns_packet_append_uint16(p, max_udp_size, NULL);
759 if (r < 0)
760 goto fail;
761
762 /* extended RCODE and VERSION */
763 r = dns_packet_append_uint16(p, ((uint16_t) rcode & 0x0FF0) << 4, NULL);
764 if (r < 0)
765 goto fail;
766
767 /* flags: DNSSEC OK (DO), see RFC3225 */
768 r = dns_packet_append_uint16(p, edns0_do ? EDNS0_OPT_DO : 0, NULL);
769 if (r < 0)
770 goto fail;
771
772 if (edns0_do && include_rfc6975) {
773 /* If DO is on and this is requested, also append RFC6975 Algorithm data. This is supposed to
774 * be done on queries, not on replies, hencer callers should turn this off when finishing off
775 * replies. */
776
777 static const uint8_t rfc6975[] = {
778
779 0, DNS_EDNS_OPT_DAU, /* OPTION_CODE */
780 #if PREFER_OPENSSL || (HAVE_GCRYPT && GCRYPT_VERSION_NUMBER >= 0x010600)
781 0, 7, /* LIST_LENGTH */
782 #else
783 0, 6, /* LIST_LENGTH */
784 #endif
785 DNSSEC_ALGORITHM_RSASHA1,
786 DNSSEC_ALGORITHM_RSASHA1_NSEC3_SHA1,
787 DNSSEC_ALGORITHM_RSASHA256,
788 DNSSEC_ALGORITHM_RSASHA512,
789 DNSSEC_ALGORITHM_ECDSAP256SHA256,
790 DNSSEC_ALGORITHM_ECDSAP384SHA384,
791 #if PREFER_OPENSSL || (HAVE_GCRYPT && GCRYPT_VERSION_NUMBER >= 0x010600)
792 DNSSEC_ALGORITHM_ED25519,
793 #endif
794
795 0, DNS_EDNS_OPT_DHU, /* OPTION_CODE */
796 0, 3, /* LIST_LENGTH */
797 DNSSEC_DIGEST_SHA1,
798 DNSSEC_DIGEST_SHA256,
799 DNSSEC_DIGEST_SHA384,
800
801 0, DNS_EDNS_OPT_N3U, /* OPTION_CODE */
802 0, 1, /* LIST_LENGTH */
803 NSEC3_ALGORITHM_SHA1,
804 };
805
806 r = dns_packet_append_uint16(p, sizeof(rfc6975), NULL); /* RDLENGTH */
807 if (r < 0)
808 goto fail;
809
810 r = dns_packet_append_blob(p, rfc6975, sizeof(rfc6975), NULL); /* the payload, as defined above */
811
812 } else if (nsid) {
813
814 if (strlen(nsid) > UINT16_MAX - 4) {
815 r = -E2BIG;
816 goto fail;
817 }
818
819 r = dns_packet_append_uint16(p, 4 + strlen(nsid), NULL); /* RDLENGTH */
820 if (r < 0)
821 goto fail;
822
823 r = dns_packet_append_uint16(p, 3, NULL); /* OPTION-CODE: NSID */
824 if (r < 0)
825 goto fail;
826
827 r = dns_packet_append_uint16(p, strlen(nsid), NULL); /* OPTION-LENGTH */
828 if (r < 0)
829 goto fail;
830
831 r = dns_packet_append_blob(p, nsid, strlen(nsid), NULL);
832 } else
833 r = dns_packet_append_uint16(p, 0, NULL);
834 if (r < 0)
835 goto fail;
836
837 DNS_PACKET_HEADER(p)->arcount = htobe16(DNS_PACKET_ARCOUNT(p) + 1);
838
839 p->opt_start = saved_size;
840 p->opt_size = p->size - saved_size;
841
842 if (ret_start)
843 *ret_start = saved_size;
844
845 return 0;
846
847 fail:
848 dns_packet_truncate(p, saved_size);
849 return r;
850 }
851
852 int dns_packet_truncate_opt(DnsPacket *p) {
853 assert(p);
854
855 if (p->opt_start == SIZE_MAX) {
856 assert(p->opt_size == SIZE_MAX);
857 return 0;
858 }
859
860 assert(p->opt_size != SIZE_MAX);
861 assert(DNS_PACKET_ARCOUNT(p) > 0);
862
863 if (p->opt_start + p->opt_size != p->size)
864 return -EBUSY;
865
866 dns_packet_truncate(p, p->opt_start);
867 DNS_PACKET_HEADER(p)->arcount = htobe16(DNS_PACKET_ARCOUNT(p) - 1);
868 p->opt_start = p->opt_size = SIZE_MAX;
869
870 return 1;
871 }
872
873 int dns_packet_append_rr(DnsPacket *p, const DnsResourceRecord *rr, const DnsAnswerFlags flags, size_t *start, size_t *rdata_start) {
874
875 size_t saved_size, rdlength_offset, end, rdlength, rds;
876 uint32_t ttl;
877 int r;
878
879 assert(p);
880 assert(rr);
881
882 saved_size = p->size;
883
884 r = dns_packet_append_key(p, rr->key, flags, NULL);
885 if (r < 0)
886 goto fail;
887
888 ttl = flags & DNS_ANSWER_GOODBYE ? 0 : rr->ttl;
889 r = dns_packet_append_uint32(p, ttl, NULL);
890 if (r < 0)
891 goto fail;
892
893 /* Initially we write 0 here */
894 r = dns_packet_append_uint16(p, 0, &rdlength_offset);
895 if (r < 0)
896 goto fail;
897
898 rds = p->size - saved_size;
899
900 switch (rr->unparsable ? _DNS_TYPE_INVALID : rr->key->type) {
901
902 case DNS_TYPE_SRV:
903 r = dns_packet_append_uint16(p, rr->srv.priority, NULL);
904 if (r < 0)
905 goto fail;
906
907 r = dns_packet_append_uint16(p, rr->srv.weight, NULL);
908 if (r < 0)
909 goto fail;
910
911 r = dns_packet_append_uint16(p, rr->srv.port, NULL);
912 if (r < 0)
913 goto fail;
914
915 /* RFC 2782 states "Unless and until permitted by future standards action, name compression
916 * is not to be used for this field." Hence we turn off compression here. */
917 r = dns_packet_append_name(p, rr->srv.name, /* allow_compression= */ false, /* canonical_candidate= */ true, NULL);
918 break;
919
920 case DNS_TYPE_PTR:
921 case DNS_TYPE_NS:
922 case DNS_TYPE_CNAME:
923 case DNS_TYPE_DNAME:
924 r = dns_packet_append_name(p, rr->ptr.name, true, true, NULL);
925 break;
926
927 case DNS_TYPE_HINFO:
928 r = dns_packet_append_string(p, rr->hinfo.cpu, NULL);
929 if (r < 0)
930 goto fail;
931
932 r = dns_packet_append_string(p, rr->hinfo.os, NULL);
933 break;
934
935 case DNS_TYPE_SPF: /* exactly the same as TXT */
936 case DNS_TYPE_TXT:
937
938 if (!rr->txt.items) {
939 /* RFC 6763, section 6.1 suggests to generate
940 * single empty string for an empty array. */
941
942 r = dns_packet_append_raw_string(p, NULL, 0, NULL);
943 if (r < 0)
944 goto fail;
945 } else
946 LIST_FOREACH(items, i, rr->txt.items) {
947 r = dns_packet_append_raw_string(p, i->data, i->length, NULL);
948 if (r < 0)
949 goto fail;
950 }
951
952 r = 0;
953 break;
954
955 case DNS_TYPE_A:
956 r = dns_packet_append_blob(p, &rr->a.in_addr, sizeof(struct in_addr), NULL);
957 break;
958
959 case DNS_TYPE_AAAA:
960 r = dns_packet_append_blob(p, &rr->aaaa.in6_addr, sizeof(struct in6_addr), NULL);
961 break;
962
963 case DNS_TYPE_SOA:
964 r = dns_packet_append_name(p, rr->soa.mname, true, true, NULL);
965 if (r < 0)
966 goto fail;
967
968 r = dns_packet_append_name(p, rr->soa.rname, true, true, NULL);
969 if (r < 0)
970 goto fail;
971
972 r = dns_packet_append_uint32(p, rr->soa.serial, NULL);
973 if (r < 0)
974 goto fail;
975
976 r = dns_packet_append_uint32(p, rr->soa.refresh, NULL);
977 if (r < 0)
978 goto fail;
979
980 r = dns_packet_append_uint32(p, rr->soa.retry, NULL);
981 if (r < 0)
982 goto fail;
983
984 r = dns_packet_append_uint32(p, rr->soa.expire, NULL);
985 if (r < 0)
986 goto fail;
987
988 r = dns_packet_append_uint32(p, rr->soa.minimum, NULL);
989 break;
990
991 case DNS_TYPE_MX:
992 r = dns_packet_append_uint16(p, rr->mx.priority, NULL);
993 if (r < 0)
994 goto fail;
995
996 r = dns_packet_append_name(p, rr->mx.exchange, true, true, NULL);
997 break;
998
999 case DNS_TYPE_LOC:
1000 r = dns_packet_append_uint8(p, rr->loc.version, NULL);
1001 if (r < 0)
1002 goto fail;
1003
1004 r = dns_packet_append_uint8(p, rr->loc.size, NULL);
1005 if (r < 0)
1006 goto fail;
1007
1008 r = dns_packet_append_uint8(p, rr->loc.horiz_pre, NULL);
1009 if (r < 0)
1010 goto fail;
1011
1012 r = dns_packet_append_uint8(p, rr->loc.vert_pre, NULL);
1013 if (r < 0)
1014 goto fail;
1015
1016 r = dns_packet_append_uint32(p, rr->loc.latitude, NULL);
1017 if (r < 0)
1018 goto fail;
1019
1020 r = dns_packet_append_uint32(p, rr->loc.longitude, NULL);
1021 if (r < 0)
1022 goto fail;
1023
1024 r = dns_packet_append_uint32(p, rr->loc.altitude, NULL);
1025 break;
1026
1027 case DNS_TYPE_DS:
1028 r = dns_packet_append_uint16(p, rr->ds.key_tag, NULL);
1029 if (r < 0)
1030 goto fail;
1031
1032 r = dns_packet_append_uint8(p, rr->ds.algorithm, NULL);
1033 if (r < 0)
1034 goto fail;
1035
1036 r = dns_packet_append_uint8(p, rr->ds.digest_type, NULL);
1037 if (r < 0)
1038 goto fail;
1039
1040 r = dns_packet_append_blob(p, rr->ds.digest, rr->ds.digest_size, NULL);
1041 break;
1042
1043 case DNS_TYPE_SSHFP:
1044 r = dns_packet_append_uint8(p, rr->sshfp.algorithm, NULL);
1045 if (r < 0)
1046 goto fail;
1047
1048 r = dns_packet_append_uint8(p, rr->sshfp.fptype, NULL);
1049 if (r < 0)
1050 goto fail;
1051
1052 r = dns_packet_append_blob(p, rr->sshfp.fingerprint, rr->sshfp.fingerprint_size, NULL);
1053 break;
1054
1055 case DNS_TYPE_DNSKEY:
1056 r = dns_packet_append_uint16(p, rr->dnskey.flags, NULL);
1057 if (r < 0)
1058 goto fail;
1059
1060 r = dns_packet_append_uint8(p, rr->dnskey.protocol, NULL);
1061 if (r < 0)
1062 goto fail;
1063
1064 r = dns_packet_append_uint8(p, rr->dnskey.algorithm, NULL);
1065 if (r < 0)
1066 goto fail;
1067
1068 r = dns_packet_append_blob(p, rr->dnskey.key, rr->dnskey.key_size, NULL);
1069 break;
1070
1071 case DNS_TYPE_RRSIG:
1072 r = dns_packet_append_uint16(p, rr->rrsig.type_covered, NULL);
1073 if (r < 0)
1074 goto fail;
1075
1076 r = dns_packet_append_uint8(p, rr->rrsig.algorithm, NULL);
1077 if (r < 0)
1078 goto fail;
1079
1080 r = dns_packet_append_uint8(p, rr->rrsig.labels, NULL);
1081 if (r < 0)
1082 goto fail;
1083
1084 r = dns_packet_append_uint32(p, rr->rrsig.original_ttl, NULL);
1085 if (r < 0)
1086 goto fail;
1087
1088 r = dns_packet_append_uint32(p, rr->rrsig.expiration, NULL);
1089 if (r < 0)
1090 goto fail;
1091
1092 r = dns_packet_append_uint32(p, rr->rrsig.inception, NULL);
1093 if (r < 0)
1094 goto fail;
1095
1096 r = dns_packet_append_uint16(p, rr->rrsig.key_tag, NULL);
1097 if (r < 0)
1098 goto fail;
1099
1100 r = dns_packet_append_name(p, rr->rrsig.signer, false, true, NULL);
1101 if (r < 0)
1102 goto fail;
1103
1104 r = dns_packet_append_blob(p, rr->rrsig.signature, rr->rrsig.signature_size, NULL);
1105 break;
1106
1107 case DNS_TYPE_NSEC:
1108 r = dns_packet_append_name(p, rr->nsec.next_domain_name, false, false, NULL);
1109 if (r < 0)
1110 goto fail;
1111
1112 r = dns_packet_append_types(p, rr->nsec.types, NULL);
1113 if (r < 0)
1114 goto fail;
1115
1116 break;
1117
1118 case DNS_TYPE_NSEC3:
1119 r = dns_packet_append_uint8(p, rr->nsec3.algorithm, NULL);
1120 if (r < 0)
1121 goto fail;
1122
1123 r = dns_packet_append_uint8(p, rr->nsec3.flags, NULL);
1124 if (r < 0)
1125 goto fail;
1126
1127 r = dns_packet_append_uint16(p, rr->nsec3.iterations, NULL);
1128 if (r < 0)
1129 goto fail;
1130
1131 r = dns_packet_append_uint8(p, rr->nsec3.salt_size, NULL);
1132 if (r < 0)
1133 goto fail;
1134
1135 r = dns_packet_append_blob(p, rr->nsec3.salt, rr->nsec3.salt_size, NULL);
1136 if (r < 0)
1137 goto fail;
1138
1139 r = dns_packet_append_uint8(p, rr->nsec3.next_hashed_name_size, NULL);
1140 if (r < 0)
1141 goto fail;
1142
1143 r = dns_packet_append_blob(p, rr->nsec3.next_hashed_name, rr->nsec3.next_hashed_name_size, NULL);
1144 if (r < 0)
1145 goto fail;
1146
1147 r = dns_packet_append_types(p, rr->nsec3.types, NULL);
1148 if (r < 0)
1149 goto fail;
1150
1151 break;
1152
1153 case DNS_TYPE_TLSA:
1154 r = dns_packet_append_uint8(p, rr->tlsa.cert_usage, NULL);
1155 if (r < 0)
1156 goto fail;
1157
1158 r = dns_packet_append_uint8(p, rr->tlsa.selector, NULL);
1159 if (r < 0)
1160 goto fail;
1161
1162 r = dns_packet_append_uint8(p, rr->tlsa.matching_type, NULL);
1163 if (r < 0)
1164 goto fail;
1165
1166 r = dns_packet_append_blob(p, rr->tlsa.data, rr->tlsa.data_size, NULL);
1167 break;
1168
1169 case DNS_TYPE_CAA:
1170 r = dns_packet_append_uint8(p, rr->caa.flags, NULL);
1171 if (r < 0)
1172 goto fail;
1173
1174 r = dns_packet_append_string(p, rr->caa.tag, NULL);
1175 if (r < 0)
1176 goto fail;
1177
1178 r = dns_packet_append_blob(p, rr->caa.value, rr->caa.value_size, NULL);
1179 break;
1180
1181 case DNS_TYPE_OPT:
1182 case DNS_TYPE_OPENPGPKEY:
1183 case _DNS_TYPE_INVALID: /* unparsable */
1184 default:
1185
1186 r = dns_packet_append_blob(p, rr->generic.data, rr->generic.data_size, NULL);
1187 break;
1188 }
1189 if (r < 0)
1190 goto fail;
1191
1192 /* Let's calculate the actual data size and update the field */
1193 rdlength = p->size - rdlength_offset - sizeof(uint16_t);
1194 if (rdlength > 0xFFFF) {
1195 r = -ENOSPC;
1196 goto fail;
1197 }
1198
1199 end = p->size;
1200 p->size = rdlength_offset;
1201 r = dns_packet_append_uint16(p, rdlength, NULL);
1202 if (r < 0)
1203 goto fail;
1204 p->size = end;
1205
1206 if (start)
1207 *start = saved_size;
1208
1209 if (rdata_start)
1210 *rdata_start = rds;
1211
1212 return 0;
1213
1214 fail:
1215 dns_packet_truncate(p, saved_size);
1216 return r;
1217 }
1218
1219 int dns_packet_append_question(DnsPacket *p, DnsQuestion *q) {
1220 DnsResourceKey *key;
1221 int r;
1222
1223 assert(p);
1224
1225 DNS_QUESTION_FOREACH(key, q) {
1226 r = dns_packet_append_key(p, key, 0, NULL);
1227 if (r < 0)
1228 return r;
1229 }
1230
1231 return 0;
1232 }
1233
1234 int dns_packet_append_answer(DnsPacket *p, DnsAnswer *a, unsigned *completed) {
1235 DnsResourceRecord *rr;
1236 DnsAnswerFlags flags;
1237 int r;
1238
1239 assert(p);
1240
1241 DNS_ANSWER_FOREACH_FLAGS(rr, flags, a) {
1242 r = dns_packet_append_rr(p, rr, flags, NULL, NULL);
1243 if (r < 0)
1244 return r;
1245
1246 if (completed)
1247 (*completed)++;
1248 }
1249
1250 return 0;
1251 }
1252
1253 int dns_packet_read(DnsPacket *p, size_t sz, const void **ret, size_t *start) {
1254 assert(p);
1255 assert(p->rindex <= p->size);
1256
1257 if (sz > p->size - p->rindex)
1258 return -EMSGSIZE;
1259
1260 if (ret)
1261 *ret = (uint8_t*) DNS_PACKET_DATA(p) + p->rindex;
1262
1263 if (start)
1264 *start = p->rindex;
1265
1266 p->rindex += sz;
1267 return 0;
1268 }
1269
1270 void dns_packet_rewind(DnsPacket *p, size_t idx) {
1271 assert(p);
1272 assert(idx <= p->size);
1273 assert(idx >= DNS_PACKET_HEADER_SIZE);
1274
1275 p->rindex = idx;
1276 }
1277
1278 int dns_packet_read_blob(DnsPacket *p, void *d, size_t sz, size_t *start) {
1279 const void *q;
1280 int r;
1281
1282 assert(p);
1283 assert(d);
1284
1285 r = dns_packet_read(p, sz, &q, start);
1286 if (r < 0)
1287 return r;
1288
1289 memcpy(d, q, sz);
1290 return 0;
1291 }
1292
1293 static int dns_packet_read_memdup(
1294 DnsPacket *p, size_t size,
1295 void **ret, size_t *ret_size,
1296 size_t *ret_start) {
1297
1298 const void *src;
1299 size_t start;
1300 int r;
1301
1302 assert(p);
1303 assert(ret);
1304
1305 r = dns_packet_read(p, size, &src, &start);
1306 if (r < 0)
1307 return r;
1308
1309 if (size <= 0)
1310 *ret = NULL;
1311 else {
1312 void *copy;
1313
1314 copy = memdup(src, size);
1315 if (!copy)
1316 return -ENOMEM;
1317
1318 *ret = copy;
1319 }
1320
1321 if (ret_size)
1322 *ret_size = size;
1323 if (ret_start)
1324 *ret_start = start;
1325
1326 return 0;
1327 }
1328
1329 int dns_packet_read_uint8(DnsPacket *p, uint8_t *ret, size_t *start) {
1330 const void *d;
1331 int r;
1332
1333 assert(p);
1334
1335 r = dns_packet_read(p, sizeof(uint8_t), &d, start);
1336 if (r < 0)
1337 return r;
1338
1339 *ret = ((uint8_t*) d)[0];
1340 return 0;
1341 }
1342
1343 int dns_packet_read_uint16(DnsPacket *p, uint16_t *ret, size_t *start) {
1344 const void *d;
1345 int r;
1346
1347 assert(p);
1348
1349 r = dns_packet_read(p, sizeof(uint16_t), &d, start);
1350 if (r < 0)
1351 return r;
1352
1353 if (ret)
1354 *ret = unaligned_read_be16(d);
1355
1356 return 0;
1357 }
1358
1359 int dns_packet_read_uint32(DnsPacket *p, uint32_t *ret, size_t *start) {
1360 const void *d;
1361 int r;
1362
1363 assert(p);
1364
1365 r = dns_packet_read(p, sizeof(uint32_t), &d, start);
1366 if (r < 0)
1367 return r;
1368
1369 *ret = unaligned_read_be32(d);
1370
1371 return 0;
1372 }
1373
1374 int dns_packet_read_string(DnsPacket *p, char **ret, size_t *start) {
1375 _cleanup_(rewind_dns_packet) DnsPacketRewinder rewinder = REWINDER_INIT(p);
1376 _cleanup_free_ char *t = NULL;
1377 const void *d;
1378 uint8_t c;
1379 int r;
1380
1381 assert(p);
1382
1383 r = dns_packet_read_uint8(p, &c, NULL);
1384 if (r < 0)
1385 return r;
1386
1387 r = dns_packet_read(p, c, &d, NULL);
1388 if (r < 0)
1389 return r;
1390
1391 r = make_cstring(d, c, MAKE_CSTRING_REFUSE_TRAILING_NUL, &t);
1392 if (r < 0)
1393 return r;
1394
1395 if (!utf8_is_valid(t))
1396 return -EBADMSG;
1397
1398 *ret = TAKE_PTR(t);
1399
1400 if (start)
1401 *start = rewinder.saved_rindex;
1402 CANCEL_REWINDER(rewinder);
1403
1404 return 0;
1405 }
1406
1407 int dns_packet_read_raw_string(DnsPacket *p, const void **ret, size_t *size, size_t *start) {
1408 assert(p);
1409
1410 _cleanup_(rewind_dns_packet) DnsPacketRewinder rewinder = REWINDER_INIT(p);
1411 uint8_t c;
1412 int r;
1413
1414 r = dns_packet_read_uint8(p, &c, NULL);
1415 if (r < 0)
1416 return r;
1417
1418 r = dns_packet_read(p, c, ret, NULL);
1419 if (r < 0)
1420 return r;
1421
1422 if (size)
1423 *size = c;
1424 if (start)
1425 *start = rewinder.saved_rindex;
1426 CANCEL_REWINDER(rewinder);
1427
1428 return 0;
1429 }
1430
1431 int dns_packet_read_name(
1432 DnsPacket *p,
1433 char **ret,
1434 bool allow_compression,
1435 size_t *ret_start) {
1436
1437 assert(p);
1438
1439 _cleanup_(rewind_dns_packet) DnsPacketRewinder rewinder = REWINDER_INIT(p);
1440 size_t after_rindex = 0, jump_barrier = p->rindex;
1441 _cleanup_free_ char *name = NULL;
1442 bool first = true;
1443 size_t n = 0;
1444 int r;
1445
1446 if (p->refuse_compression)
1447 allow_compression = false;
1448
1449 for (;;) {
1450 uint8_t c, d;
1451
1452 r = dns_packet_read_uint8(p, &c, NULL);
1453 if (r < 0)
1454 return r;
1455
1456 if (c == 0)
1457 /* End of name */
1458 break;
1459 else if (c <= 63) {
1460 const char *label;
1461
1462 /* Literal label */
1463 r = dns_packet_read(p, c, (const void**) &label, NULL);
1464 if (r < 0)
1465 return r;
1466
1467 if (!GREEDY_REALLOC(name, n + !first + DNS_LABEL_ESCAPED_MAX))
1468 return -ENOMEM;
1469
1470 if (first)
1471 first = false;
1472 else
1473 name[n++] = '.';
1474
1475 r = dns_label_escape(label, c, name + n, DNS_LABEL_ESCAPED_MAX);
1476 if (r < 0)
1477 return r;
1478
1479 n += r;
1480 continue;
1481 } else if (allow_compression && FLAGS_SET(c, 0xc0)) {
1482 uint16_t ptr;
1483
1484 /* Pointer */
1485 r = dns_packet_read_uint8(p, &d, NULL);
1486 if (r < 0)
1487 return r;
1488
1489 ptr = (uint16_t) (c & ~0xc0) << 8 | (uint16_t) d;
1490 if (ptr < DNS_PACKET_HEADER_SIZE || ptr >= jump_barrier)
1491 return -EBADMSG;
1492
1493 if (after_rindex == 0)
1494 after_rindex = p->rindex;
1495
1496 /* Jumps are limited to a "prior occurrence" (RFC-1035 4.1.4) */
1497 jump_barrier = ptr;
1498 p->rindex = ptr;
1499 } else
1500 return -EBADMSG;
1501 }
1502
1503 if (!GREEDY_REALLOC(name, n + 1))
1504 return -ENOMEM;
1505
1506 name[n] = 0;
1507
1508 if (after_rindex != 0)
1509 p->rindex= after_rindex;
1510
1511 if (ret)
1512 *ret = TAKE_PTR(name);
1513 if (ret_start)
1514 *ret_start = rewinder.saved_rindex;
1515
1516 CANCEL_REWINDER(rewinder);
1517
1518 return 0;
1519 }
1520
1521 static int dns_packet_read_type_window(DnsPacket *p, Bitmap **types, size_t *start) {
1522 assert(p);
1523 assert(types);
1524
1525 _cleanup_(rewind_dns_packet) DnsPacketRewinder rewinder = REWINDER_INIT(p);
1526 uint8_t window, length;
1527 const uint8_t *bitmap;
1528 uint8_t bit = 0;
1529 bool found = false;
1530 int r;
1531
1532 r = bitmap_ensure_allocated(types);
1533 if (r < 0)
1534 return r;
1535
1536 r = dns_packet_read_uint8(p, &window, NULL);
1537 if (r < 0)
1538 return r;
1539
1540 r = dns_packet_read_uint8(p, &length, NULL);
1541 if (r < 0)
1542 return r;
1543
1544 if (length == 0 || length > 32)
1545 return -EBADMSG;
1546
1547 r = dns_packet_read(p, length, (const void **)&bitmap, NULL);
1548 if (r < 0)
1549 return r;
1550
1551 for (uint8_t i = 0; i < length; i++) {
1552 uint8_t bitmask = 1 << 7;
1553
1554 if (!bitmap[i]) {
1555 found = false;
1556 bit += 8;
1557 continue;
1558 }
1559
1560 found = true;
1561
1562 for (; bitmask; bit++, bitmask >>= 1)
1563 if (bitmap[i] & bitmask) {
1564 uint16_t n;
1565
1566 n = (uint16_t) window << 8 | (uint16_t) bit;
1567
1568 /* Ignore pseudo-types. see RFC4034 section 4.1.2 */
1569 if (dns_type_is_pseudo(n))
1570 continue;
1571
1572 r = bitmap_set(*types, n);
1573 if (r < 0)
1574 return r;
1575 }
1576 }
1577
1578 if (!found)
1579 return -EBADMSG;
1580
1581 if (start)
1582 *start = rewinder.saved_rindex;
1583 CANCEL_REWINDER(rewinder);
1584
1585 return 0;
1586 }
1587
1588 static int dns_packet_read_type_windows(DnsPacket *p, Bitmap **types, size_t size, size_t *start) {
1589 _cleanup_(rewind_dns_packet) DnsPacketRewinder rewinder = REWINDER_INIT(p);
1590 int r;
1591
1592 while (p->rindex - rewinder.saved_rindex < size) {
1593 r = dns_packet_read_type_window(p, types, NULL);
1594 if (r < 0)
1595 return r;
1596
1597 assert(p->rindex >= rewinder.saved_rindex);
1598
1599 /* don't read past end of current RR */
1600 if (p->rindex - rewinder.saved_rindex > size)
1601 return -EBADMSG;
1602 }
1603
1604 if (p->rindex - rewinder.saved_rindex != size)
1605 return -EBADMSG;
1606
1607 if (start)
1608 *start = rewinder.saved_rindex;
1609 CANCEL_REWINDER(rewinder);
1610
1611 return 0;
1612 }
1613
1614 int dns_packet_read_key(
1615 DnsPacket *p,
1616 DnsResourceKey **ret,
1617 bool *ret_cache_flush_or_qu,
1618 size_t *ret_start) {
1619
1620 assert(p);
1621
1622 _cleanup_(rewind_dns_packet) DnsPacketRewinder rewinder = REWINDER_INIT(p);
1623 _cleanup_free_ char *name = NULL;
1624 bool cache_flush_or_qu = false;
1625 uint16_t class, type;
1626 int r;
1627
1628 r = dns_packet_read_name(p, &name, true, NULL);
1629 if (r < 0)
1630 return r;
1631
1632 r = dns_packet_read_uint16(p, &type, NULL);
1633 if (r < 0)
1634 return r;
1635
1636 r = dns_packet_read_uint16(p, &class, NULL);
1637 if (r < 0)
1638 return r;
1639
1640 if (p->protocol == DNS_PROTOCOL_MDNS) {
1641 /* See RFC6762, sections 5.4 and 10.2 */
1642
1643 if (type != DNS_TYPE_OPT && (class & MDNS_RR_CACHE_FLUSH_OR_QU)) {
1644 class &= ~MDNS_RR_CACHE_FLUSH_OR_QU;
1645 cache_flush_or_qu = true;
1646 }
1647 }
1648
1649 if (ret) {
1650 DnsResourceKey *key;
1651
1652 key = dns_resource_key_new_consume(class, type, name);
1653 if (!key)
1654 return -ENOMEM;
1655
1656 TAKE_PTR(name);
1657 *ret = key;
1658 }
1659
1660 if (ret_cache_flush_or_qu)
1661 *ret_cache_flush_or_qu = cache_flush_or_qu;
1662 if (ret_start)
1663 *ret_start = rewinder.saved_rindex;
1664
1665 CANCEL_REWINDER(rewinder);
1666 return 0;
1667 }
1668
1669 static bool loc_size_ok(uint8_t size) {
1670 uint8_t m = size >> 4, e = size & 0xF;
1671
1672 return m <= 9 && e <= 9 && (m > 0 || e == 0);
1673 }
1674
1675 int dns_packet_read_rr(
1676 DnsPacket *p,
1677 DnsResourceRecord **ret,
1678 bool *ret_cache_flush,
1679 size_t *ret_start) {
1680
1681 assert(p);
1682
1683 _cleanup_(rewind_dns_packet) DnsPacketRewinder rewinder = REWINDER_INIT(p);
1684 _cleanup_(dns_resource_record_unrefp) DnsResourceRecord *rr = NULL;
1685 _cleanup_(dns_resource_key_unrefp) DnsResourceKey *key = NULL;
1686 size_t offset;
1687 uint16_t rdlength;
1688 bool cache_flush;
1689 int r;
1690
1691 r = dns_packet_read_key(p, &key, &cache_flush, NULL);
1692 if (r < 0)
1693 return r;
1694
1695 if (!dns_class_is_valid_rr(key->class) || !dns_type_is_valid_rr(key->type))
1696 return -EBADMSG;
1697
1698 rr = dns_resource_record_new(key);
1699 if (!rr)
1700 return -ENOMEM;
1701
1702 r = dns_packet_read_uint32(p, &rr->ttl, NULL);
1703 if (r < 0)
1704 return r;
1705
1706 /* RFC 2181, Section 8, suggests to
1707 * treat a TTL with the MSB set as a zero TTL. */
1708 if (rr->ttl & UINT32_C(0x80000000))
1709 rr->ttl = 0;
1710
1711 r = dns_packet_read_uint16(p, &rdlength, NULL);
1712 if (r < 0)
1713 return r;
1714
1715 if (rdlength > p->size - p->rindex)
1716 return -EBADMSG;
1717
1718 offset = p->rindex;
1719
1720 switch (rr->key->type) {
1721
1722 case DNS_TYPE_SRV:
1723 r = dns_packet_read_uint16(p, &rr->srv.priority, NULL);
1724 if (r < 0)
1725 return r;
1726 r = dns_packet_read_uint16(p, &rr->srv.weight, NULL);
1727 if (r < 0)
1728 return r;
1729 r = dns_packet_read_uint16(p, &rr->srv.port, NULL);
1730 if (r < 0)
1731 return r;
1732
1733 /* RFC 2782 states "Unless and until permitted by future standards action, name compression
1734 * is not to be used for this field." Nonetheless, we support it here, in the interest of
1735 * increasing compatibility with implementations that do not implement this correctly. After
1736 * all we didn't do this right once upon a time ourselves (see
1737 * https://github.com/systemd/systemd/issues/9793). */
1738 r = dns_packet_read_name(p, &rr->srv.name, /* allow_compression= */ true, NULL);
1739 break;
1740
1741 case DNS_TYPE_PTR:
1742 case DNS_TYPE_NS:
1743 case DNS_TYPE_CNAME:
1744 case DNS_TYPE_DNAME:
1745 r = dns_packet_read_name(p, &rr->ptr.name, true, NULL);
1746 break;
1747
1748 case DNS_TYPE_HINFO:
1749 r = dns_packet_read_string(p, &rr->hinfo.cpu, NULL);
1750 if (r < 0)
1751 return r;
1752
1753 r = dns_packet_read_string(p, &rr->hinfo.os, NULL);
1754 break;
1755
1756 case DNS_TYPE_SPF: /* exactly the same as TXT */
1757 case DNS_TYPE_TXT:
1758 if (rdlength <= 0) {
1759 r = dns_txt_item_new_empty(&rr->txt.items);
1760 if (r < 0)
1761 return r;
1762 } else {
1763 DnsTxtItem *last = NULL;
1764
1765 while (p->rindex - offset < rdlength) {
1766 DnsTxtItem *i;
1767 const void *data;
1768 size_t sz;
1769
1770 r = dns_packet_read_raw_string(p, &data, &sz, NULL);
1771 if (r < 0)
1772 return r;
1773
1774 i = malloc0(offsetof(DnsTxtItem, data) + sz + 1); /* extra NUL byte at the end */
1775 if (!i)
1776 return -ENOMEM;
1777
1778 memcpy(i->data, data, sz);
1779 i->length = sz;
1780
1781 LIST_INSERT_AFTER(items, rr->txt.items, last, i);
1782 last = i;
1783 }
1784 }
1785
1786 r = 0;
1787 break;
1788
1789 case DNS_TYPE_A:
1790 r = dns_packet_read_blob(p, &rr->a.in_addr, sizeof(struct in_addr), NULL);
1791 break;
1792
1793 case DNS_TYPE_AAAA:
1794 r = dns_packet_read_blob(p, &rr->aaaa.in6_addr, sizeof(struct in6_addr), NULL);
1795 break;
1796
1797 case DNS_TYPE_SOA:
1798 r = dns_packet_read_name(p, &rr->soa.mname, true, NULL);
1799 if (r < 0)
1800 return r;
1801
1802 r = dns_packet_read_name(p, &rr->soa.rname, true, NULL);
1803 if (r < 0)
1804 return r;
1805
1806 r = dns_packet_read_uint32(p, &rr->soa.serial, NULL);
1807 if (r < 0)
1808 return r;
1809
1810 r = dns_packet_read_uint32(p, &rr->soa.refresh, NULL);
1811 if (r < 0)
1812 return r;
1813
1814 r = dns_packet_read_uint32(p, &rr->soa.retry, NULL);
1815 if (r < 0)
1816 return r;
1817
1818 r = dns_packet_read_uint32(p, &rr->soa.expire, NULL);
1819 if (r < 0)
1820 return r;
1821
1822 r = dns_packet_read_uint32(p, &rr->soa.minimum, NULL);
1823 break;
1824
1825 case DNS_TYPE_MX:
1826 r = dns_packet_read_uint16(p, &rr->mx.priority, NULL);
1827 if (r < 0)
1828 return r;
1829
1830 r = dns_packet_read_name(p, &rr->mx.exchange, true, NULL);
1831 break;
1832
1833 case DNS_TYPE_LOC: {
1834 uint8_t t;
1835 size_t pos;
1836
1837 r = dns_packet_read_uint8(p, &t, &pos);
1838 if (r < 0)
1839 return r;
1840
1841 if (t == 0) {
1842 rr->loc.version = t;
1843
1844 r = dns_packet_read_uint8(p, &rr->loc.size, NULL);
1845 if (r < 0)
1846 return r;
1847
1848 if (!loc_size_ok(rr->loc.size))
1849 return -EBADMSG;
1850
1851 r = dns_packet_read_uint8(p, &rr->loc.horiz_pre, NULL);
1852 if (r < 0)
1853 return r;
1854
1855 if (!loc_size_ok(rr->loc.horiz_pre))
1856 return -EBADMSG;
1857
1858 r = dns_packet_read_uint8(p, &rr->loc.vert_pre, NULL);
1859 if (r < 0)
1860 return r;
1861
1862 if (!loc_size_ok(rr->loc.vert_pre))
1863 return -EBADMSG;
1864
1865 r = dns_packet_read_uint32(p, &rr->loc.latitude, NULL);
1866 if (r < 0)
1867 return r;
1868
1869 r = dns_packet_read_uint32(p, &rr->loc.longitude, NULL);
1870 if (r < 0)
1871 return r;
1872
1873 r = dns_packet_read_uint32(p, &rr->loc.altitude, NULL);
1874 if (r < 0)
1875 return r;
1876
1877 break;
1878 } else {
1879 dns_packet_rewind(p, pos);
1880 rr->unparsable = true;
1881 goto unparsable;
1882 }
1883 }
1884
1885 case DNS_TYPE_DS:
1886 r = dns_packet_read_uint16(p, &rr->ds.key_tag, NULL);
1887 if (r < 0)
1888 return r;
1889
1890 r = dns_packet_read_uint8(p, &rr->ds.algorithm, NULL);
1891 if (r < 0)
1892 return r;
1893
1894 r = dns_packet_read_uint8(p, &rr->ds.digest_type, NULL);
1895 if (r < 0)
1896 return r;
1897
1898 if (rdlength < 4)
1899 return -EBADMSG;
1900
1901 r = dns_packet_read_memdup(p, rdlength - 4,
1902 &rr->ds.digest, &rr->ds.digest_size,
1903 NULL);
1904 if (r < 0)
1905 return r;
1906
1907 if (rr->ds.digest_size <= 0)
1908 /* the accepted size depends on the algorithm, but for now
1909 just ensure that the value is greater than zero */
1910 return -EBADMSG;
1911
1912 break;
1913
1914 case DNS_TYPE_SSHFP:
1915 r = dns_packet_read_uint8(p, &rr->sshfp.algorithm, NULL);
1916 if (r < 0)
1917 return r;
1918
1919 r = dns_packet_read_uint8(p, &rr->sshfp.fptype, NULL);
1920 if (r < 0)
1921 return r;
1922
1923 if (rdlength < 2)
1924 return -EBADMSG;
1925
1926 r = dns_packet_read_memdup(p, rdlength - 2,
1927 &rr->sshfp.fingerprint, &rr->sshfp.fingerprint_size,
1928 NULL);
1929
1930 if (rr->sshfp.fingerprint_size <= 0)
1931 /* the accepted size depends on the algorithm, but for now
1932 just ensure that the value is greater than zero */
1933 return -EBADMSG;
1934
1935 break;
1936
1937 case DNS_TYPE_DNSKEY:
1938 r = dns_packet_read_uint16(p, &rr->dnskey.flags, NULL);
1939 if (r < 0)
1940 return r;
1941
1942 r = dns_packet_read_uint8(p, &rr->dnskey.protocol, NULL);
1943 if (r < 0)
1944 return r;
1945
1946 r = dns_packet_read_uint8(p, &rr->dnskey.algorithm, NULL);
1947 if (r < 0)
1948 return r;
1949
1950 if (rdlength < 4)
1951 return -EBADMSG;
1952
1953 r = dns_packet_read_memdup(p, rdlength - 4,
1954 &rr->dnskey.key, &rr->dnskey.key_size,
1955 NULL);
1956
1957 if (rr->dnskey.key_size <= 0)
1958 /* the accepted size depends on the algorithm, but for now
1959 just ensure that the value is greater than zero */
1960 return -EBADMSG;
1961
1962 break;
1963
1964 case DNS_TYPE_RRSIG:
1965 r = dns_packet_read_uint16(p, &rr->rrsig.type_covered, NULL);
1966 if (r < 0)
1967 return r;
1968
1969 r = dns_packet_read_uint8(p, &rr->rrsig.algorithm, NULL);
1970 if (r < 0)
1971 return r;
1972
1973 r = dns_packet_read_uint8(p, &rr->rrsig.labels, NULL);
1974 if (r < 0)
1975 return r;
1976
1977 r = dns_packet_read_uint32(p, &rr->rrsig.original_ttl, NULL);
1978 if (r < 0)
1979 return r;
1980
1981 r = dns_packet_read_uint32(p, &rr->rrsig.expiration, NULL);
1982 if (r < 0)
1983 return r;
1984
1985 r = dns_packet_read_uint32(p, &rr->rrsig.inception, NULL);
1986 if (r < 0)
1987 return r;
1988
1989 r = dns_packet_read_uint16(p, &rr->rrsig.key_tag, NULL);
1990 if (r < 0)
1991 return r;
1992
1993 r = dns_packet_read_name(p, &rr->rrsig.signer, false, NULL);
1994 if (r < 0)
1995 return r;
1996
1997 if (rdlength < p->rindex - offset)
1998 return -EBADMSG;
1999
2000 r = dns_packet_read_memdup(p, offset + rdlength - p->rindex,
2001 &rr->rrsig.signature, &rr->rrsig.signature_size,
2002 NULL);
2003
2004 if (rr->rrsig.signature_size <= 0)
2005 /* the accepted size depends on the algorithm, but for now
2006 just ensure that the value is greater than zero */
2007 return -EBADMSG;
2008
2009 break;
2010
2011 case DNS_TYPE_NSEC: {
2012
2013 /*
2014 * RFC6762, section 18.14 explicitly states mDNS should use name compression.
2015 * This contradicts RFC3845, section 2.1.1
2016 */
2017
2018 bool allow_compressed = p->protocol == DNS_PROTOCOL_MDNS;
2019
2020 r = dns_packet_read_name(p, &rr->nsec.next_domain_name, allow_compressed, NULL);
2021 if (r < 0)
2022 return r;
2023
2024 if (rdlength < p->rindex - offset)
2025 return -EBADMSG;
2026
2027 r = dns_packet_read_type_windows(p, &rr->nsec.types, offset + rdlength - p->rindex, NULL);
2028
2029 /* We accept empty NSEC bitmaps. The bit indicating the presence of the NSEC record itself
2030 * is redundant and in e.g., RFC4956 this fact is used to define a use for NSEC records
2031 * without the NSEC bit set. */
2032
2033 break;
2034 }
2035 case DNS_TYPE_NSEC3: {
2036 uint8_t size;
2037
2038 r = dns_packet_read_uint8(p, &rr->nsec3.algorithm, NULL);
2039 if (r < 0)
2040 return r;
2041
2042 r = dns_packet_read_uint8(p, &rr->nsec3.flags, NULL);
2043 if (r < 0)
2044 return r;
2045
2046 r = dns_packet_read_uint16(p, &rr->nsec3.iterations, NULL);
2047 if (r < 0)
2048 return r;
2049
2050 /* this may be zero */
2051 r = dns_packet_read_uint8(p, &size, NULL);
2052 if (r < 0)
2053 return r;
2054
2055 r = dns_packet_read_memdup(p, size, &rr->nsec3.salt, &rr->nsec3.salt_size, NULL);
2056 if (r < 0)
2057 return r;
2058
2059 r = dns_packet_read_uint8(p, &size, NULL);
2060 if (r < 0)
2061 return r;
2062
2063 if (size <= 0)
2064 return -EBADMSG;
2065
2066 r = dns_packet_read_memdup(p, size,
2067 &rr->nsec3.next_hashed_name, &rr->nsec3.next_hashed_name_size,
2068 NULL);
2069 if (r < 0)
2070 return r;
2071
2072 if (rdlength < p->rindex - offset)
2073 return -EBADMSG;
2074
2075 r = dns_packet_read_type_windows(p, &rr->nsec3.types, offset + rdlength - p->rindex, NULL);
2076
2077 /* empty non-terminals can have NSEC3 records, so empty bitmaps are allowed */
2078
2079 break;
2080 }
2081
2082 case DNS_TYPE_TLSA:
2083 r = dns_packet_read_uint8(p, &rr->tlsa.cert_usage, NULL);
2084 if (r < 0)
2085 return r;
2086
2087 r = dns_packet_read_uint8(p, &rr->tlsa.selector, NULL);
2088 if (r < 0)
2089 return r;
2090
2091 r = dns_packet_read_uint8(p, &rr->tlsa.matching_type, NULL);
2092 if (r < 0)
2093 return r;
2094
2095 if (rdlength < 3)
2096 return -EBADMSG;
2097
2098 r = dns_packet_read_memdup(p, rdlength - 3,
2099 &rr->tlsa.data, &rr->tlsa.data_size,
2100 NULL);
2101
2102 if (rr->tlsa.data_size <= 0)
2103 /* the accepted size depends on the algorithm, but for now
2104 just ensure that the value is greater than zero */
2105 return -EBADMSG;
2106
2107 break;
2108
2109 case DNS_TYPE_CAA:
2110 r = dns_packet_read_uint8(p, &rr->caa.flags, NULL);
2111 if (r < 0)
2112 return r;
2113
2114 r = dns_packet_read_string(p, &rr->caa.tag, NULL);
2115 if (r < 0)
2116 return r;
2117
2118 if (rdlength < p->rindex - offset)
2119 return -EBADMSG;
2120
2121 r = dns_packet_read_memdup(p,
2122 rdlength + offset - p->rindex,
2123 &rr->caa.value, &rr->caa.value_size, NULL);
2124
2125 break;
2126
2127 case DNS_TYPE_OPT: /* we only care about the header of OPT for now. */
2128 case DNS_TYPE_OPENPGPKEY:
2129 default:
2130 unparsable:
2131 r = dns_packet_read_memdup(p, rdlength, &rr->generic.data, &rr->generic.data_size, NULL);
2132
2133 break;
2134 }
2135 if (r < 0)
2136 return r;
2137 if (p->rindex - offset != rdlength)
2138 return -EBADMSG;
2139
2140 if (ret)
2141 *ret = TAKE_PTR(rr);
2142 if (ret_cache_flush)
2143 *ret_cache_flush = cache_flush;
2144 if (ret_start)
2145 *ret_start = rewinder.saved_rindex;
2146
2147 CANCEL_REWINDER(rewinder);
2148 return 0;
2149 }
2150
2151 static bool opt_is_good(DnsResourceRecord *rr, bool *rfc6975) {
2152 const uint8_t* p;
2153 bool found_dau_dhu_n3u = false;
2154 size_t l;
2155
2156 /* Checks whether the specified OPT RR is well-formed and whether it contains RFC6975 data (which is not OK in
2157 * a reply). */
2158
2159 assert(rr);
2160 assert(rr->key->type == DNS_TYPE_OPT);
2161
2162 /* Check that the version is 0 */
2163 if (((rr->ttl >> 16) & UINT32_C(0xFF)) != 0) {
2164 *rfc6975 = false;
2165 return true; /* if it's not version 0, it's OK, but we will ignore the OPT field contents */
2166 }
2167
2168 p = rr->opt.data;
2169 l = rr->opt.data_size;
2170 while (l > 0) {
2171 uint16_t option_code, option_length;
2172
2173 /* At least four bytes for OPTION-CODE and OPTION-LENGTH are required */
2174 if (l < 4U)
2175 return false;
2176
2177 option_code = unaligned_read_be16(p);
2178 option_length = unaligned_read_be16(p + 2);
2179
2180 if (l < option_length + 4U)
2181 return false;
2182
2183 /* RFC 6975 DAU, DHU or N3U fields found. */
2184 if (IN_SET(option_code, DNS_EDNS_OPT_DAU, DNS_EDNS_OPT_DHU, DNS_EDNS_OPT_N3U))
2185 found_dau_dhu_n3u = true;
2186
2187 p += option_length + 4U;
2188 l -= option_length + 4U;
2189 }
2190
2191 *rfc6975 = found_dau_dhu_n3u;
2192 return true;
2193 }
2194
2195 static int dns_packet_extract_question(DnsPacket *p, DnsQuestion **ret_question) {
2196 _cleanup_(dns_question_unrefp) DnsQuestion *question = NULL;
2197 unsigned n;
2198 int r;
2199
2200 n = DNS_PACKET_QDCOUNT(p);
2201 if (n > 0) {
2202 question = dns_question_new(n);
2203 if (!question)
2204 return -ENOMEM;
2205
2206 _cleanup_set_free_ Set *keys = NULL; /* references to keys are kept by Question */
2207
2208 keys = set_new(&dns_resource_key_hash_ops);
2209 if (!keys)
2210 return log_oom();
2211
2212 r = set_reserve(keys, n * 2); /* Higher multipliers give slightly higher efficiency through
2213 * hash collisions, but the gains quickly drop off after 2. */
2214 if (r < 0)
2215 return r;
2216
2217 for (unsigned i = 0; i < n; i++) {
2218 _cleanup_(dns_resource_key_unrefp) DnsResourceKey *key = NULL;
2219 bool qu;
2220
2221 r = dns_packet_read_key(p, &key, &qu, NULL);
2222 if (r < 0)
2223 return r;
2224
2225 if (!dns_type_is_valid_query(key->type))
2226 return -EBADMSG;
2227
2228 r = set_put(keys, key);
2229 if (r < 0)
2230 return r;
2231 if (r == 0)
2232 /* Already in the Question, let's skip */
2233 continue;
2234
2235 r = dns_question_add_raw(question, key, qu ? DNS_QUESTION_WANTS_UNICAST_REPLY : 0);
2236 if (r < 0)
2237 return r;
2238 }
2239 }
2240
2241 *ret_question = TAKE_PTR(question);
2242
2243 return 0;
2244 }
2245
2246 static int dns_packet_extract_answer(DnsPacket *p, DnsAnswer **ret_answer) {
2247 _cleanup_(dns_answer_unrefp) DnsAnswer *answer = NULL;
2248 unsigned n;
2249 _cleanup_(dns_resource_record_unrefp) DnsResourceRecord *previous = NULL;
2250 bool bad_opt = false;
2251 int r;
2252
2253 n = DNS_PACKET_RRCOUNT(p);
2254 if (n == 0)
2255 return 0;
2256
2257 answer = dns_answer_new(n);
2258 if (!answer)
2259 return -ENOMEM;
2260
2261 for (unsigned i = 0; i < n; i++) {
2262 _cleanup_(dns_resource_record_unrefp) DnsResourceRecord *rr = NULL;
2263 bool cache_flush = false;
2264 size_t start;
2265
2266 if (p->rindex == p->size && p->opt) {
2267 /* If we reached the end of the packet already, but there are still more RRs
2268 * declared, then that's a corrupt packet. Let's accept the packet anyway, since it's
2269 * apparently a common bug in routers. Let's however suppress OPT support in this
2270 * case, so that we force the rest of the logic into lowest DNS baseline support. Or
2271 * to say this differently: if the DNS server doesn't even get the RR counts right,
2272 * it's highly unlikely it gets EDNS right. */
2273 log_debug("More resource records declared in packet than included, suppressing OPT.");
2274 bad_opt = true;
2275 break;
2276 }
2277
2278 r = dns_packet_read_rr(p, &rr, &cache_flush, &start);
2279 if (r < 0)
2280 return r;
2281
2282 /* Try to reduce memory usage a bit */
2283 if (previous)
2284 dns_resource_key_reduce(&rr->key, &previous->key);
2285
2286 if (rr->key->type == DNS_TYPE_OPT) {
2287 bool has_rfc6975;
2288
2289 if (p->opt || bad_opt) {
2290 /* Multiple OPT RRs? if so, let's ignore all, because there's
2291 * something wrong with the server, and if one is valid we wouldn't
2292 * know which one. */
2293 log_debug("Multiple OPT RRs detected, ignoring all.");
2294 bad_opt = true;
2295 continue;
2296 }
2297
2298 if (!dns_name_is_root(dns_resource_key_name(rr->key))) {
2299 /* If the OPT RR is not owned by the root domain, then it is bad,
2300 * let's ignore it. */
2301 log_debug("OPT RR is not owned by root domain, ignoring.");
2302 bad_opt = true;
2303 continue;
2304 }
2305
2306 if (i < DNS_PACKET_ANCOUNT(p) + DNS_PACKET_NSCOUNT(p)) {
2307 /* OPT RR is in the wrong section? Some Belkin routers do this. This
2308 * is a hint the EDNS implementation is borked, like the Belkin one
2309 * is, hence ignore it. */
2310 log_debug("OPT RR in wrong section, ignoring.");
2311 bad_opt = true;
2312 continue;
2313 }
2314
2315 if (!opt_is_good(rr, &has_rfc6975)) {
2316 log_debug("Malformed OPT RR, ignoring.");
2317 bad_opt = true;
2318 continue;
2319 }
2320
2321 if (DNS_PACKET_QR(p)) {
2322 /* Additional checks for responses */
2323
2324 if (!DNS_RESOURCE_RECORD_OPT_VERSION_SUPPORTED(rr))
2325 /* If this is a reply and we don't know the EDNS version
2326 * then something is weird... */
2327 return log_debug_errno(SYNTHETIC_ERRNO(EBADMSG),
2328 "EDNS version newer that our request, bad server.");
2329
2330 if (has_rfc6975) {
2331 /* If the OPT RR contains RFC6975 algorithm data, then this
2332 * is indication that the server just copied the OPT it got
2333 * from us (which contained that data) back into the reply.
2334 * If so, then it doesn't properly support EDNS, as RFC6975
2335 * makes it very clear that the algorithm data should only
2336 * be contained in questions, never in replies. Crappy
2337 * Belkin routers copy the OPT data for example, hence let's
2338 * detect this so that we downgrade early. */
2339 log_debug("OPT RR contains RFC6975 data, ignoring.");
2340 bad_opt = true;
2341 continue;
2342 }
2343 }
2344
2345 p->opt = dns_resource_record_ref(rr);
2346 p->opt_start = start;
2347 assert(p->rindex >= start);
2348 p->opt_size = p->rindex - start;
2349 } else {
2350 DnsAnswerFlags flags = 0;
2351
2352 if (p->protocol == DNS_PROTOCOL_MDNS) {
2353 flags |= DNS_ANSWER_REFUSE_TTL_NO_MATCH;
2354 if (!cache_flush)
2355 flags |= DNS_ANSWER_SHARED_OWNER;
2356 }
2357
2358 /* According to RFC 4795, section 2.9. only the RRs from the Answer section shall be
2359 * cached. Hence mark only those RRs as cacheable by default, but not the ones from
2360 * the Additional or Authority sections.
2361 * This restriction does not apply to mDNS records (RFC 6762). */
2362 if (i < DNS_PACKET_ANCOUNT(p))
2363 flags |= DNS_ANSWER_CACHEABLE|DNS_ANSWER_SECTION_ANSWER;
2364 else if (i < DNS_PACKET_ANCOUNT(p) + DNS_PACKET_NSCOUNT(p))
2365 flags |= DNS_ANSWER_SECTION_AUTHORITY;
2366 else {
2367 flags |= DNS_ANSWER_SECTION_ADDITIONAL;
2368 if (p->protocol == DNS_PROTOCOL_MDNS)
2369 flags |= DNS_ANSWER_CACHEABLE;
2370 }
2371
2372 r = dns_answer_add(answer, rr, p->ifindex, flags, NULL);
2373 if (r < 0)
2374 return r;
2375 }
2376
2377 /* Remember this RR, so that we can potentially merge its ->key object with the
2378 * next RR. Note that we only do this if we actually decided to keep the RR around.
2379 */
2380 DNS_RR_REPLACE(previous, dns_resource_record_ref(rr));
2381 }
2382
2383 if (bad_opt) {
2384 p->opt = dns_resource_record_unref(p->opt);
2385 p->opt_start = p->opt_size = SIZE_MAX;
2386 }
2387
2388 *ret_answer = TAKE_PTR(answer);
2389
2390 return 0;
2391 }
2392
2393 int dns_packet_extract(DnsPacket *p) {
2394 assert(p);
2395
2396 if (p->extracted)
2397 return 0;
2398
2399 _cleanup_(dns_question_unrefp) DnsQuestion *question = NULL;
2400 _cleanup_(dns_answer_unrefp) DnsAnswer *answer = NULL;
2401 _unused_ _cleanup_(rewind_dns_packet) DnsPacketRewinder rewinder = REWINDER_INIT(p);
2402 int r;
2403
2404 dns_packet_rewind(p, DNS_PACKET_HEADER_SIZE);
2405
2406 r = dns_packet_extract_question(p, &question);
2407 if (r < 0)
2408 return r;
2409
2410 r = dns_packet_extract_answer(p, &answer);
2411 if (r < 0)
2412 return r;
2413
2414 if (p->rindex < p->size) {
2415 log_debug("Trailing garbage in packet, suppressing OPT.");
2416 p->opt = dns_resource_record_unref(p->opt);
2417 p->opt_start = p->opt_size = SIZE_MAX;
2418 }
2419
2420 p->question = TAKE_PTR(question);
2421 p->answer = TAKE_PTR(answer);
2422 p->extracted = true;
2423
2424 /* no CANCEL, always rewind */
2425 return 0;
2426 }
2427
2428 int dns_packet_is_reply_for(DnsPacket *p, const DnsResourceKey *key) {
2429 int r;
2430
2431 assert(p);
2432 assert(key);
2433
2434 /* Checks if the specified packet is a reply for the specified
2435 * key and the specified key is the only one in the question
2436 * section. */
2437
2438 if (DNS_PACKET_QR(p) != 1)
2439 return 0;
2440
2441 /* Let's unpack the packet, if that hasn't happened yet. */
2442 r = dns_packet_extract(p);
2443 if (r < 0)
2444 return r;
2445
2446 if (!p->question)
2447 return 0;
2448
2449 if (p->question->n_keys != 1)
2450 return 0;
2451
2452 return dns_resource_key_equal(dns_question_first_key(p->question), key);
2453 }
2454
2455 int dns_packet_patch_max_udp_size(DnsPacket *p, uint16_t max_udp_size) {
2456 assert(p);
2457 assert(max_udp_size >= DNS_PACKET_UNICAST_SIZE_MAX);
2458
2459 if (p->opt_start == SIZE_MAX) /* No OPT section, nothing to patch */
2460 return 0;
2461
2462 assert(p->opt_size != SIZE_MAX);
2463 assert(p->opt_size >= 5);
2464
2465 unaligned_write_be16(DNS_PACKET_DATA(p) + p->opt_start + 3, max_udp_size);
2466 return 1;
2467 }
2468
2469 static int patch_rr(DnsPacket *p, usec_t age) {
2470 _cleanup_(rewind_dns_packet) DnsPacketRewinder rewinder = REWINDER_INIT(p);
2471 size_t ttl_index;
2472 uint32_t ttl;
2473 uint16_t type, rdlength;
2474 int r;
2475
2476 /* Patches the RR at the current rindex, subtracts the specified time from the TTL */
2477
2478 r = dns_packet_read_name(p, NULL, true, NULL);
2479 if (r < 0)
2480 return r;
2481
2482 r = dns_packet_read_uint16(p, &type, NULL);
2483 if (r < 0)
2484 return r;
2485
2486 r = dns_packet_read_uint16(p, NULL, NULL);
2487 if (r < 0)
2488 return r;
2489
2490 r = dns_packet_read_uint32(p, &ttl, &ttl_index);
2491 if (r < 0)
2492 return r;
2493
2494 if (type != DNS_TYPE_OPT) { /* The TTL of the OPT field is not actually a TTL, skip it */
2495 ttl = LESS_BY(ttl * USEC_PER_SEC, age) / USEC_PER_SEC;
2496 unaligned_write_be32(DNS_PACKET_DATA(p) + ttl_index, ttl);
2497 }
2498
2499 r = dns_packet_read_uint16(p, &rdlength, NULL);
2500 if (r < 0)
2501 return r;
2502
2503 r = dns_packet_read(p, rdlength, NULL, NULL);
2504 if (r < 0)
2505 return r;
2506
2507 CANCEL_REWINDER(rewinder);
2508 return 0;
2509 }
2510
2511 int dns_packet_patch_ttls(DnsPacket *p, usec_t timestamp) {
2512 assert(p);
2513 assert(timestamp_is_set(timestamp));
2514
2515 /* Adjusts all TTLs in the packet by subtracting the time difference between now and the specified timestamp */
2516
2517 _unused_ _cleanup_(rewind_dns_packet) DnsPacketRewinder rewinder = REWINDER_INIT(p);
2518 unsigned n;
2519 usec_t k;
2520 int r;
2521
2522 k = now(CLOCK_BOOTTIME);
2523 assert(k >= timestamp);
2524 k -= timestamp;
2525
2526 dns_packet_rewind(p, DNS_PACKET_HEADER_SIZE);
2527
2528 n = DNS_PACKET_QDCOUNT(p);
2529 for (unsigned i = 0; i < n; i++) {
2530 r = dns_packet_read_key(p, NULL, NULL, NULL);
2531 if (r < 0)
2532 return r;
2533 }
2534
2535 n = DNS_PACKET_RRCOUNT(p);
2536 for (unsigned i = 0; i < n; i++) {
2537
2538 /* DNS servers suck, hence the RR count is in many servers off. If we reached the end
2539 * prematurely, accept that, exit early */
2540 if (p->rindex == p->size)
2541 break;
2542
2543 r = patch_rr(p, k);
2544 if (r < 0)
2545 return r;
2546 }
2547
2548 return 0;
2549 }
2550
2551 static void dns_packet_hash_func(const DnsPacket *s, struct siphash *state) {
2552 assert(s);
2553
2554 siphash24_compress_typesafe(s->size, state);
2555 siphash24_compress(DNS_PACKET_DATA((DnsPacket*) s), s->size, state);
2556 }
2557
2558 static int dns_packet_compare_func(const DnsPacket *x, const DnsPacket *y) {
2559 int r;
2560
2561 r = CMP(x->size, y->size);
2562 if (r != 0)
2563 return r;
2564
2565 return memcmp(DNS_PACKET_DATA((DnsPacket*) x), DNS_PACKET_DATA((DnsPacket*) y), x->size);
2566 }
2567
2568 DEFINE_HASH_OPS(dns_packet_hash_ops, DnsPacket, dns_packet_hash_func, dns_packet_compare_func);
2569
2570 bool dns_packet_equal(const DnsPacket *a, const DnsPacket *b) {
2571 return dns_packet_compare_func(a, b) == 0;
2572 }
2573
2574 int dns_packet_ede_rcode(DnsPacket *p, char **ret_ede_msg) {
2575 assert(p);
2576
2577 _cleanup_free_ char *msg = NULL, *msg_escaped = NULL;
2578 int ede_rcode = _DNS_EDNS_OPT_MAX_DEFINED;
2579 int r;
2580 const uint8_t *d;
2581 size_t l;
2582
2583 if (!p->opt)
2584 return _DNS_EDE_RCODE_INVALID;
2585
2586 d = p->opt->opt.data;
2587 l = p->opt->opt.data_size;
2588
2589 while (l > 0) {
2590 uint16_t code, length;
2591
2592 if (l < 4U)
2593 return log_debug_errno(SYNTHETIC_ERRNO(EBADMSG),
2594 "EDNS0 variable part has invalid size.");
2595
2596 code = unaligned_read_be16(d);
2597 length = unaligned_read_be16(d + 2);
2598
2599 if (l < 4U + length)
2600 return log_debug_errno(SYNTHETIC_ERRNO(EBADMSG),
2601 "Truncated option in EDNS0 variable part.");
2602
2603 if (code == DNS_EDNS_OPT_EXT_ERROR) {
2604 if (length < 2U)
2605 return log_debug_errno(SYNTHETIC_ERRNO(EBADMSG),
2606 "EDNS0 truncated EDE info code.");
2607 ede_rcode = unaligned_read_be16(d + 4);
2608 r = make_cstring((char *)d + 6, length - 2U, MAKE_CSTRING_ALLOW_TRAILING_NUL, &msg);
2609 if (r < 0)
2610 return log_debug_errno(r, "Invalid EDE text in opt");
2611 else if (!utf8_is_valid(msg))
2612 return log_debug_errno(SYNTHETIC_ERRNO(EBADMSG), "Invalid EDE text in opt");
2613 else if (ede_rcode < _DNS_EDNS_OPT_MAX_DEFINED) {
2614 msg_escaped = cescape(msg);
2615 if (!msg_escaped)
2616 return -ENOMEM;
2617 }
2618 break;
2619 }
2620
2621 d += 4U + length;
2622 l -= 4U + length;
2623 }
2624
2625 if (ret_ede_msg)
2626 *ret_ede_msg = TAKE_PTR(msg_escaped);
2627
2628 return ede_rcode;
2629 }
2630
2631 bool dns_ede_rcode_is_dnssec(int ede_rcode) {
2632 return IN_SET(ede_rcode,
2633 DNS_EDE_RCODE_UNSUPPORTED_DNSKEY_ALG,
2634 DNS_EDE_RCODE_UNSUPPORTED_DS_DIGEST,
2635 DNS_EDE_RCODE_DNSSEC_INDETERMINATE,
2636 DNS_EDE_RCODE_DNSSEC_BOGUS,
2637 DNS_EDE_RCODE_SIG_EXPIRED,
2638 DNS_EDE_RCODE_SIG_NOT_YET_VALID,
2639 DNS_EDE_RCODE_DNSKEY_MISSING,
2640 DNS_EDE_RCODE_RRSIG_MISSING,
2641 DNS_EDE_RCODE_NO_ZONE_KEY_BIT,
2642 DNS_EDE_RCODE_NSEC_MISSING
2643 );
2644 }
2645
2646 int dns_packet_has_nsid_request(DnsPacket *p) {
2647 bool has_nsid = false;
2648 const uint8_t *d;
2649 size_t l;
2650
2651 assert(p);
2652
2653 if (!p->opt)
2654 return false;
2655
2656 d = p->opt->opt.data;
2657 l = p->opt->opt.data_size;
2658
2659 while (l > 0) {
2660 uint16_t code, length;
2661
2662 if (l < 4U)
2663 return log_debug_errno(SYNTHETIC_ERRNO(EBADMSG),
2664 "EDNS0 variable part has invalid size.");
2665
2666 code = unaligned_read_be16(d);
2667 length = unaligned_read_be16(d + 2);
2668
2669 if (l < 4U + length)
2670 return log_debug_errno(SYNTHETIC_ERRNO(EBADMSG),
2671 "Truncated option in EDNS0 variable part.");
2672
2673 if (code == DNS_EDNS_OPT_NSID) {
2674 if (has_nsid)
2675 return log_debug_errno(SYNTHETIC_ERRNO(EBADMSG),
2676 "Duplicate NSID option in EDNS0 variable part.");
2677
2678 if (length != 0)
2679 return log_debug_errno(SYNTHETIC_ERRNO(EBADMSG),
2680 "Non-empty NSID option in DNS request.");
2681
2682 has_nsid = true;
2683 }
2684
2685 d += 4U + length;
2686 l -= 4U + length;
2687 }
2688
2689 return has_nsid;
2690 }
2691
2692 size_t dns_packet_size_unfragmented(DnsPacket *p) {
2693 assert(p);
2694
2695 if (p->fragsize == 0) /* Wasn't fragmented */
2696 return p->size;
2697
2698 /* The fragment size (p->fragsize) covers the whole (fragmented) IP packet, while the regular packet
2699 * size (p->size) only covers the DNS part. Thus, subtract the UDP header from the largest fragment
2700 * size, in order to determine which size of DNS packet would have gone through without
2701 * fragmenting. */
2702
2703 return LESS_BY(p->fragsize, udp_header_size(p->family));
2704 }
2705
2706 static const char* const dns_rcode_table[_DNS_RCODE_MAX_DEFINED] = {
2707 [DNS_RCODE_SUCCESS] = "SUCCESS",
2708 [DNS_RCODE_FORMERR] = "FORMERR",
2709 [DNS_RCODE_SERVFAIL] = "SERVFAIL",
2710 [DNS_RCODE_NXDOMAIN] = "NXDOMAIN",
2711 [DNS_RCODE_NOTIMP] = "NOTIMP",
2712 [DNS_RCODE_REFUSED] = "REFUSED",
2713 [DNS_RCODE_YXDOMAIN] = "YXDOMAIN",
2714 [DNS_RCODE_YXRRSET] = "YRRSET",
2715 [DNS_RCODE_NXRRSET] = "NXRRSET",
2716 [DNS_RCODE_NOTAUTH] = "NOTAUTH",
2717 [DNS_RCODE_NOTZONE] = "NOTZONE",
2718 [DNS_RCODE_BADVERS] = "BADVERS",
2719 [DNS_RCODE_BADKEY] = "BADKEY",
2720 [DNS_RCODE_BADTIME] = "BADTIME",
2721 [DNS_RCODE_BADMODE] = "BADMODE",
2722 [DNS_RCODE_BADNAME] = "BADNAME",
2723 [DNS_RCODE_BADALG] = "BADALG",
2724 [DNS_RCODE_BADTRUNC] = "BADTRUNC",
2725 [DNS_RCODE_BADCOOKIE] = "BADCOOKIE",
2726 };
2727 DEFINE_STRING_TABLE_LOOKUP(dns_rcode, int);
2728
2729 const char *format_dns_rcode(int i, char buf[static DECIMAL_STR_MAX(int)]) {
2730 const char *p = dns_rcode_to_string(i);
2731 if (p)
2732 return p;
2733
2734 return snprintf_ok(buf, DECIMAL_STR_MAX(int), "%i", i);
2735 }
2736
2737 static const char* const dns_ede_rcode_table[_DNS_EDE_RCODE_MAX_DEFINED] = {
2738 [DNS_EDE_RCODE_OTHER] = "Other",
2739 [DNS_EDE_RCODE_UNSUPPORTED_DNSKEY_ALG] = "Unsupported DNSKEY Algorithm",
2740 [DNS_EDE_RCODE_UNSUPPORTED_DS_DIGEST] = "Unsupported DS Digest Type",
2741 [DNS_EDE_RCODE_STALE_ANSWER] = "Stale Answer",
2742 [DNS_EDE_RCODE_FORGED_ANSWER] = "Forged Answer",
2743 [DNS_EDE_RCODE_DNSSEC_INDETERMINATE] = "DNSSEC Indeterminate",
2744 [DNS_EDE_RCODE_DNSSEC_BOGUS] = "DNSSEC Bogus",
2745 [DNS_EDE_RCODE_SIG_EXPIRED] = "Signature Expired",
2746 [DNS_EDE_RCODE_SIG_NOT_YET_VALID] = "Signature Not Yet Valid",
2747 [DNS_EDE_RCODE_DNSKEY_MISSING] = "DNSKEY Missing",
2748 [DNS_EDE_RCODE_RRSIG_MISSING] = "RRSIG Missing",
2749 [DNS_EDE_RCODE_NO_ZONE_KEY_BIT] = "No Zone Key Bit Set",
2750 [DNS_EDE_RCODE_NSEC_MISSING] = "NSEC Missing",
2751 [DNS_EDE_RCODE_CACHED_ERROR] = "Cached Error",
2752 [DNS_EDE_RCODE_NOT_READY] = "Not Ready",
2753 [DNS_EDE_RCODE_BLOCKED] = "Blocked",
2754 [DNS_EDE_RCODE_CENSORED] = "Censored",
2755 [DNS_EDE_RCODE_FILTERED] = "Filtered",
2756 [DNS_EDE_RCODE_PROHIBITIED] = "Prohibited",
2757 [DNS_EDE_RCODE_STALE_NXDOMAIN_ANSWER] = "Stale NXDOMAIN Answer",
2758 [DNS_EDE_RCODE_NOT_AUTHORITATIVE] = "Not Authoritative",
2759 [DNS_EDE_RCODE_NOT_SUPPORTED] = "Not Supported",
2760 [DNS_EDE_RCODE_UNREACH_AUTHORITY] = "No Reachable Authority",
2761 [DNS_EDE_RCODE_NET_ERROR] = "Network Error",
2762 [DNS_EDE_RCODE_INVALID_DATA] = "Invalid Data",
2763 [DNS_EDE_RCODE_SIG_NEVER] = "Signature Never Valid",
2764 [DNS_EDE_RCODE_TOO_EARLY] = "Too Early",
2765 [DNS_EDE_RCODE_UNSUPPORTED_NSEC3_ITER] = "Unsupported NSEC3 Iterations",
2766 [DNS_EDE_RCODE_TRANSPORT_POLICY] = "Impossible Transport Policy",
2767 [DNS_EDE_RCODE_SYNTHESIZED] = "Synthesized",
2768 };
2769 DEFINE_STRING_TABLE_LOOKUP_TO_STRING(dns_ede_rcode, int);
2770
2771 const char *format_dns_ede_rcode(int i, char buf[static DECIMAL_STR_MAX(int)]) {
2772 const char *p = dns_ede_rcode_to_string(i);
2773 if (p)
2774 return p;
2775
2776 return snprintf_ok(buf, DECIMAL_STR_MAX(int), "%i", i);
2777 }
2778
2779 static const char* const dns_protocol_table[_DNS_PROTOCOL_MAX] = {
2780 [DNS_PROTOCOL_DNS] = "dns",
2781 [DNS_PROTOCOL_MDNS] = "mdns",
2782 [DNS_PROTOCOL_LLMNR] = "llmnr",
2783 };
2784 DEFINE_STRING_TABLE_LOOKUP(dns_protocol, DnsProtocol);
Unnamed repository; edit this file 'description' to name the repository.