]> git.ipfire.org Git - thirdparty/systemd.git/blob - src/resolve/resolved-dns-packet.c
projects / thirdparty / systemd.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
Merge pull request #18664 from poettering/resolved-defrag
[thirdparty/systemd.git] / src / resolve / resolved-dns-packet.c
1 /* SPDX-License-Identifier: LGPL-2.1-or-later */
2
3 #if HAVE_GCRYPT
4 #include <gcrypt.h>
5 #endif
6
7 #include "alloc-util.h"
8 #include "dns-domain.h"
9 #include "memory-util.h"
10 #include "resolved-dns-packet.h"
11 #include "set.h"
12 #include "string-table.h"
13 #include "strv.h"
14 #include "unaligned.h"
15 #include "utf8.h"
16 #include "util.h"
17
18 #define EDNS0_OPT_DO (1<<15)
19
20 assert_cc(DNS_PACKET_SIZE_START > DNS_PACKET_HEADER_SIZE);
21
22 typedef struct DnsPacketRewinder {
23 DnsPacket *packet;
24 size_t saved_rindex;
25 } DnsPacketRewinder;
26
27 static void rewind_dns_packet(DnsPacketRewinder *rewinder) {
28 if (rewinder->packet)
29 dns_packet_rewind(rewinder->packet, rewinder->saved_rindex);
30 }
31
32 #define INIT_REWINDER(rewinder, p) do { rewinder.packet = p; rewinder.saved_rindex = p->rindex; } while (0)
33 #define CANCEL_REWINDER(rewinder) do { rewinder.packet = NULL; } while (0)
34
35 int dns_packet_new(
36 DnsPacket **ret,
37 DnsProtocol protocol,
38 size_t min_alloc_dsize,
39 size_t max_size) {
40
41 DnsPacket *p;
42 size_t a;
43
44 assert(ret);
45 assert(max_size >= DNS_PACKET_HEADER_SIZE);
46
47 if (max_size > DNS_PACKET_SIZE_MAX)
48 max_size = DNS_PACKET_SIZE_MAX;
49
50 /* The caller may not check what is going to be truly allocated, so do not allow to
51 * allocate a DNS packet bigger than DNS_PACKET_SIZE_MAX.
52 */
53 if (min_alloc_dsize > DNS_PACKET_SIZE_MAX)
54 return log_error_errno(SYNTHETIC_ERRNO(EFBIG),
55 "Requested packet data size too big: %zu",
56 min_alloc_dsize);
57
58 /* When dns_packet_new() is called with min_alloc_dsize == 0, allocate more than the
59 * absolute minimum (which is the dns packet header size), to avoid
60 * resizing immediately again after appending the first data to the packet.
61 */
62 if (min_alloc_dsize < DNS_PACKET_HEADER_SIZE)
63 a = DNS_PACKET_SIZE_START;
64 else
65 a = min_alloc_dsize;
66
67 /* round up to next page size */
68 a = PAGE_ALIGN(ALIGN(sizeof(DnsPacket)) + a) - ALIGN(sizeof(DnsPacket));
69
70 /* make sure we never allocate more than useful */
71 if (a > max_size)
72 a = max_size;
73
74 p = malloc0(ALIGN(sizeof(DnsPacket)) + a);
75 if (!p)
76 return -ENOMEM;
77
78 *p = (DnsPacket) {
79 .n_ref = 1,
80 .protocol = protocol,
81 .size = DNS_PACKET_HEADER_SIZE,
82 .rindex = DNS_PACKET_HEADER_SIZE,
83 .allocated = a,
84 .max_size = max_size,
85 .opt_start = (size_t) -1,
86 .opt_size = (size_t) -1,
87 };
88
89 *ret = p;
90
91 return 0;
92 }
93
94 void dns_packet_set_flags(DnsPacket *p, bool dnssec_checking_disabled, bool truncated) {
95
96 DnsPacketHeader *h;
97
98 assert(p);
99
100 h = DNS_PACKET_HEADER(p);
101
102 switch(p->protocol) {
103 case DNS_PROTOCOL_LLMNR:
104 assert(!truncated);
105
106 h->flags = htobe16(DNS_PACKET_MAKE_FLAGS(0 /* qr */,
107 0 /* opcode */,
108 0 /* c */,
109 0 /* tc */,
110 0 /* t */,
111 0 /* ra */,
112 0 /* ad */,
113 0 /* cd */,
114 0 /* rcode */));
115 break;
116
117 case DNS_PROTOCOL_MDNS:
118 h->flags = htobe16(DNS_PACKET_MAKE_FLAGS(0 /* qr */,
119 0 /* opcode */,
120 0 /* aa */,
121 truncated /* tc */,
122 0 /* rd (ask for recursion) */,
123 0 /* ra */,
124 0 /* ad */,
125 0 /* cd */,
126 0 /* rcode */));
127 break;
128
129 default:
130 assert(!truncated);
131
132 h->flags = htobe16(DNS_PACKET_MAKE_FLAGS(0 /* qr */,
133 0 /* opcode */,
134 0 /* aa */,
135 0 /* tc */,
136 1 /* rd (ask for recursion) */,
137 0 /* ra */,
138 0 /* ad */,
139 dnssec_checking_disabled /* cd */,
140 0 /* rcode */));
141 }
142 }
143
144 int dns_packet_new_query(DnsPacket **ret, DnsProtocol protocol, size_t min_alloc_dsize, bool dnssec_checking_disabled) {
145 DnsPacket *p;
146 int r;
147
148 assert(ret);
149
150 r = dns_packet_new(&p, protocol, min_alloc_dsize, DNS_PACKET_SIZE_MAX);
151 if (r < 0)
152 return r;
153
154 /* Always set the TC bit to 0 initially.
155 * If there are multiple packets later, we'll update the bit shortly before sending.
156 */
157 dns_packet_set_flags(p, dnssec_checking_disabled, false);
158
159 *ret = p;
160 return 0;
161 }
162
163 int dns_packet_dup(DnsPacket **ret, DnsPacket *p) {
164 DnsPacket *c;
165 int r;
166
167 assert(ret);
168 assert(p);
169
170 r = dns_packet_validate(p);
171 if (r < 0)
172 return r;
173
174 c = malloc(ALIGN(sizeof(DnsPacket)) + p->size);
175 if (!c)
176 return -ENOMEM;
177
178 *c = (DnsPacket) {
179 .n_ref = 1,
180 .protocol = p->protocol,
181 .size = p->size,
182 .rindex = DNS_PACKET_HEADER_SIZE,
183 .allocated = p->size,
184 .max_size = p->max_size,
185 .opt_start = (size_t) -1,
186 .opt_size = (size_t) -1,
187 };
188
189 memcpy(DNS_PACKET_DATA(c), DNS_PACKET_DATA(p), p->size);
190
191 *ret = c;
192 return 0;
193 }
194
195 DnsPacket *dns_packet_ref(DnsPacket *p) {
196
197 if (!p)
198 return NULL;
199
200 assert(!p->on_stack);
201
202 assert(p->n_ref > 0);
203 p->n_ref++;
204 return p;
205 }
206
207 static void dns_packet_free(DnsPacket *p) {
208 char *s;
209
210 assert(p);
211
212 dns_question_unref(p->question);
213 dns_answer_unref(p->answer);
214 dns_resource_record_unref(p->opt);
215
216 while ((s = hashmap_steal_first_key(p->names)))
217 free(s);
218 hashmap_free(p->names);
219
220 free(p->_data);
221
222 if (!p->on_stack)
223 free(p);
224 }
225
226 DnsPacket *dns_packet_unref(DnsPacket *p) {
227 if (!p)
228 return NULL;
229
230 assert(p->n_ref > 0);
231
232 dns_packet_unref(p->more);
233
234 if (p->n_ref == 1)
235 dns_packet_free(p);
236 else
237 p->n_ref--;
238
239 return NULL;
240 }
241
242 int dns_packet_validate(DnsPacket *p) {
243 assert(p);
244
245 if (p->size < DNS_PACKET_HEADER_SIZE)
246 return -EBADMSG;
247
248 if (p->size > DNS_PACKET_SIZE_MAX)
249 return -EBADMSG;
250
251 return 1;
252 }
253
254 int dns_packet_validate_reply(DnsPacket *p) {
255 int r;
256
257 assert(p);
258
259 r = dns_packet_validate(p);
260 if (r < 0)
261 return r;
262
263 if (DNS_PACKET_QR(p) != 1)
264 return 0;
265
266 if (DNS_PACKET_OPCODE(p) != 0)
267 return -EBADMSG;
268
269 switch (p->protocol) {
270
271 case DNS_PROTOCOL_LLMNR:
272 /* RFC 4795, Section 2.1.1. says to discard all replies with QDCOUNT != 1 */
273 if (DNS_PACKET_QDCOUNT(p) != 1)
274 return -EBADMSG;
275
276 break;
277
278 case DNS_PROTOCOL_MDNS:
279 /* RFC 6762, Section 18 */
280 if (DNS_PACKET_RCODE(p) != 0)
281 return -EBADMSG;
282
283 break;
284
285 default:
286 break;
287 }
288
289 return 1;
290 }
291
292 int dns_packet_validate_query(DnsPacket *p) {
293 int r;
294
295 assert(p);
296
297 r = dns_packet_validate(p);
298 if (r < 0)
299 return r;
300
301 if (DNS_PACKET_QR(p) != 0)
302 return 0;
303
304 if (DNS_PACKET_OPCODE(p) != 0)
305 return -EBADMSG;
306
307 if (DNS_PACKET_TC(p))
308 return -EBADMSG;
309
310 switch (p->protocol) {
311
312 case DNS_PROTOCOL_LLMNR:
313 case DNS_PROTOCOL_DNS:
314 /* RFC 4795, Section 2.1.1. says to discard all queries with QDCOUNT != 1 */
315 if (DNS_PACKET_QDCOUNT(p) != 1)
316 return -EBADMSG;
317
318 /* RFC 4795, Section 2.1.1. says to discard all queries with ANCOUNT != 0 */
319 if (DNS_PACKET_ANCOUNT(p) > 0)
320 return -EBADMSG;
321
322 /* RFC 4795, Section 2.1.1. says to discard all queries with NSCOUNT != 0 */
323 if (DNS_PACKET_NSCOUNT(p) > 0)
324 return -EBADMSG;
325
326 break;
327
328 case DNS_PROTOCOL_MDNS:
329 /* RFC 6762, Section 18 */
330 if (DNS_PACKET_AA(p) != 0 ||
331 DNS_PACKET_RD(p) != 0 ||
332 DNS_PACKET_RA(p) != 0 ||
333 DNS_PACKET_AD(p) != 0 ||
334 DNS_PACKET_CD(p) != 0 ||
335 DNS_PACKET_RCODE(p) != 0)
336 return -EBADMSG;
337
338 break;
339
340 default:
341 break;
342 }
343
344 return 1;
345 }
346
347 static int dns_packet_extend(DnsPacket *p, size_t add, void **ret, size_t *start) {
348 assert(p);
349
350 if (p->size + add > p->allocated) {
351 size_t a, ms;
352
353 a = PAGE_ALIGN((p->size + add) * 2);
354
355 ms = dns_packet_size_max(p);
356 if (a > ms)
357 a = ms;
358
359 if (p->size + add > a)
360 return -EMSGSIZE;
361
362 if (p->_data) {
363 void *d;
364
365 d = realloc(p->_data, a);
366 if (!d)
367 return -ENOMEM;
368
369 p->_data = d;
370 } else {
371 p->_data = malloc(a);
372 if (!p->_data)
373 return -ENOMEM;
374
375 memcpy(p->_data, (uint8_t*) p + ALIGN(sizeof(DnsPacket)), p->size);
376 memzero((uint8_t*) p->_data + p->size, a - p->size);
377 }
378
379 p->allocated = a;
380 }
381
382 if (start)
383 *start = p->size;
384
385 if (ret)
386 *ret = (uint8_t*) DNS_PACKET_DATA(p) + p->size;
387
388 p->size += add;
389 return 0;
390 }
391
392 void dns_packet_truncate(DnsPacket *p, size_t sz) {
393 char *s;
394 void *n;
395
396 assert(p);
397
398 if (p->size <= sz)
399 return;
400
401 HASHMAP_FOREACH_KEY(n, s, p->names) {
402
403 if (PTR_TO_SIZE(n) < sz)
404 continue;
405
406 hashmap_remove(p->names, s);
407 free(s);
408 }
409
410 p->size = sz;
411 }
412
413 int dns_packet_append_blob(DnsPacket *p, const void *d, size_t l, size_t *start) {
414 void *q;
415 int r;
416
417 assert(p);
418
419 r = dns_packet_extend(p, l, &q, start);
420 if (r < 0)
421 return r;
422
423 memcpy_safe(q, d, l);
424 return 0;
425 }
426
427 int dns_packet_append_uint8(DnsPacket *p, uint8_t v, size_t *start) {
428 void *d;
429 int r;
430
431 assert(p);
432
433 r = dns_packet_extend(p, sizeof(uint8_t), &d, start);
434 if (r < 0)
435 return r;
436
437 ((uint8_t*) d)[0] = v;
438
439 return 0;
440 }
441
442 int dns_packet_append_uint16(DnsPacket *p, uint16_t v, size_t *start) {
443 void *d;
444 int r;
445
446 assert(p);
447
448 r = dns_packet_extend(p, sizeof(uint16_t), &d, start);
449 if (r < 0)
450 return r;
451
452 unaligned_write_be16(d, v);
453
454 return 0;
455 }
456
457 int dns_packet_append_uint32(DnsPacket *p, uint32_t v, size_t *start) {
458 void *d;
459 int r;
460
461 assert(p);
462
463 r = dns_packet_extend(p, sizeof(uint32_t), &d, start);
464 if (r < 0)
465 return r;
466
467 unaligned_write_be32(d, v);
468
469 return 0;
470 }
471
472 int dns_packet_append_string(DnsPacket *p, const char *s, size_t *start) {
473 assert(p);
474 assert(s);
475
476 return dns_packet_append_raw_string(p, s, strlen(s), start);
477 }
478
479 int dns_packet_append_raw_string(DnsPacket *p, const void *s, size_t size, size_t *start) {
480 void *d;
481 int r;
482
483 assert(p);
484 assert(s || size == 0);
485
486 if (size > 255)
487 return -E2BIG;
488
489 r = dns_packet_extend(p, 1 + size, &d, start);
490 if (r < 0)
491 return r;
492
493 ((uint8_t*) d)[0] = (uint8_t) size;
494
495 memcpy_safe(((uint8_t*) d) + 1, s, size);
496
497 return 0;
498 }
499
500 int dns_packet_append_label(DnsPacket *p, const char *d, size_t l, bool canonical_candidate, size_t *start) {
501 uint8_t *w;
502 int r;
503
504 /* Append a label to a packet. Optionally, does this in DNSSEC
505 * canonical form, if this label is marked as a candidate for
506 * it, and the canonical form logic is enabled for the
507 * packet */
508
509 assert(p);
510 assert(d);
511
512 if (l > DNS_LABEL_MAX)
513 return -E2BIG;
514
515 r = dns_packet_extend(p, 1 + l, (void**) &w, start);
516 if (r < 0)
517 return r;
518
519 *(w++) = (uint8_t) l;
520
521 if (p->canonical_form && canonical_candidate) {
522 size_t i;
523
524 /* Generate in canonical form, as defined by DNSSEC
525 * RFC 4034, Section 6.2, i.e. all lower-case. */
526
527 for (i = 0; i < l; i++)
528 w[i] = (uint8_t) ascii_tolower(d[i]);
529 } else
530 /* Otherwise, just copy the string unaltered. This is
531 * essential for DNS-SD, where the casing of labels
532 * matters and needs to be retained. */
533 memcpy(w, d, l);
534
535 return 0;
536 }
537
538 int dns_packet_append_name(
539 DnsPacket *p,
540 const char *name,
541 bool allow_compression,
542 bool canonical_candidate,
543 size_t *start) {
544
545 size_t saved_size;
546 int r;
547
548 assert(p);
549 assert(name);
550
551 if (p->refuse_compression)
552 allow_compression = false;
553
554 saved_size = p->size;
555
556 while (!dns_name_is_root(name)) {
557 const char *z = name;
558 char label[DNS_LABEL_MAX];
559 size_t n = 0;
560
561 if (allow_compression)
562 n = PTR_TO_SIZE(hashmap_get(p->names, name));
563 if (n > 0) {
564 assert(n < p->size);
565
566 if (n < 0x4000) {
567 r = dns_packet_append_uint16(p, 0xC000 | n, NULL);
568 if (r < 0)
569 goto fail;
570
571 goto done;
572 }
573 }
574
575 r = dns_label_unescape(&name, label, sizeof label, 0);
576 if (r < 0)
577 goto fail;
578
579 r = dns_packet_append_label(p, label, r, canonical_candidate, &n);
580 if (r < 0)
581 goto fail;
582
583 if (allow_compression) {
584 _cleanup_free_ char *s = NULL;
585
586 s = strdup(z);
587 if (!s) {
588 r = -ENOMEM;
589 goto fail;
590 }
591
592 r = hashmap_ensure_put(&p->names, &dns_name_hash_ops, s, SIZE_TO_PTR(n));
593 if (r < 0)
594 goto fail;
595
596 TAKE_PTR(s);
597 }
598 }
599
600 r = dns_packet_append_uint8(p, 0, NULL);
601 if (r < 0)
602 return r;
603
604 done:
605 if (start)
606 *start = saved_size;
607
608 return 0;
609
610 fail:
611 dns_packet_truncate(p, saved_size);
612 return r;
613 }
614
615 int dns_packet_append_key(DnsPacket *p, const DnsResourceKey *k, const DnsAnswerFlags flags, size_t *start) {
616 size_t saved_size;
617 uint16_t class;
618 int r;
619
620 assert(p);
621 assert(k);
622
623 saved_size = p->size;
624
625 r = dns_packet_append_name(p, dns_resource_key_name(k), true, true, NULL);
626 if (r < 0)
627 goto fail;
628
629 r = dns_packet_append_uint16(p, k->type, NULL);
630 if (r < 0)
631 goto fail;
632
633 class = flags & DNS_ANSWER_CACHE_FLUSH ? k->class | MDNS_RR_CACHE_FLUSH : k->class;
634 r = dns_packet_append_uint16(p, class, NULL);
635 if (r < 0)
636 goto fail;
637
638 if (start)
639 *start = saved_size;
640
641 return 0;
642
643 fail:
644 dns_packet_truncate(p, saved_size);
645 return r;
646 }
647
648 static int dns_packet_append_type_window(DnsPacket *p, uint8_t window, uint8_t length, const uint8_t *types, size_t *start) {
649 size_t saved_size;
650 int r;
651
652 assert(p);
653 assert(types);
654 assert(length > 0);
655
656 saved_size = p->size;
657
658 r = dns_packet_append_uint8(p, window, NULL);
659 if (r < 0)
660 goto fail;
661
662 r = dns_packet_append_uint8(p, length, NULL);
663 if (r < 0)
664 goto fail;
665
666 r = dns_packet_append_blob(p, types, length, NULL);
667 if (r < 0)
668 goto fail;
669
670 if (start)
671 *start = saved_size;
672
673 return 0;
674 fail:
675 dns_packet_truncate(p, saved_size);
676 return r;
677 }
678
679 static int dns_packet_append_types(DnsPacket *p, Bitmap *types, size_t *start) {
680 uint8_t window = 0;
681 uint8_t entry = 0;
682 uint8_t bitmaps[32] = {};
683 unsigned n;
684 size_t saved_size;
685 int r;
686
687 assert(p);
688
689 saved_size = p->size;
690
691 BITMAP_FOREACH(n, types) {
692 assert(n <= 0xffff);
693
694 if ((n >> 8) != window && bitmaps[entry / 8] != 0) {
695 r = dns_packet_append_type_window(p, window, entry / 8 + 1, bitmaps, NULL);
696 if (r < 0)
697 goto fail;
698
699 zero(bitmaps);
700 }
701
702 window = n >> 8;
703 entry = n & 255;
704
705 bitmaps[entry / 8] |= 1 << (7 - (entry % 8));
706 }
707
708 if (bitmaps[entry / 8] != 0) {
709 r = dns_packet_append_type_window(p, window, entry / 8 + 1, bitmaps, NULL);
710 if (r < 0)
711 goto fail;
712 }
713
714 if (start)
715 *start = saved_size;
716
717 return 0;
718 fail:
719 dns_packet_truncate(p, saved_size);
720 return r;
721 }
722
723 /* Append the OPT pseudo-RR described in RFC6891 */
724 int dns_packet_append_opt(
725 DnsPacket *p,
726 uint16_t max_udp_size,
727 bool edns0_do,
728 bool include_rfc6975,
729 const char *nsid,
730 int rcode,
731 size_t *ret_start) {
732
733 size_t saved_size;
734 int r;
735
736 assert(p);
737 /* we must never advertise supported packet size smaller than the legacy max */
738 assert(max_udp_size >= DNS_PACKET_UNICAST_SIZE_MAX);
739 assert(rcode >= 0);
740 assert(rcode <= _DNS_RCODE_MAX);
741
742 if (p->opt_start != (size_t) -1)
743 return -EBUSY;
744
745 assert(p->opt_size == (size_t) -1);
746
747 saved_size = p->size;
748
749 /* empty name */
750 r = dns_packet_append_uint8(p, 0, NULL);
751 if (r < 0)
752 return r;
753
754 /* type */
755 r = dns_packet_append_uint16(p, DNS_TYPE_OPT, NULL);
756 if (r < 0)
757 goto fail;
758
759 /* class: maximum udp packet that can be received */
760 r = dns_packet_append_uint16(p, max_udp_size, NULL);
761 if (r < 0)
762 goto fail;
763
764 /* extended RCODE and VERSION */
765 r = dns_packet_append_uint16(p, ((uint16_t) rcode & 0x0FF0) << 4, NULL);
766 if (r < 0)
767 goto fail;
768
769 /* flags: DNSSEC OK (DO), see RFC3225 */
770 r = dns_packet_append_uint16(p, edns0_do ? EDNS0_OPT_DO : 0, NULL);
771 if (r < 0)
772 goto fail;
773
774 if (edns0_do && include_rfc6975) {
775 /* If DO is on and this is requested, also append RFC6975 Algorithm data. This is supposed to
776 * be done on queries, not on replies, hencer callers should turn this off when finishing off
777 * replies. */
778
779 static const uint8_t rfc6975[] = {
780
781 0, 5, /* OPTION_CODE: DAU */
782 #if HAVE_GCRYPT && GCRYPT_VERSION_NUMBER >= 0x010600
783 0, 7, /* LIST_LENGTH */
784 #else
785 0, 6, /* LIST_LENGTH */
786 #endif
787 DNSSEC_ALGORITHM_RSASHA1,
788 DNSSEC_ALGORITHM_RSASHA1_NSEC3_SHA1,
789 DNSSEC_ALGORITHM_RSASHA256,
790 DNSSEC_ALGORITHM_RSASHA512,
791 DNSSEC_ALGORITHM_ECDSAP256SHA256,
792 DNSSEC_ALGORITHM_ECDSAP384SHA384,
793 #if HAVE_GCRYPT && GCRYPT_VERSION_NUMBER >= 0x010600
794 DNSSEC_ALGORITHM_ED25519,
795 #endif
796
797 0, 6, /* OPTION_CODE: DHU */
798 0, 3, /* LIST_LENGTH */
799 DNSSEC_DIGEST_SHA1,
800 DNSSEC_DIGEST_SHA256,
801 DNSSEC_DIGEST_SHA384,
802
803 0, 7, /* OPTION_CODE: N3U */
804 0, 1, /* LIST_LENGTH */
805 NSEC3_ALGORITHM_SHA1,
806 };
807
808 r = dns_packet_append_uint16(p, sizeof(rfc6975), NULL); /* RDLENGTH */
809 if (r < 0)
810 goto fail;
811
812 r = dns_packet_append_blob(p, rfc6975, sizeof(rfc6975), NULL); /* the payload, as defined above */
813
814 } else if (nsid) {
815
816 if (strlen(nsid) > UINT16_MAX - 4) {
817 r = -E2BIG;
818 goto fail;
819 }
820
821 r = dns_packet_append_uint16(p, 4 + strlen(nsid), NULL); /* RDLENGTH */
822 if (r < 0)
823 goto fail;
824
825 r = dns_packet_append_uint16(p, 3, NULL); /* OPTION-CODE: NSID */
826 if (r < 0)
827 goto fail;
828
829 r = dns_packet_append_uint16(p, strlen(nsid), NULL); /* OPTION-LENGTH */
830 if (r < 0)
831 goto fail;
832
833 r = dns_packet_append_blob(p, nsid, strlen(nsid), NULL);
834 } else
835 r = dns_packet_append_uint16(p, 0, NULL);
836 if (r < 0)
837 goto fail;
838
839 DNS_PACKET_HEADER(p)->arcount = htobe16(DNS_PACKET_ARCOUNT(p) + 1);
840
841 p->opt_start = saved_size;
842 p->opt_size = p->size - saved_size;
843
844 if (ret_start)
845 *ret_start = saved_size;
846
847 return 0;
848
849 fail:
850 dns_packet_truncate(p, saved_size);
851 return r;
852 }
853
854 int dns_packet_truncate_opt(DnsPacket *p) {
855 assert(p);
856
857 if (p->opt_start == (size_t) -1) {
858 assert(p->opt_size == (size_t) -1);
859 return 0;
860 }
861
862 assert(p->opt_size != (size_t) -1);
863 assert(DNS_PACKET_ARCOUNT(p) > 0);
864
865 if (p->opt_start + p->opt_size != p->size)
866 return -EBUSY;
867
868 dns_packet_truncate(p, p->opt_start);
869 DNS_PACKET_HEADER(p)->arcount = htobe16(DNS_PACKET_ARCOUNT(p) - 1);
870 p->opt_start = p->opt_size = (size_t) -1;
871
872 return 1;
873 }
874
875 int dns_packet_append_rr(DnsPacket *p, const DnsResourceRecord *rr, const DnsAnswerFlags flags, size_t *start, size_t *rdata_start) {
876
877 size_t saved_size, rdlength_offset, end, rdlength, rds;
878 uint32_t ttl;
879 int r;
880
881 assert(p);
882 assert(rr);
883
884 saved_size = p->size;
885
886 r = dns_packet_append_key(p, rr->key, flags, NULL);
887 if (r < 0)
888 goto fail;
889
890 ttl = flags & DNS_ANSWER_GOODBYE ? 0 : rr->ttl;
891 r = dns_packet_append_uint32(p, ttl, NULL);
892 if (r < 0)
893 goto fail;
894
895 /* Initially we write 0 here */
896 r = dns_packet_append_uint16(p, 0, &rdlength_offset);
897 if (r < 0)
898 goto fail;
899
900 rds = p->size - saved_size;
901
902 switch (rr->unparsable ? _DNS_TYPE_INVALID : rr->key->type) {
903
904 case DNS_TYPE_SRV:
905 r = dns_packet_append_uint16(p, rr->srv.priority, NULL);
906 if (r < 0)
907 goto fail;
908
909 r = dns_packet_append_uint16(p, rr->srv.weight, NULL);
910 if (r < 0)
911 goto fail;
912
913 r = dns_packet_append_uint16(p, rr->srv.port, NULL);
914 if (r < 0)
915 goto fail;
916
917 /* RFC 2782 states "Unless and until permitted by future standards
918 * action, name compression is not to be used for this field." */
919 r = dns_packet_append_name(p, rr->srv.name, false, true, NULL);
920 break;
921
922 case DNS_TYPE_PTR:
923 case DNS_TYPE_NS:
924 case DNS_TYPE_CNAME:
925 case DNS_TYPE_DNAME:
926 r = dns_packet_append_name(p, rr->ptr.name, true, true, NULL);
927 break;
928
929 case DNS_TYPE_HINFO:
930 r = dns_packet_append_string(p, rr->hinfo.cpu, NULL);
931 if (r < 0)
932 goto fail;
933
934 r = dns_packet_append_string(p, rr->hinfo.os, NULL);
935 break;
936
937 case DNS_TYPE_SPF: /* exactly the same as TXT */
938 case DNS_TYPE_TXT:
939
940 if (!rr->txt.items) {
941 /* RFC 6763, section 6.1 suggests to generate
942 * single empty string for an empty array. */
943
944 r = dns_packet_append_raw_string(p, NULL, 0, NULL);
945 if (r < 0)
946 goto fail;
947 } else {
948 DnsTxtItem *i;
949
950 LIST_FOREACH(items, i, rr->txt.items) {
951 r = dns_packet_append_raw_string(p, i->data, i->length, NULL);
952 if (r < 0)
953 goto fail;
954 }
955 }
956
957 r = 0;
958 break;
959
960 case DNS_TYPE_A:
961 r = dns_packet_append_blob(p, &rr->a.in_addr, sizeof(struct in_addr), NULL);
962 break;
963
964 case DNS_TYPE_AAAA:
965 r = dns_packet_append_blob(p, &rr->aaaa.in6_addr, sizeof(struct in6_addr), NULL);
966 break;
967
968 case DNS_TYPE_SOA:
969 r = dns_packet_append_name(p, rr->soa.mname, true, true, NULL);
970 if (r < 0)
971 goto fail;
972
973 r = dns_packet_append_name(p, rr->soa.rname, true, true, NULL);
974 if (r < 0)
975 goto fail;
976
977 r = dns_packet_append_uint32(p, rr->soa.serial, NULL);
978 if (r < 0)
979 goto fail;
980
981 r = dns_packet_append_uint32(p, rr->soa.refresh, NULL);
982 if (r < 0)
983 goto fail;
984
985 r = dns_packet_append_uint32(p, rr->soa.retry, NULL);
986 if (r < 0)
987 goto fail;
988
989 r = dns_packet_append_uint32(p, rr->soa.expire, NULL);
990 if (r < 0)
991 goto fail;
992
993 r = dns_packet_append_uint32(p, rr->soa.minimum, NULL);
994 break;
995
996 case DNS_TYPE_MX:
997 r = dns_packet_append_uint16(p, rr->mx.priority, NULL);
998 if (r < 0)
999 goto fail;
1000
1001 r = dns_packet_append_name(p, rr->mx.exchange, true, true, NULL);
1002 break;
1003
1004 case DNS_TYPE_LOC:
1005 r = dns_packet_append_uint8(p, rr->loc.version, NULL);
1006 if (r < 0)
1007 goto fail;
1008
1009 r = dns_packet_append_uint8(p, rr->loc.size, NULL);
1010 if (r < 0)
1011 goto fail;
1012
1013 r = dns_packet_append_uint8(p, rr->loc.horiz_pre, NULL);
1014 if (r < 0)
1015 goto fail;
1016
1017 r = dns_packet_append_uint8(p, rr->loc.vert_pre, NULL);
1018 if (r < 0)
1019 goto fail;
1020
1021 r = dns_packet_append_uint32(p, rr->loc.latitude, NULL);
1022 if (r < 0)
1023 goto fail;
1024
1025 r = dns_packet_append_uint32(p, rr->loc.longitude, NULL);
1026 if (r < 0)
1027 goto fail;
1028
1029 r = dns_packet_append_uint32(p, rr->loc.altitude, NULL);
1030 break;
1031
1032 case DNS_TYPE_DS:
1033 r = dns_packet_append_uint16(p, rr->ds.key_tag, NULL);
1034 if (r < 0)
1035 goto fail;
1036
1037 r = dns_packet_append_uint8(p, rr->ds.algorithm, NULL);
1038 if (r < 0)
1039 goto fail;
1040
1041 r = dns_packet_append_uint8(p, rr->ds.digest_type, NULL);
1042 if (r < 0)
1043 goto fail;
1044
1045 r = dns_packet_append_blob(p, rr->ds.digest, rr->ds.digest_size, NULL);
1046 break;
1047
1048 case DNS_TYPE_SSHFP:
1049 r = dns_packet_append_uint8(p, rr->sshfp.algorithm, NULL);
1050 if (r < 0)
1051 goto fail;
1052
1053 r = dns_packet_append_uint8(p, rr->sshfp.fptype, NULL);
1054 if (r < 0)
1055 goto fail;
1056
1057 r = dns_packet_append_blob(p, rr->sshfp.fingerprint, rr->sshfp.fingerprint_size, NULL);
1058 break;
1059
1060 case DNS_TYPE_DNSKEY:
1061 r = dns_packet_append_uint16(p, rr->dnskey.flags, NULL);
1062 if (r < 0)
1063 goto fail;
1064
1065 r = dns_packet_append_uint8(p, rr->dnskey.protocol, NULL);
1066 if (r < 0)
1067 goto fail;
1068
1069 r = dns_packet_append_uint8(p, rr->dnskey.algorithm, NULL);
1070 if (r < 0)
1071 goto fail;
1072
1073 r = dns_packet_append_blob(p, rr->dnskey.key, rr->dnskey.key_size, NULL);
1074 break;
1075
1076 case DNS_TYPE_RRSIG:
1077 r = dns_packet_append_uint16(p, rr->rrsig.type_covered, NULL);
1078 if (r < 0)
1079 goto fail;
1080
1081 r = dns_packet_append_uint8(p, rr->rrsig.algorithm, NULL);
1082 if (r < 0)
1083 goto fail;
1084
1085 r = dns_packet_append_uint8(p, rr->rrsig.labels, NULL);
1086 if (r < 0)
1087 goto fail;
1088
1089 r = dns_packet_append_uint32(p, rr->rrsig.original_ttl, NULL);
1090 if (r < 0)
1091 goto fail;
1092
1093 r = dns_packet_append_uint32(p, rr->rrsig.expiration, NULL);
1094 if (r < 0)
1095 goto fail;
1096
1097 r = dns_packet_append_uint32(p, rr->rrsig.inception, NULL);
1098 if (r < 0)
1099 goto fail;
1100
1101 r = dns_packet_append_uint16(p, rr->rrsig.key_tag, NULL);
1102 if (r < 0)
1103 goto fail;
1104
1105 r = dns_packet_append_name(p, rr->rrsig.signer, false, true, NULL);
1106 if (r < 0)
1107 goto fail;
1108
1109 r = dns_packet_append_blob(p, rr->rrsig.signature, rr->rrsig.signature_size, NULL);
1110 break;
1111
1112 case DNS_TYPE_NSEC:
1113 r = dns_packet_append_name(p, rr->nsec.next_domain_name, false, false, NULL);
1114 if (r < 0)
1115 goto fail;
1116
1117 r = dns_packet_append_types(p, rr->nsec.types, NULL);
1118 if (r < 0)
1119 goto fail;
1120
1121 break;
1122
1123 case DNS_TYPE_NSEC3:
1124 r = dns_packet_append_uint8(p, rr->nsec3.algorithm, NULL);
1125 if (r < 0)
1126 goto fail;
1127
1128 r = dns_packet_append_uint8(p, rr->nsec3.flags, NULL);
1129 if (r < 0)
1130 goto fail;
1131
1132 r = dns_packet_append_uint16(p, rr->nsec3.iterations, NULL);
1133 if (r < 0)
1134 goto fail;
1135
1136 r = dns_packet_append_uint8(p, rr->nsec3.salt_size, NULL);
1137 if (r < 0)
1138 goto fail;
1139
1140 r = dns_packet_append_blob(p, rr->nsec3.salt, rr->nsec3.salt_size, NULL);
1141 if (r < 0)
1142 goto fail;
1143
1144 r = dns_packet_append_uint8(p, rr->nsec3.next_hashed_name_size, NULL);
1145 if (r < 0)
1146 goto fail;
1147
1148 r = dns_packet_append_blob(p, rr->nsec3.next_hashed_name, rr->nsec3.next_hashed_name_size, NULL);
1149 if (r < 0)
1150 goto fail;
1151
1152 r = dns_packet_append_types(p, rr->nsec3.types, NULL);
1153 if (r < 0)
1154 goto fail;
1155
1156 break;
1157
1158 case DNS_TYPE_TLSA:
1159 r = dns_packet_append_uint8(p, rr->tlsa.cert_usage, NULL);
1160 if (r < 0)
1161 goto fail;
1162
1163 r = dns_packet_append_uint8(p, rr->tlsa.selector, NULL);
1164 if (r < 0)
1165 goto fail;
1166
1167 r = dns_packet_append_uint8(p, rr->tlsa.matching_type, NULL);
1168 if (r < 0)
1169 goto fail;
1170
1171 r = dns_packet_append_blob(p, rr->tlsa.data, rr->tlsa.data_size, NULL);
1172 break;
1173
1174 case DNS_TYPE_CAA:
1175 r = dns_packet_append_uint8(p, rr->caa.flags, NULL);
1176 if (r < 0)
1177 goto fail;
1178
1179 r = dns_packet_append_string(p, rr->caa.tag, NULL);
1180 if (r < 0)
1181 goto fail;
1182
1183 r = dns_packet_append_blob(p, rr->caa.value, rr->caa.value_size, NULL);
1184 break;
1185
1186 case DNS_TYPE_OPT:
1187 case DNS_TYPE_OPENPGPKEY:
1188 case _DNS_TYPE_INVALID: /* unparsable */
1189 default:
1190
1191 r = dns_packet_append_blob(p, rr->generic.data, rr->generic.data_size, NULL);
1192 break;
1193 }
1194 if (r < 0)
1195 goto fail;
1196
1197 /* Let's calculate the actual data size and update the field */
1198 rdlength = p->size - rdlength_offset - sizeof(uint16_t);
1199 if (rdlength > 0xFFFF) {
1200 r = -ENOSPC;
1201 goto fail;
1202 }
1203
1204 end = p->size;
1205 p->size = rdlength_offset;
1206 r = dns_packet_append_uint16(p, rdlength, NULL);
1207 if (r < 0)
1208 goto fail;
1209 p->size = end;
1210
1211 if (start)
1212 *start = saved_size;
1213
1214 if (rdata_start)
1215 *rdata_start = rds;
1216
1217 return 0;
1218
1219 fail:
1220 dns_packet_truncate(p, saved_size);
1221 return r;
1222 }
1223
1224 int dns_packet_append_question(DnsPacket *p, DnsQuestion *q) {
1225 DnsResourceKey *key;
1226 int r;
1227
1228 assert(p);
1229
1230 DNS_QUESTION_FOREACH(key, q) {
1231 r = dns_packet_append_key(p, key, 0, NULL);
1232 if (r < 0)
1233 return r;
1234 }
1235
1236 return 0;
1237 }
1238
1239 int dns_packet_append_answer(DnsPacket *p, DnsAnswer *a, unsigned *completed) {
1240 DnsResourceRecord *rr;
1241 DnsAnswerFlags flags;
1242 int r;
1243
1244 assert(p);
1245
1246 DNS_ANSWER_FOREACH_FLAGS(rr, flags, a) {
1247 r = dns_packet_append_rr(p, rr, flags, NULL, NULL);
1248 if (r < 0)
1249 return r;
1250
1251 if (completed)
1252 (*completed)++;
1253 }
1254
1255 return 0;
1256 }
1257
1258 int dns_packet_read(DnsPacket *p, size_t sz, const void **ret, size_t *start) {
1259 assert(p);
1260
1261 if (p->rindex + sz > p->size)
1262 return -EMSGSIZE;
1263
1264 if (ret)
1265 *ret = (uint8_t*) DNS_PACKET_DATA(p) + p->rindex;
1266
1267 if (start)
1268 *start = p->rindex;
1269
1270 p->rindex += sz;
1271 return 0;
1272 }
1273
1274 void dns_packet_rewind(DnsPacket *p, size_t idx) {
1275 assert(p);
1276 assert(idx <= p->size);
1277 assert(idx >= DNS_PACKET_HEADER_SIZE);
1278
1279 p->rindex = idx;
1280 }
1281
1282 int dns_packet_read_blob(DnsPacket *p, void *d, size_t sz, size_t *start) {
1283 const void *q;
1284 int r;
1285
1286 assert(p);
1287 assert(d);
1288
1289 r = dns_packet_read(p, sz, &q, start);
1290 if (r < 0)
1291 return r;
1292
1293 memcpy(d, q, sz);
1294 return 0;
1295 }
1296
1297 static int dns_packet_read_memdup(
1298 DnsPacket *p, size_t size,
1299 void **ret, size_t *ret_size,
1300 size_t *ret_start) {
1301
1302 const void *src;
1303 size_t start;
1304 int r;
1305
1306 assert(p);
1307 assert(ret);
1308
1309 r = dns_packet_read(p, size, &src, &start);
1310 if (r < 0)
1311 return r;
1312
1313 if (size <= 0)
1314 *ret = NULL;
1315 else {
1316 void *copy;
1317
1318 copy = memdup(src, size);
1319 if (!copy)
1320 return -ENOMEM;
1321
1322 *ret = copy;
1323 }
1324
1325 if (ret_size)
1326 *ret_size = size;
1327 if (ret_start)
1328 *ret_start = start;
1329
1330 return 0;
1331 }
1332
1333 int dns_packet_read_uint8(DnsPacket *p, uint8_t *ret, size_t *start) {
1334 const void *d;
1335 int r;
1336
1337 assert(p);
1338
1339 r = dns_packet_read(p, sizeof(uint8_t), &d, start);
1340 if (r < 0)
1341 return r;
1342
1343 *ret = ((uint8_t*) d)[0];
1344 return 0;
1345 }
1346
1347 int dns_packet_read_uint16(DnsPacket *p, uint16_t *ret, size_t *start) {
1348 const void *d;
1349 int r;
1350
1351 assert(p);
1352
1353 r = dns_packet_read(p, sizeof(uint16_t), &d, start);
1354 if (r < 0)
1355 return r;
1356
1357 if (ret)
1358 *ret = unaligned_read_be16(d);
1359
1360 return 0;
1361 }
1362
1363 int dns_packet_read_uint32(DnsPacket *p, uint32_t *ret, size_t *start) {
1364 const void *d;
1365 int r;
1366
1367 assert(p);
1368
1369 r = dns_packet_read(p, sizeof(uint32_t), &d, start);
1370 if (r < 0)
1371 return r;
1372
1373 *ret = unaligned_read_be32(d);
1374
1375 return 0;
1376 }
1377
1378 int dns_packet_read_string(DnsPacket *p, char **ret, size_t *start) {
1379 _cleanup_(rewind_dns_packet) DnsPacketRewinder rewinder;
1380 const void *d;
1381 char *t;
1382 uint8_t c;
1383 int r;
1384
1385 assert(p);
1386 INIT_REWINDER(rewinder, p);
1387
1388 r = dns_packet_read_uint8(p, &c, NULL);
1389 if (r < 0)
1390 return r;
1391
1392 r = dns_packet_read(p, c, &d, NULL);
1393 if (r < 0)
1394 return r;
1395
1396 if (memchr(d, 0, c))
1397 return -EBADMSG;
1398
1399 t = strndup(d, c);
1400 if (!t)
1401 return -ENOMEM;
1402
1403 if (!utf8_is_valid(t)) {
1404 free(t);
1405 return -EBADMSG;
1406 }
1407
1408 *ret = t;
1409
1410 if (start)
1411 *start = rewinder.saved_rindex;
1412 CANCEL_REWINDER(rewinder);
1413
1414 return 0;
1415 }
1416
1417 int dns_packet_read_raw_string(DnsPacket *p, const void **ret, size_t *size, size_t *start) {
1418 _cleanup_(rewind_dns_packet) DnsPacketRewinder rewinder;
1419 uint8_t c;
1420 int r;
1421
1422 assert(p);
1423 INIT_REWINDER(rewinder, p);
1424
1425 r = dns_packet_read_uint8(p, &c, NULL);
1426 if (r < 0)
1427 return r;
1428
1429 r = dns_packet_read(p, c, ret, NULL);
1430 if (r < 0)
1431 return r;
1432
1433 if (size)
1434 *size = c;
1435 if (start)
1436 *start = rewinder.saved_rindex;
1437 CANCEL_REWINDER(rewinder);
1438
1439 return 0;
1440 }
1441
1442 int dns_packet_read_name(
1443 DnsPacket *p,
1444 char **ret,
1445 bool allow_compression,
1446 size_t *ret_start) {
1447
1448 _cleanup_(rewind_dns_packet) DnsPacketRewinder rewinder;
1449 size_t after_rindex = 0, jump_barrier;
1450 _cleanup_free_ char *name = NULL;
1451 size_t n = 0, allocated = 0;
1452 bool first = true;
1453 int r;
1454
1455 assert(p);
1456
1457 INIT_REWINDER(rewinder, p);
1458 jump_barrier = p->rindex;
1459
1460 if (p->refuse_compression)
1461 allow_compression = false;
1462
1463 for (;;) {
1464 uint8_t c, d;
1465
1466 r = dns_packet_read_uint8(p, &c, NULL);
1467 if (r < 0)
1468 return r;
1469
1470 if (c == 0)
1471 /* End of name */
1472 break;
1473 else if (c <= 63) {
1474 const char *label;
1475
1476 /* Literal label */
1477 r = dns_packet_read(p, c, (const void**) &label, NULL);
1478 if (r < 0)
1479 return r;
1480
1481 if (!GREEDY_REALLOC(name, allocated, n + !first + DNS_LABEL_ESCAPED_MAX))
1482 return -ENOMEM;
1483
1484 if (first)
1485 first = false;
1486 else
1487 name[n++] = '.';
1488
1489 r = dns_label_escape(label, c, name + n, DNS_LABEL_ESCAPED_MAX);
1490 if (r < 0)
1491 return r;
1492
1493 n += r;
1494 continue;
1495 } else if (allow_compression && FLAGS_SET(c, 0xc0)) {
1496 uint16_t ptr;
1497
1498 /* Pointer */
1499 r = dns_packet_read_uint8(p, &d, NULL);
1500 if (r < 0)
1501 return r;
1502
1503 ptr = (uint16_t) (c & ~0xc0) << 8 | (uint16_t) d;
1504 if (ptr < DNS_PACKET_HEADER_SIZE || ptr >= jump_barrier)
1505 return -EBADMSG;
1506
1507 if (after_rindex == 0)
1508 after_rindex = p->rindex;
1509
1510 /* Jumps are limited to a "prior occurrence" (RFC-1035 4.1.4) */
1511 jump_barrier = ptr;
1512 p->rindex = ptr;
1513 } else
1514 return -EBADMSG;
1515 }
1516
1517 if (!GREEDY_REALLOC(name, allocated, n + 1))
1518 return -ENOMEM;
1519
1520 name[n] = 0;
1521
1522 if (after_rindex != 0)
1523 p->rindex= after_rindex;
1524
1525 if (ret)
1526 *ret = TAKE_PTR(name);
1527 if (ret_start)
1528 *ret_start = rewinder.saved_rindex;
1529
1530 CANCEL_REWINDER(rewinder);
1531
1532 return 0;
1533 }
1534
1535 static int dns_packet_read_type_window(DnsPacket *p, Bitmap **types, size_t *start) {
1536 uint8_t window;
1537 uint8_t length;
1538 const uint8_t *bitmap;
1539 uint8_t bit = 0;
1540 unsigned i;
1541 bool found = false;
1542 _cleanup_(rewind_dns_packet) DnsPacketRewinder rewinder;
1543 int r;
1544
1545 assert(p);
1546 assert(types);
1547 INIT_REWINDER(rewinder, p);
1548
1549 r = bitmap_ensure_allocated(types);
1550 if (r < 0)
1551 return r;
1552
1553 r = dns_packet_read_uint8(p, &window, NULL);
1554 if (r < 0)
1555 return r;
1556
1557 r = dns_packet_read_uint8(p, &length, NULL);
1558 if (r < 0)
1559 return r;
1560
1561 if (length == 0 || length > 32)
1562 return -EBADMSG;
1563
1564 r = dns_packet_read(p, length, (const void **)&bitmap, NULL);
1565 if (r < 0)
1566 return r;
1567
1568 for (i = 0; i < length; i++) {
1569 uint8_t bitmask = 1 << 7;
1570
1571 if (!bitmap[i]) {
1572 found = false;
1573 bit += 8;
1574 continue;
1575 }
1576
1577 found = true;
1578
1579 for (; bitmask; bit++, bitmask >>= 1)
1580 if (bitmap[i] & bitmask) {
1581 uint16_t n;
1582
1583 n = (uint16_t) window << 8 | (uint16_t) bit;
1584
1585 /* Ignore pseudo-types. see RFC4034 section 4.1.2 */
1586 if (dns_type_is_pseudo(n))
1587 continue;
1588
1589 r = bitmap_set(*types, n);
1590 if (r < 0)
1591 return r;
1592 }
1593 }
1594
1595 if (!found)
1596 return -EBADMSG;
1597
1598 if (start)
1599 *start = rewinder.saved_rindex;
1600 CANCEL_REWINDER(rewinder);
1601
1602 return 0;
1603 }
1604
1605 static int dns_packet_read_type_windows(DnsPacket *p, Bitmap **types, size_t size, size_t *start) {
1606 _cleanup_(rewind_dns_packet) DnsPacketRewinder rewinder;
1607 int r;
1608
1609 INIT_REWINDER(rewinder, p);
1610
1611 while (p->rindex < rewinder.saved_rindex + size) {
1612 r = dns_packet_read_type_window(p, types, NULL);
1613 if (r < 0)
1614 return r;
1615
1616 /* don't read past end of current RR */
1617 if (p->rindex > rewinder.saved_rindex + size)
1618 return -EBADMSG;
1619 }
1620
1621 if (p->rindex != rewinder.saved_rindex + size)
1622 return -EBADMSG;
1623
1624 if (start)
1625 *start = rewinder.saved_rindex;
1626 CANCEL_REWINDER(rewinder);
1627
1628 return 0;
1629 }
1630
1631 int dns_packet_read_key(
1632 DnsPacket *p,
1633 DnsResourceKey **ret,
1634 bool *ret_cache_flush,
1635 size_t *ret_start) {
1636
1637 _cleanup_(rewind_dns_packet) DnsPacketRewinder rewinder;
1638 _cleanup_free_ char *name = NULL;
1639 bool cache_flush = false;
1640 uint16_t class, type;
1641 int r;
1642
1643 assert(p);
1644 INIT_REWINDER(rewinder, p);
1645
1646 r = dns_packet_read_name(p, &name, true, NULL);
1647 if (r < 0)
1648 return r;
1649
1650 r = dns_packet_read_uint16(p, &type, NULL);
1651 if (r < 0)
1652 return r;
1653
1654 r = dns_packet_read_uint16(p, &class, NULL);
1655 if (r < 0)
1656 return r;
1657
1658 if (p->protocol == DNS_PROTOCOL_MDNS) {
1659 /* See RFC6762, Section 10.2 */
1660
1661 if (type != DNS_TYPE_OPT && (class & MDNS_RR_CACHE_FLUSH)) {
1662 class &= ~MDNS_RR_CACHE_FLUSH;
1663 cache_flush = true;
1664 }
1665 }
1666
1667 if (ret) {
1668 DnsResourceKey *key;
1669
1670 key = dns_resource_key_new_consume(class, type, name);
1671 if (!key)
1672 return -ENOMEM;
1673
1674 TAKE_PTR(name);
1675 *ret = key;
1676 }
1677
1678 if (ret_cache_flush)
1679 *ret_cache_flush = cache_flush;
1680 if (ret_start)
1681 *ret_start = rewinder.saved_rindex;
1682
1683 CANCEL_REWINDER(rewinder);
1684 return 0;
1685 }
1686
1687 static bool loc_size_ok(uint8_t size) {
1688 uint8_t m = size >> 4, e = size & 0xF;
1689
1690 return m <= 9 && e <= 9 && (m > 0 || e == 0);
1691 }
1692
1693 int dns_packet_read_rr(
1694 DnsPacket *p,
1695 DnsResourceRecord **ret,
1696 bool *ret_cache_flush,
1697 size_t *ret_start) {
1698
1699 _cleanup_(dns_resource_record_unrefp) DnsResourceRecord *rr = NULL;
1700 _cleanup_(dns_resource_key_unrefp) DnsResourceKey *key = NULL;
1701 _cleanup_(rewind_dns_packet) DnsPacketRewinder rewinder;
1702 size_t offset;
1703 uint16_t rdlength;
1704 bool cache_flush;
1705 int r;
1706
1707 assert(p);
1708
1709 INIT_REWINDER(rewinder, p);
1710
1711 r = dns_packet_read_key(p, &key, &cache_flush, NULL);
1712 if (r < 0)
1713 return r;
1714
1715 if (!dns_class_is_valid_rr(key->class) || !dns_type_is_valid_rr(key->type))
1716 return -EBADMSG;
1717
1718 rr = dns_resource_record_new(key);
1719 if (!rr)
1720 return -ENOMEM;
1721
1722 r = dns_packet_read_uint32(p, &rr->ttl, NULL);
1723 if (r < 0)
1724 return r;
1725
1726 /* RFC 2181, Section 8, suggests to
1727 * treat a TTL with the MSB set as a zero TTL. */
1728 if (rr->ttl & UINT32_C(0x80000000))
1729 rr->ttl = 0;
1730
1731 r = dns_packet_read_uint16(p, &rdlength, NULL);
1732 if (r < 0)
1733 return r;
1734
1735 if (p->rindex + rdlength > p->size)
1736 return -EBADMSG;
1737
1738 offset = p->rindex;
1739
1740 switch (rr->key->type) {
1741
1742 case DNS_TYPE_SRV:
1743 r = dns_packet_read_uint16(p, &rr->srv.priority, NULL);
1744 if (r < 0)
1745 return r;
1746 r = dns_packet_read_uint16(p, &rr->srv.weight, NULL);
1747 if (r < 0)
1748 return r;
1749 r = dns_packet_read_uint16(p, &rr->srv.port, NULL);
1750 if (r < 0)
1751 return r;
1752 r = dns_packet_read_name(p, &rr->srv.name, true, NULL);
1753 break;
1754
1755 case DNS_TYPE_PTR:
1756 case DNS_TYPE_NS:
1757 case DNS_TYPE_CNAME:
1758 case DNS_TYPE_DNAME:
1759 r = dns_packet_read_name(p, &rr->ptr.name, true, NULL);
1760 break;
1761
1762 case DNS_TYPE_HINFO:
1763 r = dns_packet_read_string(p, &rr->hinfo.cpu, NULL);
1764 if (r < 0)
1765 return r;
1766
1767 r = dns_packet_read_string(p, &rr->hinfo.os, NULL);
1768 break;
1769
1770 case DNS_TYPE_SPF: /* exactly the same as TXT */
1771 case DNS_TYPE_TXT:
1772 if (rdlength <= 0) {
1773 r = dns_txt_item_new_empty(&rr->txt.items);
1774 if (r < 0)
1775 return r;
1776 } else {
1777 DnsTxtItem *last = NULL;
1778
1779 while (p->rindex < offset + rdlength) {
1780 DnsTxtItem *i;
1781 const void *data;
1782 size_t sz;
1783
1784 r = dns_packet_read_raw_string(p, &data, &sz, NULL);
1785 if (r < 0)
1786 return r;
1787
1788 i = malloc0(offsetof(DnsTxtItem, data) + sz + 1); /* extra NUL byte at the end */
1789 if (!i)
1790 return -ENOMEM;
1791
1792 memcpy(i->data, data, sz);
1793 i->length = sz;
1794
1795 LIST_INSERT_AFTER(items, rr->txt.items, last, i);
1796 last = i;
1797 }
1798 }
1799
1800 r = 0;
1801 break;
1802
1803 case DNS_TYPE_A:
1804 r = dns_packet_read_blob(p, &rr->a.in_addr, sizeof(struct in_addr), NULL);
1805 break;
1806
1807 case DNS_TYPE_AAAA:
1808 r = dns_packet_read_blob(p, &rr->aaaa.in6_addr, sizeof(struct in6_addr), NULL);
1809 break;
1810
1811 case DNS_TYPE_SOA:
1812 r = dns_packet_read_name(p, &rr->soa.mname, true, NULL);
1813 if (r < 0)
1814 return r;
1815
1816 r = dns_packet_read_name(p, &rr->soa.rname, true, NULL);
1817 if (r < 0)
1818 return r;
1819
1820 r = dns_packet_read_uint32(p, &rr->soa.serial, NULL);
1821 if (r < 0)
1822 return r;
1823
1824 r = dns_packet_read_uint32(p, &rr->soa.refresh, NULL);
1825 if (r < 0)
1826 return r;
1827
1828 r = dns_packet_read_uint32(p, &rr->soa.retry, NULL);
1829 if (r < 0)
1830 return r;
1831
1832 r = dns_packet_read_uint32(p, &rr->soa.expire, NULL);
1833 if (r < 0)
1834 return r;
1835
1836 r = dns_packet_read_uint32(p, &rr->soa.minimum, NULL);
1837 break;
1838
1839 case DNS_TYPE_MX:
1840 r = dns_packet_read_uint16(p, &rr->mx.priority, NULL);
1841 if (r < 0)
1842 return r;
1843
1844 r = dns_packet_read_name(p, &rr->mx.exchange, true, NULL);
1845 break;
1846
1847 case DNS_TYPE_LOC: {
1848 uint8_t t;
1849 size_t pos;
1850
1851 r = dns_packet_read_uint8(p, &t, &pos);
1852 if (r < 0)
1853 return r;
1854
1855 if (t == 0) {
1856 rr->loc.version = t;
1857
1858 r = dns_packet_read_uint8(p, &rr->loc.size, NULL);
1859 if (r < 0)
1860 return r;
1861
1862 if (!loc_size_ok(rr->loc.size))
1863 return -EBADMSG;
1864
1865 r = dns_packet_read_uint8(p, &rr->loc.horiz_pre, NULL);
1866 if (r < 0)
1867 return r;
1868
1869 if (!loc_size_ok(rr->loc.horiz_pre))
1870 return -EBADMSG;
1871
1872 r = dns_packet_read_uint8(p, &rr->loc.vert_pre, NULL);
1873 if (r < 0)
1874 return r;
1875
1876 if (!loc_size_ok(rr->loc.vert_pre))
1877 return -EBADMSG;
1878
1879 r = dns_packet_read_uint32(p, &rr->loc.latitude, NULL);
1880 if (r < 0)
1881 return r;
1882
1883 r = dns_packet_read_uint32(p, &rr->loc.longitude, NULL);
1884 if (r < 0)
1885 return r;
1886
1887 r = dns_packet_read_uint32(p, &rr->loc.altitude, NULL);
1888 if (r < 0)
1889 return r;
1890
1891 break;
1892 } else {
1893 dns_packet_rewind(p, pos);
1894 rr->unparsable = true;
1895 goto unparsable;
1896 }
1897 }
1898
1899 case DNS_TYPE_DS:
1900 r = dns_packet_read_uint16(p, &rr->ds.key_tag, NULL);
1901 if (r < 0)
1902 return r;
1903
1904 r = dns_packet_read_uint8(p, &rr->ds.algorithm, NULL);
1905 if (r < 0)
1906 return r;
1907
1908 r = dns_packet_read_uint8(p, &rr->ds.digest_type, NULL);
1909 if (r < 0)
1910 return r;
1911
1912 if (rdlength < 4)
1913 return -EBADMSG;
1914
1915 r = dns_packet_read_memdup(p, rdlength - 4,
1916 &rr->ds.digest, &rr->ds.digest_size,
1917 NULL);
1918 if (r < 0)
1919 return r;
1920
1921 if (rr->ds.digest_size <= 0)
1922 /* the accepted size depends on the algorithm, but for now
1923 just ensure that the value is greater than zero */
1924 return -EBADMSG;
1925
1926 break;
1927
1928 case DNS_TYPE_SSHFP:
1929 r = dns_packet_read_uint8(p, &rr->sshfp.algorithm, NULL);
1930 if (r < 0)
1931 return r;
1932
1933 r = dns_packet_read_uint8(p, &rr->sshfp.fptype, NULL);
1934 if (r < 0)
1935 return r;
1936
1937 if (rdlength < 2)
1938 return -EBADMSG;
1939
1940 r = dns_packet_read_memdup(p, rdlength - 2,
1941 &rr->sshfp.fingerprint, &rr->sshfp.fingerprint_size,
1942 NULL);
1943
1944 if (rr->sshfp.fingerprint_size <= 0)
1945 /* the accepted size depends on the algorithm, but for now
1946 just ensure that the value is greater than zero */
1947 return -EBADMSG;
1948
1949 break;
1950
1951 case DNS_TYPE_DNSKEY:
1952 r = dns_packet_read_uint16(p, &rr->dnskey.flags, NULL);
1953 if (r < 0)
1954 return r;
1955
1956 r = dns_packet_read_uint8(p, &rr->dnskey.protocol, NULL);
1957 if (r < 0)
1958 return r;
1959
1960 r = dns_packet_read_uint8(p, &rr->dnskey.algorithm, NULL);
1961 if (r < 0)
1962 return r;
1963
1964 if (rdlength < 4)
1965 return -EBADMSG;
1966
1967 r = dns_packet_read_memdup(p, rdlength - 4,
1968 &rr->dnskey.key, &rr->dnskey.key_size,
1969 NULL);
1970
1971 if (rr->dnskey.key_size <= 0)
1972 /* the accepted size depends on the algorithm, but for now
1973 just ensure that the value is greater than zero */
1974 return -EBADMSG;
1975
1976 break;
1977
1978 case DNS_TYPE_RRSIG:
1979 r = dns_packet_read_uint16(p, &rr->rrsig.type_covered, NULL);
1980 if (r < 0)
1981 return r;
1982
1983 r = dns_packet_read_uint8(p, &rr->rrsig.algorithm, NULL);
1984 if (r < 0)
1985 return r;
1986
1987 r = dns_packet_read_uint8(p, &rr->rrsig.labels, NULL);
1988 if (r < 0)
1989 return r;
1990
1991 r = dns_packet_read_uint32(p, &rr->rrsig.original_ttl, NULL);
1992 if (r < 0)
1993 return r;
1994
1995 r = dns_packet_read_uint32(p, &rr->rrsig.expiration, NULL);
1996 if (r < 0)
1997 return r;
1998
1999 r = dns_packet_read_uint32(p, &rr->rrsig.inception, NULL);
2000 if (r < 0)
2001 return r;
2002
2003 r = dns_packet_read_uint16(p, &rr->rrsig.key_tag, NULL);
2004 if (r < 0)
2005 return r;
2006
2007 r = dns_packet_read_name(p, &rr->rrsig.signer, false, NULL);
2008 if (r < 0)
2009 return r;
2010
2011 if (rdlength + offset < p->rindex)
2012 return -EBADMSG;
2013
2014 r = dns_packet_read_memdup(p, offset + rdlength - p->rindex,
2015 &rr->rrsig.signature, &rr->rrsig.signature_size,
2016 NULL);
2017
2018 if (rr->rrsig.signature_size <= 0)
2019 /* the accepted size depends on the algorithm, but for now
2020 just ensure that the value is greater than zero */
2021 return -EBADMSG;
2022
2023 break;
2024
2025 case DNS_TYPE_NSEC: {
2026
2027 /*
2028 * RFC6762, section 18.14 explicitly states mDNS should use name compression.
2029 * This contradicts RFC3845, section 2.1.1
2030 */
2031
2032 bool allow_compressed = p->protocol == DNS_PROTOCOL_MDNS;
2033
2034 r = dns_packet_read_name(p, &rr->nsec.next_domain_name, allow_compressed, NULL);
2035 if (r < 0)
2036 return r;
2037
2038 r = dns_packet_read_type_windows(p, &rr->nsec.types, offset + rdlength - p->rindex, NULL);
2039
2040 /* We accept empty NSEC bitmaps. The bit indicating the presence of the NSEC record itself
2041 * is redundant and in e.g., RFC4956 this fact is used to define a use for NSEC records
2042 * without the NSEC bit set. */
2043
2044 break;
2045 }
2046 case DNS_TYPE_NSEC3: {
2047 uint8_t size;
2048
2049 r = dns_packet_read_uint8(p, &rr->nsec3.algorithm, NULL);
2050 if (r < 0)
2051 return r;
2052
2053 r = dns_packet_read_uint8(p, &rr->nsec3.flags, NULL);
2054 if (r < 0)
2055 return r;
2056
2057 r = dns_packet_read_uint16(p, &rr->nsec3.iterations, NULL);
2058 if (r < 0)
2059 return r;
2060
2061 /* this may be zero */
2062 r = dns_packet_read_uint8(p, &size, NULL);
2063 if (r < 0)
2064 return r;
2065
2066 r = dns_packet_read_memdup(p, size, &rr->nsec3.salt, &rr->nsec3.salt_size, NULL);
2067 if (r < 0)
2068 return r;
2069
2070 r = dns_packet_read_uint8(p, &size, NULL);
2071 if (r < 0)
2072 return r;
2073
2074 if (size <= 0)
2075 return -EBADMSG;
2076
2077 r = dns_packet_read_memdup(p, size,
2078 &rr->nsec3.next_hashed_name, &rr->nsec3.next_hashed_name_size,
2079 NULL);
2080 if (r < 0)
2081 return r;
2082
2083 r = dns_packet_read_type_windows(p, &rr->nsec3.types, offset + rdlength - p->rindex, NULL);
2084
2085 /* empty non-terminals can have NSEC3 records, so empty bitmaps are allowed */
2086
2087 break;
2088 }
2089
2090 case DNS_TYPE_TLSA:
2091 r = dns_packet_read_uint8(p, &rr->tlsa.cert_usage, NULL);
2092 if (r < 0)
2093 return r;
2094
2095 r = dns_packet_read_uint8(p, &rr->tlsa.selector, NULL);
2096 if (r < 0)
2097 return r;
2098
2099 r = dns_packet_read_uint8(p, &rr->tlsa.matching_type, NULL);
2100 if (r < 0)
2101 return r;
2102
2103 if (rdlength < 3)
2104 return -EBADMSG;
2105
2106 r = dns_packet_read_memdup(p, rdlength - 3,
2107 &rr->tlsa.data, &rr->tlsa.data_size,
2108 NULL);
2109
2110 if (rr->tlsa.data_size <= 0)
2111 /* the accepted size depends on the algorithm, but for now
2112 just ensure that the value is greater than zero */
2113 return -EBADMSG;
2114
2115 break;
2116
2117 case DNS_TYPE_CAA:
2118 r = dns_packet_read_uint8(p, &rr->caa.flags, NULL);
2119 if (r < 0)
2120 return r;
2121
2122 r = dns_packet_read_string(p, &rr->caa.tag, NULL);
2123 if (r < 0)
2124 return r;
2125
2126 if (rdlength + offset < p->rindex)
2127 return -EBADMSG;
2128
2129 r = dns_packet_read_memdup(p,
2130 rdlength + offset - p->rindex,
2131 &rr->caa.value, &rr->caa.value_size, NULL);
2132
2133 break;
2134
2135 case DNS_TYPE_OPT: /* we only care about the header of OPT for now. */
2136 case DNS_TYPE_OPENPGPKEY:
2137 default:
2138 unparsable:
2139 r = dns_packet_read_memdup(p, rdlength, &rr->generic.data, &rr->generic.data_size, NULL);
2140
2141 break;
2142 }
2143 if (r < 0)
2144 return r;
2145 if (p->rindex != offset + rdlength)
2146 return -EBADMSG;
2147
2148 if (ret)
2149 *ret = TAKE_PTR(rr);
2150 if (ret_cache_flush)
2151 *ret_cache_flush = cache_flush;
2152 if (ret_start)
2153 *ret_start = rewinder.saved_rindex;
2154
2155 CANCEL_REWINDER(rewinder);
2156 return 0;
2157 }
2158
2159 static bool opt_is_good(DnsResourceRecord *rr, bool *rfc6975) {
2160 const uint8_t* p;
2161 bool found_dau_dhu_n3u = false;
2162 size_t l;
2163
2164 /* Checks whether the specified OPT RR is well-formed and whether it contains RFC6975 data (which is not OK in
2165 * a reply). */
2166
2167 assert(rr);
2168 assert(rr->key->type == DNS_TYPE_OPT);
2169
2170 /* Check that the version is 0 */
2171 if (((rr->ttl >> 16) & UINT32_C(0xFF)) != 0) {
2172 *rfc6975 = false;
2173 return true; /* if it's not version 0, it's OK, but we will ignore the OPT field contents */
2174 }
2175
2176 p = rr->opt.data;
2177 l = rr->opt.data_size;
2178 while (l > 0) {
2179 uint16_t option_code, option_length;
2180
2181 /* At least four bytes for OPTION-CODE and OPTION-LENGTH are required */
2182 if (l < 4U)
2183 return false;
2184
2185 option_code = unaligned_read_be16(p);
2186 option_length = unaligned_read_be16(p + 2);
2187
2188 if (l < option_length + 4U)
2189 return false;
2190
2191 /* RFC 6975 DAU, DHU or N3U fields found. */
2192 if (IN_SET(option_code, 5, 6, 7))
2193 found_dau_dhu_n3u = true;
2194
2195 p += option_length + 4U;
2196 l -= option_length + 4U;
2197 }
2198
2199 *rfc6975 = found_dau_dhu_n3u;
2200 return true;
2201 }
2202
2203 static int dns_packet_extract_question(DnsPacket *p, DnsQuestion **ret_question) {
2204 _cleanup_(dns_question_unrefp) DnsQuestion *question = NULL;
2205 unsigned n, i;
2206 int r;
2207
2208 n = DNS_PACKET_QDCOUNT(p);
2209 if (n > 0) {
2210 question = dns_question_new(n);
2211 if (!question)
2212 return -ENOMEM;
2213
2214 _cleanup_set_free_ Set *keys = NULL; /* references to keys are kept by Question */
2215
2216 keys = set_new(&dns_resource_key_hash_ops);
2217 if (!keys)
2218 return log_oom();
2219
2220 r = set_reserve(keys, n * 2); /* Higher multipliers give slightly higher efficiency through
2221 * hash collisions, but the gains quickly drop off after 2. */
2222 if (r < 0)
2223 return r;
2224
2225 for (i = 0; i < n; i++) {
2226 _cleanup_(dns_resource_key_unrefp) DnsResourceKey *key = NULL;
2227 bool cache_flush;
2228
2229 r = dns_packet_read_key(p, &key, &cache_flush, NULL);
2230 if (r < 0)
2231 return r;
2232
2233 if (cache_flush)
2234 return -EBADMSG;
2235
2236 if (!dns_type_is_valid_query(key->type))
2237 return -EBADMSG;
2238
2239 r = set_put(keys, key);
2240 if (r < 0)
2241 return r;
2242 if (r == 0)
2243 /* Already in the Question, let's skip */
2244 continue;
2245
2246 r = dns_question_add_raw(question, key);
2247 if (r < 0)
2248 return r;
2249 }
2250 }
2251
2252 *ret_question = TAKE_PTR(question);
2253
2254 return 0;
2255 }
2256
2257 static int dns_packet_extract_answer(DnsPacket *p, DnsAnswer **ret_answer) {
2258 _cleanup_(dns_answer_unrefp) DnsAnswer *answer = NULL;
2259 unsigned n, i;
2260 _cleanup_(dns_resource_record_unrefp) DnsResourceRecord *previous = NULL;
2261 bool bad_opt = false;
2262 int r;
2263
2264 n = DNS_PACKET_RRCOUNT(p);
2265 if (n == 0)
2266 return 0;
2267
2268 answer = dns_answer_new(n);
2269 if (!answer)
2270 return -ENOMEM;
2271
2272 for (i = 0; i < n; i++) {
2273 _cleanup_(dns_resource_record_unrefp) DnsResourceRecord *rr = NULL;
2274 bool cache_flush = false;
2275 size_t start;
2276
2277 if (p->rindex == p->size) {
2278 /* If we reached the end of the packet already, but there are still more RRs
2279 * declared, then that's a corrupt packet. Let's accept the packet anyway, since it's
2280 * apparently a common bug in routers. Let's however suppress OPT support in this
2281 * case, so that we force the rest of the logic into lowest DNS baseline support. Or
2282 * to say this differently: if the DNS server doesn't even get the RR counts right,
2283 * it's highly unlikely it gets EDNS right. */
2284 log_debug("More resource records declared in packet than included, suppressing OPT.");
2285 bad_opt = true;
2286 break;
2287 }
2288
2289 r = dns_packet_read_rr(p, &rr, &cache_flush, &start);
2290 if (r < 0)
2291 return r;
2292
2293 /* Try to reduce memory usage a bit */
2294 if (previous)
2295 dns_resource_key_reduce(&rr->key, &previous->key);
2296
2297 if (rr->key->type == DNS_TYPE_OPT) {
2298 bool has_rfc6975;
2299
2300 if (p->opt || bad_opt) {
2301 /* Multiple OPT RRs? if so, let's ignore all, because there's
2302 * something wrong with the server, and if one is valid we wouldn't
2303 * know which one. */
2304 log_debug("Multiple OPT RRs detected, ignoring all.");
2305 bad_opt = true;
2306 continue;
2307 }
2308
2309 if (!dns_name_is_root(dns_resource_key_name(rr->key))) {
2310 /* If the OPT RR is not owned by the root domain, then it is bad,
2311 * let's ignore it. */
2312 log_debug("OPT RR is not owned by root domain, ignoring.");
2313 bad_opt = true;
2314 continue;
2315 }
2316
2317 if (i < DNS_PACKET_ANCOUNT(p) + DNS_PACKET_NSCOUNT(p)) {
2318 /* OPT RR is in the wrong section? Some Belkin routers do this. This
2319 * is a hint the EDNS implementation is borked, like the Belkin one
2320 * is, hence ignore it. */
2321 log_debug("OPT RR in wrong section, ignoring.");
2322 bad_opt = true;
2323 continue;
2324 }
2325
2326 if (!opt_is_good(rr, &has_rfc6975)) {
2327 log_debug("Malformed OPT RR, ignoring.");
2328 bad_opt = true;
2329 continue;
2330 }
2331
2332 if (DNS_PACKET_QR(p)) {
2333 /* Additional checks for responses */
2334
2335 if (!DNS_RESOURCE_RECORD_OPT_VERSION_SUPPORTED(rr))
2336 /* If this is a reply and we don't know the EDNS version
2337 * then something is weird... */
2338 return log_debug_errno(SYNTHETIC_ERRNO(EBADMSG),
2339 "EDNS version newer that our request, bad server.");
2340
2341 if (has_rfc6975) {
2342 /* If the OPT RR contains RFC6975 algorithm data, then this
2343 * is indication that the server just copied the OPT it got
2344 * from us (which contained that data) back into the reply.
2345 * If so, then it doesn't properly support EDNS, as RFC6975
2346 * makes it very clear that the algorithm data should only
2347 * be contained in questions, never in replies. Crappy
2348 * Belkin routers copy the OPT data for example, hence let's
2349 * detect this so that we downgrade early. */
2350 log_debug("OPT RR contains RFC6975 data, ignoring.");
2351 bad_opt = true;
2352 continue;
2353 }
2354 }
2355
2356 p->opt = dns_resource_record_ref(rr);
2357 p->opt_start = start;
2358 assert(p->rindex >= start);
2359 p->opt_size = p->rindex - start;
2360 } else {
2361 DnsAnswerFlags flags = 0;
2362
2363 if (p->protocol == DNS_PROTOCOL_MDNS && !cache_flush)
2364 flags |= DNS_ANSWER_SHARED_OWNER;
2365
2366 /* According to RFC 4795, section 2.9. only the RRs from the Answer section shall be
2367 * cached. Hence mark only those RRs as cacheable by default, but not the ones from
2368 * the Additional or Authority sections. */
2369 if (i < DNS_PACKET_ANCOUNT(p))
2370 flags |= DNS_ANSWER_CACHEABLE|DNS_ANSWER_SECTION_ANSWER;
2371 else if (i < DNS_PACKET_ANCOUNT(p) + DNS_PACKET_NSCOUNT(p))
2372 flags |= DNS_ANSWER_SECTION_AUTHORITY;
2373 else
2374 flags |= DNS_ANSWER_SECTION_ADDITIONAL;
2375
2376 r = dns_answer_add(answer, rr, p->ifindex, flags, NULL);
2377 if (r < 0)
2378 return r;
2379 }
2380
2381 /* Remember this RR, so that we potentically can merge it's ->key object with the
2382 * next RR. Note that we only do this if we actually decided to keep the RR around.
2383 */
2384 dns_resource_record_unref(previous);
2385 previous = dns_resource_record_ref(rr);
2386 }
2387
2388 if (bad_opt) {
2389 p->opt = dns_resource_record_unref(p->opt);
2390 p->opt_start = p->opt_size = SIZE_MAX;
2391 }
2392
2393 *ret_answer = TAKE_PTR(answer);
2394
2395 return 0;
2396 }
2397
2398 int dns_packet_extract(DnsPacket *p) {
2399 _cleanup_(dns_question_unrefp) DnsQuestion *question = NULL;
2400 _cleanup_(dns_answer_unrefp) DnsAnswer *answer = NULL;
2401 _cleanup_(rewind_dns_packet) DnsPacketRewinder rewinder = {};
2402 int r;
2403
2404 if (p->extracted)
2405 return 0;
2406
2407 INIT_REWINDER(rewinder, p);
2408 dns_packet_rewind(p, DNS_PACKET_HEADER_SIZE);
2409
2410 r = dns_packet_extract_question(p, &question);
2411 if (r < 0)
2412 return r;
2413
2414 r = dns_packet_extract_answer(p, &answer);
2415 if (r < 0)
2416 return r;
2417
2418 if (p->rindex < p->size) {
2419 log_debug("Trailing garbage in packet, suppressing OPT.");
2420 p->opt = dns_resource_record_unref(p->opt);
2421 p->opt_start = p->opt_size = SIZE_MAX;
2422 }
2423
2424 p->question = TAKE_PTR(question);
2425 p->answer = TAKE_PTR(answer);
2426
2427 p->extracted = true;
2428
2429 /* no CANCEL, always rewind */
2430 return 0;
2431 }
2432
2433 int dns_packet_is_reply_for(DnsPacket *p, const DnsResourceKey *key) {
2434 int r;
2435
2436 assert(p);
2437 assert(key);
2438
2439 /* Checks if the specified packet is a reply for the specified
2440 * key and the specified key is the only one in the question
2441 * section. */
2442
2443 if (DNS_PACKET_QR(p) != 1)
2444 return 0;
2445
2446 /* Let's unpack the packet, if that hasn't happened yet. */
2447 r = dns_packet_extract(p);
2448 if (r < 0)
2449 return r;
2450
2451 if (!p->question)
2452 return 0;
2453
2454 if (p->question->n_keys != 1)
2455 return 0;
2456
2457 return dns_resource_key_equal(p->question->keys[0], key);
2458 }
2459
2460 int dns_packet_patch_max_udp_size(DnsPacket *p, uint16_t max_udp_size) {
2461 assert(p);
2462 assert(max_udp_size >= DNS_PACKET_UNICAST_SIZE_MAX);
2463
2464 if (p->opt_start == (size_t) -1) /* No OPT section, nothing to patch */
2465 return 0;
2466
2467 assert(p->opt_size != (size_t) -1);
2468 assert(p->opt_size >= 5);
2469
2470 unaligned_write_be16(DNS_PACKET_DATA(p) + p->opt_start + 3, max_udp_size);
2471 return 1;
2472 }
2473
2474 static int patch_rr(DnsPacket *p, usec_t age) {
2475 _cleanup_(rewind_dns_packet) DnsPacketRewinder rewinder;
2476 size_t ttl_index;
2477 uint32_t ttl;
2478 uint16_t type, rdlength;
2479 int r;
2480
2481 INIT_REWINDER(rewinder, p);
2482
2483 /* Patches the RR at the current rindex, subtracts the specified time from the TTL */
2484
2485 r = dns_packet_read_name(p, NULL, true, NULL);
2486 if (r < 0)
2487 return r;
2488
2489 r = dns_packet_read_uint16(p, &type, NULL);
2490 if (r < 0)
2491 return r;
2492
2493 r = dns_packet_read_uint16(p, NULL, NULL);
2494 if (r < 0)
2495 return r;
2496
2497 r = dns_packet_read_uint32(p, &ttl, &ttl_index);
2498 if (r < 0)
2499 return r;
2500
2501 if (type != DNS_TYPE_OPT) { /* The TTL of the OPT field is not actually a TTL, skip it */
2502 ttl = LESS_BY(ttl * USEC_PER_SEC, age) / USEC_PER_SEC;
2503 unaligned_write_be32(DNS_PACKET_DATA(p) + ttl_index, ttl);
2504 }
2505
2506 r = dns_packet_read_uint16(p, &rdlength, NULL);
2507 if (r < 0)
2508 return r;
2509
2510 r = dns_packet_read(p, rdlength, NULL, NULL);
2511 if (r < 0)
2512 return r;
2513
2514 CANCEL_REWINDER(rewinder);
2515 return 0;
2516 }
2517
2518 int dns_packet_patch_ttls(DnsPacket *p, usec_t timestamp) {
2519 _cleanup_(rewind_dns_packet) DnsPacketRewinder rewinder = {};
2520 unsigned i, n;
2521 usec_t k;
2522 int r;
2523
2524 assert(p);
2525 assert(timestamp_is_set(timestamp));
2526
2527 /* Adjusts all TTLs in the packet by subtracting the time difference between now and the specified timestamp */
2528
2529 k = now(clock_boottime_or_monotonic());
2530 assert(k >= timestamp);
2531 k -= timestamp;
2532
2533 INIT_REWINDER(rewinder, p);
2534
2535 dns_packet_rewind(p, DNS_PACKET_HEADER_SIZE);
2536
2537 n = DNS_PACKET_QDCOUNT(p);
2538 for (i = 0; i < n; i++) {
2539 r = dns_packet_read_key(p, NULL, NULL, NULL);
2540 if (r < 0)
2541 return r;
2542 }
2543
2544 n = DNS_PACKET_RRCOUNT(p);
2545 for (i = 0; i < n; i++) {
2546
2547 /* DNS servers suck, hence the RR count is in many servers off. If we reached the end
2548 * prematurely, accept that, exit early */
2549 if (p->rindex == p->size)
2550 break;
2551
2552 r = patch_rr(p, k);
2553 if (r < 0)
2554 return r;
2555 }
2556
2557 return 0;
2558 }
2559
2560 static void dns_packet_hash_func(const DnsPacket *s, struct siphash *state) {
2561 assert(s);
2562
2563 siphash24_compress(&s->size, sizeof(s->size), state);
2564 siphash24_compress(DNS_PACKET_DATA((DnsPacket*) s), s->size, state);
2565 }
2566
2567 static int dns_packet_compare_func(const DnsPacket *x, const DnsPacket *y) {
2568 int r;
2569
2570 r = CMP(x->size, y->size);
2571 if (r != 0)
2572 return r;
2573
2574 return memcmp(DNS_PACKET_DATA((DnsPacket*) x), DNS_PACKET_DATA((DnsPacket*) y), x->size);
2575 }
2576
2577 DEFINE_HASH_OPS(dns_packet_hash_ops, DnsPacket, dns_packet_hash_func, dns_packet_compare_func);
2578
2579 bool dns_packet_equal(const DnsPacket *a, const DnsPacket *b) {
2580 return dns_packet_compare_func(a, b) == 0;
2581 }
2582
2583 int dns_packet_has_nsid_request(DnsPacket *p) {
2584 bool has_nsid = false;
2585 const uint8_t *d;
2586 size_t l;
2587
2588 assert(p);
2589
2590 if (!p->opt)
2591 return false;
2592
2593 d = p->opt->opt.data;
2594 l = p->opt->opt.data_size;
2595
2596 while (l > 0) {
2597 uint16_t code, length;
2598
2599 if (l < 4U)
2600 return log_debug_errno(SYNTHETIC_ERRNO(EBADMSG),
2601 "EDNS0 variable part has invalid size.");
2602
2603 code = unaligned_read_be16(d);
2604 length = unaligned_read_be16(d + 2);
2605
2606 if (l < 4U + length)
2607 return log_debug_errno(SYNTHETIC_ERRNO(EBADMSG),
2608 "Truncated option in EDNS0 variable part.");
2609
2610 if (code == 3) {
2611 if (has_nsid)
2612 return log_debug_errno(SYNTHETIC_ERRNO(EBADMSG),
2613 "Duplicate NSID option in EDNS0 variable part.");
2614
2615 if (length != 0)
2616 return log_debug_errno(SYNTHETIC_ERRNO(EBADMSG),
2617 "Non-empty NSID option in DNS request.");
2618
2619 has_nsid = true;
2620 }
2621
2622 d += 4U + length;
2623 l -= 4U + length;
2624 }
2625
2626 return has_nsid;
2627 }
2628
2629 size_t dns_packet_size_unfragmented(DnsPacket *p) {
2630 assert(p);
2631
2632 if (p->fragsize == 0) /* Wasn't fragmented */
2633 return p->size;
2634
2635 /* The fragment size (p->fragsize) covers the whole (fragmented) IP packet, while the regular packet
2636 * size (p->size) only covers the DNS part. Thus, subtract the UDP header from the largest fragment
2637 * size, in order to determine which size of DNS packet would have gone through without
2638 * fragmenting. */
2639
2640 return LESS_BY(p->fragsize, udp_header_size(p->family));
2641 }
2642
2643 static const char* const dns_rcode_table[_DNS_RCODE_MAX_DEFINED] = {
2644 [DNS_RCODE_SUCCESS] = "SUCCESS",
2645 [DNS_RCODE_FORMERR] = "FORMERR",
2646 [DNS_RCODE_SERVFAIL] = "SERVFAIL",
2647 [DNS_RCODE_NXDOMAIN] = "NXDOMAIN",
2648 [DNS_RCODE_NOTIMP] = "NOTIMP",
2649 [DNS_RCODE_REFUSED] = "REFUSED",
2650 [DNS_RCODE_YXDOMAIN] = "YXDOMAIN",
2651 [DNS_RCODE_YXRRSET] = "YRRSET",
2652 [DNS_RCODE_NXRRSET] = "NXRRSET",
2653 [DNS_RCODE_NOTAUTH] = "NOTAUTH",
2654 [DNS_RCODE_NOTZONE] = "NOTZONE",
2655 [DNS_RCODE_BADVERS] = "BADVERS",
2656 [DNS_RCODE_BADKEY] = "BADKEY",
2657 [DNS_RCODE_BADTIME] = "BADTIME",
2658 [DNS_RCODE_BADMODE] = "BADMODE",
2659 [DNS_RCODE_BADNAME] = "BADNAME",
2660 [DNS_RCODE_BADALG] = "BADALG",
2661 [DNS_RCODE_BADTRUNC] = "BADTRUNC",
2662 [DNS_RCODE_BADCOOKIE] = "BADCOOKIE",
2663 };
2664 DEFINE_STRING_TABLE_LOOKUP(dns_rcode, int);
2665
2666 static const char* const dns_protocol_table[_DNS_PROTOCOL_MAX] = {
2667 [DNS_PROTOCOL_DNS] = "dns",
2668 [DNS_PROTOCOL_MDNS] = "mdns",
2669 [DNS_PROTOCOL_LLMNR] = "llmnr",
2670 };
2671 DEFINE_STRING_TABLE_LOOKUP(dns_protocol, DnsProtocol);
Unnamed repository; edit this file 'description' to name the repository.