1 /* SPDX-License-Identifier: LGPL-2.1-or-later */
7 #include "alloc-util.h"
8 #include "dns-domain.h"
9 #include "memory-util.h"
10 #include "resolved-dns-packet.h"
12 #include "string-table.h"
14 #include "unaligned.h"
18 #define EDNS0_OPT_DO (1<<15)
20 assert_cc(DNS_PACKET_SIZE_START
> DNS_PACKET_HEADER_SIZE
);
22 typedef struct DnsPacketRewinder
{
27 static void rewind_dns_packet(DnsPacketRewinder
*rewinder
) {
29 dns_packet_rewind(rewinder
->packet
, rewinder
->saved_rindex
);
32 #define INIT_REWINDER(rewinder, p) do { rewinder.packet = p; rewinder.saved_rindex = p->rindex; } while (0)
33 #define CANCEL_REWINDER(rewinder) do { rewinder.packet = NULL; } while (0)
38 size_t min_alloc_dsize
,
45 assert(max_size
>= DNS_PACKET_HEADER_SIZE
);
47 if (max_size
> DNS_PACKET_SIZE_MAX
)
48 max_size
= DNS_PACKET_SIZE_MAX
;
50 /* The caller may not check what is going to be truly allocated, so do not allow to
51 * allocate a DNS packet bigger than DNS_PACKET_SIZE_MAX.
53 if (min_alloc_dsize
> DNS_PACKET_SIZE_MAX
)
54 return log_error_errno(SYNTHETIC_ERRNO(EFBIG
),
55 "Requested packet data size too big: %zu",
58 /* When dns_packet_new() is called with min_alloc_dsize == 0, allocate more than the
59 * absolute minimum (which is the dns packet header size), to avoid
60 * resizing immediately again after appending the first data to the packet.
62 if (min_alloc_dsize
< DNS_PACKET_HEADER_SIZE
)
63 a
= DNS_PACKET_SIZE_START
;
67 /* round up to next page size */
68 a
= PAGE_ALIGN(ALIGN(sizeof(DnsPacket
)) + a
) - ALIGN(sizeof(DnsPacket
));
70 /* make sure we never allocate more than useful */
74 p
= malloc0(ALIGN(sizeof(DnsPacket
)) + a
);
81 .size
= DNS_PACKET_HEADER_SIZE
,
82 .rindex
= DNS_PACKET_HEADER_SIZE
,
85 .opt_start
= (size_t) -1,
86 .opt_size
= (size_t) -1,
94 void dns_packet_set_flags(DnsPacket
*p
, bool dnssec_checking_disabled
, bool truncated
) {
100 h
= DNS_PACKET_HEADER(p
);
102 switch(p
->protocol
) {
103 case DNS_PROTOCOL_LLMNR
:
106 h
->flags
= htobe16(DNS_PACKET_MAKE_FLAGS(0 /* qr */,
117 case DNS_PROTOCOL_MDNS
:
118 h
->flags
= htobe16(DNS_PACKET_MAKE_FLAGS(0 /* qr */,
122 0 /* rd (ask for recursion) */,
132 h
->flags
= htobe16(DNS_PACKET_MAKE_FLAGS(0 /* qr */,
136 1 /* rd (ask for recursion) */,
139 dnssec_checking_disabled
/* cd */,
144 int dns_packet_new_query(DnsPacket
**ret
, DnsProtocol protocol
, size_t min_alloc_dsize
, bool dnssec_checking_disabled
) {
150 r
= dns_packet_new(&p
, protocol
, min_alloc_dsize
, DNS_PACKET_SIZE_MAX
);
154 /* Always set the TC bit to 0 initially.
155 * If there are multiple packets later, we'll update the bit shortly before sending.
157 dns_packet_set_flags(p
, dnssec_checking_disabled
, false);
163 DnsPacket
*dns_packet_ref(DnsPacket
*p
) {
168 assert(!p
->on_stack
);
170 assert(p
->n_ref
> 0);
175 static void dns_packet_free(DnsPacket
*p
) {
180 dns_question_unref(p
->question
);
181 dns_answer_unref(p
->answer
);
182 dns_resource_record_unref(p
->opt
);
184 while ((s
= hashmap_steal_first_key(p
->names
)))
186 hashmap_free(p
->names
);
194 DnsPacket
*dns_packet_unref(DnsPacket
*p
) {
198 assert(p
->n_ref
> 0);
200 dns_packet_unref(p
->more
);
210 int dns_packet_validate(DnsPacket
*p
) {
213 if (p
->size
< DNS_PACKET_HEADER_SIZE
)
216 if (p
->size
> DNS_PACKET_SIZE_MAX
)
222 int dns_packet_validate_reply(DnsPacket
*p
) {
227 r
= dns_packet_validate(p
);
231 if (DNS_PACKET_QR(p
) != 1)
234 if (DNS_PACKET_OPCODE(p
) != 0)
237 switch (p
->protocol
) {
239 case DNS_PROTOCOL_LLMNR
:
240 /* RFC 4795, Section 2.1.1. says to discard all replies with QDCOUNT != 1 */
241 if (DNS_PACKET_QDCOUNT(p
) != 1)
246 case DNS_PROTOCOL_MDNS
:
247 /* RFC 6762, Section 18 */
248 if (DNS_PACKET_RCODE(p
) != 0)
260 int dns_packet_validate_query(DnsPacket
*p
) {
265 r
= dns_packet_validate(p
);
269 if (DNS_PACKET_QR(p
) != 0)
272 if (DNS_PACKET_OPCODE(p
) != 0)
275 if (DNS_PACKET_TC(p
))
278 switch (p
->protocol
) {
280 case DNS_PROTOCOL_LLMNR
:
281 case DNS_PROTOCOL_DNS
:
282 /* RFC 4795, Section 2.1.1. says to discard all queries with QDCOUNT != 1 */
283 if (DNS_PACKET_QDCOUNT(p
) != 1)
286 /* RFC 4795, Section 2.1.1. says to discard all queries with ANCOUNT != 0 */
287 if (DNS_PACKET_ANCOUNT(p
) > 0)
290 /* RFC 4795, Section 2.1.1. says to discard all queries with NSCOUNT != 0 */
291 if (DNS_PACKET_NSCOUNT(p
) > 0)
296 case DNS_PROTOCOL_MDNS
:
297 /* RFC 6762, Section 18 */
298 if (DNS_PACKET_AA(p
) != 0 ||
299 DNS_PACKET_RD(p
) != 0 ||
300 DNS_PACKET_RA(p
) != 0 ||
301 DNS_PACKET_AD(p
) != 0 ||
302 DNS_PACKET_CD(p
) != 0 ||
303 DNS_PACKET_RCODE(p
) != 0)
315 static int dns_packet_extend(DnsPacket
*p
, size_t add
, void **ret
, size_t *start
) {
318 if (p
->size
+ add
> p
->allocated
) {
321 a
= PAGE_ALIGN((p
->size
+ add
) * 2);
323 ms
= dns_packet_size_max(p
);
327 if (p
->size
+ add
> a
)
333 d
= realloc(p
->_data
, a
);
339 p
->_data
= malloc(a
);
343 memcpy(p
->_data
, (uint8_t*) p
+ ALIGN(sizeof(DnsPacket
)), p
->size
);
344 memzero((uint8_t*) p
->_data
+ p
->size
, a
- p
->size
);
354 *ret
= (uint8_t*) DNS_PACKET_DATA(p
) + p
->size
;
360 void dns_packet_truncate(DnsPacket
*p
, size_t sz
) {
369 HASHMAP_FOREACH_KEY(n
, s
, p
->names
) {
371 if (PTR_TO_SIZE(n
) < sz
)
374 hashmap_remove(p
->names
, s
);
381 int dns_packet_append_blob(DnsPacket
*p
, const void *d
, size_t l
, size_t *start
) {
387 r
= dns_packet_extend(p
, l
, &q
, start
);
391 memcpy_safe(q
, d
, l
);
395 int dns_packet_append_uint8(DnsPacket
*p
, uint8_t v
, size_t *start
) {
401 r
= dns_packet_extend(p
, sizeof(uint8_t), &d
, start
);
405 ((uint8_t*) d
)[0] = v
;
410 int dns_packet_append_uint16(DnsPacket
*p
, uint16_t v
, size_t *start
) {
416 r
= dns_packet_extend(p
, sizeof(uint16_t), &d
, start
);
420 unaligned_write_be16(d
, v
);
425 int dns_packet_append_uint32(DnsPacket
*p
, uint32_t v
, size_t *start
) {
431 r
= dns_packet_extend(p
, sizeof(uint32_t), &d
, start
);
435 unaligned_write_be32(d
, v
);
440 int dns_packet_append_string(DnsPacket
*p
, const char *s
, size_t *start
) {
444 return dns_packet_append_raw_string(p
, s
, strlen(s
), start
);
447 int dns_packet_append_raw_string(DnsPacket
*p
, const void *s
, size_t size
, size_t *start
) {
452 assert(s
|| size
== 0);
457 r
= dns_packet_extend(p
, 1 + size
, &d
, start
);
461 ((uint8_t*) d
)[0] = (uint8_t) size
;
463 memcpy_safe(((uint8_t*) d
) + 1, s
, size
);
468 int dns_packet_append_label(DnsPacket
*p
, const char *d
, size_t l
, bool canonical_candidate
, size_t *start
) {
472 /* Append a label to a packet. Optionally, does this in DNSSEC
473 * canonical form, if this label is marked as a candidate for
474 * it, and the canonical form logic is enabled for the
480 if (l
> DNS_LABEL_MAX
)
483 r
= dns_packet_extend(p
, 1 + l
, (void**) &w
, start
);
487 *(w
++) = (uint8_t) l
;
489 if (p
->canonical_form
&& canonical_candidate
) {
492 /* Generate in canonical form, as defined by DNSSEC
493 * RFC 4034, Section 6.2, i.e. all lower-case. */
495 for (i
= 0; i
< l
; i
++)
496 w
[i
] = (uint8_t) ascii_tolower(d
[i
]);
498 /* Otherwise, just copy the string unaltered. This is
499 * essential for DNS-SD, where the casing of labels
500 * matters and needs to be retained. */
506 int dns_packet_append_name(
509 bool allow_compression
,
510 bool canonical_candidate
,
519 if (p
->refuse_compression
)
520 allow_compression
= false;
522 saved_size
= p
->size
;
524 while (!dns_name_is_root(name
)) {
525 const char *z
= name
;
526 char label
[DNS_LABEL_MAX
];
529 if (allow_compression
)
530 n
= PTR_TO_SIZE(hashmap_get(p
->names
, name
));
535 r
= dns_packet_append_uint16(p
, 0xC000 | n
, NULL
);
543 r
= dns_label_unescape(&name
, label
, sizeof label
, 0);
547 r
= dns_packet_append_label(p
, label
, r
, canonical_candidate
, &n
);
551 if (allow_compression
) {
552 _cleanup_free_
char *s
= NULL
;
560 r
= hashmap_ensure_allocated(&p
->names
, &dns_name_hash_ops
);
564 r
= hashmap_put(p
->names
, s
, SIZE_TO_PTR(n
));
572 r
= dns_packet_append_uint8(p
, 0, NULL
);
583 dns_packet_truncate(p
, saved_size
);
587 int dns_packet_append_key(DnsPacket
*p
, const DnsResourceKey
*k
, const DnsAnswerFlags flags
, size_t *start
) {
595 saved_size
= p
->size
;
597 r
= dns_packet_append_name(p
, dns_resource_key_name(k
), true, true, NULL
);
601 r
= dns_packet_append_uint16(p
, k
->type
, NULL
);
605 class = flags
& DNS_ANSWER_CACHE_FLUSH
? k
->class | MDNS_RR_CACHE_FLUSH
: k
->class;
606 r
= dns_packet_append_uint16(p
, class, NULL
);
616 dns_packet_truncate(p
, saved_size
);
620 static int dns_packet_append_type_window(DnsPacket
*p
, uint8_t window
, uint8_t length
, const uint8_t *types
, size_t *start
) {
628 saved_size
= p
->size
;
630 r
= dns_packet_append_uint8(p
, window
, NULL
);
634 r
= dns_packet_append_uint8(p
, length
, NULL
);
638 r
= dns_packet_append_blob(p
, types
, length
, NULL
);
647 dns_packet_truncate(p
, saved_size
);
651 static int dns_packet_append_types(DnsPacket
*p
, Bitmap
*types
, size_t *start
) {
654 uint8_t bitmaps
[32] = {};
661 saved_size
= p
->size
;
663 BITMAP_FOREACH(n
, types
) {
666 if ((n
>> 8) != window
&& bitmaps
[entry
/ 8] != 0) {
667 r
= dns_packet_append_type_window(p
, window
, entry
/ 8 + 1, bitmaps
, NULL
);
677 bitmaps
[entry
/ 8] |= 1 << (7 - (entry
% 8));
680 if (bitmaps
[entry
/ 8] != 0) {
681 r
= dns_packet_append_type_window(p
, window
, entry
/ 8 + 1, bitmaps
, NULL
);
691 dns_packet_truncate(p
, saved_size
);
695 /* Append the OPT pseudo-RR described in RFC6891 */
696 int dns_packet_append_opt(
698 uint16_t max_udp_size
,
700 bool include_rfc6975
,
708 /* we must never advertise supported packet size smaller than the legacy max */
709 assert(max_udp_size
>= DNS_PACKET_UNICAST_SIZE_MAX
);
711 assert(rcode
<= _DNS_RCODE_MAX
);
713 if (p
->opt_start
!= (size_t) -1)
716 assert(p
->opt_size
== (size_t) -1);
718 saved_size
= p
->size
;
721 r
= dns_packet_append_uint8(p
, 0, NULL
);
726 r
= dns_packet_append_uint16(p
, DNS_TYPE_OPT
, NULL
);
730 /* class: maximum udp packet that can be received */
731 r
= dns_packet_append_uint16(p
, max_udp_size
, NULL
);
735 /* extended RCODE and VERSION */
736 r
= dns_packet_append_uint16(p
, ((uint16_t) rcode
& 0x0FF0) << 4, NULL
);
740 /* flags: DNSSEC OK (DO), see RFC3225 */
741 r
= dns_packet_append_uint16(p
, edns0_do
? EDNS0_OPT_DO
: 0, NULL
);
746 if (edns0_do
&& include_rfc6975
) {
747 /* If DO is on and this is requested, also append RFC6975 Algorithm data. This is supposed to
748 * be done on queries, not on replies, hencer callers should turn this off when finishing off
751 static const uint8_t rfc6975
[] = {
753 0, 5, /* OPTION_CODE: DAU */
754 #if HAVE_GCRYPT && GCRYPT_VERSION_NUMBER >= 0x010600
755 0, 7, /* LIST_LENGTH */
757 0, 6, /* LIST_LENGTH */
759 DNSSEC_ALGORITHM_RSASHA1
,
760 DNSSEC_ALGORITHM_RSASHA1_NSEC3_SHA1
,
761 DNSSEC_ALGORITHM_RSASHA256
,
762 DNSSEC_ALGORITHM_RSASHA512
,
763 DNSSEC_ALGORITHM_ECDSAP256SHA256
,
764 DNSSEC_ALGORITHM_ECDSAP384SHA384
,
765 #if HAVE_GCRYPT && GCRYPT_VERSION_NUMBER >= 0x010600
766 DNSSEC_ALGORITHM_ED25519
,
769 0, 6, /* OPTION_CODE: DHU */
770 0, 3, /* LIST_LENGTH */
772 DNSSEC_DIGEST_SHA256
,
773 DNSSEC_DIGEST_SHA384
,
775 0, 7, /* OPTION_CODE: N3U */
776 0, 1, /* LIST_LENGTH */
777 NSEC3_ALGORITHM_SHA1
,
780 r
= dns_packet_append_uint16(p
, sizeof(rfc6975
), NULL
);
784 r
= dns_packet_append_blob(p
, rfc6975
, sizeof(rfc6975
), NULL
);
786 r
= dns_packet_append_uint16(p
, 0, NULL
);
790 DNS_PACKET_HEADER(p
)->arcount
= htobe16(DNS_PACKET_ARCOUNT(p
) + 1);
792 p
->opt_start
= saved_size
;
793 p
->opt_size
= p
->size
- saved_size
;
801 dns_packet_truncate(p
, saved_size
);
805 int dns_packet_truncate_opt(DnsPacket
*p
) {
808 if (p
->opt_start
== (size_t) -1) {
809 assert(p
->opt_size
== (size_t) -1);
813 assert(p
->opt_size
!= (size_t) -1);
814 assert(DNS_PACKET_ARCOUNT(p
) > 0);
816 if (p
->opt_start
+ p
->opt_size
!= p
->size
)
819 dns_packet_truncate(p
, p
->opt_start
);
820 DNS_PACKET_HEADER(p
)->arcount
= htobe16(DNS_PACKET_ARCOUNT(p
) - 1);
821 p
->opt_start
= p
->opt_size
= (size_t) -1;
826 int dns_packet_append_rr(DnsPacket
*p
, const DnsResourceRecord
*rr
, const DnsAnswerFlags flags
, size_t *start
, size_t *rdata_start
) {
828 size_t saved_size
, rdlength_offset
, end
, rdlength
, rds
;
835 saved_size
= p
->size
;
837 r
= dns_packet_append_key(p
, rr
->key
, flags
, NULL
);
841 ttl
= flags
& DNS_ANSWER_GOODBYE
? 0 : rr
->ttl
;
842 r
= dns_packet_append_uint32(p
, ttl
, NULL
);
846 /* Initially we write 0 here */
847 r
= dns_packet_append_uint16(p
, 0, &rdlength_offset
);
851 rds
= p
->size
- saved_size
;
853 switch (rr
->unparsable
? _DNS_TYPE_INVALID
: rr
->key
->type
) {
856 r
= dns_packet_append_uint16(p
, rr
->srv
.priority
, NULL
);
860 r
= dns_packet_append_uint16(p
, rr
->srv
.weight
, NULL
);
864 r
= dns_packet_append_uint16(p
, rr
->srv
.port
, NULL
);
868 /* RFC 2782 states "Unless and until permitted by future standards
869 * action, name compression is not to be used for this field." */
870 r
= dns_packet_append_name(p
, rr
->srv
.name
, false, true, NULL
);
877 r
= dns_packet_append_name(p
, rr
->ptr
.name
, true, true, NULL
);
881 r
= dns_packet_append_string(p
, rr
->hinfo
.cpu
, NULL
);
885 r
= dns_packet_append_string(p
, rr
->hinfo
.os
, NULL
);
888 case DNS_TYPE_SPF
: /* exactly the same as TXT */
891 if (!rr
->txt
.items
) {
892 /* RFC 6763, section 6.1 suggests to generate
893 * single empty string for an empty array. */
895 r
= dns_packet_append_raw_string(p
, NULL
, 0, NULL
);
901 LIST_FOREACH(items
, i
, rr
->txt
.items
) {
902 r
= dns_packet_append_raw_string(p
, i
->data
, i
->length
, NULL
);
912 r
= dns_packet_append_blob(p
, &rr
->a
.in_addr
, sizeof(struct in_addr
), NULL
);
916 r
= dns_packet_append_blob(p
, &rr
->aaaa
.in6_addr
, sizeof(struct in6_addr
), NULL
);
920 r
= dns_packet_append_name(p
, rr
->soa
.mname
, true, true, NULL
);
924 r
= dns_packet_append_name(p
, rr
->soa
.rname
, true, true, NULL
);
928 r
= dns_packet_append_uint32(p
, rr
->soa
.serial
, NULL
);
932 r
= dns_packet_append_uint32(p
, rr
->soa
.refresh
, NULL
);
936 r
= dns_packet_append_uint32(p
, rr
->soa
.retry
, NULL
);
940 r
= dns_packet_append_uint32(p
, rr
->soa
.expire
, NULL
);
944 r
= dns_packet_append_uint32(p
, rr
->soa
.minimum
, NULL
);
948 r
= dns_packet_append_uint16(p
, rr
->mx
.priority
, NULL
);
952 r
= dns_packet_append_name(p
, rr
->mx
.exchange
, true, true, NULL
);
956 r
= dns_packet_append_uint8(p
, rr
->loc
.version
, NULL
);
960 r
= dns_packet_append_uint8(p
, rr
->loc
.size
, NULL
);
964 r
= dns_packet_append_uint8(p
, rr
->loc
.horiz_pre
, NULL
);
968 r
= dns_packet_append_uint8(p
, rr
->loc
.vert_pre
, NULL
);
972 r
= dns_packet_append_uint32(p
, rr
->loc
.latitude
, NULL
);
976 r
= dns_packet_append_uint32(p
, rr
->loc
.longitude
, NULL
);
980 r
= dns_packet_append_uint32(p
, rr
->loc
.altitude
, NULL
);
984 r
= dns_packet_append_uint16(p
, rr
->ds
.key_tag
, NULL
);
988 r
= dns_packet_append_uint8(p
, rr
->ds
.algorithm
, NULL
);
992 r
= dns_packet_append_uint8(p
, rr
->ds
.digest_type
, NULL
);
996 r
= dns_packet_append_blob(p
, rr
->ds
.digest
, rr
->ds
.digest_size
, NULL
);
1000 r
= dns_packet_append_uint8(p
, rr
->sshfp
.algorithm
, NULL
);
1004 r
= dns_packet_append_uint8(p
, rr
->sshfp
.fptype
, NULL
);
1008 r
= dns_packet_append_blob(p
, rr
->sshfp
.fingerprint
, rr
->sshfp
.fingerprint_size
, NULL
);
1011 case DNS_TYPE_DNSKEY
:
1012 r
= dns_packet_append_uint16(p
, rr
->dnskey
.flags
, NULL
);
1016 r
= dns_packet_append_uint8(p
, rr
->dnskey
.protocol
, NULL
);
1020 r
= dns_packet_append_uint8(p
, rr
->dnskey
.algorithm
, NULL
);
1024 r
= dns_packet_append_blob(p
, rr
->dnskey
.key
, rr
->dnskey
.key_size
, NULL
);
1027 case DNS_TYPE_RRSIG
:
1028 r
= dns_packet_append_uint16(p
, rr
->rrsig
.type_covered
, NULL
);
1032 r
= dns_packet_append_uint8(p
, rr
->rrsig
.algorithm
, NULL
);
1036 r
= dns_packet_append_uint8(p
, rr
->rrsig
.labels
, NULL
);
1040 r
= dns_packet_append_uint32(p
, rr
->rrsig
.original_ttl
, NULL
);
1044 r
= dns_packet_append_uint32(p
, rr
->rrsig
.expiration
, NULL
);
1048 r
= dns_packet_append_uint32(p
, rr
->rrsig
.inception
, NULL
);
1052 r
= dns_packet_append_uint16(p
, rr
->rrsig
.key_tag
, NULL
);
1056 r
= dns_packet_append_name(p
, rr
->rrsig
.signer
, false, true, NULL
);
1060 r
= dns_packet_append_blob(p
, rr
->rrsig
.signature
, rr
->rrsig
.signature_size
, NULL
);
1064 r
= dns_packet_append_name(p
, rr
->nsec
.next_domain_name
, false, false, NULL
);
1068 r
= dns_packet_append_types(p
, rr
->nsec
.types
, NULL
);
1074 case DNS_TYPE_NSEC3
:
1075 r
= dns_packet_append_uint8(p
, rr
->nsec3
.algorithm
, NULL
);
1079 r
= dns_packet_append_uint8(p
, rr
->nsec3
.flags
, NULL
);
1083 r
= dns_packet_append_uint16(p
, rr
->nsec3
.iterations
, NULL
);
1087 r
= dns_packet_append_uint8(p
, rr
->nsec3
.salt_size
, NULL
);
1091 r
= dns_packet_append_blob(p
, rr
->nsec3
.salt
, rr
->nsec3
.salt_size
, NULL
);
1095 r
= dns_packet_append_uint8(p
, rr
->nsec3
.next_hashed_name_size
, NULL
);
1099 r
= dns_packet_append_blob(p
, rr
->nsec3
.next_hashed_name
, rr
->nsec3
.next_hashed_name_size
, NULL
);
1103 r
= dns_packet_append_types(p
, rr
->nsec3
.types
, NULL
);
1110 r
= dns_packet_append_uint8(p
, rr
->tlsa
.cert_usage
, NULL
);
1114 r
= dns_packet_append_uint8(p
, rr
->tlsa
.selector
, NULL
);
1118 r
= dns_packet_append_uint8(p
, rr
->tlsa
.matching_type
, NULL
);
1122 r
= dns_packet_append_blob(p
, rr
->tlsa
.data
, rr
->tlsa
.data_size
, NULL
);
1126 r
= dns_packet_append_uint8(p
, rr
->caa
.flags
, NULL
);
1130 r
= dns_packet_append_string(p
, rr
->caa
.tag
, NULL
);
1134 r
= dns_packet_append_blob(p
, rr
->caa
.value
, rr
->caa
.value_size
, NULL
);
1138 case DNS_TYPE_OPENPGPKEY
:
1139 case _DNS_TYPE_INVALID
: /* unparsable */
1142 r
= dns_packet_append_blob(p
, rr
->generic
.data
, rr
->generic
.data_size
, NULL
);
1148 /* Let's calculate the actual data size and update the field */
1149 rdlength
= p
->size
- rdlength_offset
- sizeof(uint16_t);
1150 if (rdlength
> 0xFFFF) {
1156 p
->size
= rdlength_offset
;
1157 r
= dns_packet_append_uint16(p
, rdlength
, NULL
);
1163 *start
= saved_size
;
1171 dns_packet_truncate(p
, saved_size
);
1175 int dns_packet_append_question(DnsPacket
*p
, DnsQuestion
*q
) {
1176 DnsResourceKey
*key
;
1181 DNS_QUESTION_FOREACH(key
, q
) {
1182 r
= dns_packet_append_key(p
, key
, 0, NULL
);
1190 int dns_packet_append_answer(DnsPacket
*p
, DnsAnswer
*a
) {
1191 DnsResourceRecord
*rr
;
1192 DnsAnswerFlags flags
;
1197 DNS_ANSWER_FOREACH_FLAGS(rr
, flags
, a
) {
1198 r
= dns_packet_append_rr(p
, rr
, flags
, NULL
, NULL
);
1206 int dns_packet_read(DnsPacket
*p
, size_t sz
, const void **ret
, size_t *start
) {
1209 if (p
->rindex
+ sz
> p
->size
)
1213 *ret
= (uint8_t*) DNS_PACKET_DATA(p
) + p
->rindex
;
1222 void dns_packet_rewind(DnsPacket
*p
, size_t idx
) {
1224 assert(idx
<= p
->size
);
1225 assert(idx
>= DNS_PACKET_HEADER_SIZE
);
1230 int dns_packet_read_blob(DnsPacket
*p
, void *d
, size_t sz
, size_t *start
) {
1237 r
= dns_packet_read(p
, sz
, &q
, start
);
1245 static int dns_packet_read_memdup(
1246 DnsPacket
*p
, size_t size
,
1247 void **ret
, size_t *ret_size
,
1248 size_t *ret_start
) {
1257 r
= dns_packet_read(p
, size
, &src
, &start
);
1266 copy
= memdup(src
, size
);
1281 int dns_packet_read_uint8(DnsPacket
*p
, uint8_t *ret
, size_t *start
) {
1287 r
= dns_packet_read(p
, sizeof(uint8_t), &d
, start
);
1291 *ret
= ((uint8_t*) d
)[0];
1295 int dns_packet_read_uint16(DnsPacket
*p
, uint16_t *ret
, size_t *start
) {
1301 r
= dns_packet_read(p
, sizeof(uint16_t), &d
, start
);
1305 *ret
= unaligned_read_be16(d
);
1310 int dns_packet_read_uint32(DnsPacket
*p
, uint32_t *ret
, size_t *start
) {
1316 r
= dns_packet_read(p
, sizeof(uint32_t), &d
, start
);
1320 *ret
= unaligned_read_be32(d
);
1325 int dns_packet_read_string(DnsPacket
*p
, char **ret
, size_t *start
) {
1326 _cleanup_(rewind_dns_packet
) DnsPacketRewinder rewinder
;
1333 INIT_REWINDER(rewinder
, p
);
1335 r
= dns_packet_read_uint8(p
, &c
, NULL
);
1339 r
= dns_packet_read(p
, c
, &d
, NULL
);
1343 if (memchr(d
, 0, c
))
1350 if (!utf8_is_valid(t
)) {
1358 *start
= rewinder
.saved_rindex
;
1359 CANCEL_REWINDER(rewinder
);
1364 int dns_packet_read_raw_string(DnsPacket
*p
, const void **ret
, size_t *size
, size_t *start
) {
1365 _cleanup_(rewind_dns_packet
) DnsPacketRewinder rewinder
;
1370 INIT_REWINDER(rewinder
, p
);
1372 r
= dns_packet_read_uint8(p
, &c
, NULL
);
1376 r
= dns_packet_read(p
, c
, ret
, NULL
);
1383 *start
= rewinder
.saved_rindex
;
1384 CANCEL_REWINDER(rewinder
);
1389 int dns_packet_read_name(
1392 bool allow_compression
,
1395 _cleanup_(rewind_dns_packet
) DnsPacketRewinder rewinder
;
1396 size_t after_rindex
= 0, jump_barrier
;
1397 _cleanup_free_
char *ret
= NULL
;
1398 size_t n
= 0, allocated
= 0;
1404 INIT_REWINDER(rewinder
, p
);
1405 jump_barrier
= p
->rindex
;
1407 if (p
->refuse_compression
)
1408 allow_compression
= false;
1413 r
= dns_packet_read_uint8(p
, &c
, NULL
);
1424 r
= dns_packet_read(p
, c
, (const void**) &label
, NULL
);
1428 if (!GREEDY_REALLOC(ret
, allocated
, n
+ !first
+ DNS_LABEL_ESCAPED_MAX
))
1436 r
= dns_label_escape(label
, c
, ret
+ n
, DNS_LABEL_ESCAPED_MAX
);
1442 } else if (allow_compression
&& FLAGS_SET(c
, 0xc0)) {
1446 r
= dns_packet_read_uint8(p
, &d
, NULL
);
1450 ptr
= (uint16_t) (c
& ~0xc0) << 8 | (uint16_t) d
;
1451 if (ptr
< DNS_PACKET_HEADER_SIZE
|| ptr
>= jump_barrier
)
1454 if (after_rindex
== 0)
1455 after_rindex
= p
->rindex
;
1457 /* Jumps are limited to a "prior occurrence" (RFC-1035 4.1.4) */
1464 if (!GREEDY_REALLOC(ret
, allocated
, n
+ 1))
1469 if (after_rindex
!= 0)
1470 p
->rindex
= after_rindex
;
1472 *_ret
= TAKE_PTR(ret
);
1475 *start
= rewinder
.saved_rindex
;
1476 CANCEL_REWINDER(rewinder
);
1481 static int dns_packet_read_type_window(DnsPacket
*p
, Bitmap
**types
, size_t *start
) {
1484 const uint8_t *bitmap
;
1488 _cleanup_(rewind_dns_packet
) DnsPacketRewinder rewinder
;
1493 INIT_REWINDER(rewinder
, p
);
1495 r
= bitmap_ensure_allocated(types
);
1499 r
= dns_packet_read_uint8(p
, &window
, NULL
);
1503 r
= dns_packet_read_uint8(p
, &length
, NULL
);
1507 if (length
== 0 || length
> 32)
1510 r
= dns_packet_read(p
, length
, (const void **)&bitmap
, NULL
);
1514 for (i
= 0; i
< length
; i
++) {
1515 uint8_t bitmask
= 1 << 7;
1525 for (; bitmask
; bit
++, bitmask
>>= 1)
1526 if (bitmap
[i
] & bitmask
) {
1529 n
= (uint16_t) window
<< 8 | (uint16_t) bit
;
1531 /* Ignore pseudo-types. see RFC4034 section 4.1.2 */
1532 if (dns_type_is_pseudo(n
))
1535 r
= bitmap_set(*types
, n
);
1545 *start
= rewinder
.saved_rindex
;
1546 CANCEL_REWINDER(rewinder
);
1551 static int dns_packet_read_type_windows(DnsPacket
*p
, Bitmap
**types
, size_t size
, size_t *start
) {
1552 _cleanup_(rewind_dns_packet
) DnsPacketRewinder rewinder
;
1555 INIT_REWINDER(rewinder
, p
);
1557 while (p
->rindex
< rewinder
.saved_rindex
+ size
) {
1558 r
= dns_packet_read_type_window(p
, types
, NULL
);
1562 /* don't read past end of current RR */
1563 if (p
->rindex
> rewinder
.saved_rindex
+ size
)
1567 if (p
->rindex
!= rewinder
.saved_rindex
+ size
)
1571 *start
= rewinder
.saved_rindex
;
1572 CANCEL_REWINDER(rewinder
);
1577 int dns_packet_read_key(DnsPacket
*p
, DnsResourceKey
**ret
, bool *ret_cache_flush
, size_t *start
) {
1578 _cleanup_(rewind_dns_packet
) DnsPacketRewinder rewinder
;
1579 _cleanup_free_
char *name
= NULL
;
1580 bool cache_flush
= false;
1581 uint16_t class, type
;
1582 DnsResourceKey
*key
;
1587 INIT_REWINDER(rewinder
, p
);
1589 r
= dns_packet_read_name(p
, &name
, true, NULL
);
1593 r
= dns_packet_read_uint16(p
, &type
, NULL
);
1597 r
= dns_packet_read_uint16(p
, &class, NULL
);
1601 if (p
->protocol
== DNS_PROTOCOL_MDNS
) {
1602 /* See RFC6762, Section 10.2 */
1604 if (type
!= DNS_TYPE_OPT
&& (class & MDNS_RR_CACHE_FLUSH
)) {
1605 class &= ~MDNS_RR_CACHE_FLUSH
;
1610 key
= dns_resource_key_new_consume(class, type
, name
);
1617 if (ret_cache_flush
)
1618 *ret_cache_flush
= cache_flush
;
1620 *start
= rewinder
.saved_rindex
;
1621 CANCEL_REWINDER(rewinder
);
1626 static bool loc_size_ok(uint8_t size
) {
1627 uint8_t m
= size
>> 4, e
= size
& 0xF;
1629 return m
<= 9 && e
<= 9 && (m
> 0 || e
== 0);
1632 int dns_packet_read_rr(DnsPacket
*p
, DnsResourceRecord
**ret
, bool *ret_cache_flush
, size_t *start
) {
1633 _cleanup_(dns_resource_record_unrefp
) DnsResourceRecord
*rr
= NULL
;
1634 _cleanup_(dns_resource_key_unrefp
) DnsResourceKey
*key
= NULL
;
1635 _cleanup_(rewind_dns_packet
) DnsPacketRewinder rewinder
;
1644 INIT_REWINDER(rewinder
, p
);
1646 r
= dns_packet_read_key(p
, &key
, &cache_flush
, NULL
);
1650 if (!dns_class_is_valid_rr(key
->class) || !dns_type_is_valid_rr(key
->type
))
1653 rr
= dns_resource_record_new(key
);
1657 r
= dns_packet_read_uint32(p
, &rr
->ttl
, NULL
);
1661 /* RFC 2181, Section 8, suggests to
1662 * treat a TTL with the MSB set as a zero TTL. */
1663 if (rr
->ttl
& UINT32_C(0x80000000))
1666 r
= dns_packet_read_uint16(p
, &rdlength
, NULL
);
1670 if (p
->rindex
+ rdlength
> p
->size
)
1675 switch (rr
->key
->type
) {
1678 r
= dns_packet_read_uint16(p
, &rr
->srv
.priority
, NULL
);
1681 r
= dns_packet_read_uint16(p
, &rr
->srv
.weight
, NULL
);
1684 r
= dns_packet_read_uint16(p
, &rr
->srv
.port
, NULL
);
1687 r
= dns_packet_read_name(p
, &rr
->srv
.name
, true, NULL
);
1692 case DNS_TYPE_CNAME
:
1693 case DNS_TYPE_DNAME
:
1694 r
= dns_packet_read_name(p
, &rr
->ptr
.name
, true, NULL
);
1697 case DNS_TYPE_HINFO
:
1698 r
= dns_packet_read_string(p
, &rr
->hinfo
.cpu
, NULL
);
1702 r
= dns_packet_read_string(p
, &rr
->hinfo
.os
, NULL
);
1705 case DNS_TYPE_SPF
: /* exactly the same as TXT */
1707 if (rdlength
<= 0) {
1708 r
= dns_txt_item_new_empty(&rr
->txt
.items
);
1712 DnsTxtItem
*last
= NULL
;
1714 while (p
->rindex
< offset
+ rdlength
) {
1719 r
= dns_packet_read_raw_string(p
, &data
, &sz
, NULL
);
1723 i
= malloc0(offsetof(DnsTxtItem
, data
) + sz
+ 1); /* extra NUL byte at the end */
1727 memcpy(i
->data
, data
, sz
);
1730 LIST_INSERT_AFTER(items
, rr
->txt
.items
, last
, i
);
1739 r
= dns_packet_read_blob(p
, &rr
->a
.in_addr
, sizeof(struct in_addr
), NULL
);
1743 r
= dns_packet_read_blob(p
, &rr
->aaaa
.in6_addr
, sizeof(struct in6_addr
), NULL
);
1747 r
= dns_packet_read_name(p
, &rr
->soa
.mname
, true, NULL
);
1751 r
= dns_packet_read_name(p
, &rr
->soa
.rname
, true, NULL
);
1755 r
= dns_packet_read_uint32(p
, &rr
->soa
.serial
, NULL
);
1759 r
= dns_packet_read_uint32(p
, &rr
->soa
.refresh
, NULL
);
1763 r
= dns_packet_read_uint32(p
, &rr
->soa
.retry
, NULL
);
1767 r
= dns_packet_read_uint32(p
, &rr
->soa
.expire
, NULL
);
1771 r
= dns_packet_read_uint32(p
, &rr
->soa
.minimum
, NULL
);
1775 r
= dns_packet_read_uint16(p
, &rr
->mx
.priority
, NULL
);
1779 r
= dns_packet_read_name(p
, &rr
->mx
.exchange
, true, NULL
);
1782 case DNS_TYPE_LOC
: {
1786 r
= dns_packet_read_uint8(p
, &t
, &pos
);
1791 rr
->loc
.version
= t
;
1793 r
= dns_packet_read_uint8(p
, &rr
->loc
.size
, NULL
);
1797 if (!loc_size_ok(rr
->loc
.size
))
1800 r
= dns_packet_read_uint8(p
, &rr
->loc
.horiz_pre
, NULL
);
1804 if (!loc_size_ok(rr
->loc
.horiz_pre
))
1807 r
= dns_packet_read_uint8(p
, &rr
->loc
.vert_pre
, NULL
);
1811 if (!loc_size_ok(rr
->loc
.vert_pre
))
1814 r
= dns_packet_read_uint32(p
, &rr
->loc
.latitude
, NULL
);
1818 r
= dns_packet_read_uint32(p
, &rr
->loc
.longitude
, NULL
);
1822 r
= dns_packet_read_uint32(p
, &rr
->loc
.altitude
, NULL
);
1828 dns_packet_rewind(p
, pos
);
1829 rr
->unparsable
= true;
1835 r
= dns_packet_read_uint16(p
, &rr
->ds
.key_tag
, NULL
);
1839 r
= dns_packet_read_uint8(p
, &rr
->ds
.algorithm
, NULL
);
1843 r
= dns_packet_read_uint8(p
, &rr
->ds
.digest_type
, NULL
);
1850 r
= dns_packet_read_memdup(p
, rdlength
- 4,
1851 &rr
->ds
.digest
, &rr
->ds
.digest_size
,
1856 if (rr
->ds
.digest_size
<= 0)
1857 /* the accepted size depends on the algorithm, but for now
1858 just ensure that the value is greater than zero */
1863 case DNS_TYPE_SSHFP
:
1864 r
= dns_packet_read_uint8(p
, &rr
->sshfp
.algorithm
, NULL
);
1868 r
= dns_packet_read_uint8(p
, &rr
->sshfp
.fptype
, NULL
);
1875 r
= dns_packet_read_memdup(p
, rdlength
- 2,
1876 &rr
->sshfp
.fingerprint
, &rr
->sshfp
.fingerprint_size
,
1879 if (rr
->sshfp
.fingerprint_size
<= 0)
1880 /* the accepted size depends on the algorithm, but for now
1881 just ensure that the value is greater than zero */
1886 case DNS_TYPE_DNSKEY
:
1887 r
= dns_packet_read_uint16(p
, &rr
->dnskey
.flags
, NULL
);
1891 r
= dns_packet_read_uint8(p
, &rr
->dnskey
.protocol
, NULL
);
1895 r
= dns_packet_read_uint8(p
, &rr
->dnskey
.algorithm
, NULL
);
1902 r
= dns_packet_read_memdup(p
, rdlength
- 4,
1903 &rr
->dnskey
.key
, &rr
->dnskey
.key_size
,
1906 if (rr
->dnskey
.key_size
<= 0)
1907 /* the accepted size depends on the algorithm, but for now
1908 just ensure that the value is greater than zero */
1913 case DNS_TYPE_RRSIG
:
1914 r
= dns_packet_read_uint16(p
, &rr
->rrsig
.type_covered
, NULL
);
1918 r
= dns_packet_read_uint8(p
, &rr
->rrsig
.algorithm
, NULL
);
1922 r
= dns_packet_read_uint8(p
, &rr
->rrsig
.labels
, NULL
);
1926 r
= dns_packet_read_uint32(p
, &rr
->rrsig
.original_ttl
, NULL
);
1930 r
= dns_packet_read_uint32(p
, &rr
->rrsig
.expiration
, NULL
);
1934 r
= dns_packet_read_uint32(p
, &rr
->rrsig
.inception
, NULL
);
1938 r
= dns_packet_read_uint16(p
, &rr
->rrsig
.key_tag
, NULL
);
1942 r
= dns_packet_read_name(p
, &rr
->rrsig
.signer
, false, NULL
);
1946 if (rdlength
+ offset
< p
->rindex
)
1949 r
= dns_packet_read_memdup(p
, offset
+ rdlength
- p
->rindex
,
1950 &rr
->rrsig
.signature
, &rr
->rrsig
.signature_size
,
1953 if (rr
->rrsig
.signature_size
<= 0)
1954 /* the accepted size depends on the algorithm, but for now
1955 just ensure that the value is greater than zero */
1960 case DNS_TYPE_NSEC
: {
1963 * RFC6762, section 18.14 explicitly states mDNS should use name compression.
1964 * This contradicts RFC3845, section 2.1.1
1967 bool allow_compressed
= p
->protocol
== DNS_PROTOCOL_MDNS
;
1969 r
= dns_packet_read_name(p
, &rr
->nsec
.next_domain_name
, allow_compressed
, NULL
);
1973 r
= dns_packet_read_type_windows(p
, &rr
->nsec
.types
, offset
+ rdlength
- p
->rindex
, NULL
);
1975 /* We accept empty NSEC bitmaps. The bit indicating the presence of the NSEC record itself
1976 * is redundant and in e.g., RFC4956 this fact is used to define a use for NSEC records
1977 * without the NSEC bit set. */
1981 case DNS_TYPE_NSEC3
: {
1984 r
= dns_packet_read_uint8(p
, &rr
->nsec3
.algorithm
, NULL
);
1988 r
= dns_packet_read_uint8(p
, &rr
->nsec3
.flags
, NULL
);
1992 r
= dns_packet_read_uint16(p
, &rr
->nsec3
.iterations
, NULL
);
1996 /* this may be zero */
1997 r
= dns_packet_read_uint8(p
, &size
, NULL
);
2001 r
= dns_packet_read_memdup(p
, size
, &rr
->nsec3
.salt
, &rr
->nsec3
.salt_size
, NULL
);
2005 r
= dns_packet_read_uint8(p
, &size
, NULL
);
2012 r
= dns_packet_read_memdup(p
, size
,
2013 &rr
->nsec3
.next_hashed_name
, &rr
->nsec3
.next_hashed_name_size
,
2018 r
= dns_packet_read_type_windows(p
, &rr
->nsec3
.types
, offset
+ rdlength
- p
->rindex
, NULL
);
2020 /* empty non-terminals can have NSEC3 records, so empty bitmaps are allowed */
2026 r
= dns_packet_read_uint8(p
, &rr
->tlsa
.cert_usage
, NULL
);
2030 r
= dns_packet_read_uint8(p
, &rr
->tlsa
.selector
, NULL
);
2034 r
= dns_packet_read_uint8(p
, &rr
->tlsa
.matching_type
, NULL
);
2041 r
= dns_packet_read_memdup(p
, rdlength
- 3,
2042 &rr
->tlsa
.data
, &rr
->tlsa
.data_size
,
2045 if (rr
->tlsa
.data_size
<= 0)
2046 /* the accepted size depends on the algorithm, but for now
2047 just ensure that the value is greater than zero */
2053 r
= dns_packet_read_uint8(p
, &rr
->caa
.flags
, NULL
);
2057 r
= dns_packet_read_string(p
, &rr
->caa
.tag
, NULL
);
2061 if (rdlength
+ offset
< p
->rindex
)
2064 r
= dns_packet_read_memdup(p
,
2065 rdlength
+ offset
- p
->rindex
,
2066 &rr
->caa
.value
, &rr
->caa
.value_size
, NULL
);
2070 case DNS_TYPE_OPT
: /* we only care about the header of OPT for now. */
2071 case DNS_TYPE_OPENPGPKEY
:
2074 r
= dns_packet_read_memdup(p
, rdlength
, &rr
->generic
.data
, &rr
->generic
.data_size
, NULL
);
2080 if (p
->rindex
!= offset
+ rdlength
)
2083 *ret
= TAKE_PTR(rr
);
2085 if (ret_cache_flush
)
2086 *ret_cache_flush
= cache_flush
;
2088 *start
= rewinder
.saved_rindex
;
2089 CANCEL_REWINDER(rewinder
);
2094 static bool opt_is_good(DnsResourceRecord
*rr
, bool *rfc6975
) {
2096 bool found_dau_dhu_n3u
= false;
2099 /* Checks whether the specified OPT RR is well-formed and whether it contains RFC6975 data (which is not OK in
2103 assert(rr
->key
->type
== DNS_TYPE_OPT
);
2105 /* Check that the version is 0 */
2106 if (((rr
->ttl
>> 16) & UINT32_C(0xFF)) != 0) {
2108 return true; /* if it's not version 0, it's OK, but we will ignore the OPT field contents */
2112 l
= rr
->opt
.data_size
;
2114 uint16_t option_code
, option_length
;
2116 /* At least four bytes for OPTION-CODE and OPTION-LENGTH are required */
2120 option_code
= unaligned_read_be16(p
);
2121 option_length
= unaligned_read_be16(p
+ 2);
2123 if (l
< option_length
+ 4U)
2126 /* RFC 6975 DAU, DHU or N3U fields found. */
2127 if (IN_SET(option_code
, 5, 6, 7))
2128 found_dau_dhu_n3u
= true;
2130 p
+= option_length
+ 4U;
2131 l
-= option_length
+ 4U;
2134 *rfc6975
= found_dau_dhu_n3u
;
2138 static int dns_packet_extract_question(DnsPacket
*p
, DnsQuestion
**ret_question
) {
2139 _cleanup_(dns_question_unrefp
) DnsQuestion
*question
= NULL
;
2143 n
= DNS_PACKET_QDCOUNT(p
);
2145 question
= dns_question_new(n
);
2149 _cleanup_set_free_ Set
*keys
= NULL
; /* references to keys are kept by Question */
2151 keys
= set_new(&dns_resource_key_hash_ops
);
2155 r
= set_reserve(keys
, n
* 2); /* Higher multipliers give slightly higher efficiency through
2156 * hash collisions, but the gains quickly drop of after 2. */
2160 for (i
= 0; i
< n
; i
++) {
2161 _cleanup_(dns_resource_key_unrefp
) DnsResourceKey
*key
= NULL
;
2164 r
= dns_packet_read_key(p
, &key
, &cache_flush
, NULL
);
2171 if (!dns_type_is_valid_query(key
->type
))
2174 r
= set_put(keys
, key
);
2178 /* Already in the Question, let's skip */
2181 r
= dns_question_add_raw(question
, key
);
2187 *ret_question
= TAKE_PTR(question
);
2192 static int dns_packet_extract_answer(DnsPacket
*p
, DnsAnswer
**ret_answer
) {
2193 _cleanup_(dns_answer_unrefp
) DnsAnswer
*answer
= NULL
;
2195 _cleanup_(dns_resource_record_unrefp
) DnsResourceRecord
*previous
= NULL
;
2196 bool bad_opt
= false;
2199 n
= DNS_PACKET_RRCOUNT(p
);
2203 answer
= dns_answer_new(n
);
2207 for (i
= 0; i
< n
; i
++) {
2208 _cleanup_(dns_resource_record_unrefp
) DnsResourceRecord
*rr
= NULL
;
2209 bool cache_flush
= false;
2211 r
= dns_packet_read_rr(p
, &rr
, &cache_flush
, NULL
);
2215 /* Try to reduce memory usage a bit */
2217 dns_resource_key_reduce(&rr
->key
, &previous
->key
);
2219 if (rr
->key
->type
== DNS_TYPE_OPT
) {
2222 if (p
->opt
|| bad_opt
) {
2223 /* Multiple OPT RRs? if so, let's ignore all, because there's
2224 * something wrong with the server, and if one is valid we wouldn't
2225 * know which one. */
2226 log_debug("Multiple OPT RRs detected, ignoring all.");
2231 if (!dns_name_is_root(dns_resource_key_name(rr
->key
))) {
2232 /* If the OPT RR is not owned by the root domain, then it is bad,
2233 * let's ignore it. */
2234 log_debug("OPT RR is not owned by root domain, ignoring.");
2239 if (i
< DNS_PACKET_ANCOUNT(p
) + DNS_PACKET_NSCOUNT(p
)) {
2240 /* OPT RR is in the wrong section? Some Belkin routers do this. This
2241 * is a hint the EDNS implementation is borked, like the Belkin one
2242 * is, hence ignore it. */
2243 log_debug("OPT RR in wrong section, ignoring.");
2248 if (!opt_is_good(rr
, &has_rfc6975
)) {
2249 log_debug("Malformed OPT RR, ignoring.");
2254 if (DNS_PACKET_QR(p
)) {
2255 /* Additional checks for responses */
2257 if (!DNS_RESOURCE_RECORD_OPT_VERSION_SUPPORTED(rr
))
2258 /* If this is a reply and we don't know the EDNS version
2259 * then something is weird... */
2260 return log_debug_errno(SYNTHETIC_ERRNO(EBADMSG
),
2261 "EDNS version newer that our request, bad server.");
2264 /* If the OPT RR contains RFC6975 algorithm data, then this
2265 * is indication that the server just copied the OPT it got
2266 * from us (which contained that data) back into the reply.
2267 * If so, then it doesn't properly support EDNS, as RFC6975
2268 * makes it very clear that the algorithm data should only
2269 * be contained in questions, never in replies. Crappy
2270 * Belkin routers copy the OPT data for example, hence let's
2271 * detect this so that we downgrade early. */
2272 log_debug("OPT RR contains RFC6975 data, ignoring.");
2278 p
->opt
= dns_resource_record_ref(rr
);
2280 /* According to RFC 4795, section 2.9. only the RRs from the Answer section
2281 * shall be cached. Hence mark only those RRs as cacheable by default, but
2282 * not the ones from the Additional or Authority sections. */
2283 DnsAnswerFlags flags
=
2284 (i
< DNS_PACKET_ANCOUNT(p
) ? DNS_ANSWER_CACHEABLE
: 0) |
2285 (p
->protocol
== DNS_PROTOCOL_MDNS
&& !cache_flush
? DNS_ANSWER_SHARED_OWNER
: 0);
2287 r
= dns_answer_add(answer
, rr
, p
->ifindex
, flags
);
2292 /* Remember this RR, so that we potentically can merge it's ->key object with the
2293 * next RR. Note that we only do this if we actually decided to keep the RR around.
2295 dns_resource_record_unref(previous
);
2296 previous
= dns_resource_record_ref(rr
);
2300 p
->opt
= dns_resource_record_unref(p
->opt
);
2302 *ret_answer
= TAKE_PTR(answer
);
2307 int dns_packet_extract(DnsPacket
*p
) {
2308 _cleanup_(dns_question_unrefp
) DnsQuestion
*question
= NULL
;
2309 _cleanup_(dns_answer_unrefp
) DnsAnswer
*answer
= NULL
;
2310 _cleanup_(rewind_dns_packet
) DnsPacketRewinder rewinder
= {};
2316 INIT_REWINDER(rewinder
, p
);
2317 dns_packet_rewind(p
, DNS_PACKET_HEADER_SIZE
);
2319 r
= dns_packet_extract_question(p
, &question
);
2323 r
= dns_packet_extract_answer(p
, &answer
);
2327 p
->question
= TAKE_PTR(question
);
2328 p
->answer
= TAKE_PTR(answer
);
2330 p
->extracted
= true;
2332 /* no CANCEL, always rewind */
2336 int dns_packet_is_reply_for(DnsPacket
*p
, const DnsResourceKey
*key
) {
2342 /* Checks if the specified packet is a reply for the specified
2343 * key and the specified key is the only one in the question
2346 if (DNS_PACKET_QR(p
) != 1)
2349 /* Let's unpack the packet, if that hasn't happened yet. */
2350 r
= dns_packet_extract(p
);
2357 if (p
->question
->n_keys
!= 1)
2360 return dns_resource_key_equal(p
->question
->keys
[0], key
);
2363 static void dns_packet_hash_func(const DnsPacket
*s
, struct siphash
*state
) {
2366 siphash24_compress(&s
->size
, sizeof(s
->size
), state
);
2367 siphash24_compress(DNS_PACKET_DATA((DnsPacket
*) s
), s
->size
, state
);
2370 static int dns_packet_compare_func(const DnsPacket
*x
, const DnsPacket
*y
) {
2373 r
= CMP(x
->size
, y
->size
);
2377 return memcmp(DNS_PACKET_DATA((DnsPacket
*) x
), DNS_PACKET_DATA((DnsPacket
*) y
), x
->size
);
2380 DEFINE_HASH_OPS(dns_packet_hash_ops
, DnsPacket
, dns_packet_hash_func
, dns_packet_compare_func
);
2382 static const char* const dns_rcode_table
[_DNS_RCODE_MAX_DEFINED
] = {
2383 [DNS_RCODE_SUCCESS
] = "SUCCESS",
2384 [DNS_RCODE_FORMERR
] = "FORMERR",
2385 [DNS_RCODE_SERVFAIL
] = "SERVFAIL",
2386 [DNS_RCODE_NXDOMAIN
] = "NXDOMAIN",
2387 [DNS_RCODE_NOTIMP
] = "NOTIMP",
2388 [DNS_RCODE_REFUSED
] = "REFUSED",
2389 [DNS_RCODE_YXDOMAIN
] = "YXDOMAIN",
2390 [DNS_RCODE_YXRRSET
] = "YRRSET",
2391 [DNS_RCODE_NXRRSET
] = "NXRRSET",
2392 [DNS_RCODE_NOTAUTH
] = "NOTAUTH",
2393 [DNS_RCODE_NOTZONE
] = "NOTZONE",
2394 [DNS_RCODE_BADVERS
] = "BADVERS",
2395 [DNS_RCODE_BADKEY
] = "BADKEY",
2396 [DNS_RCODE_BADTIME
] = "BADTIME",
2397 [DNS_RCODE_BADMODE
] = "BADMODE",
2398 [DNS_RCODE_BADNAME
] = "BADNAME",
2399 [DNS_RCODE_BADALG
] = "BADALG",
2400 [DNS_RCODE_BADTRUNC
] = "BADTRUNC",
2401 [DNS_RCODE_BADCOOKIE
] = "BADCOOKIE",
2403 DEFINE_STRING_TABLE_LOOKUP(dns_rcode
, int);
2405 static const char* const dns_protocol_table
[_DNS_PROTOCOL_MAX
] = {
2406 [DNS_PROTOCOL_DNS
] = "dns",
2407 [DNS_PROTOCOL_MDNS
] = "mdns",
2408 [DNS_PROTOCOL_LLMNR
] = "llmnr",
2410 DEFINE_STRING_TABLE_LOOKUP(dns_protocol
, DnsProtocol
);