/* SPDX-License-Identifier: LGPL-2.1-or-later */
#if HAVE_GCRYPT
-#include <gcrypt.h>
+# include <gcrypt.h>
#endif
#include "alloc-util.h"
#include "memory-util.h"
#include "resolved-dns-packet.h"
#include "set.h"
+#include "stdio-util.h"
#include "string-table.h"
#include "strv.h"
#include "unaligned.h"
#include "utf8.h"
-#include "util.h"
#define EDNS0_OPT_DO (1<<15)
dns_packet_rewind(rewinder->packet, rewinder->saved_rindex);
}
-#define INIT_REWINDER(rewinder, p) do { rewinder.packet = p; rewinder.saved_rindex = p->rindex; } while (0)
-#define CANCEL_REWINDER(rewinder) do { rewinder.packet = NULL; } while (0)
+#define REWINDER_INIT(p) { \
+ .packet = (p), \
+ .saved_rindex = (p)->rindex, \
+ }
+#define CANCEL_REWINDER(rewinder) do { (rewinder).packet = NULL; } while (0)
int dns_packet_new(
DnsPacket **ret,
h = DNS_PACKET_HEADER(p);
- switch(p->protocol) {
+ switch (p->protocol) {
case DNS_PROTOCOL_LLMNR:
assert(!truncated);
if (DNS_PACKET_OPCODE(p) != 0)
return -EBADMSG;
- if (DNS_PACKET_TC(p))
- return -EBADMSG;
-
switch (p->protocol) {
case DNS_PROTOCOL_LLMNR:
case DNS_PROTOCOL_DNS:
+ if (DNS_PACKET_TC(p)) /* mDNS query may have truncation flag. */
+ return -EBADMSG;
+
/* RFC 4795, Section 2.1.1. says to discard all queries with QDCOUNT != 1 */
if (DNS_PACKET_QDCOUNT(p) != 1)
return -EBADMSG;
*(w++) = (uint8_t) l;
- if (p->canonical_form && canonical_candidate) {
- size_t i;
-
+ if (p->canonical_form && canonical_candidate)
/* Generate in canonical form, as defined by DNSSEC
* RFC 4034, Section 6.2, i.e. all lower-case. */
-
- for (i = 0; i < l; i++)
+ for (size_t i = 0; i < l; i++)
w[i] = (uint8_t) ascii_tolower(d[i]);
- } else
+ else
/* Otherwise, just copy the string unaltered. This is
* essential for DNS-SD, where the casing of labels
* matters and needs to be retained. */
while (!dns_name_is_root(name)) {
const char *z = name;
- char label[DNS_LABEL_MAX];
+ char label[DNS_LABEL_MAX+1];
size_t n = 0;
if (allow_compression)
static const uint8_t rfc6975[] = {
0, 5, /* OPTION_CODE: DAU */
-#if HAVE_GCRYPT && GCRYPT_VERSION_NUMBER >= 0x010600
+#if PREFER_OPENSSL || (HAVE_GCRYPT && GCRYPT_VERSION_NUMBER >= 0x010600)
0, 7, /* LIST_LENGTH */
#else
0, 6, /* LIST_LENGTH */
DNSSEC_ALGORITHM_RSASHA512,
DNSSEC_ALGORITHM_ECDSAP256SHA256,
DNSSEC_ALGORITHM_ECDSAP384SHA384,
-#if HAVE_GCRYPT && GCRYPT_VERSION_NUMBER >= 0x010600
+#if PREFER_OPENSSL || (HAVE_GCRYPT && GCRYPT_VERSION_NUMBER >= 0x010600)
DNSSEC_ALGORITHM_ED25519,
#endif
if (r < 0)
goto fail;
- /* RFC 2782 states "Unless and until permitted by future standards
- * action, name compression is not to be used for this field." */
- r = dns_packet_append_name(p, rr->srv.name, false, true, NULL);
+ /* RFC 2782 states "Unless and until permitted by future standards action, name compression
+ * is not to be used for this field." Hence we turn off compression here. */
+ r = dns_packet_append_name(p, rr->srv.name, /* allow_compression= */ false, /* canonical_candidate= */ true, NULL);
break;
case DNS_TYPE_PTR:
r = dns_packet_append_raw_string(p, NULL, 0, NULL);
if (r < 0)
goto fail;
- } else {
- DnsTxtItem *i;
-
+ } else
LIST_FOREACH(items, i, rr->txt.items) {
r = dns_packet_append_raw_string(p, i->data, i->length, NULL);
if (r < 0)
goto fail;
}
- }
r = 0;
break;
int dns_packet_read(DnsPacket *p, size_t sz, const void **ret, size_t *start) {
assert(p);
+ assert(p->rindex <= p->size);
- if (p->rindex + sz > p->size)
+ if (sz > p->size - p->rindex)
return -EMSGSIZE;
if (ret)
}
int dns_packet_read_string(DnsPacket *p, char **ret, size_t *start) {
- _cleanup_(rewind_dns_packet) DnsPacketRewinder rewinder;
+ _cleanup_(rewind_dns_packet) DnsPacketRewinder rewinder = REWINDER_INIT(p);
+ _cleanup_free_ char *t = NULL;
const void *d;
- char *t;
uint8_t c;
int r;
assert(p);
- INIT_REWINDER(rewinder, p);
r = dns_packet_read_uint8(p, &c, NULL);
if (r < 0)
if (r < 0)
return r;
- if (memchr(d, 0, c))
- return -EBADMSG;
-
- t = strndup(d, c);
- if (!t)
- return -ENOMEM;
+ r = make_cstring(d, c, MAKE_CSTRING_REFUSE_TRAILING_NUL, &t);
+ if (r < 0)
+ return r;
- if (!utf8_is_valid(t)) {
- free(t);
+ if (!utf8_is_valid(t))
return -EBADMSG;
- }
- *ret = t;
+ *ret = TAKE_PTR(t);
if (start)
*start = rewinder.saved_rindex;
}
int dns_packet_read_raw_string(DnsPacket *p, const void **ret, size_t *size, size_t *start) {
- _cleanup_(rewind_dns_packet) DnsPacketRewinder rewinder;
+ assert(p);
+
+ _cleanup_(rewind_dns_packet) DnsPacketRewinder rewinder = REWINDER_INIT(p);
uint8_t c;
int r;
- assert(p);
- INIT_REWINDER(rewinder, p);
-
r = dns_packet_read_uint8(p, &c, NULL);
if (r < 0)
return r;
bool allow_compression,
size_t *ret_start) {
- _cleanup_(rewind_dns_packet) DnsPacketRewinder rewinder;
- size_t after_rindex = 0, jump_barrier;
+ assert(p);
+
+ _cleanup_(rewind_dns_packet) DnsPacketRewinder rewinder = REWINDER_INIT(p);
+ size_t after_rindex = 0, jump_barrier = p->rindex;
_cleanup_free_ char *name = NULL;
bool first = true;
size_t n = 0;
int r;
- assert(p);
-
- INIT_REWINDER(rewinder, p);
- jump_barrier = p->rindex;
-
if (p->refuse_compression)
allow_compression = false;
}
static int dns_packet_read_type_window(DnsPacket *p, Bitmap **types, size_t *start) {
- uint8_t window;
- uint8_t length;
+ assert(p);
+ assert(types);
+
+ _cleanup_(rewind_dns_packet) DnsPacketRewinder rewinder = REWINDER_INIT(p);
+ uint8_t window, length;
const uint8_t *bitmap;
uint8_t bit = 0;
- unsigned i;
bool found = false;
- _cleanup_(rewind_dns_packet) DnsPacketRewinder rewinder;
int r;
- assert(p);
- assert(types);
- INIT_REWINDER(rewinder, p);
-
r = bitmap_ensure_allocated(types);
if (r < 0)
return r;
if (r < 0)
return r;
- for (i = 0; i < length; i++) {
+ for (uint8_t i = 0; i < length; i++) {
uint8_t bitmask = 1 << 7;
if (!bitmap[i]) {
}
static int dns_packet_read_type_windows(DnsPacket *p, Bitmap **types, size_t size, size_t *start) {
- _cleanup_(rewind_dns_packet) DnsPacketRewinder rewinder;
+ _cleanup_(rewind_dns_packet) DnsPacketRewinder rewinder = REWINDER_INIT(p);
int r;
- INIT_REWINDER(rewinder, p);
-
- while (p->rindex < rewinder.saved_rindex + size) {
+ while (p->rindex - rewinder.saved_rindex < size) {
r = dns_packet_read_type_window(p, types, NULL);
if (r < 0)
return r;
+ assert(p->rindex >= rewinder.saved_rindex);
+
/* don't read past end of current RR */
- if (p->rindex > rewinder.saved_rindex + size)
+ if (p->rindex - rewinder.saved_rindex > size)
return -EBADMSG;
}
- if (p->rindex != rewinder.saved_rindex + size)
+ if (p->rindex - rewinder.saved_rindex != size)
return -EBADMSG;
if (start)
bool *ret_cache_flush_or_qu,
size_t *ret_start) {
- _cleanup_(rewind_dns_packet) DnsPacketRewinder rewinder;
+ assert(p);
+
+ _cleanup_(rewind_dns_packet) DnsPacketRewinder rewinder = REWINDER_INIT(p);
_cleanup_free_ char *name = NULL;
bool cache_flush_or_qu = false;
uint16_t class, type;
int r;
- assert(p);
- INIT_REWINDER(rewinder, p);
-
r = dns_packet_read_name(p, &name, true, NULL);
if (r < 0)
return r;
bool *ret_cache_flush,
size_t *ret_start) {
+ assert(p);
+
+ _cleanup_(rewind_dns_packet) DnsPacketRewinder rewinder = REWINDER_INIT(p);
_cleanup_(dns_resource_record_unrefp) DnsResourceRecord *rr = NULL;
_cleanup_(dns_resource_key_unrefp) DnsResourceKey *key = NULL;
- _cleanup_(rewind_dns_packet) DnsPacketRewinder rewinder;
size_t offset;
uint16_t rdlength;
bool cache_flush;
int r;
- assert(p);
-
- INIT_REWINDER(rewinder, p);
-
r = dns_packet_read_key(p, &key, &cache_flush, NULL);
if (r < 0)
return r;
if (r < 0)
return r;
- if (p->rindex + rdlength > p->size)
+ if (rdlength > p->size - p->rindex)
return -EBADMSG;
offset = p->rindex;
r = dns_packet_read_uint16(p, &rr->srv.port, NULL);
if (r < 0)
return r;
- r = dns_packet_read_name(p, &rr->srv.name, true, NULL);
+
+ /* RFC 2782 states "Unless and until permitted by future standards action, name compression
+ * is not to be used for this field." Nonetheless, we support it here, in the interest of
+ * increasing compatibility with implementations that do not implement this correctly. After
+ * all we didn't do this right once upon a time ourselves (see
+ * https://github.com/systemd/systemd/issues/9793). */
+ r = dns_packet_read_name(p, &rr->srv.name, /* allow_compression= */ true, NULL);
break;
case DNS_TYPE_PTR:
} else {
DnsTxtItem *last = NULL;
- while (p->rindex < offset + rdlength) {
+ while (p->rindex - offset < rdlength) {
DnsTxtItem *i;
const void *data;
size_t sz;
if (r < 0)
return r;
- if (rdlength + offset < p->rindex)
+ if (rdlength < p->rindex - offset)
return -EBADMSG;
r = dns_packet_read_memdup(p, offset + rdlength - p->rindex,
if (r < 0)
return r;
+ if (rdlength < p->rindex - offset)
+ return -EBADMSG;
+
r = dns_packet_read_type_windows(p, &rr->nsec.types, offset + rdlength - p->rindex, NULL);
/* We accept empty NSEC bitmaps. The bit indicating the presence of the NSEC record itself
if (r < 0)
return r;
+ if (rdlength < p->rindex - offset)
+ return -EBADMSG;
+
r = dns_packet_read_type_windows(p, &rr->nsec3.types, offset + rdlength - p->rindex, NULL);
/* empty non-terminals can have NSEC3 records, so empty bitmaps are allowed */
if (r < 0)
return r;
- if (rdlength + offset < p->rindex)
+ if (rdlength < p->rindex - offset)
return -EBADMSG;
r = dns_packet_read_memdup(p,
}
if (r < 0)
return r;
- if (p->rindex != offset + rdlength)
+ if (p->rindex - offset != rdlength)
return -EBADMSG;
if (ret)
static int dns_packet_extract_question(DnsPacket *p, DnsQuestion **ret_question) {
_cleanup_(dns_question_unrefp) DnsQuestion *question = NULL;
- unsigned n, i;
+ unsigned n;
int r;
n = DNS_PACKET_QDCOUNT(p);
if (r < 0)
return r;
- for (i = 0; i < n; i++) {
+ for (unsigned i = 0; i < n; i++) {
_cleanup_(dns_resource_key_unrefp) DnsResourceKey *key = NULL;
bool qu;
static int dns_packet_extract_answer(DnsPacket *p, DnsAnswer **ret_answer) {
_cleanup_(dns_answer_unrefp) DnsAnswer *answer = NULL;
- unsigned n, i;
+ unsigned n;
_cleanup_(dns_resource_record_unrefp) DnsResourceRecord *previous = NULL;
bool bad_opt = false;
int r;
if (!answer)
return -ENOMEM;
- for (i = 0; i < n; i++) {
+ for (unsigned i = 0; i < n; i++) {
_cleanup_(dns_resource_record_unrefp) DnsResourceRecord *rr = NULL;
bool cache_flush = false;
size_t start;
} else {
DnsAnswerFlags flags = 0;
- if (p->protocol == DNS_PROTOCOL_MDNS && !cache_flush)
- flags |= DNS_ANSWER_SHARED_OWNER;
+ if (p->protocol == DNS_PROTOCOL_MDNS) {
+ flags |= DNS_ANSWER_REFUSE_TTL_NO_MATCH;
+ if (!cache_flush)
+ flags |= DNS_ANSWER_SHARED_OWNER;
+ }
/* According to RFC 4795, section 2.9. only the RRs from the Answer section shall be
* cached. Hence mark only those RRs as cacheable by default, but not the ones from
- * the Additional or Authority sections. */
+ * the Additional or Authority sections.
+ * This restriction does not apply to mDNS records (RFC 6762). */
if (i < DNS_PACKET_ANCOUNT(p))
flags |= DNS_ANSWER_CACHEABLE|DNS_ANSWER_SECTION_ANSWER;
else if (i < DNS_PACKET_ANCOUNT(p) + DNS_PACKET_NSCOUNT(p))
flags |= DNS_ANSWER_SECTION_AUTHORITY;
- else
+ else {
flags |= DNS_ANSWER_SECTION_ADDITIONAL;
+ if (p->protocol == DNS_PROTOCOL_MDNS)
+ flags |= DNS_ANSWER_CACHEABLE;
+ }
r = dns_answer_add(answer, rr, p->ifindex, flags, NULL);
if (r < 0)
/* Remember this RR, so that we can potentially merge its ->key object with the
* next RR. Note that we only do this if we actually decided to keep the RR around.
*/
- dns_resource_record_unref(previous);
- previous = dns_resource_record_ref(rr);
+ DNS_RR_REPLACE(previous, dns_resource_record_ref(rr));
}
if (bad_opt) {
}
int dns_packet_extract(DnsPacket *p) {
- _cleanup_(dns_question_unrefp) DnsQuestion *question = NULL;
- _cleanup_(dns_answer_unrefp) DnsAnswer *answer = NULL;
- _cleanup_(rewind_dns_packet) DnsPacketRewinder rewinder = {};
- int r;
+ assert(p);
if (p->extracted)
return 0;
- INIT_REWINDER(rewinder, p);
+ _cleanup_(dns_question_unrefp) DnsQuestion *question = NULL;
+ _cleanup_(dns_answer_unrefp) DnsAnswer *answer = NULL;
+ _unused_ _cleanup_(rewind_dns_packet) DnsPacketRewinder rewinder = REWINDER_INIT(p);
+ int r;
+
dns_packet_rewind(p, DNS_PACKET_HEADER_SIZE);
r = dns_packet_extract_question(p, &question);
p->question = TAKE_PTR(question);
p->answer = TAKE_PTR(answer);
-
p->extracted = true;
/* no CANCEL, always rewind */
}
static int patch_rr(DnsPacket *p, usec_t age) {
- _cleanup_(rewind_dns_packet) DnsPacketRewinder rewinder;
+ _cleanup_(rewind_dns_packet) DnsPacketRewinder rewinder = REWINDER_INIT(p);
size_t ttl_index;
uint32_t ttl;
uint16_t type, rdlength;
int r;
- INIT_REWINDER(rewinder, p);
-
/* Patches the RR at the current rindex, subtracts the specified time from the TTL */
r = dns_packet_read_name(p, NULL, true, NULL);
}
int dns_packet_patch_ttls(DnsPacket *p, usec_t timestamp) {
- _cleanup_(rewind_dns_packet) DnsPacketRewinder rewinder = {};
- unsigned i, n;
- usec_t k;
- int r;
-
assert(p);
assert(timestamp_is_set(timestamp));
/* Adjusts all TTLs in the packet by subtracting the time difference between now and the specified timestamp */
- k = now(clock_boottime_or_monotonic());
+ _unused_ _cleanup_(rewind_dns_packet) DnsPacketRewinder rewinder = REWINDER_INIT(p);
+ unsigned n;
+ usec_t k;
+ int r;
+
+ k = now(CLOCK_BOOTTIME);
assert(k >= timestamp);
k -= timestamp;
- INIT_REWINDER(rewinder, p);
-
dns_packet_rewind(p, DNS_PACKET_HEADER_SIZE);
n = DNS_PACKET_QDCOUNT(p);
- for (i = 0; i < n; i++) {
+ for (unsigned i = 0; i < n; i++) {
r = dns_packet_read_key(p, NULL, NULL, NULL);
if (r < 0)
return r;
}
n = DNS_PACKET_RRCOUNT(p);
- for (i = 0; i < n; i++) {
+ for (unsigned i = 0; i < n; i++) {
/* DNS servers suck, hence the RR count is in many servers off. If we reached the end
* prematurely, accept that, exit early */
};
DEFINE_STRING_TABLE_LOOKUP(dns_rcode, int);
+const char *format_dns_rcode(int i, char buf[static DECIMAL_STR_MAX(int)]) {
+ const char *p = dns_rcode_to_string(i);
+ if (p)
+ return p;
+
+ return snprintf_ok(buf, DECIMAL_STR_MAX(int), "%i", i);
+}
+
static const char* const dns_protocol_table[_DNS_PROTOCOL_MAX] = {
[DNS_PROTOCOL_DNS] = "dns",
[DNS_PROTOCOL_MDNS] = "mdns",