From: Ralph Dolmans Date: Wed, 12 Apr 2017 13:12:21 +0000 (+0000) Subject: - Fix #1249: unbound doesn't return FORMERR to bogus ECS. X-Git-Tag: release-1.6.2rc1~4 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=1c02193ddba690d40cf67d35f1fb46873adcc0d5;p=thirdparty%2Funbound.git - Fix #1249: unbound doesn't return FORMERR to bogus ECS. git-svn-id: file:///svn/unbound/trunk@4110 be551aaa-1e26-0410-a405-d3ace91eadb9 --- diff --git a/doc/Changelog b/doc/Changelog index 79aa018e1..0b09222b1 100644 --- a/doc/Changelog +++ b/doc/Changelog @@ -2,6 +2,7 @@ - Fix #1247: unbound does not shorten source prefix length when forwarding ECS. - Properly check for allocation failure in local_data_find_tag_datas. + - Fix #1249: unbound doesn't return FORMERR to bogus ECS. 11 April 2017: Ralph - Display ECS module memory usage. diff --git a/edns-subnet/subnetmod.c b/edns-subnet/subnetmod.c index 5afbd2fc5..4008004e4 100644 --- a/edns-subnet/subnetmod.c +++ b/edns-subnet/subnetmod.c @@ -661,9 +661,14 @@ subnetmod_operate(struct module_qstate *qstate, enum module_ev event, if((ecs_opt = edns_opt_list_find( qstate->edns_opts_front_in, qstate->env->cfg->client_subnet_opcode))) { - if(parse_subnet_option(ecs_opt, &sq->ecs_client_in)) { - sq->subnet_downstream = 1; + if(!parse_subnet_option(ecs_opt, &sq->ecs_client_in)) { + /* Wrongly formatted ECS option. RFC mandates to + * return FORMERROR. */ + qstate->return_rcode = LDNS_RCODE_FORMERR; + qstate->ext_state[id] = module_finished; + return; } + sq->subnet_downstream = 1; } else if(qstate->mesh_info->reply_list) { subnet_option_from_ss(
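Review bot: In the edns-subnet/subnetmod.c hunk, the new failure branch in subnetmod_operate sets `qstate->return_rcode = LDNS_RCODE_FORMERR` and returns without logging anything, so an operator who sees FORMERR replies has no indication that a malformed ECS option from the client caused them. Consider emitting a log line at a high verbosity level just before the `return;`. The added comment says "RFC mandates" without a number and spells the rcode "FORMERROR"; naming the document (RFC 7871 for EDNS Client Subnet) and writing FORMERR to match the constant would make the claim easier to check. No test input with a malformed option is visible in this diff, so a regression case for #1249 would be worth adding alongside it.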