From b043bc5eb4150e755027d17d62596dbee17fd346 Mon Sep 17 00:00:00 2001
From: "W.C.A. Wijngaards"
Date: Thu, 6 Oct 2022 10:01:09 +0200
Subject: [PATCH] - Fix to stop responses with TC flag from resulting in partial responses. It retries to fetch the data elsewhere, or fails the query and in depth fix removes the TC flag from the cached item.

---
 doc/Changelog | 5 +++
 iterator/iter_resptype.c | 6 +++-
 iterator/iterator.c | 4 +--
 testdata/iter_auth_tc.rpl | 35 ++++++++++++++------
 testdata/stub_auth_tc.tdir/stub_auth_tc.test | 2 +-
 5 files changed, 38 insertions(+), 14 deletions(-)

diff --git a/doc/Changelog b/doc/Changelog
index 20d3c05c9..61a10f9a5 100644
--- a/doc/Changelog
+++ b/doc/Changelog
@@ -1,3 +1,8 @@
+6 October 2022: Wouter
+	- Fix to stop responses with TC flag from resulting in partial
+	responses. It retries to fetch the data elsewhere, or fails the
+	query and in depth fix removes the TC flag from the cached item.
+
 5 October 2022: Wouter
 	- Fix dnscrypt compile for proxy protocol code changes.
 
diff --git a/iterator/iter_resptype.c b/iterator/iter_resptype.c
index f146a2b6b..c2b824a0f 100644
--- a/iterator/iter_resptype.c
+++ b/iterator/iter_resptype.c
@@ -113,7 +113,11 @@ response_type_from_server(int rdset,
 
 	if(!msg || !request)
 		return RESPONSE_TYPE_THROWAWAY;
-
+	/* If the TC flag is set, the response is incomplete. Too large to
+	 * fit even in TCP or so. Discard it, it cannot be retrieved here. */
+	if((msg->rep->flags & BIT_TC))
+		return RESPONSE_TYPE_THROWAWAY;
+
 	/* If the message is NXDOMAIN, then it answers the question. */
 	if(FLAGS_GET_RCODE(msg->rep->flags) == LDNS_RCODE_NXDOMAIN) {
 		/* make sure its not recursive when we don't want it to */
diff --git a/iterator/iterator.c b/iterator/iterator.c
index 2d676b1df..2f3ad06fe 100644
--- a/iterator/iterator.c
+++ b/iterator/iterator.c
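Review bot: The new TC guard in response_type_from_server runs before any rcode or section classification, so a truncated reply can no longer be typed as an answer or referral and end up cached with a partial answer section, but the added comment does not say why a TC reply is simply dropped here instead of being retried over TCP, which is presumably done by the network layer before the iterator sees the reply. Suggest extending the comment to `/* A UDP reply with TC is expected to have been retried over TCP before it reaches the iterator (confirm in the network layer); a TC reply that still arrives is unrecoverable from this server, so throw it away rather than classify a partial answer. */`. The doubled parentheses in `if((msg->rep->flags & BIT_TC))` are not needed since there is no assignment inside; `if(msg->rep->flags & BIT_TC)` matches the NXDOMAIN check that follows. The body of response_type_from_server continues past the hunk.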
@@ -2907,6 +2907,8 @@ processQueryResponse(struct module_qstate* qstate, struct iter_qstate* iq,
 		(int)((iq->chase_flags&BIT_RD) || iq->chase_to_rd),
 		iq->response, &iq->qinfo_out, iq->dp);
 	iq->chase_to_rd = 0;
+	/* remove TC flag, if this is erroneously set by TCP upstream */
+	iq->response->rep->flags &= ~BIT_TC;
 	if(type == RESPONSE_TYPE_REFERRAL && (iq->chase_flags&BIT_RD) &&
 		!iq->auth_zone_response) {
 		/* When forwarding (RD bit is set), we handle referrals
@@ -4027,8 +4029,6 @@ process_response(struct module_qstate* qstate, struct iter_qstate* iq,
 
 	/* remove CD-bit, we asked for in case we handle validation ourself */
 	prs->flags &= ~BIT_CD;
-	/* remove TC flag, if this is erroneously set by TCP upstream */
-	prs->flags &= ~BIT_TC;
 
 	/* normalize and sanitize: easy to delete items from linked lists */
 	if(!scrub_message(pkt, prs, &iq->qinfo_out, iq->dp->name,
diff --git a/testdata/iter_auth_tc.rpl b/testdata/iter_auth_tc.rpl
index 2136ca8b0..417807724 100644
--- a/testdata/iter_auth_tc.rpl
+++ b/testdata/iter_auth_tc.rpl
@@ -55,11 +55,11 @@ a.gtld-servers.net. IN A 192.5.6.30
 ENTRY_END
 
 ENTRY_BEGIN
-MATCH opcode qtype qname
-ADJUST copy_id
+MATCH opcode subdomain
+ADJUST copy_id copy_query
 REPLY QR NOERROR
 SECTION QUESTION
-www.example.com. IN A
+example.com. IN NS
 SECTION AUTHORITY
 example.com. IN NS ns.example.com.
 SECTION ADDITIONAL
@@ -82,6 +82,27 @@ SECTION ADDITIONAL
 ns.example.com. IN A 1.2.3.4
 ENTRY_END
 
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR AA NOERROR
+SECTION QUESTION
+ns.example.com. IN A
+SECTION ANSWER
+ns.example.com. IN A 1.2.3.4
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR AA NOERROR
+SECTION QUESTION
+ns.example.com. IN AAAA
+SECTION ANSWER
+SECTION AUTHORITY
+example.com. IN NS ns.example.com.
+ENTRY_END
+
 ENTRY_BEGIN
 MATCH opcode qtype qname
 ADJUST copy_id
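Review bot: The comment carried over to the new location, `/* remove TC flag, if this is erroneously set by TCP upstream */`, no longer describes the behaviour: response_type_from_server now returns RESPONSE_TYPE_THROWAWAY for any reply with TC set, so after the call whose arguments form the preceding context lines the clear only runs on a reply that is about to be discarded or on one that never had TC, and an "erroneously set" bit is rejected rather than tolerated, as far as the hunk shows. The relocation is what makes that rejection possible, because the clear removed at the second hunk (process_response, `prs->flags &= ~BIT_TC;`) used to hide the bit before the reply was classified, and a future reader could easily move it back. Suggest replacing the comment with `/* TC replies were thrown away by response_type_from_server above; clear the bit defensively so nothing stored in the cache carries TC. Do not clear it earlier (e.g. in process_response) or the throwaway check cannot see it. */`. processQueryResponse starts and ends outside the hunk.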
@@ -109,15 +130,9 @@ ENTRY_END
 STEP 10 CHECK_ANSWER
 ENTRY_BEGIN
 MATCH all
-REPLY QR RD RA NOERROR
+REPLY QR RD RA SERVFAIL
 SECTION QUESTION
 www.example.com. IN A
-SECTION ANSWER
-www.example.com. IN A 10.20.30.40
-SECTION AUTHORITY
-example.com. IN NS ns.example.com.
-SECTION ADDITIONAL
-ns.example.com. IN A 1.2.3.4
 ENTRY_END
 
 SCENARIO_END
diff --git a/testdata/stub_auth_tc.tdir/stub_auth_tc.test b/testdata/stub_auth_tc.tdir/stub_auth_tc.test
index 2d3df5365..7b7440274 100644
--- a/testdata/stub_auth_tc.tdir/stub_auth_tc.test
+++ b/testdata/stub_auth_tc.tdir/stub_auth_tc.test
@@ -12,7 +12,7 @@ echo "> cat logfiles"
 cat fwd.log
 cat unbound.log
 echo "> check answer"
-if grep "10.20.30.42" outfile; then
+if grep "SERVFAIL" outfile; then
 	echo "OK"
 else
 	echo "Not OK"

-- 
2.47.3
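Review bot: The scenario now asserts only the failure half of the fix: with ns.example.com as the single nameserver for example.com (presumably the one that answers www.example.com with TC; that entry is outside the hunk), the expected result at STEP 10 becomes SERVFAIL, while nothing exercises the retry path the commit message describes. Consider a companion CHECK_ANSWER in which a second NS for example.com returns a complete reply and the A record is expected, so that a regression turning every TC reply into an immediate SERVFAIL would be caught. The same gap applies to the stub_auth_tc.test change below, whose `grep "SERVFAIL" outfile` only confirms the negative outcome.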