return sizeof(*priv) + regional_get_mem(priv->region);
}
+/** remove RR from msgparse RRset, return true if rrset is entirely bad */
+static int
+remove_rr(const char* str, ldns_buffer* pkt, struct rrset_parse* rrset,
+ struct rr_parse* prev, struct rr_parse** rr, struct sockaddr_storage* addr, socklen_t addrlen)
+{
+ if(verbosity >= VERB_QUERY && rrset->dname_len <= LDNS_MAX_DOMAINLEN) {
+ uint8_t buf[LDNS_MAX_DOMAINLEN+1];
+ dname_pkt_copy(pkt, buf, rrset->dname);
+ log_name_addr(VERB_QUERY, str, buf, addr, addrlen);
+ }
+ if(prev)
+ prev->next = (*rr)->next;
+ else rrset->rr_first = (*rr)->next;
+ if(rrset->rr_last == *rr)
+ rrset->rr_last = prev;
+ rrset->rr_count --;
+ rrset->size -= (*rr)->size;
+ (*rr) = (*rr)->next;
+ return rrset->rr_count == 0;
+}
+
int priv_rrset_bad(struct iter_priv* priv, ldns_buffer* pkt,
struct rrset_parse* rrset)
{
} else {
/* so its a public name, check the address */
socklen_t len;
- struct rr_parse* rr;
+ struct rr_parse* rr, *prev = NULL;
if(rrset->type == LDNS_RR_TYPE_A) {
struct sockaddr_storage addr;
struct sockaddr_in sa;
sa.sin_port = (in_port_t)htons(UNBOUND_DNS_PORT);
for(rr = rrset->rr_first; rr; rr = rr->next) {
if(ldns_read_uint16(rr->ttl_data+4)
- != INET_SIZE)
+ != INET_SIZE) {
+ prev = rr;
continue;
+ }
memmove(&sa.sin_addr, rr->ttl_data+4+2,
INET_SIZE);
memmove(&addr, &sa, len);
- if(priv_lookup_addr(priv, &addr, len))
- return 1;
+ if(priv_lookup_addr(priv, &addr, len)) {
+ if(remove_rr("sanitize: removing public name with private address", pkt, rrset, prev, &rr, &addr, len))
+ return 1;
+ continue;
+ }
+ prev = rr;
}
} else if(rrset->type == LDNS_RR_TYPE_AAAA) {
struct sockaddr_storage addr;
sa.sin6_port = (in_port_t)htons(UNBOUND_DNS_PORT);
for(rr = rrset->rr_first; rr; rr = rr->next) {
if(ldns_read_uint16(rr->ttl_data+4)
- != INET6_SIZE)
+ != INET6_SIZE) {
+ prev = rr;
continue;
+ }
memmove(&sa.sin6_addr, rr->ttl_data+4+2,
INET6_SIZE);
memmove(&addr, &sa, len);
- if(priv_lookup_addr(priv, &addr, len))
- return 1;
+ if(priv_lookup_addr(priv, &addr, len)) {
+ if(remove_rr("sanitize: removing public name with private address", pkt, rrset, prev, &rr, &addr, len))
+ return 1;
+ continue;
+ }
+ prev = rr;
}
}
}
remove_rrset(const char* str, ldns_buffer* pkt, struct msg_parse* msg,
struct rrset_parse* prev, struct rrset_parse** rrset)
{
- if(verbosity >= VERB_QUERY
+ if(verbosity >= VERB_QUERY && str
&& (*rrset)->dname_len <= LDNS_MAX_DOMAINLEN) {
uint8_t buf[LDNS_MAX_DOMAINLEN+1];
dname_pkt_copy(pkt, buf, (*rrset)->dname);
/* remove private addresses */
if( (rrset->type == LDNS_RR_TYPE_A ||
- rrset->type == LDNS_RR_TYPE_AAAA) &&
- priv_rrset_bad(ie->priv, pkt, rrset)) {
+ rrset->type == LDNS_RR_TYPE_AAAA)) {
/* do not set servfail since this leads to too
* many drops of other people using rfc1918 space */
- remove_rrset("sanitize: removing public name with "
- "private address", pkt, msg, prev, &rrset);
- continue;
+ /* also do not remove entire rrset, unless all records
+ * in it are bad */
+ if(priv_rrset_bad(ie->priv, pkt, rrset)) {
+ remove_rrset(NULL, pkt, msg, prev, &rrset);
+ continue;
+ }
}
/* skip DNAME records -- they will always be followed by a
SECTION ADDITIONAL
ns.example.com. IN A 1.2.3.4
ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR NOERROR
+SECTION QUESTION
+toss.example.com. IN A
+SECTION ANSWER
+toss.example.com. IN A 10.20.30.40
+toss.example.com. IN A 1.2.3.4
+SECTION AUTHORITY
+example.com. IN NS ns.example.com.
+SECTION ADDITIONAL
+ns.example.com. IN A 1.2.3.4
+ENTRY_END
RANGE_END
; public address is not scrubbed
mail.example.net. IN A 10.20.30.40
ENTRY_END
+; rest of RRset intact, only 10/8 tossed away.
+STEP 60 QUERY
+ENTRY_BEGIN
+REPLY RD
+SECTION QUESTION
+toss.example.com. IN A
+ENTRY_END
+
+STEP 70 CHECK_ANSWER
+ENTRY_BEGIN
+MATCH all
+REPLY QR RD RA NOERROR
+SECTION QUESTION
+toss.example.com. IN A
+SECTION ANSWER
+; toss.example.com. IN A 10.20.30.40
+toss.example.com. IN A 1.2.3.4
+SECTION AUTHORITY
+example.com. IN NS ns.example.com.
+SECTION ADDITIONAL
+ns.example.com. IN A 1.2.3.4
+ENTRY_END
+
SCENARIO_END
projects / thirdparty / unbound.git / commitdiff
