- Fix for #1079: fix RPZ taglist in iterator callback that no client
authorW.C.A. Wijngaards <wouter@nlnetlabs.nl>
Thu, 30 May 2024 10:44:26 +0000 (12:44 +0200)
committerW.C.A. Wijngaards <wouter@nlnetlabs.nl>
Thu, 30 May 2024 10:44:26 +0000 (12:44 +0200)
  info is like no taglist intersection.

doc/Changelog
services/rpz.c
testdata/rpz_cname_tag.rpl

index eeb3f740e8b27ebe4a3cb9691a4610be70bf8a84..5f3e8d4feb7f2d1dd4b80912160437fc652d073f 100644 (file)
@@ -1,6 +1,8 @@
 30 May 2024: Wouter
        - Fix #1079: tags from tagged rpz zones are no longer honored after
          upgrade from 1.19.3 to 1.20.0.
+       - Fix for #1079: fix RPZ taglist in iterator callback that no client
+         info is like no taglist intersection.
 
 29 May 2024: Wouter
        - Merge #1078: Only check old pid if no username.
index 177d86e02173cf0f78de119004a83817dc9721db..1223f677107d75a49bffe32c0329266cd43e3d49 100644 (file)
@@ -2453,10 +2453,10 @@ rpz_callback_from_iterator_module(struct module_qstate* ms, struct iter_qstate*
                        lock_rw_unlock(&a->lock);
                        continue;
                }
-               if(r->taglist && ms->client_info &&
+               if(r->taglist && (!ms->client_info ||
                        !taglist_intersect(r->taglist, r->taglistlen,
                                ms->client_info->taglist,
-                               ms->client_info->taglen)) {
+                               ms->client_info->taglen))) {
                        lock_rw_unlock(&a->lock);
                        continue;
                }
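Review bot: The new `!ms->client_info ||` arm makes a policy decision that is not explained at the site: a query that carries no client info now skips every RPZ zone that has a taglist, so a tagged zone used as a blocklist is not applied to it. A short comment above the `if` would record that this is intended, for example `/* no client info is treated like no tag intersection: skip the tagged zone */`. The same four-line condition is repeated in the second hunk, in rpz_callback_from_iterator_cname, and the Changelog entry for the same day suggests another taglist check was already corrected separately for #1079. A small static helper taking `r` and `ms` would keep these sites from drifting apart again. Both loop bodies start and end outside the hunks shown.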
@@ -2518,10 +2518,10 @@ struct dns_msg* rpz_callback_from_iterator_cname(struct module_qstate* ms,
                        lock_rw_unlock(&a->lock);
                        continue;
                }
-               if(r->taglist && ms->client_info &&
+               if(r->taglist && (!ms->client_info ||
                        !taglist_intersect(r->taglist, r->taglistlen,
                                ms->client_info->taglist,
-                               ms->client_info->taglen)) {
+                               ms->client_info->taglen))) {
                        lock_rw_unlock(&a->lock);
                        continue;
                }
index a545ef18c6832e1abef32c515eac15e3a9e68491..fb782b685ac7ce965b84c00a457cbb869c9559ea 100644 (file)
@@ -4,9 +4,11 @@ server:
        target-fetch-policy: "0 0 0 0 0"
        qname-minimisation: no
        access-control: 192.0.0.0/8 allow
+       access-control: 193.0.0.0/8 allow
        define-tag: "internal server"
        access-control-tag: 192.0.0.0/8 "internal"
        access-control-tag: 127.0.0.0/8 "server"
+       ; 193.0.0.0/8 has no tags
 
 rpz:
        name: "rpz.example.com."
@@ -34,6 +36,7 @@ g4b.target.a CNAME g4c.target.a.
 g4c.target.a A 1.2.3.64
 ; server for a.
 32.40.30.20.10.rpz-nsip A 1.2.3.68
+www.gotham5.a TXT "txt5"
 TEMPFILE_END
 
 stub-zone:
@@ -95,6 +98,16 @@ www.gotham4.a. IN A
 SECTION ANSWER
 www.gotham4.a. IN A 1.2.3.54
 ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR NOERROR
+SECTION QUESTION
+www.gotham5.a. IN TXT
+SECTION ANSWER
+www.gotham5.a. IN TXT "gotham5"
+ENTRY_END
 RANGE_END
 
 ; Test with zero rpz CNAMEs, no tag match for rpz answer.
@@ -247,4 +260,22 @@ g4b.target.a. CNAME g4c.target.a.
 g4c.target.a. A 1.2.3.64
 ENTRY_END
 
+; Test with zero rpz CNAMEs, no tags for the query, and so no rpz answer.
+STEP 90 QUERY ADDRESS 193.0.0.1
+ENTRY_BEGIN
+REPLY RD
+SECTION QUESTION
+www.gotham5.a. IN      TXT
+ENTRY_END
+
+STEP 91 CHECK_ANSWER
+ENTRY_BEGIN
+MATCH all
+REPLY QR RD RA NOERROR
+SECTION QUESTION
+www.gotham5.a. IN      TXT
+SECTION ANSWER
+www.gotham5.a. IN TXT "gotham5"
+ENTRY_END
+
 SCENARIO_END
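Review bot: The added STEP 90/91 pair covers only the zero-CNAME case for the untagged 193.0.0.1 client, so the identical condition changed in rpz_callback_from_iterator_cname does not appear to get a matching check in this hunk. A second query/check pair from 193.0.0.1, for a name whose upstream answer is a CNAME towards a name listed in the rpz zone, would pin that path as well. It is also not visible from this file whether an untagged client reaches the callback with a NULL client_info or with an empty taglist, so which arm of the new `||` the step exercises is worth confirming. The scenario begins outside the hunk.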