enforce bounds of multiple configuration options

The configuration options `edns-version`, `edns-udp-size`,
`max-udp-size`, `no-cookie-udp-size` and `padding` now enforce
boundaries. The configuration (including when using `named-checkconf`)
now fails if those options are out of range.

diff --git a/lib/isccfg/check.c b/lib/isccfg/check.c
index c10916b82e60ad19fdc6385812df7e5710467407..ca726b737f830443cc024122fe111df652a444e9 100644 (file)
--- a/lib/isccfg/check.c
+++ b/lib/isccfg/check.c
@@ -1138,6 +1138,24 @@ check_listeners(const cfg_obj_t *list, const cfg_obj_t *config,
        return result;
 }
 
+static void
+check_range_uint32(const cfg_obj_t *map, isc_result_t *result, const char *name,
+                  uint32_t lower, uint32_t upper) {
+       const cfg_obj_t *obj = NULL;
+       (void)cfg_map_get(map, name, &obj);
+       if (obj != NULL) {
+               uint32_t value = cfg_obj_asuint32(obj);
+               if (value < lower || value > upper) {
+                       cfg_obj_log(obj, ISC_LOG_ERROR,
+                                   "%s '%u' out of range (%u..%u)", name,
+                                   value, lower, upper);
+                       if (*result == ISC_R_SUCCESS) {
+                               *result = ISC_R_RANGE;
+                       }
+               }
+       }
+}
+
 static isc_result_t
 check_port(const cfg_obj_t *options, const char *type, in_port_t *portp) {
        const cfg_obj_t *portobj = NULL;
@@ -2026,6 +2044,11 @@ check_options(const cfg_obj_t *options, const cfg_obj_t *config,
                }
        }
 
+       check_range_uint32(options, &result, "edns-udp-size", 512, 4096);
+       check_range_uint32(options, &result, "max-udp-size", 512, 4096);
+       check_range_uint32(options, &result, "nocookie-udp-size", 128,
+                          UINT32_MAX);
+
        if (aclctx != NULL) {
                cfg_aclconfctx_detach(&aclctx);
        }
@@ -4799,6 +4822,11 @@ check_servers(const cfg_obj_t *config, const cfg_obj_t *voptions,
                        }
                }
                dns_peer_detach(&peer);
+
+               check_range_uint32(v1, &result, "edns-udp-size", 512, 4096);
+               check_range_uint32(v1, &result, "max-udp-size", 512, 4096);
+               check_range_uint32(v1, &result, "edns-version", 0, 255);
+               check_range_uint32(v1, &result, "padding", 0, 512);
        }
        return result;
 }