From: Artem Boldariev
Date: Tue, 18 Mar 2025 10:52:18 +0000 (+0200)
Subject: Dispatch: carefully check if the server name for SNI is a hostname
X-Git-Tag: v9.21.7~12^2
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=2592e309c77a3dab7580a7b98b69d8c0a7e10062;p=thirdparty%2Fbind9.git

Dispatch: carefully check if the server name for SNI is a hostname

Previously the code would not check if the string intended to be used for SNI is a hostname.
---
diff --git a/lib/dns/dispatch.c b/lib/dns/dispatch.c
index 12f3d9c5a2c..b72077d4c86 100644
--- a/lib/dns/dispatch.c
+++ b/lib/dns/dispatch.c
@@ -1966,6 +1966,25 @@ udp_dispatch_connect(dns_dispatch_t *disp, dns_dispentry_t *resp) {
 				   udp_connected, resp, resp->timeout);
 }
 
+static inline const char *
+get_tls_sni_hostname(dns_dispentry_t *resp) {
+	char *hostname = NULL;
+
+	if (resp->transport != NULL) {
+		hostname = dns_transport_get_remote_hostname(resp->transport);
+	}
+
+	if (hostname == NULL) {
+		return NULL;
+	}
+
+	if (isc_tls_valid_sni_hostname(hostname)) {
+		return hostname;
+	}
+
+	return NULL;
+}
+
 static isc_result_t
 tcp_dispatch_connect(dns_dispatch_t *disp, dns_dispentry_t *resp) {
 	dns_transport_type_t transport_type = DNS_TRANSPORT_TCP;
@@ -2013,11 +2032,7 @@ tcp_dispatch_connect(dns_dispatch_t *disp, dns_dispentry_t *resp) {
 		      "connecting from %s to %s, timeout %u", localbuf,
 		      peerbuf, resp->connect_timeout);
 
-	char *hostname = NULL;
-	if (resp->transport != NULL) {
-		hostname = dns_transport_get_remote_hostname(
-			resp->transport);
-	}
+	const char *hostname = get_tls_sni_hostname(resp);
 
 	isc_nm_streamdnsconnect(disp->mgr->nm, &disp->local, &disp->peer,
 				tcp_connected, disp,
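Review bot: get_tls_sni_hostname() silently discards a configured remote hostname that isc_tls_valid_sni_hostname() rejects, so tcp_dispatch_connect then connects with no SNI at all and an operator debugging a handshake failure or a wrong-certificate response gets no hint why; a debug-level log line on that final `return NULL;` path, at the same level as the existing "connecting from %s to %s" message in the second hunk, would make this diagnosable. The helper also carries no comment on its contract; I would add `/* Return the transport's remote hostname if it is usable as a TLS SNI name, else NULL (connect without SNI). */` above the definition. Since the name is only read, `hostname` can be declared `const char *hostname = NULL;` directly rather than a `char *` that is widened on return. What isc_tls_valid_sni_hostname() accepts is not visible here (presumably it rejects IP literals, which SNI does not permit), and `resp` is dereferenced without a REQUIRE(), which is fine only if every caller guarantees it is non-NULL as the surrounding dispatch code appears to.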