From: Wouter Wijngaards Date: Thu, 16 Oct 2008 13:12:32 +0000 (+0000) Subject: Fixup negative TTLs Attila Nagy has reported. X-Git-Tag: release-1.1.0~45 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=265c199445118073aef069229f6456edee7fda00;p=thirdparty%2Funbound.git Fixup negative TTLs Attila Nagy has reported. git-svn-id: file:///svn/unbound/trunk@1306 be551aaa-1e26-0410-a405-d3ace91eadb9 --- diff --git a/daemon/cachedump.c b/daemon/cachedump.c index 2d800e5c3..4466290d9 100644 --- a/daemon/cachedump.c +++ b/daemon/cachedump.c @@ -67,7 +67,9 @@ to_rr(struct ub_packed_rrset_key* k, struct packed_rrset_data* d, } ldns_rr_set_type(rr, type); ldns_rr_set_class(rr, ntohs(k->rk.rrset_class)); - ldns_rr_set_ttl(rr, d->rr_ttl[i] - now); + if(d->rr_ttl[i] < now) + ldns_rr_set_ttl(rr, 0); + else ldns_rr_set_ttl(rr, d->rr_ttl[i] - now); pos = 0; status = ldns_wire2dname(&rdf, k->rk.dname, k->rk.dname_len, &pos); if(status != LDNS_STATUS_OK) { diff --git a/doc/Changelog b/doc/Changelog index be1336228..8c11885ea 100644 --- a/doc/Changelog +++ b/doc/Changelog @@ -1,3 +1,6 @@ +16 October 2008: Wouter + - Fixup negative TTL values appearing (reported by Attila Nagy). + 15 October 2008: Wouter - better documentation for 0x20; remove fallback TODO, it is done. - harden-referral-path feature includes A, AAAA queries for glue, diff --git a/services/cache/rrset.c b/services/cache/rrset.c index c9856c96c..721599096 100644 --- a/services/cache/rrset.c +++ b/services/cache/rrset.c @@ -334,10 +334,13 @@ rrset_update_sec_status(struct rrset_cache* r, } /* update the cached rrset */ if(updata->security > cachedata->security) { + size_t i; if(updata->trust > cachedata->trust) cachedata->trust = updata->trust; cachedata->security = updata->security; cachedata->ttl = updata->ttl + now; + for(i=0; icount+cachedata->rrsig_count; i++) + cachedata->rr_ttl[i] = updata->rr_ttl[i]+now; } lock_rw_unlock(&e->lock); } 
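Review bot: In to_rr() in daemon/cachedump.c the clamp is written as an unbraced `if`/`else` with the else branch on the same line as the keyword, and the same compare-then-subtract is open-coded again in packed_rrset_encode() (both msgencode.c hunks), rrset_check_sec_status() and packed_rrset_copy_region(). One shared helper would keep every site identical and make a missed site easier to spot, for example `static uint32_t ttl_remaining(uint32_t ttl, uint32_t now) { return ttl < now ? 0 : ttl - now; }` (the name is a suggestion and the `uint32_t` types are assumed, since the declarations are not visible in these hunks). An expired record that is sent with a wrapped TTL can be held by downstream caches far longer than intended, so a single known-correct place for this arithmetic is worth having. to_rr() starts and ends outside the hunk.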
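Review bot: In rrset_update_sec_status() in services/cache/rrset.c the added loop reads `updata->rr_ttl[i]` while its bound appears to come from the cached entry; the loop condition is damaged on this page and only `count+cachedata->rrsig_count` survives. The read is only in bounds if both rrsets hold the same number of RRs and RRSIGs, and any check for that sits above the hunk and is not visible here. I would state the precondition at the loop, for example `/* updata and cachedata have the same count and rrsig_count */`, or bound the loop by the smaller of the two totals if that equality is not guaranteed. The function body starts outside the hunk.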
@@ -364,8 +367,15 @@ rrset_check_sec_status(struct rrset_cache* r, } if(cachedata->security > updata->security) { updata->security = cachedata->security; - if(cachedata->security == sec_status_bogus) + if(cachedata->security == sec_status_bogus) { + size_t i; updata->ttl = cachedata->ttl - now; + for(i=0; icount+cachedata->rrsig_count; i++) + if(cachedata->rr_ttl[i] < now) + updata->rr_ttl[i] = 0; + else updata->rr_ttl[i] = + cachedata->rr_ttl[i]-now; + } if(cachedata->trust > updata->trust) updata->trust = cachedata->trust; } diff --git a/util/data/msgencode.c b/util/data/msgencode.c index 33685e869..75e199d93 100644 --- a/util/data/msgencode.c +++ b/util/data/msgencode.c @@ -466,7 +466,10 @@ packed_rrset_encode(struct ub_packed_rrset_key* key, ldns_buffer* pkt, return r; ldns_buffer_write(pkt, &key->rk.type, 2); ldns_buffer_write(pkt, &key->rk.rrset_class, 2); - ldns_buffer_write_u32(pkt, data->rr_ttl[i]-timenow); + if(data->rr_ttl[i] < timenow) + ldns_buffer_write_u32(pkt, 0); + else ldns_buffer_write_u32(pkt, + data->rr_ttl[i]-timenow); if(c) { if((r=compress_rdata(pkt, data->rr_data[i], data->rr_len[i], region, tree, c)) @@ -500,7 +503,10 @@ packed_rrset_encode(struct ub_packed_rrset_key* key, ldns_buffer* pkt, } ldns_buffer_write_u16(pkt, LDNS_RR_TYPE_RRSIG); ldns_buffer_write(pkt, &key->rk.rrset_class, 2); - ldns_buffer_write_u32(pkt, data->rr_ttl[i]-timenow); + if(data->rr_ttl[i] < timenow) + ldns_buffer_write_u32(pkt, 0); + else ldns_buffer_write_u32(pkt, + data->rr_ttl[i]-timenow); /* rrsig rdata cannot be compressed, perform 100+ byte * memcopy. */ ldns_buffer_write(pkt, data->rr_data[i], diff --git a/util/data/packed_rrset.c b/util/data/packed_rrset.c index 74855c9c0..5925b8757 100644 --- a/util/data/packed_rrset.c +++ b/util/data/packed_rrset.c 
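Review bot: In rrset_check_sec_status() the per-RR values are clamped, but the rrset-level assignment `updata->ttl = cachedata->ttl - now;` directly above the new loop is still a plain subtraction. If the cached bogus entry has already expired and no earlier check (outside this hunk) rejects it, that value wraps or goes negative just as the per-RR TTLs did, and the rrset could then be kept far longer than the bogus TTL intends. Suggest `updata->ttl = (cachedata->ttl < now) ? 0 : cachedata->ttl - now;`. The `for` body is a multi-line unbraced `if`/`else`, which would be safer to maintain with braces. The function starts outside the hunk.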
@@ -292,9 +292,14 @@ packed_rrset_copy_region(struct ub_packed_rrset_key* key, ck->entry.data = d; packed_rrset_ptr_fixup(d); /* make TTLs relative - once per rrset */ - for(i=0; icount + d->rrsig_count; i++) - d->rr_ttl[i] -= now; - d->ttl -= now; + for(i=0; icount + d->rrsig_count; i++) { + if(d->rr_ttl[i] < now) + d->rr_ttl[i] = 0; + else d->rr_ttl[i] -= now; + } + if(d->ttl < now) + d->ttl = 0; + else d->ttl -= now; return ck; } diff --git a/validator/val_utils.c b/validator/val_utils.c index 274347f3b..9f7a44372 100644 --- a/validator/val_utils.c +++ b/validator/val_utils.c @@ -337,8 +337,11 @@ val_verify_rrset(struct module_env* env, struct val_env* ve, if(sec == sec_status_secure) d->trust = rrset_trust_validated; else if(sec == sec_status_bogus) { + size_t i; /* update ttl for rrset to fixed value. */ d->ttl = ve->bogus_ttl; + for(i=0; icount+d->rrsig_count; i++) + d->rr_ttl[i] = ve->bogus_ttl; /* leave RR specific TTL: not used for determine * if RRset timed out and clients see proper value. */ lock_basic_lock(&ve->bogus_lock);
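Review bot: In val_verify_rrset() in validator/val_utils.c the context comment right after the added loop still begins `leave RR specific TTL`, but the new loop overwrites every `d->rr_ttl[i]` with `ve->bogus_ttl`, so the comment now contradicts the code. Replace it with something like `/* per-RR TTLs are set to the bogus TTL as well, so they match the rrset TTL */`. It is also worth confirming that `d->count + d->rrsig_count` is the allocated length of `rr_ttl` at this point; the loop condition is damaged on this page and the allocation is not part of the hunk.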