From: Ralph Dolmans Date: Wed, 11 Mar 2020 16:37:50 +0000 (+0100) Subject: - Add check to make sure RPZ records are subdomain of configured zone origin. X-Git-Tag: release-1.11.0~98 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=28e6c86e618985a9359da4af77370b9dad3295ae;p=thirdparty%2Funbound.git - Add check to make sure RPZ records are subdomain of configured zone origin. --- diff --git a/doc/Changelog b/doc/Changelog index f6e1ce1b3..becded77e 100644 --- a/doc/Changelog +++ b/doc/Changelog @@ -1,3 +1,7 @@ +11 March 2020: Ralph + - Add check to make sure RPZ records are subdomains of configured + zone origin. + 11 March 2020: George - Fix #189: mini_event.h:142:17: error: field 'ev_timeout' has incomplete type, by noloader. diff --git a/services/authzone.c b/services/authzone.c index 34170abaf..c5803757a 100644 --- a/services/authzone.c +++ b/services/authzone.c @@ -1178,9 +1178,9 @@ az_insert_rr(struct auth_zone* z, uint8_t* rr, size_t rr_len, return 0; } if(z->rpz) { - if(!(rpz_insert_rr(z->rpz, z->namelen, dname, dname_len, - rr_type, rr_class, rr_ttl, rdata, rdatalen, rr, - rr_len))) + if(!(rpz_insert_rr(z->rpz, z->name, z->namelen, dname, + dname_len, rr_type, rr_class, rr_ttl, rdata, rdatalen, + rr, rr_len))) return 0; } return 1; diff --git a/services/rpz.c b/services/rpz.c index 643b20c91..efb7ad5a8 100644 --- a/services/rpz.c +++ b/services/rpz.c @@ -586,7 +586,7 @@ rpz_insert_response_ip_trigger(struct rpz* r, uint8_t* dname, size_t dnamelen, } int -rpz_insert_rr(struct rpz* r, size_t aznamelen, uint8_t* dname, +rpz_insert_rr(struct rpz* r, uint8_t* azname, size_t aznamelen, uint8_t* dname, size_t dnamelen, uint16_t rr_type, uint16_t rr_class, uint32_t rr_ttl, uint8_t* rdatawl, size_t rdatalen, uint8_t* rr, size_t rr_len) { 
@@ -596,9 +596,17 @@ rpz_insert_rr(struct rpz* r, size_t aznamelen, uint8_t* dname, enum rpz_action a; uint8_t* policydname; + if(!dname_subdomain_c(dname, azname)) { + log_err("RPZ: name of record to insert into RPZ is not a " + "subdomain of the configured name of the RPZ zone"); + return 0; + } + log_assert(dnamelen >= aznamelen); - if(!(policydname = calloc(1, (dnamelen-aznamelen)+1))) + if(!(policydname = calloc(1, (dnamelen-aznamelen)+1))) { + log_err("malloc error while inserting RPZ RR"); return 0; + } a = rpz_rr_to_action(rr_type, rdatawl, rdatalen); if(!(policydnamelen = strip_dname_origin(dname, dnamelen, aznamelen, diff --git a/services/rpz.h b/services/rpz.h index 676a4f2a8..a404350d3 100644 --- a/services/rpz.h +++ b/services/rpz.h @@ -105,6 +105,7 @@ struct rpz { /** * Create policy from RR and add to this RPZ. * @param r: the rpz to add the policy to. + * @param azname: dname of the auth-zone * @param aznamelen: the length of the auth-zone name * @param dname: dname of the RR * @param dnamelen: length of the dname @@ -117,7 +118,7 @@ struct rpz { * @param rr_len: the length of the complete RR * @return: 0 on error */ -int rpz_insert_rr(struct rpz* r, size_t aznamelen, uint8_t* dname, +int rpz_insert_rr(struct rpz* r, uint8_t* azname, size_t aznamelen, uint8_t* dname, size_t dnamelen, uint16_t rr_type, uint16_t rr_class, uint32_t rr_ttl, uint8_t* rdatawl, size_t rdatalen, uint8_t* rr, size_t rr_len);
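Review bot: The new `dname_subdomain_c` check only makes `(dnamelen-aznamelen)+1` safe if callers pass lengths that match the wire names they hand in; the lengths themselves are still guarded only by `log_assert(dnamelen >= aznamelen)`, which, if it is a debug-only assert as elsewhere in unbound, is compiled out in release builds, so an inconsistent length pair would still underflow the `calloc` size and the bounds later given to `strip_dname_origin`. A runtime `if(dnamelen < aznamelen) return 0;` next to the new check costs nothing and closes that gap independently of the caller. The new error path also logs nothing an operator can act on: a bad RPZ feed just reports that some record is not a subdomain, so printing the offending owner name and the zone origin (via unbound's wire-to-string dname helper, if usable here) would make the failure triageable. Returning 0 here also means one stray out-of-zone record now fails the whole `az_insert_rr` call rather than being skipped, which may well be intended but deserves a comment stating so. rpz_insert_rr's body continues beyond the hunk.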
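Review bot: The header comment gains `@param azname` but does not tell callers about the precondition the function now enforces, so a reader of rpz.h cannot see that an out-of-zone name is rejected rather than inserted. Suggest extending the parameter and return documentation, e.g. `@param dname: dname of the RR, must be a subdomain of azname (insertion fails otherwise)` and `@return: 0 on error, including when dname is not within azname`; whether an owner name equal to azname is accepted depends on `dname_subdomain_c`, so state that explicitly once confirmed. As a point of style, the new prototype line runs past 80 columns where the rest of the declaration is wrapped, so moving `uint8_t* dname,` to the continuation line would keep it consistent with the surrounding header.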