From: Remi Gacogne <remi.gacogne@powerdns.com>
Date: Mon, 20 Feb 2017 09:27:39 +0000 (+0100)
Subject: rec: Ignore unsupported RPZ entries
X-Git-Tag: rec-4.1.0-alpha1~201^2~1
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=39c9bef526a572052ff4e157e397e21d28a4ba53;p=thirdparty%2Fpdns.git

rec: Ignore unsupported RPZ entries
---

diff --git a/pdns/dnsname.cc b/pdns/dnsname.cc
index 8c6bf150ff..c3ad8e2f00 100644
--- a/pdns/dnsname.cc
+++ b/pdns/dnsname.cc
@@ -328,6 +328,17 @@ vector<string> DNSName::getRawLabels() const
   return ret;
 }
 
+std::string DNSName::getRawLabel(unsigned int pos) const
+{
+  unsigned int currentPos = 0;
+  for(const unsigned char* p = (const unsigned char*) d_storage.c_str(); p < ((const unsigned char*) d_storage.c_str()) + d_storage.size() && *p; p+=*p+1, currentPos++) {
+    if (currentPos == pos) {
+      return std::string((const char*)p+1, (size_t)*p);
+    }
+  }
+
+  throw std::out_of_range("trying to get label at position "+std::to_string(pos)+" of a DNSName that only has "+std::to_string(currentPos)+" labels");
+}
 
 bool DNSName::chopOff()
 {
diff --git a/pdns/dnsname.hh b/pdns/dnsname.hh
index 21b8d84680..408fc555e1 100644
--- a/pdns/dnsname.hh
+++ b/pdns/dnsname.hh
@@ -82,6 +82,7 @@ public:
   void appendRawLabel(const char* start, unsigned int length); //!< Append this unescaped label
   void prependRawLabel(const std::string& str); //!< Prepend this unescaped label
   std::vector<std::string> getRawLabels() const; //!< Individual raw unescaped labels
+  std::string getRawLabel(unsigned int pos) const; //!< Get the specified raw unescaped label
   bool chopOff();                               //!< Turn www.powerdns.com. into powerdns.com., returns false for .
   DNSName makeRelative(const DNSName& zone) const;
   DNSName makeLowerCase() const
diff --git a/pdns/rpzloader.cc b/pdns/rpzloader.cc
index cbda6e05cc..67c36f6ce0 100644
--- a/pdns/rpzloader.cc
+++ b/pdns/rpzloader.cc
@@ -63,6 +63,7 @@ void RPZRecordToPolicy(const DNSRecord& dr, DNSFilterEngine& target, bool addOrR
   static const DNSName drop("rpz-drop."), truncate("rpz-tcp-only."), noaction("rpz-passthru.");
   static const DNSName rpzClientIP("rpz-client-ip"), rpzIP("rpz-ip"),
     rpzNSDname("rpz-nsdname"), rpzNSIP("rpz-nsip.");
+  static const std::string rpzPrefix("rpz-");
 
   DNSFilterEngine::Policy pol;
 
@@ -98,6 +99,19 @@ void RPZRecordToPolicy(const DNSRecord& dr, DNSFilterEngine& target, bool addOrR
       // cerr<<"Wants NOACTION for "<<dr.d_name<<": ";
       pol.d_kind = DNSFilterEngine::PolicyKind::NoAction;
     }
+    /* "The special RPZ encodings which are not to be taken as Local Data are
+       CNAMEs with targets that are:
+       +  "."  (NXDOMAIN action),
+       +  "*." (NODATA action),
+       +  a top level domain starting with "rpz-",
+       +  a child of a top level domain starting with "rpz-".
+    */
+    else if(!crcTarget.empty() && !crcTarget.isRoot() && crcTarget.getRawLabel(crcTarget.countLabels() - 1).compare(0, rpzPrefix.length(), rpzPrefix) == 0) {
+      /* this is very likely an higher format number or a configuration error,
+         let's just ignore it. */
+      L<<Logger::Info<<"Discarding unsupported RPZ entry "<<crcTarget.toString()<<" for "<<dr.d_name<<endl;
+      return;
+    }
     else {
       pol.d_kind = DNSFilterEngine::PolicyKind::Custom;
       pol.d_custom = dr.d_content;
@@ -122,7 +136,7 @@ void RPZRecordToPolicy(const DNSRecord& dr, DNSFilterEngine& target, bool addOrR
   }
 
   // now to DO something with that
-  
+
   if(dr.d_name.isPartOf(rpzNSDname)) {
     DNSName filt=dr.d_name.makeRelative(rpzNSDname);
     if(addOrRemove)
diff --git a/pdns/test-dnsname_cc.cc b/pdns/test-dnsname_cc.cc
index cb24308f76..bb829614e9 100644
--- a/pdns/test-dnsname_cc.cc
+++ b/pdns/test-dnsname_cc.cc
@@ -849,5 +849,13 @@ BOOST_AUTO_TEST_CASE(test_wirelength) { // Testing if we get the correct value f
   BOOST_CHECK_EQUAL(sname.wirelength(), 19);
 }
 
+BOOST_AUTO_TEST_CASE(test_getrawlabel) {
+  DNSName name("a.bb.ccc.dddd.");
+  BOOST_CHECK_EQUAL(name.getRawLabel(0), "a");
+  BOOST_CHECK_EQUAL(name.getRawLabel(1), "bb");
+  BOOST_CHECK_EQUAL(name.getRawLabel(2), "ccc");
+  BOOST_CHECK_EQUAL(name.getRawLabel(3), "dddd");
+  BOOST_CHECK_THROW(name.getRawLabel(name.countLabels()), std::out_of_range);
+}
 
 BOOST_AUTO_TEST_SUITE_END()