From: W.C.A. Wijngaards <wouter@nlnetlabs.nl>
Date: Tue, 7 Jul 2020 07:00:04 +0000 (+0200)
Subject: - Fix #259: Fix unbound-checkconf does not check view existence.
X-Git-Tag: release-1.11.0~18
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=4d009e19fc80b2642c2ce0fd04b819ca70102ca4;p=thirdparty%2Funbound.git

- Fix #259: Fix unbound-checkconf does not check view existence.
  unbound-checkconf checks access-control-view, access-control-tags,
  access-control-tag-actions and access-control-tag-datas.
- Fix offset of error printout for access-control-tag-datas.
---

diff --git a/daemon/acl_list.c b/daemon/acl_list.c
index c16a920d9..84324575e 100644
--- a/daemon/acl_list.c
+++ b/daemon/acl_list.c
@@ -273,7 +273,7 @@ check_data(const char* data, const struct config_strlist* head)
 	if(res == 0)
 		return 1;
 	log_err("rr data [char %d] parse error %s",
-		(int)LDNS_WIREPARSE_OFFSET(res)-13,
+		(int)LDNS_WIREPARSE_OFFSET(res)-2,
 		sldns_get_errorstr_parse(res));
 	return 0;
 }
diff --git a/doc/Changelog b/doc/Changelog
index 58f0493bd..93d69d945 100644
--- a/doc/Changelog
+++ b/doc/Changelog
@@ -1,3 +1,9 @@
+7 July 2020: Wouter
+	- Fix #259: Fix unbound-checkconf does not check view existence.
+	  unbound-checkconf checks access-control-view, access-control-tags,
+	  access-control-tag-actions and access-control-tag-datas.
+	- Fix offset of error printout for access-control-tag-datas.
+
 6 July 2020: Wouter
 	- run_vm cleanup better and removes trailing slash on single argument.
 
diff --git a/smallapp/unbound-checkconf.c b/smallapp/unbound-checkconf.c
index 54a0ab78c..409d29fea 100644
--- a/smallapp/unbound-checkconf.c
+++ b/smallapp/unbound-checkconf.c
@@ -58,6 +58,7 @@
 #include "services/authzone.h"
 #include "respip/respip.h"
 #include "sldns/sbuffer.h"
+#include "sldns/str2wire.h"
 #ifdef HAVE_GETOPT_H
 #include <getopt.h>
 #endif
@@ -194,6 +195,94 @@ localzonechecks(struct config_file* cfg)
 	local_zones_delete(zs);
 }
 
+/** checks for acl and views */
+static void
+acl_view_checks(struct config_file* cfg, struct views* views)
+{
+	int d;
+	struct sockaddr_storage a;
+	socklen_t alen;
+	struct config_str2list* acl;
+	struct config_str3list* s3;
+	struct config_strbytelist* sb;
+	struct view* v;
+
+	/* acl_view */
+	for(acl=cfg->acl_view; acl; acl = acl->next) {
+		if(!netblockstrtoaddr(acl->str, UNBOUND_DNS_PORT, &a, &alen,
+			&d)) {
+			fatal_exit("cannot parse access-control-view "
+				"address %s %s", acl->str, acl->str2);
+		}
+		v = views_find_view(views, acl->str2, 0);
+		if(!v) {
+			fatal_exit("cannot find view for "
+				"access-control-view: %s %s",
+				acl->str, acl->str2);
+		}
+		lock_rw_unlock(&v->lock);
+	}
+
+	/* acl_tags */
+	for(sb=cfg->acl_tags; sb; sb = sb->next) {
+		if(!netblockstrtoaddr(sb->str, UNBOUND_DNS_PORT, &a, &alen,
+			&d)) {
+			fatal_exit("cannot parse access-control-tags "
+				"address %s", sb->str);
+		}
+	}
+
+	/* acl_tag_actions */
+	for(s3=cfg->acl_tag_actions; s3; s3 = s3->next) {
+		enum localzone_type t;
+		if(!netblockstrtoaddr(s3->str, UNBOUND_DNS_PORT, &a, &alen,
+			&d)) {
+			fatal_exit("cannot parse access-control-tag-actions "
+				"address %s %s %s",
+				s3->str, s3->str2, s3->str3);
+		}
+		if(find_tag_id(cfg, s3->str2) == -1) {
+			fatal_exit("cannot parse tag %s (define-tag it), "
+				"for access-control-tag-actions: %s %s %s",
+				s3->str2, s3->str, s3->str2, s3->str3);
+		}
+		if(!local_zone_str2type(s3->str3, &t)) {
+			fatal_exit("cannot parse access control action type %s"
+				" for access-control-tag-actions: %s %s %s",
+				s3->str3, s3->str, s3->str2, s3->str3);
+		}
+	}
+
+	/* acl_tag_datas */
+	for(s3=cfg->acl_tag_datas; s3; s3 = s3->next) {
+		char buf[65536];
+		uint8_t rr[LDNS_RR_BUF_SIZE];
+		size_t len = sizeof(rr);
+		int res;
+		if(!netblockstrtoaddr(s3->str, UNBOUND_DNS_PORT, &a, &alen,
+			&d)) {
+			fatal_exit("cannot parse access-control-tag-datas address %s %s '%s'",
+				s3->str, s3->str2, s3->str3);
+		}
+		if(find_tag_id(cfg, s3->str2) == -1) {
+			fatal_exit("cannot parse tag %s (define-tag it), "
+				"for access-control-tag-datas: %s %s '%s'",
+				s3->str2, s3->str, s3->str2, s3->str3);
+		}
+		/* '.' is sufficient for validation, and it makes the call to
+		 * sldns_wirerr_get_type() simpler below. */
+		snprintf(buf, sizeof(buf), "%s %s", ".", s3->str3);
+		res = sldns_str2wire_rr_buf(buf, rr, &len, NULL, 3600, NULL,
+			0, NULL, 0);
+		if(res != 0) {
+			fatal_exit("cannot parse rr data [char %d] parse error %s, for access-control-tag-datas: %s %s '%s'",
+				(int)LDNS_WIREPARSE_OFFSET(res)-2,
+				sldns_get_errorstr_parse(res),
+				s3->str, s3->str2, s3->str3);
+		}
+	}
+}
+
 /** check view and response-ip configuration */
 static void
 view_and_respipchecks(struct config_file* cfg)
@@ -211,6 +300,7 @@ view_and_respipchecks(struct config_file* cfg)
 		fatal_exit("Could not setup respip set");
 	if(!respip_views_apply_cfg(views, cfg, &ignored))
 		fatal_exit("Could not setup per-view respip sets");
+	acl_view_checks(cfg, views);
 	views_delete(views);
 	respip_set_delete(respip);
 }