From: bert hubert <bert.hubert@netherlabs.nl>
Date: Sat, 27 Aug 2016 08:48:35 +0000 (+0200)
Subject: turns out TSIG signing code was using the DNSPacketWriter in a superspecial way.... 
X-Git-Tag: dnsdist-1.1.0-beta2~166^2~1
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=57ddc8ba51655fa74837575b5256b41a45431f90;p=thirdparty%2Fpdns.git

turns out TSIG signing code was using the DNSPacketWriter in a superspecial way. Fixed now.
---

diff --git a/pdns/dnssecinfra.cc b/pdns/dnssecinfra.cc
index 6edc8297d8..f213d353e8 100644
--- a/pdns/dnssecinfra.cc
+++ b/pdns/dnssecinfra.cc
@@ -632,6 +632,7 @@ string makeTSIGMessageFromTSIGPacket(const string& opacket, unsigned int tsigOff
 
   vector<uint8_t> signVect;
   DNSPacketWriter dw(signVect, DNSName(), 0);
+  auto pos=signVect.size();
   if(!timersonly) {
     dw.xfrName(keyname, false);
     dw.xfr16BitInt(QClass::ANY); // class
@@ -648,8 +649,7 @@ string makeTSIGMessageFromTSIGPacket(const string& opacket, unsigned int tsigOff
     dw.xfr16BitInt(trc.d_otherData.length()); // length of 'other' data
     //    dw.xfrBlob(trc->d_otherData);
   }
-  const vector<uint8_t>& signRecord=dw.getRecordBeingWritten();
-  message.append(signRecord.begin(), signRecord.end());
+  message.append(signVect.begin()+pos, signVect.end());
   return message;
 }
 
@@ -672,6 +672,7 @@ void addTSIG(DNSPacketWriter& pw, TSIGRecordContent* trc, const DNSName& tsigkey
   // now add something that looks a lot like a TSIG record, but isn't
   vector<uint8_t> signVect;
   DNSPacketWriter dw(signVect, DNSName(), 0);
+  auto pos=dw.size();
   if(!timersonly) {
     dw.xfrName(tsigkeyname, false);
     dw.xfr16BitInt(QClass::ANY); // class
@@ -688,8 +689,7 @@ void addTSIG(DNSPacketWriter& pw, TSIGRecordContent* trc, const DNSName& tsigkey
     //    dw.xfrBlob(trc->d_otherData);
   }
   
-  const vector<uint8_t>& signRecord=dw.getRecordBeingWritten();
-  toSign.append(signRecord.begin(), signRecord.end());
+  toSign.append(signVect.begin() + pos, signVect.end());
 
   if (algo == TSIG_GSS) {
     if (!gss_add_signature(tsigkeyname, toSign, trc->d_mac)) {
diff --git a/pdns/dnswriter.hh b/pdns/dnswriter.hh
index 024cfae9e6..3c5f33e266 100644
--- a/pdns/dnswriter.hh
+++ b/pdns/dnswriter.hh
@@ -116,7 +116,6 @@ public:
 
   dnsheader* getHeader();
   void getRecordPayload(string& records); // call __before commit__
-  const vector<uint8_t> getRecordBeingWritten() { return vector<uint8_t>(d_content.begin()+d_sor, d_content.end()); }
 
   void setCanonic(bool val)
   {