From: Remi Gacogne <remi.gacogne@powerdns.com>
Date: Thu, 20 Feb 2020 11:12:15 +0000 (+0100)
Subject: rec: Drop truncated UDP dgrams. Only accept large packets w/ proxy
X-Git-Tag: dnsdist-1.5.0-alpha1~12^2~24
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=6b8829d508b8a214dee395332df9d015a21a4bde;p=thirdparty%2Fpdns.git

rec: Drop truncated UDP dgrams. Only accept large packets w/ proxy
---

diff --git a/pdns/pdns_recursor.cc b/pdns/pdns_recursor.cc
index 741a7f4339..f20c1174e4 100644
--- a/pdns/pdns_recursor.cc
+++ b/pdns/pdns_recursor.cc
@@ -2621,6 +2621,15 @@ static void handleNewUDPQuestion(int fd, FDMultiplexer::funcparam_t& var)
     if((len=recvmsg(fd, &msgh, 0)) >= 0) {
 
       firstQuery = false;
+
+      if (msgh.msg_flags & MSG_TRUNC) {
+        g_stats.truncatedDrops++;
+        if (!g_quiet) {
+          g_log<<Logger::Error<<"Ignoring truncated query from "<<fromaddr.toString()<<endl;
+        }
+        return;
+      }
+
       data.resize(static_cast<size_t>(len));
 
       if (expectProxyProtocol(fromaddr)) {
@@ -2635,9 +2644,13 @@ static void handleNewUDPQuestion(int fd, FDMultiplexer::funcparam_t& var)
         }
         data.erase(0, used);
       }
-
-      if (!proxyProto) {
-        source = fromaddr;
+      else if (len > 512) {
+        /* we only allow UDP packets larger than 512 for those with a proxy protocol header */
+        g_stats.truncatedDrops++;
+        if (!g_quiet) {
+          g_log<<Logger::Error<<"Ignoring truncated query from "<<fromaddr.toString()<<endl;
+        }
+        return;
       }
 
       if (data.size() < sizeof(dnsheader)) {
@@ -2648,12 +2661,8 @@ static void handleNewUDPQuestion(int fd, FDMultiplexer::funcparam_t& var)
         return;
       }
 
-      if (msgh.msg_flags & MSG_TRUNC) {
-        g_stats.truncatedDrops++;
-        if (!g_quiet) {
-          g_log<<Logger::Error<<"Ignoring truncated query from "<<fromaddr.toString()<<endl;
-        }
-        return;
+      if (!proxyProto) {
+        source = fromaddr;
       }
 
       if(t_remotes) {