From: mb
Date: Tue, 24 Nov 2020 15:29:15 +0000 (+0100)
Subject: rpz: fix forged response
X-Git-Tag: release-1.14.0rc1~62^2~53^2^2~8
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=7acf1a5088cb8ebc9d02a815918352b4961ed04f;p=thirdparty%2Funbound.git
rpz: fix forged response
---
diff --git a/iterator/iterator.c b/iterator/iterator.c
index 85c0b29de..831d90761 100644
--- a/iterator/iterator.c
+++ b/iterator/iterator.c
@@ -2475,7 +2475,7 @@ processQueryTargets(struct module_qstate* qstate, struct iter_qstate* iq,
 struct dns_msg* forged_response = rpz_iterator_module_callback(qstate, iq);
 if(forged_response != NULL) {
 qstate->ext_state[id] = module_finished;
- qstate->return_rcode = forged_response->rep->flags;
+ qstate->return_rcode = FLAGS_GET_RCODE(forged_response->rep->flags);
 qstate->return_msg = forged_response;
 next_state(iq, FINISHED_STATE);
 return 0;
diff --git a/services/rpz.c b/services/rpz.c
index f39c5297c..a089f4fa4 100644
--- a/services/rpz.c
+++ b/services/rpz.c
@@ -1440,7 +1440,7 @@ rpz_patch_nodata(struct rpz* r, struct module_qstate* ms)
 if(msg == NULL) { return msg; }
 msg->qinfo = ms->qinfo;
 msg->rep = construct_reply_info_base(ms->region,
- BIT_RD|BIT_QR|BIT_AA|BIT_RA,
+ BIT_RD | BIT_QR | BIT_AA | BIT_RA,
 1, //qd
 0, //ttl
 0, //prettl
@@ -1461,7 +1461,7 @@ rpz_patch_nxdomain(struct rpz* r, struct module_qstate* ms)
 if(msg == NULL) { return msg; }
 msg->qinfo = ms->qinfo;
 msg->rep = construct_reply_info_base(ms->region,
- BIT_RD|BIT_QR|BIT_AA|BIT_RA,
+ BIT_RD | BIT_QR | BIT_AA | BIT_RA,
 1, //qd
 0, //ttl
 0, //prettl
@@ -1481,22 +1481,32 @@ rpz_patch_localdata(struct rpz* r,
 struct clientip_synthesized_rr* data)
 {
 struct dns_msg* msg = NULL;
- struct query_info* qi = &msg->qinfo;
+ struct query_info* qi = &ms->qinfo;
 struct ub_packed_rrset_key* rp;
 struct local_rrset* rrset;
 struct reply_info* new_reply_info;
- struct reply_info* ri = msg->rep;
 rrset = rpz_find_synthesized_rrset(qi->qtype, data);
 if(rrset == NULL) {
 verbose(VERB_ALGO, "rpz: nsip: no matching synthesized data found; resorting to nodata");
 return rpz_patch_nodata(r, ms);
 }
+ msg = rpz_dns_msg_new(ms->region);
 if(msg == NULL) { return NULL; }
 // XXX: use ttl etc from rpz zone?
- new_reply_info = make_new_reply_info(ri, ms->region, 0, 0);
+ new_reply_info = construct_reply_info_base(ms->region,
+ LDNS_RCODE_NOERROR | BIT_RD | BIT_QR | BIT_AA | BIT_RA,
+ 1, //qd
+ 0, //ttl
+ 0, //prettl
+ 0, //expttl
+ 1, //an
+ 0, //ns
+ 0, //ar
+ 1, //total
+ sec_status_secure);
 if(new_reply_info == NULL) {
 log_err("out of memory");
 return NULL;
@@ -1506,15 +1516,13 @@ rpz_patch_localdata(struct rpz* r,
 log_err("out of memory");
 return NULL;
 }
- new_reply_info->rrsets = regional_alloc(ms->region, sizeof(*new_reply_info->rrsets));
- if(new_reply_info->rrsets == NULL) {
- log_err("out of memory");
- return NULL;
- }
+ //new_reply_info->rrsets = regional_alloc(ms->region, sizeof(*new_reply_info->rrsets));
+ //if(new_reply_info->rrsets == NULL) {
+ // log_err("out of memory");
+ // return NULL;
+ //}
 rp->rk.dname = qi->qname;
 rp->rk.dname_len = qi->qname_len;
- new_reply_info->rrset_count = 1;
- new_reply_info->an_numrrsets = 1;
 new_reply_info->rrsets[0] = rp;
 msg->rep = new_reply_info;
 return msg;
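Review bot: The message returned by rpz_patch_localdata never gets its question section set: after `msg = rpz_dns_msg_new(ms->region);` there is no `msg->qinfo = ms->qinfo;`, whereas rpz_patch_nodata and rpz_patch_nxdomain in this same patch copy it right after their NULL check. Unless rpz_dns_msg_new (not visible here) fills qinfo from somewhere, the forged reply goes back with an unset question; add `msg->qinfo = ms->qinfo;` after the NULL check. The synthesized reply is also built with `sec_status_secure` although no DNSSEC validation was performed on locally generated data; that status can let the AD bit be set towards the client, so `sec_status_insecure` looks like the honest value unless a later step depends on it. The function's body continues past this hunk.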
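Review bot: The five `//`-prefixed lines that replace the old rrsets allocation are commented-out code; delete them rather than keep them, since the history already holds the old version. Presumably the `construct_reply_info_base(..., 1, //total ... )` call in the preceding hunk now allocates the one-entry `rrsets` array that `new_reply_info->rrsets[0] = rp;` writes into; if so, a one-line comment saying that would tell the reader why no allocation appears here, e.g. `/* rrsets[] (one entry) is allocated by construct_reply_info_base above */`. The function's start is outside this hunk.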
@@ -1590,12 +1598,16 @@ rpz_iterator_module_callback(struct module_qstate* ms, struct iter_qstate* is)
 verbose(VERB_ALGO, "rpz: nsip: tcp-only trigger ignored");
 ret = NULL;
 break;
- case RPZ_PASSTHRU_ACTION:
- ret = NULL;
+ case RPZ_DROP_ACTION:
+ ret = rpz_patch_nodata(r, ms);
+ ms->is_drop = 1;
 break;
 case RPZ_LOCAL_DATA_ACTION:
 ret = rpz_patch_localdata(r, ms, raddr);
 break;
+ case RPZ_PASSTHRU_ACTION:
+ ret = NULL;
+ break;
 default:
 verbose(VERB_ALGO, "rpz: nsip: bug: unhandled or invalid action: '%s'",
 rpz_action_to_string(action));
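Review bot: In the new `RPZ_DROP_ACTION` case `ms->is_drop = 1;` is set even when `rpz_patch_nodata(r, ms)` returns NULL (it does so when rpz_dns_msg_new fails, per the hunk in this patch), and the iterator hunk only acts on a non-NULL forged response, so the drop flag then rides along on a query that is resolved normally. Consider guarding it, `if(ret != NULL) ms->is_drop = 1;`, or at least logging the failed synthesis, depending on how is_drop is consumed outside this file. A short comment on the case would also help, e.g. `/* drop: return a nodata reply and flag the state so no answer is sent */`, assuming that is what is_drop means to its consumer, which is not visible here. The switch and the function continue outside the hunk.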