From: Grigorii Demidov
Date: Wed, 8 Mar 2017 10:14:00 +0000 (+0100)
Subject: layer\iterate: when proccessing delegations, check if qname is at\below new authority
X-Git-Tag: v1.3.0~23^2~60^2
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=9dfaff68349b83c56b7ee5f24713f5df75c285f9;p=thirdparty%2Fknot-resolver.git
layer\iterate: when proccessing delegations, check if qname is at\below new authority
---
diff --git a/lib/layer/iterate.c b/lib/layer/iterate.c
index ac1c21f64..21c393c9c 100644
--- a/lib/layer/iterate.c
+++ b/lib/layer/iterate.c
@@ -209,8 +209,10 @@ static int update_cut(knot_pkt_t *pkt, const knot_rrset_t *rr,
 int state = KR_STATE_CONSUME;
 /* New authority MUST be at/below the authority of the current cut;
+ * also qname must be below new authority;
 * otherwise it's a possible cache injection attempt. */
- if (!knot_dname_in(current_cut, rr->owner)) {
+ if (!knot_dname_in(current_cut, rr->owner) ||
+ !knot_dname_in(rr->owner, qry->sname)) {
 VERBOSE_MSG("<= authority: ns outside bailiwick\n");
 #ifdef STRICT_MODE
 return KR_STATE_FAIL;
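Review bot: The verbose message `<= authority: ns outside bailiwick` now fires for two different rejections, and the new one (qname not at/below the NS owner) is not an out-of-bailiwick NS, so someone triaging a suspected cache-injection attempt from the log cannot tell which check tripped. Consider a message that names both reasons, e.g. `VERBOSE_MSG("<= authority: ns outside bailiwick or qname not under ns owner\n");`, or split the condition so each case logs its own reason. The added comment says qname must be "below" the new authority while the commit subject says at\below, which suggests equality is accepted as well; `* also qname must be at/below new authority;` would match. update_cut starts above the hunk and the `#ifdef STRICT_MODE` block continues past it, so the behaviour without STRICT_MODE is not visible here.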