From: Ondřej Surý <ondrej.sury@nic.cz>
Date: Wed, 8 Mar 2017 10:58:14 +0000 (+0100)
Subject: Merge branch 'fix-auth-qname' into 'master'
X-Git-Tag: v1.2.4~1^2~2
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=a2f941e186c295817442af3d4afaa2c23f501ad9;p=thirdparty%2Fknot-resolver.git

Merge branch 'fix-auth-qname' into 'master'

layer\iterate: when processing delegations, check if qname is at\below new authority

See merge request !229
---

diff --git a/lib/layer/iterate.c b/lib/layer/iterate.c
index ac1c21f64..21c393c9c 100644
--- a/lib/layer/iterate.c
+++ b/lib/layer/iterate.c
@@ -209,8 +209,10 @@ static int update_cut(knot_pkt_t *pkt, const knot_rrset_t *rr,
 	int state = KR_STATE_CONSUME;
 
 	/* New authority MUST be at/below the authority of the current cut;
+	 * also qname must be below new authority;
 	 * otherwise it's a possible cache injection attempt. */
-	if (!knot_dname_in(current_cut, rr->owner)) {
+	if (!knot_dname_in(current_cut, rr->owner) ||
+	    !knot_dname_in(rr->owner, qry->sname)) {
 		VERBOSE_MSG("<= authority: ns outside bailiwick\n");
 #ifdef STRICT_MODE
 		return KR_STATE_FAIL;