From: mb
Date: Tue, 24 Nov 2020 11:02:59 +0000 (+0100)
Subject: rpz: fix forged messages
X-Git-Tag: release-1.14.0rc1~62^2~53^2^2~9
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=afc73e28d8d601354c516a4cddaf66debe7a1e7d;p=thirdparty%2Funbound.git
rpz: fix forged messages
---
diff --git a/iterator/iterator.c b/iterator/iterator.c
index 6655ec875..85c0b29de 100644
--- a/iterator/iterator.c
+++ b/iterator/iterator.c
@@ -2474,9 +2474,10 @@ processQueryTargets(struct module_qstate* qstate, struct iter_qstate* iq,
 { /* apply rpz triggers at query time */
 struct dns_msg* forged_response = rpz_iterator_module_callback(qstate, iq);
 if(forged_response != NULL) {
- iq->response = forged_response;
- next_state(iq, FINISHED_STATE);
 qstate->ext_state[id] = module_finished;
+ qstate->return_rcode = forged_response->rep->flags;
+ qstate->return_msg = forged_response;
+ next_state(iq, FINISHED_STATE);
 return 0;
 }
 }
diff --git a/services/rpz.c b/services/rpz.c
index fb219ab09..f39c5297c 100644
--- a/services/rpz.c
+++ b/services/rpz.c
@@ -1440,7 +1440,7 @@ rpz_patch_nodata(struct rpz* r, struct module_qstate* ms)
 if(msg == NULL) { return msg; }
 msg->qinfo = ms->qinfo;
 msg->rep = construct_reply_info_base(ms->region,
- LDNS_RCODE_NOERROR|BIT_QR|BIT_AA|BIT_RA,
+ BIT_RD|BIT_QR|BIT_AA|BIT_RA,
 1, //qd
 0, //ttl
 0, //prettl
@@ -1450,6 +1450,7 @@ rpz_patch_nodata(struct rpz* r, struct module_qstate* ms)
 0, //ar
 0, //total
 sec_status_secure);
+ FLAGS_SET_RCODE(msg->rep->flags, LDNS_RCODE_NOERROR);
 return msg;
 }
@@ -1460,7 +1461,7 @@ rpz_patch_nxdomain(struct rpz* r, struct module_qstate* ms)
 if(msg == NULL) { return msg; }
 msg->qinfo = ms->qinfo;
 msg->rep = construct_reply_info_base(ms->region,
- LDNS_RCODE_NXDOMAIN|BIT_QR|BIT_AA|BIT_RA,
+ BIT_RD|BIT_QR|BIT_AA|BIT_RA,
 1, //qd
 0, //ttl
 0, //prettl
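Review bot: In the iterator.c hunk, `qstate->return_rcode = forged_response->rep->flags;` copies the whole header flags word into a field named for an RCODE. The rpz.c hunks of this same commit build that word as `BIT_RD|BIT_QR|BIT_AA|BIT_RA` with the RCODE merged in by FLAGS_SET_RCODE, so return_rcode ends up non-zero even for a NOERROR policy answer; code that compares it with an `LDNS_RCODE_*` value (not visible here) would then treat the RPZ rewrite as an error. I would store only the code, `qstate->return_rcode = FLAGS_GET_RCODE(forged_response->rep->flags);`. processQueryTargets starts and ends outside this hunk, so whether FINISHED_STATE handling still expects `iq->response` could not be checked.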
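Review bot: The flags literal passed to construct_reply_info_base in rpz_patch_nodata now hard-codes `BIT_RD`, and the rpz_patch_nxdomain hunk repeats it, so the forged reply asserts RD regardless of what the client asked. RD in a response is normally a copy of the query's bit; if the reply encoder does not already overwrite it (not visible here), consider `(ms->query_flags & BIT_RD)|BIT_QR|BIT_AA|BIT_RA`. Either way a short comment such as `/* rcode is set below with FLAGS_SET_RCODE */` next to the literal would explain why the RCODE constant left this argument.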
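Review bot: The added `FLAGS_SET_RCODE(msg->rep->flags, LDNS_RCODE_NOERROR);` in rpz_patch_nodata dereferences `msg->rep` with no NULL check, although `msg` itself is checked just above; the rpz_patch_nxdomain hunk has the same line with `LDNS_RCODE_NXDOMAIN`. construct_reply_info_base is defined elsewhere, but it is handed `ms->region` and presumably allocates from it, so a failed allocation would crash the resolver on a policy hit. Add `if(msg->rep == NULL) { return NULL; }` before the macro in both functions, and confirm the caller's handling of a NULL forged response is the intended behaviour under memory pressure, since in iterator.c a NULL result skips the rewrite.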
@@ -1470,6 +1471,7 @@ rpz_patch_nxdomain(struct rpz* r, struct module_qstate* ms)
 0, //ar
 0, //total
 sec_status_secure);
+ FLAGS_SET_RCODE(msg->rep->flags, LDNS_RCODE_NXDOMAIN);
 return msg;
 }
diff --git a/testdata/rpz_nsip.rpl b/testdata/rpz_nsip.rpl
index ac9e80b80..215ee3a28 100644
--- a/testdata/rpz_nsip.rpl
+++ b/testdata/rpz_nsip.rpl
@@ -346,7 +346,7 @@ ENTRY_END
 STEP 11 CHECK_ANSWER
 ENTRY_BEGIN
 MATCH all
-REPLY QR RD RA NXDOMAIN
+REPLY QR AA RD RA NXDOMAIN
 SECTION QUESTION
 gotham.aa. IN A
 SECTION ANSWER
@@ -362,7 +362,7 @@ ENTRY_END
 STEP 21 CHECK_ANSWER
 ENTRY_BEGIN
 MATCH all
-REPLY QR RD RA NOERROR
+REPLY QR AA RD RA NOERROR
 SECTION QUESTION
 gotham.bb. IN A
 SECTION ANSWER