From: Otto Moerbeek <otto.moerbeek@open-xchange.com>
Date: Tue, 7 Jul 2020 08:54:15 +0000 (+0200)
Subject: rec: backport of 9268 to 4.3.x: Better exception handling in houseKeeping / handlePol... 
X-Git-Tag: rec-4.3.3~4^2~1
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=b5393633b78ab70661b6a008e31c0b1066020bd5;p=thirdparty%2Fpdns.git

rec: backport of 9268 to 4.3.x: Better exception handling in houseKeeping / handlePolicyHit
---

diff --git a/pdns/pdns_recursor.cc b/pdns/pdns_recursor.cc
index eb95325613..1ad3b241e1 100644
--- a/pdns/pdns_recursor.cc
+++ b/pdns/pdns_recursor.cc
@@ -1359,7 +1359,23 @@ static void startDoResolve(void *p)
             spoofed=appliedPolicy.getCustomRecords(dc->d_mdp.d_qname, dc->d_mdp.d_qtype);
             for (const auto& dr : spoofed) {
               ret.push_back(dr);
-              handleRPZCustom(dr, QType(dc->d_mdp.d_qtype), sr, res, ret);
+              try {
+                handleRPZCustom(dr, QType(dc->d_mdp.d_qtype), sr, res, ret);
+              }
+              catch (const ImmediateServFailException& e) {
+                if (g_logCommonErrors) {
+                  g_log << Logger::Notice << "Sending SERVFAIL to " << dc->getRemote() << " during resolve of the custom filter policy while resolving '"<<dc->d_mdp.d_qname<<"' because: "<<e.reason<<endl;
+                }
+                res = RCode::ServFail;
+                break;
+              }
+              catch (const PolicyHitException& e) {
+                if (g_logCommonErrors) {
+                  g_log << Logger::Notice << "Sending SERVFAIL to " << dc->getRemote() << " during resolve of the custom filter policy while resolving '"<<dc->d_mdp.d_qname<<"' because another RPZ policy was hit"<<endl;
+                }
+                res = RCode::ServFail;
+                break;
+              }
             }
             goto haveAnswer;
           case DNSFilterEngine::PolicyKind::Truncate:
@@ -2946,7 +2962,24 @@ static void houseKeeping(void *)
       int res = SyncRes::getRootNS(g_now, nullptr);
       if (!res) {
         last_rootupdate=now.tv_sec;
-        primeRootNSZones(g_dnssecmode != DNSSECMode::Off);
+        try {
+          primeRootNSZones(g_dnssecmode != DNSSECMode::Off);
+        }
+        catch (const std::exception& e) {
+          g_log<<Logger::Error<<"Exception while priming the root NS zones: "<<e.what()<<endl;
+        }
+        catch (const PDNSException& e) {
+          g_log<<Logger::Error<<"Exception while priming the root NS zones: "<<e.reason<<endl;
+        }
+        catch (const ImmediateServFailException& e) {
+          g_log<<Logger::Error<<"Exception while priming the root NS zones: "<<e.reason<<endl;
+        }
+        catch (const PolicyHitException& e) {
+          g_log<<Logger::Error<<"Policy hit while priming the root NS zones"<<endl;
+        }
+        catch (...) {
+          g_log<<Logger::Error<<"Exception while priming the root NS zones"<<endl;
+        }
       }
     }
 
@@ -3001,6 +3034,12 @@ static void houseKeeping(void *)
       g_log<<Logger::Error<<"Fatal error in housekeeping thread: "<<ae.reason<<endl;
       throw;
     }
+  catch(...)
+    {
+      s_running=false;
+      g_log<<Logger::Error<<"Uncaught exception in housekeeping thread"<<endl;
+      throw;
+    }
 }
 
 static void makeThreadPipes()