From: Stefan Metzmacher <metze@samba.org>
Date: Thu, 30 May 2024 12:41:21 +0000 (+0200)
Subject: s4:dns_server: also search DNS_QTYPE_TKEY in the answers section if it's the last... 
X-Git-Tag: samba-4.19.8~71
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=c7188e1746422ea97c316a130c61962e9b187e7b;p=thirdparty%2Fsamba.git

s4:dns_server: also search DNS_QTYPE_TKEY in the answers section if it's the last section

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13019

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 5906ed94f2c5c68e83c63e7c201534eeb323cfe7)
---

diff --git a/selftest/knownfail.d/dns_tkey b/selftest/knownfail.d/dns_tkey
index 8ce60f8507c..12c38d83b97 100644
--- a/selftest/knownfail.d/dns_tkey
+++ b/selftest/knownfail.d/dns_tkey
@@ -1,7 +1,6 @@
 ^samba.tests.dns_tkey.__main__.TestDNSUpdates.test_update_tsig_bad_keyname.fl2008r2dc
 ^samba.tests.dns_tkey.__main__.TestDNSUpdates.test_update_tsig_bad_mac.fl2008r2dc
 ^samba.tests.dns_tkey.__main__.TestDNSUpdates.test_update_gss_tsig_tkey_req_answers.fl2008r2dc
-^samba.tests.dns_tkey.__main__.TestDNSUpdates.test_update_gss_microsoft_com_tkey_req_answers.fl2008r2dc
 ^samba.tests.dns_tkey.__main__.TestDNSUpdates.test_update_tsig_bad_algorithm.fl2008r2dc
 ^samba.tests.dns_tkey.__main__.TestDNSUpdates.test_update_tsig_changed_algorithm1.fl2008r2dc
 ^samba.tests.dns_tkey.__main__.TestDNSUpdates.test_update_gss_tsig_tkey_req_additional.fl2008r2dc
diff --git a/source4/dns_server/dns_query.c b/source4/dns_server/dns_query.c
index 3ac3cd4b2b1..1f46ee0aa19 100644
--- a/source4/dns_server/dns_query.c
+++ b/source4/dns_server/dns_query.c
@@ -799,12 +799,22 @@ static WERROR handle_tkey(struct dns_server *dns,
 {
 	struct dns_res_rec *in_tkey = NULL;
 	struct dns_res_rec *ret_tkey;
-	uint16_t i;
 
-	for (i = 0; i < in->arcount; i++) {
+	/*
+	 * TKEY needs to we the last one in
+	 * additional or answers
+	 */
+	if (in->arcount >= 1) {
+		uint16_t i = in->arcount - 1;
 		if (in->additional[i].rr_type == DNS_QTYPE_TKEY) {
 			in_tkey = &in->additional[i];
-			break;
+		}
+	} else if (in->nscount >= 1) {
+		/* no lookup */
+	} else if (in->ancount >= 1) {
+		uint16_t i = in->ancount - 1;
+		if (in->answers[i].rr_type == DNS_QTYPE_TKEY) {
+			in_tkey = &in->answers[i];
 		}
 	}