From: Otto Moerbeek
Date: Tue, 25 Nov 2025 10:26:53 +0000 (+0100)
Subject: rec: do proper validation of TCP notifies
X-Git-Tag: rec-5.4.0-alpha1~18^2~1
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=d985105eab38e933ee4ca2711854703372c497dd;p=thirdparty%2Fpdns.git
rec: do proper validation of TCP notifies
Signed-off-by: Otto Moerbeek
---
diff --git a/pdns/recursordist/rec-tcp.cc b/pdns/recursordist/rec-tcp.cc
index 517ed521a5..1b9f305572 100644
--- a/pdns/recursordist/rec-tcp.cc
+++ b/pdns/recursordist/rec-tcp.cc
@@ -249,7 +249,7 @@ private:
 int d_fd{-1};
 };
 
-static void handleNotify(std::unique_ptr& comboWriter, const DNSName& qname)
+[[nodiscard]] static bool handleNotify(std::unique_ptr& comboWriter, const DNSName& qname)
 {
 if (!t_allowNotifyFrom || !t_allowNotifyFrom->match(comboWriter->d_mappedSource)) {
 if (!g_quiet) {
@@ -257,17 +257,18 @@ static void handleNotify(std::unique_ptr& comboWriter, const DNS
 }
 t_Counters.at(rec::Counter::sourceDisallowedNotify)++;
- return;
+ return false;
 }
 if (!isAllowNotifyForZone(qname)) {
 if (!g_quiet) {
- g_slogtcpin->info(Logr::Error, "Dropping TCP NOTIFY, zone not matched by allow-notify-for", "source", Logging::Loggable(comboWriter->d_mappedSource), "zone", Logging::Loggable(qname));
+ g_slogtcpin->info(Logr::Error, "Dropping TCP NOTIFY, zone not matched by allow-notify-for", "source", Logging::Loggable(comboWriter->d_mappedSource), "zone", Logging::Loggable(qname));
 }
 t_Counters.at(rec::Counter::zoneDisallowedNotify)++;
- return;
+ return false;
 }
+ return true;
 }
 
 static void doProtobufLogQuery(bool logQuery, LocalStateHolder& luaconfsLocal, const std::unique_ptr& comboWriter, const DNSName& qname, QType qtype, QClass qclass, const dnsheader* dnsheader, const shared_ptr& conn, const std::optional& ednsVersion)
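Review bot: The new `bool` contract of `handleNotify` is not documented at the signature, and the meaning of `false` is the whole point of the change — the drop has already been logged (unless `g_quiet`) and counted by the time it returns, and the caller must not process the NOTIFY further; the same applies to the `return false;`/`return true;` lines in the second hunk of this file. I would add above the `[[nodiscard]] static bool handleNotify(...)` line: `// Returns true when the NOTIFY passes both the allow-notify-from source check and the allow-notify-for zone check; on false the drop has already been logged (unless quiet) and counted, and the caller must drop the query without answering it.` The `[[nodiscard]]` is well chosen here, since silently ignoring this result is exactly the failure mode being fixed. The `std::unique_ptr&` parameter appears without its template argument on this page, which looks like a rendering artefact rather than the source; the function's first log line (file line 256) falls between the two hunks and is not visible here.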
@@ -444,7 +445,9 @@ static void doProcessTCPQuestion(std::unique_ptr& comboWriter, s
 }
 
 if (comboWriter->d_mdp.d_header.opcode == static_cast(Opcode::Notify)) {
- handleNotify(comboWriter, qname);
+ if (!handleNotify(comboWriter, qname)) {
+ return;
+ }
 }
 
 string response;
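Review bot: The added bare `return;` leaves `doProcessTCPQuestion` before `string response;` is even declared, so no answer is written for the dropped NOTIFY; please confirm that whatever per-request bookkeeping the function's other early exits perform (connection state, in-flight counters, protobuf/trace logging) is either not yet armed at this point or is handled by the caller, since `doProcessTCPQuestion` starts and ends outside this hunk and I cannot see those paths. Previously a NOTIFY that failed the source or zone check still fell through into normal query processing, so this is an access-control fix and the `sourceDisallowedNotify`/`zoneDisallowedNotify` counters incremented inside `handleNotify` are the signals operators should watch for unsolicited notifies reaching the TCP listener. A one-line comment on the new branch would make the intent clear to the next reader: `// NOTIFY rejected by allow-notify-from / allow-notify-for: already logged and counted, drop without answering`.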