From: Lennart Poettering Date: Mon, 3 Mar 2025 23:17:21 +0000 (+0100) Subject: dns-stream: only read DNS packet data if we identified the peer properly X-Git-Tag: v258-rc1~1193 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=facc9439a76b4c3a5c273c71bd7a676e4c74778c;p=thirdparty%2Fsystemd.git dns-stream: only read DNS packet data if we identified the peer properly If we use TCP fastopen to connect to a DNS server via TCP, and it responds really quickly between our connection attempt and our immediate check back, then we have not identified the peer yet, and will not be able to use the peer metadata to fill in our packet info. Let's fix that, and simply not read from the socket until identification is complete. Fixes: #34956 --- diff --git a/src/resolve/resolved-dns-stream.c b/src/resolve/resolved-dns-stream.c index 0696857802f..7545065bae6 100644 --- a/src/resolve/resolved-dns-stream.c +++ b/src/resolve/resolved-dns-stream.c @@ -360,7 +360,8 @@ static int on_stream_io(sd_event_source *es, int fd, uint32_t revents, void *use } } - while ((revents & (EPOLLIN|EPOLLHUP|EPOLLRDHUP)) && + while (s->identified && /* Only read data once we identified the peer, because we cannot fill in the DNS packet meta info otherwise */ + (revents & (EPOLLIN|EPOLLHUP|EPOLLRDHUP)) && (!s->read_packet || s->n_read < sizeof(s->read_size) + s->read_packet->size)) {
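Review bot: The new s->identified guard on the while condition in on_stream_io() skips the read loop without saying what happens to the readiness that was just reported. When s->identified is false and revents carries EPOLLIN, EPOLLHUP or EPOLLRDHUP, the handler now falls through without consuming anything. This hunk does not show what brings the handler back to the loop once identification completes, nor whether a still-readable socket makes the event source fire repeatedly in the meantime. Please confirm both, and consider stating in the comment which path sets s->identified and resumes the read, so the fast-open ordering described in the commit message is traceable from the code. A hangup that arrives before identification is gated the same way, so it is worth checking that the stream is still completed or torn down in that case rather than left waiting. As a style point, the comment on the first condition line is long enough that it reads better as a block comment above the while statement.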