From: Lennart Poettering <lennart@poettering.net>
Date: Fri, 18 Dec 2015 17:57:08 +0000 (+0100)
Subject: resolved: refuse accepting EDNS0 OPT RRs with a non-root domain
X-Git-Tag: v229~201^2~19
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=ff7febd50a69c464eb2373706059194b60056883;p=thirdparty%2Fsystemd.git

resolved: refuse accepting EDNS0 OPT RRs with a non-root domain
---

diff --git a/src/resolve/resolved-dns-packet.c b/src/resolve/resolved-dns-packet.c
index c8dd5fdeee5..e8f570555b6 100644
--- a/src/resolve/resolved-dns-packet.c
+++ b/src/resolve/resolved-dns-packet.c
@@ -1997,13 +1997,19 @@ int dns_packet_extract(DnsPacket *p) {
 
                 for (i = 0; i < n; i++) {
                         _cleanup_(dns_resource_record_unrefp) DnsResourceRecord *rr = NULL;
+                        bool cache_flush;
 
-                        r = dns_packet_read_rr(p, &rr, NULL);
+                        r = dns_packet_read_rr(p, &rr, &cache_flush, NULL);
                         if (r < 0)
                                 goto finish;
 
                         if (rr->key->type == DNS_TYPE_OPT) {
 
+                                if (!dns_name_is_root(DNS_RESOURCE_KEY_NAME(rr->key))) {
+                                        r = -EBADMSG;
+                                        goto finish;
+                                }
+
                                 /* The OPT RR is only valid in the Additional section */
                                 if (i < DNS_PACKET_ANCOUNT(p) + DNS_PACKET_NSCOUNT(p)) {
                                         r = -EBADMSG;