resolved: tighten checks in dns_resource_record_get_cname_target()
authorLennart Poettering <lennart@poettering.net>
Fri, 5 Mar 2021 16:48:43 +0000 (17:48 +0100)
committerLennart Poettering <lennart@poettering.net>
Sat, 6 Mar 2021 12:33:50 +0000 (13:33 +0100)
Let's refuse to consider CNAME/DNAME replies matching for RR types where
that is not really conceptually allowed (i.e. on CNAME/DNAME lookups
themselves).

(And add a similar check to dns_resource_key_match_cname_or_dname() too,
which implements a similar match)

src/resolve/resolved-dns-rr.c

index 823117e5c92d3e0d752e89dc5b6cf2df1db2344e..7e76e0c6cc08c0f029d4e7dd3d571bcde842eed7 100644 (file)
@@ -244,6 +244,9 @@ int dns_resource_key_match_cname_or_dname(const DnsResourceKey *key, const DnsRe
         if (cname->class != key->class && key->class != DNS_CLASS_ANY)
                 return 0;
 
+        if (!dns_type_may_redirect(key->type))
+                return 0;
+
         if (cname->type == DNS_TYPE_CNAME)
                 r = dns_name_equal(dns_resource_key_name(key), dns_resource_key_name(cname));
         else if (cname->type == DNS_TYPE_DNAME)
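Review bot: The new dns_type_may_redirect() guard on key->type sits directly under a class check that deliberately admits DNS_CLASS_ANY, but there is no corresponding exemption for DNS_TYPE_ANY; if dns_type_may_redirect() treats ANY as a pseudo-type that is never redirectable (not visible here, to be confirmed against its definition), an ANY-typed key will from now on never match a CNAME/DNAME RR, both in this function and in dns_resource_record_get_cname_target() in the second hunk. If that asymmetry is intended, a one-line comment would save the next reader the same question, e.g. `/* Note: unlike DNS_CLASS_ANY above, DNS_TYPE_ANY gets no exemption here on purpose */`; if it is not, the condition wants `if (key->type != DNS_TYPE_ANY && !dns_type_may_redirect(key->type))`. The body of dns_resource_key_match_cname_or_dname() starts before this hunk and continues past it, so the remaining type handling could not be checked.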
@@ -1743,9 +1746,16 @@ int dns_resource_record_get_cname_target(DnsResourceKey *key, DnsResourceRecord
         assert(key);
         assert(cname);
 
+        /* Checks if the RR `cname` is a CNAME/DNAME RR that matches the specified `key`. If so, returns the
+         * target domain. If not, returns -EUNATCH */
+
         if (key->class != cname->key->class && key->class != DNS_CLASS_ANY)
                 return -EUNATCH;
 
+        if (!dns_type_may_redirect(key->type)) /* This key type is not subject to CNAME/DNAME redirection?
+                                                * Then let's refuse right-away */
+                return -EUNATCH;
+
         if (cname->key->type == DNS_TYPE_CNAME) {
                 r = dns_name_equal(dns_resource_key_name(key),
                                    dns_resource_key_name(cname->key));
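Review bot: The trailing two-line comment hung off the new `if (!dns_type_may_redirect(key->type))` condition separates the condition from its `return -EUNATCH;` and reads awkwardly; the neighbouring checks in this function keep their rationale on a line of its own. Suggest `/* Key types that can never be the subject of CNAME/DNAME redirection (e.g. CNAME/DNAME lookups themselves) are refused outright. */` on the line before the `if`, with the condition and the return on the two lines that follow. The contract comment added above the class check is likewise only found after the asserts; since the function header lies outside this hunk, it would more naturally sit at the top of the function or on its declaration. The body of dns_resource_record_get_cname_target() continues past the hunk.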