From: Wouter Wijngaards Date: Wed, 21 Nov 2018 06:37:00 +0000 (+0000) Subject: - Scrub NS records from NODATA responses as well. X-Git-Tag: release-1.8.2rc1~28 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=7458729d28103390043b36c503020b9b6e2a61a8;p=thirdparty%2Funbound.git - Scrub NS records from NODATA responses as well. git-svn-id: file:///svn/unbound/trunk@4964 be551aaa-1e26-0410-a405-d3ace91eadb9 --- diff --git a/doc/Changelog b/doc/Changelog index d02f00a61..c339e15b6 100644 --- a/doc/Changelog +++ b/doc/Changelog @@ -1,3 +1,6 @@ +21 November 2018: Wouter + - Scrub NS records from NODATA responses as well. + 20 November 2018: Wouter - Scrub NS records from NXDOMAIN responses to stop fragmentation poisoning of the cache. diff --git a/iterator/iter_scrub.c b/iterator/iter_scrub.c index a1cd0f441..8cc5effe8 100644 --- a/iterator/iter_scrub.c +++ b/iterator/iter_scrub.c @@ -502,7 +502,14 @@ scrub_normalize(sldns_buffer* pkt, struct msg_parse* msg, * from. eg. fragmentation attacks, inserted after * long RRSIGs in the packet get to the packet * border and such */ - if(FLAGS_GET_RCODE(msg->flags) == LDNS_RCODE_NXDOMAIN) { + /* also for NODATA answers + * (nodata has an empty answer section, ie. the + * first rr is from the next section */ + if(FLAGS_GET_RCODE(msg->flags) == LDNS_RCODE_NXDOMAIN || + (FLAGS_GET_RCODE(msg->flags) == LDNS_RCODE_NOERROR + && (msg->rrset_first->section == LDNS_SECTION_AUTHORITY + || msg->rrset_first->section == LDNS_SECTION_ADDITIONAL) + )) { remove_rrset("normalize: removing irrelevant " "RRset:", pkt, msg, prev, &rrset); continue;
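Review bot: In the iterator/iter_scrub.c hunk, the new NOERROR branch reads `msg->rrset_first->section` with no NULL check visible in the hunk, and it re-tests the head of the RRset list on every pass while `remove_rrset(..., pkt, msg, prev, &rrset)` is handed `msg` and `prev` in the same block. If `remove_rrset` can change `msg->rrset_first`, the NODATA decision can shift partway through the scrub. Consider computing the rcode and the "first RRset is not in the answer section" test once into a local flag before this point, with an explicit guard on `msg->rrset_first`, and using that flag in the condition; this also avoids evaluating `FLAGS_GET_RCODE(msg->flags)` twice. A response with NOERROR whose first RRset is in the additional section is also treated as NODATA here, which deserves a word in the comment. Minor: the added comment opens a parenthesis at "(nodata has an empty answer section" and never closes it.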