From: Lennart Poettering Date: Sat, 1 Nov 2025 15:29:39 +0000 (+0100) Subject: resolvectl: do not use strjoina() on user provided strings X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=7517e41a49d9fa7d79567ec293fe0a353bd1441b;p=thirdparty%2Fsystemd.git resolvectl: do not use strjoina() on user provided strings --- diff --git a/src/resolve/resolvectl.c b/src/resolve/resolvectl.c index 8f8124d5bf8..4e63565afeb 100644 --- a/src/resolve/resolvectl.c +++ b/src/resolve/resolvectl.c @@ -1015,14 +1015,12 @@ static int verb_service(int argc, char **argv, void *userdata) { } static int resolve_openpgp(sd_bus *bus, const char *address) { - const char *domain, *full; int r; - _cleanup_free_ char *hashed = NULL; assert(bus); assert(address); - domain = strrchr(address, '@'); + const char *domain = strrchr(address, '@'); if (!domain) return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "Address does not contain '@': \"%s\"", address); @@ -1031,34 +1029,50 @@ static int resolve_openpgp(sd_bus *bus, const char *address) { "Address starts or ends with '@': \"%s\"", address); domain++; + _cleanup_free_ char *hashed = NULL; r = string_hashsum_sha256(address, domain - 1 - address, &hashed); if (r < 0) return log_error_errno(r, "Hashing failed: %m"); strshorten(hashed, 56); - full = strjoina(hashed, "._openpgpkey.", domain); - log_debug("Looking up \"%s\".", full); + _cleanup_free_ char *suffix = NULL; + r = dns_name_concat("_openpgpkey", domain, /* flags= */ 0, &suffix); + if (r < 0) + return log_error_errno(r, "Failed to join DNS suffix: %m"); - r = resolve_record(bus, full, - arg_class ?: DNS_CLASS_IN, - arg_type ?: DNS_TYPE_OPENPGPKEY, false); + _cleanup_free_ char *full = NULL; + r = dns_name_concat(hashed, suffix, /* flags= */ 0, &full); + if (r < 0) + return log_error_errno(r, "Failed to join OPENPGPKEY name: %m"); + log_debug("Looking up \"%s\".", full); - if (IN_SET(r, -ENXIO, -ESRCH)) { /* NXDOMAIN or NODATA? */ - hashed = mfree(hashed); - r = string_hashsum_sha224(address, domain - 1 - address, &hashed); - if (r < 0) - return log_error_errno(r, "Hashing failed: %m"); + r = resolve_record( + bus, + full, + arg_class ?: DNS_CLASS_IN, + arg_type ?: DNS_TYPE_OPENPGPKEY, + /* warn_missing= */ false); + if (!IN_SET(r, -ENXIO, -ESRCH)) /* Not NXDOMAIN or NODATA? Then fail immedately. */ + return r; - full = strjoina(hashed, "._openpgpkey.", domain); - log_debug("Looking up \"%s\".", full); + hashed = mfree(hashed); + r = string_hashsum_sha224(address, domain - 1 - address, &hashed); + if (r < 0) + return log_error_errno(r, "Hashing failed: %m"); - return resolve_record(bus, full, - arg_class ?: DNS_CLASS_IN, - arg_type ?: DNS_TYPE_OPENPGPKEY, true); - } + full = mfree(full); + r = dns_name_concat(hashed, suffix, /* flags= */ 0, &full); + if (r < 0) + return log_error_errno(r, "Failed to join OPENPGPKEY name: %m"); + log_debug("Looking up \"%s\".", full); - return r; + return resolve_record( + bus, + full, + arg_class ?: DNS_CLASS_IN, + arg_type ?: DNS_TYPE_OPENPGPKEY, + /* warn_missing= */ true); } static int verb_openpgp(int argc, char **argv, void *userdata) {