From: Grigorii Demidov
Date: Thu, 5 Apr 2018 09:12:31 +0000 (+0200)
Subject: lib/resolve: accept incoming requests with QDCOUNT = 0 only if cookie module has...
X-Git-Tag: v2.3.0^2~2^2~8^2~1
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=96a12caf331d98c673a773c2bb073eece0c7ca9f;p=thirdparty%2Fknot-resolver.git
lib/resolve: accept incoming requests with QDCOUNT = 0 only if cookie module has loaded.
---
diff --git a/lib/resolve.c b/lib/resolve.c
index d5240d86e..7d47244dc 100644
--- a/lib/resolve.c
+++ b/lib/resolve.c
@@ -742,10 +742,13 @@ static int resolve_query(struct kr_request *request, const knot_pkt_t *packet)
 uint16_t qtype = knot_pkt_qtype(packet);
 bool cd_is_set = knot_wire_get_cd(packet->wire);
 struct kr_query *qry = NULL;
+ struct kr_context *ctx = request->ctx;
+ struct kr_cookie_ctx *cookie_ctx = ctx ? &ctx->cookie_ctx : NULL;
 if (qname != NULL) {
 qry = kr_rplan_push(rplan, NULL, qname, qclass, qtype);
- } else if (knot_wire_get_qdcount(packet->wire) == 0 &&
+ } else if (cookie_ctx->srvr.enabled &&
+ knot_wire_get_qdcount(packet->wire) == 0 &&
 knot_pkt_has_edns(packet) &&
 knot_edns_has_option(packet->opt_rr, KNOT_EDNS_OPTION_COOKIE)) {
 /* Plan empty query only for cookies. */
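Review bot: `cookie_ctx` is dereferenced in the new `else if (cookie_ctx->srvr.enabled &&` condition even though the declaration just above explicitly allows it to be NULL (`ctx ? &ctx->cookie_ctx : NULL`). That branch is evaluated for every incoming packet without a question name, so if `request->ctx` can ever be NULL here, a remote client's packet would take the resolver down through a null-pointer dereference. Either guard the use, `} else if (cookie_ctx && cookie_ctx->srvr.enabled &&`, or, if the context is guaranteed to be set (the unconditional `&req->ctx->cookie_ctx.srvr` in check_request suggests it is), drop the ternary so the code does not advertise a case it does not handle. resolve_query's body starts before this hunk and continues past it.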
@@ -755,12 +758,14 @@ static int resolve_query(struct kr_request *request, const knot_pkt_t *packet)
 return KR_STATE_FAIL;
 }
- /* Deferred zone cut lookup for this query. */
- qry->flags.AWAIT_CUT = true;
- /* Want DNSSEC if it's posible to secure this name (e.g. is covered by any TA) */
- if ((knot_wire_get_ad(packet->wire) || knot_pkt_has_dnssec(packet)) &&
- kr_ta_covers_qry(request->ctx, qname, qtype)) {
- qry->flags.DNSSEC_WANT = true;
+ if (qname != NULL) {
+ /* Deferred zone cut lookup for this query. */
+ qry->flags.AWAIT_CUT = true;
+ /* Want DNSSEC if it's posible to secure this name (e.g. is covered by any TA) */
+ if ((knot_wire_get_ad(packet->wire) || knot_pkt_has_dnssec(packet)) &&
+ kr_ta_covers_qry(request->ctx, qname, qtype)) {
+ qry->flags.DNSSEC_WANT = true;
+ }
 }
 /* Initialize answer packet */
@@ -780,8 +785,13 @@ static int resolve_query(struct kr_request *request, const knot_pkt_t *packet)
 request->qsource.packet = packet;
 ITERATE_LAYERS(request, qry, begin);
 request->qsource.packet = NULL;
- if (request->state == KR_STATE_DONE) {
+ if ((request->state & KR_STATE_DONE) != 0) {
 kr_rplan_pop(rplan, qry);
+ } else if (qname == NULL) {
+ /* it is an empty query which must be resolved by
+ `begin` layer of cookie module.
+ If query isn't resolved, fail. */
+ request->state = KR_STATE_FAIL;
 }
 return request->state;
 }
diff --git a/modules/cookies/cookiemonster.c b/modules/cookies/cookiemonster.c
index dabd2854f..e4663f6e1 100644
--- a/modules/cookies/cookiemonster.c
+++ b/modules/cookies/cookiemonster.c
@@ -355,6 +355,10 @@ int check_request(kr_layer_t *ctx)
 struct kr_request *req = ctx->req;
 struct kr_cookie_settings *srvr_sett = &req->ctx->cookie_ctx.srvr;
+ if (!srvr_sett->enabled) {
+ return ctx->state;
+ }
+ knot_pkt_t *answer = req->answer;
 if (ctx->state & (KR_STATE_DONE | KR_STATE_FAIL)) {
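Review bot: The new `if (qname != NULL)` guard in the second resolve_query hunk needs a comment saying why the flags are skipped, because `qname != NULL` is standing in for "this is not the cookie-only empty query" planned earlier in the function. A line above the `if` such as `/* Empty (cookie-only) queries carry no name: no zone cut to look up, nothing to validate. */` would spare the reader from tracing back to the planning branch. The function starts before this hunk and continues past it.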
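Review bot: The switch from `request->state == KR_STATE_DONE` to `(request->state & KR_STATE_DONE) != 0` in the third resolve_query hunk changes behaviour for every query, not only empty ones, and neither the commit message nor a comment mentions it. The state is evidently treated as a bit mask elsewhere (`ctx->state & (KR_STATE_DONE | KR_STATE_FAIL)` in check_request), so if the begin layers can return DONE combined with another bit, the query is now popped where it previously was not. If that is the intent, say so next to the test, for example `/* state is a bit mask; DONE may come combined with other flags */`; if it is not needed for the QDCOUNT = 0 fix, it is better split into its own commit.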