From: Lennart Poettering <lennart@poettering.net>
Date: Thu, 10 Dec 2015 12:46:53 +0000 (+0100)
Subject: resolved: refuse OPT RRs in incoming packets that are not in the additional section
X-Git-Tag: v229~212^2~5
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=e6b57b378709af68d1828e26aec684f88bd04172;p=thirdparty%2Fsystemd.git

resolved: refuse OPT RRs in incoming packets that are not in the additional section

We later rely that the DnsAnswer object contains all RRs from the
original packet, at least when it comes to the answer and authorization
sections, hence we better make sure we don#t silently end up removing an
OPT RR from these two sections.
---

diff --git a/src/resolve/resolved-dns-packet.c b/src/resolve/resolved-dns-packet.c
index 2117b709790..7c5be538b8f 100644
--- a/src/resolve/resolved-dns-packet.c
+++ b/src/resolve/resolved-dns-packet.c
@@ -1993,8 +1993,18 @@ int dns_packet_extract(DnsPacket *p) {
                                 goto finish;
 
                         if (rr->key->type == DNS_TYPE_OPT) {
-                                if (p->opt)
-                                        return -EBADMSG;
+
+                                /* The OPT RR is only valid in the Additional section */
+                                if (i < DNS_PACKET_ANCOUNT(p) + DNS_PACKET_NSCOUNT(p)) {
+                                        r = -EBADMSG;
+                                        goto finish;
+                                }
+
+                                /* Two OPT RRs? */
+                                if (p->opt) {
+                                        r = -EBADMSG;
+                                        goto finish;
+                                }
 
                                 p->opt = dns_resource_record_ref(rr);
                         } else {