3124. [bug] Use an rdataset attribute flag to indicate
authorEvan Hunt <each@isc.org>
Thu, 9 Jun 2011 00:16:37 +0000 (00:16 +0000)
committerEvan Hunt <each@isc.org>
Thu, 9 Jun 2011 00:16:37 +0000 (00:16 +0000)
negative-cache records rather than using rrtype 0;
this will prevent problems when that rrtype is
used in actual DNS packets. [RT #24777]

3123. [security] Change #2912 exposed a latent flaw in
dns_rdataset_totext() that could cause named to
crash with an assertion failure. [RT #24777]

CHANGES
bin/tests/system/nsupdate/tests.sh
lib/dns/include/dns/rdataset.h
lib/dns/masterdump.c
lib/dns/message.c
lib/dns/ncache.c
lib/dns/rbtdb.c
lib/dns/rdataset.c
lib/dns/resolver.c
lib/dns/validator.c

diff --git a/CHANGES b/CHANGES
index 566bc54a55ab79f2e717d76f88e00cc4e71621b4..fe9dd8659db332f41780d2404240f2e5d60d0740 100644 (file)
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,12 @@
+3124.  [bug]           Use an rdataset attribute flag to indicate
+                       negative-cache records rather than using rrtype 0;
+                       this will prevent problems when that rrtype is
+                       used in actual DNS packets. [RT #24777]
+
+3123.  [security]      Change #2912 exposed a latent flaw in
+                       dns_rdataset_totext() that could cause named to
+                       crash with an assertion failure. [RT #24777]
+
        --- 9.6-ESV-R5rc1 released ---
 
 3121.   [security]      An authoritative name server sending a negative
index 496b214fef98bff5e437d4be3381201bbd1c3501..45278787d31aec88241f92422a6c9d4b8049949d 100644 (file)
@@ -15,7 +15,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: tests.sh,v 1.25.332.3 2011/05/23 22:24:12 each Exp $
+# $Id: tests.sh,v 1.25.332.4 2011/06/09 00:16:33 each Exp $
 
 SYSTEMTESTTOP=..
 . $SYSTEMTESTTOP/conf.sh
@@ -68,6 +68,62 @@ if [ $ret -ne 0 ]; then
     status=1
 fi
 
+n=`expr $n + 1`
+ret=0
+echo "I:check TYPE=0 update is rejected by nsupdate ($n)"
+$NSUPDATE <<END > nsupdate.out 2>&1 && ret=1
+    server 10.53.0.1 5300
+    ttl 300
+    update add example.nil. in type0 ""
+    send
+END
+grep "unknown class/type" nsupdate.out > /dev/null 2>&1 ||
+ret=1
+if [ $ret -ne 0 ]; then
+    echo "I:failed"
+    status=1
+fi
+
+n=`expr $n + 1`
+ret=0
+echo "I:check TYPE=0 prerequisite is handled ($n)"
+$NSUPDATE <<END > nsupdate.out 2>&1 || ret=1
+    server 10.53.0.1 5300
+    prereq nxrrset example.nil. type0
+    send
+END
+$DIG +tcp version.bind txt ch @10.53.0.1 -p 5300 > dig.out.ns1.$n
+grep "status: NOERROR" dig.out.ns1.$n > /dev/null || ret=1
+if [ $ret -ne 0 ]; then
+    echo "I:failed"
+    status=1
+fi
+
+n=`expr $n + 1`
+ret=0
+echo "I:check that TYPE=0 update is handled ($n)"
+echo "a0e4280000010000000100000000060001c00c000000fe000000000000" |
+$PERL ../packet.pl -a 10.53.0.1 -p 5300 -t tcp > /dev/null
+$DIG +tcp version.bind txt ch @10.53.0.1 -p 5300 > dig.out.ns1.$n
+grep "status: NOERROR" dig.out.ns1.$n > /dev/null || ret=1
+if test $ret -ne 0
+then
+       echo "I:failed"
+        status=1
+fi
+
+n=`expr $n + 1`
+echo "I:check that TYPE=0 additional data is handled ($n)"
+echo "a0e4280000010000000000010000060001c00c000000fe000000000000" |
+$PERL ../packet.pl -a 10.53.0.1 -p 5300 -t tcp > /dev/null
+$DIG +tcp version.bind txt ch @10.53.0.1 -p 5300 > dig.out.ns1.$n
+grep "status: NOERROR" dig.out.ns1.$n > /dev/null || ret=1
+if test $ret -ne 0
+then
+       echo "I:failed"
+        status=1
+fi
+
 if $PERL -e 'use Net::DNS;' 2>/dev/null
 then
     echo "I:running update.pl test"
@@ -185,8 +241,6 @@ if test $ret -ne 0
 then
        echo "I:failed"; status=1
 fi
-  
-  echo "I:exit status: $status"
-  exit $status
+
 echo "I:exit status: $status"
 exit $status
index 5d026d03b62f4082bc66306051ad725dd4ac5767..d0be780c1bbc44e529d93af026de3e86ef3f1fac 100644 (file)
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: rdataset.h,v 1.65.50.6 2011/05/28 00:01:52 tbox Exp $ */
+/* $Id: rdataset.h,v 1.65.50.7 2011/06/09 00:16:37 each Exp $ */
 
 #ifndef DNS_RDATASET_H
 #define DNS_RDATASET_H 1
@@ -203,6 +203,7 @@ struct dns_rdataset {
 #define DNS_RDATASETATTR_RESIGN                0x00040000
 #define DNS_RDATASETATTR_CLOSEST       0x00080000
 #define DNS_RDATASETATTR_OPTOUT                0x00100000      /*%< OPTOUT proof */
+#define DNS_RDATASETATTR_NEGATIVE      0x00200000
 
 /*%
  * _OMITDNSSEC:
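Review bot: The new `DNS_RDATASETATTR_NEGATIVE` flag has no descriptive comment, unlike `DNS_RDATASETATTR_OPTOUT` on the line above, yet it now carries the invariant the whole commit depends on (callers must no longer infer "negative cache" from `type == 0`, because rrtype 0 is legal wire data). Suggest `#define DNS_RDATASETATTR_NEGATIVE 0x00200000 /*%< Negative-cache rdataset (set by dns_ncache_*); do not infer this from type == 0 */`. masterdump.c prints `covers` as `\-<type>` for such rdatasets, so if `covers` is indeed the absent type, saying so in the same comment would help readers of this header.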
index 43dabff48a8fd64505ed703acd1a77a491ad1586..0ecebd67e5bba39cf34473c0e246b18ff5701b48 100644 (file)
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: masterdump.c,v 1.94.50.9 2011/05/27 05:04:17 marka Exp $ */
+/* $Id: masterdump.c,v 1.94.50.10 2011/06/09 00:16:34 each Exp $ */
 
 /*! \file */
 
@@ -356,6 +356,7 @@ rdataset_totext(dns_rdataset_t *rdataset,
        isc_uint32_t current_ttl;
        isc_boolean_t current_ttl_valid;
        dns_rdatatype_t type;
+       unsigned int type_start;
 
        REQUIRE(DNS_RDATASET_VALID(rdataset));
 
@@ -437,29 +438,26 @@ rdataset_totext(dns_rdataset_t *rdataset,
                 * Type.
                 */
 
-               if (rdataset->type == 0) {
+               if ((rdataset->attributes & DNS_RDATASETATTR_NEGATIVE) != 0) {
                        type = rdataset->covers;
                } else {
                        type = rdataset->type;
                }
 
-               {
-                       unsigned int type_start;
-                       INDENT_TO(type_column);
-                       type_start = target->used;
-                       if (rdataset->type == 0)
-                               RETERR(str_totext("\\-", target));
-                       result = dns_rdatatype_totext(type, target);
-                       if (result != ISC_R_SUCCESS)
-                               return (result);
-                       column += (target->used - type_start);
-               }
+               INDENT_TO(type_column);
+               type_start = target->used;
+               if ((rdataset->attributes & DNS_RDATASETATTR_NEGATIVE) != 0)
+                       RETERR(str_totext("\\-", target));
+               result = dns_rdatatype_totext(type, target);
+               if (result != ISC_R_SUCCESS)
+                       return (result);
+               column += (target->used - type_start);
 
                /*
                 * Rdata.
                 */
                INDENT_TO(rdata_column);
-               if (rdataset->type == 0) {
+               if ((rdataset->attributes & DNS_RDATASETATTR_NEGATIVE) != 0) {
                        if (NXDOMAIN(rdataset))
                                RETERR(str_totext(";-$NXDOMAIN\n", target));
                        else
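Review bot: The expression `(rdataset->attributes & DNS_RDATASETATTR_NEGATIVE) != 0` is spelled out three times in this hunk (and again in both dump_rdatasets_* hunks), while resolver.c and validator.c in the same commit introduce a `NEGATIVE(r)` macro for exactly this test and this function already uses an `NXDOMAIN(rdataset)` helper on the `;-$NXDOMAIN` line. Defining `#define NEGATIVE(r) (((r)->attributes & DNS_RDATASETATTR_NEGATIVE) != 0)` next to that helper and using it here would keep masterdump.c in step with the rest of the change. rdataset_totext starts before this hunk and continues past it.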
@@ -813,7 +811,7 @@ dump_rdatasets_text(isc_mem_t *mctx, dns_name_t *name,
                dns_rdataset_t *rds = sorted[i];
                if (ctx->style.flags & DNS_STYLEFLAG_TRUST)
                        fprintf(f, "; %s\n", dns_trust_totext(rds->trust));
-               if (rds->type == 0 &&
+               if (((rds->attributes & DNS_RDATASETATTR_NEGATIVE) != 0) &&
                    (ctx->style.flags & DNS_STYLEFLAG_NCACHE) == 0) {
                        /* Omit negative cache entries */
                } else {
@@ -978,7 +976,7 @@ dump_rdatasets_raw(isc_mem_t *mctx, dns_name_t *name,
                dns_rdataset_init(&rdataset);
                dns_rdatasetiter_current(rdsiter, &rdataset);
 
-               if (rdataset.type == 0 &&
+               if (((rdataset.attributes & DNS_RDATASETATTR_NEGATIVE) != 0) &&
                    (ctx->style.flags & DNS_STYLEFLAG_NCACHE) == 0) {
                        /* Omit negative cache entries */
                } else {
index a6379ee8f5d9d1a97f985002cf16a532f656c283..6125be56281943babbdff519917e95a5a198b119 100644 (file)
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: message.c,v 1.245.50.9 2011/03/12 04:57:27 tbox Exp $ */
+/* $Id: message.c,v 1.245.50.10 2011/06/09 00:16:34 each Exp $ */
 
 /*! \file */
 
@@ -2468,7 +2468,7 @@ dns_message_peekheader(isc_buffer_t *source, dns_messageid_t *idp,
 
 isc_result_t
 dns_message_reply(dns_message_t *msg, isc_boolean_t want_question_section) {
-       unsigned int first_section;
+       unsigned int clear_after;
        isc_result_t result;
 
        REQUIRE(DNS_MESSAGE_VALID(msg));
@@ -2480,15 +2480,15 @@ dns_message_reply(dns_message_t *msg, isc_boolean_t want_question_section) {
            msg->opcode != dns_opcode_notify)
                want_question_section = ISC_FALSE;
        if (msg->opcode == dns_opcode_update)
-               first_section = DNS_SECTION_ADDITIONAL;
+               clear_after = DNS_SECTION_PREREQUISITE;
        else if (want_question_section) {
                if (!msg->question_ok)
                        return (DNS_R_FORMERR);
-               first_section = DNS_SECTION_ANSWER;
+               clear_after = DNS_SECTION_ANSWER;
        } else
-               first_section = DNS_SECTION_QUESTION;
+               clear_after = DNS_SECTION_QUESTION;
        msg->from_to_wire = DNS_MESSAGE_INTENTRENDER;
-       msgresetnames(msg, first_section);
+       msgresetnames(msg, clear_after);
        msgresetopt(msg);
        msgresetsigs(msg, ISC_TRUE);
        msginitprivate(msg);
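Review bot: Moving the reset point for UPDATE replies from DNS_SECTION_ADDITIONAL to DNS_SECTION_PREREQUISITE is the one behavioural change in dns_message_reply and it has no comment, so a reader cannot tell whether dropping the prerequisite and update sections from the reply is intended or a side effect of the rename. If the purpose is to stop echoing request sections that may legally hold TYPE0 or class-NONE RRs the renderer cannot treat as ordinary rdatasets (the assertion referenced by CHANGES #3123), say so: `/* Don't echo prerequisite/update sections back; they may carry TYPE0 or class NONE RRs that cannot be rendered as ordinary rdatasets (RT #24777). */`. The new name `clear_after` reads as "sections after this one are cleared" whereas the old `first_section` read as "this is the first section cleared"; msgresetnames is outside this hunk, so whichever is true should be stated in that comment.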
index 6a3a45667573d77966e867ba38b063fb7eb60a62..c23922b74c6cb9bda85eaac477d13c0a1111bf3d 100644 (file)
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: ncache.c,v 1.43.48.9 2011/05/26 23:45:46 tbox Exp $ */
+/* $Id: ncache.c,v 1.43.48.10 2011/06/09 00:16:35 each Exp $ */
 
 /*! \file */
 
@@ -294,6 +294,7 @@ dns_ncache_addoptout(dns_message_t *message, dns_db_t *cache,
        RUNTIME_CHECK(dns_rdatalist_tordataset(&ncrdatalist, &ncrdataset)
                      == ISC_R_SUCCESS);
        ncrdataset.trust = trust;
+       ncrdataset.attributes |= DNS_RDATASETATTR_NEGATIVE;
        if (message->rcode == dns_rcode_nxdomain)
                ncrdataset.attributes |= DNS_RDATASETATTR_NXDOMAIN;
        if (optout)
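Review bot: This is the only place in the commit that sets DNS_RDATASETATTR_NEGATIVE, while dns_ncache_towire, dns_ncache_getrdataset, dns_ncache_getsigrdataset and dns_ncache_current now REQUIRE it in addition to `type == 0`; any other path that builds a type-0 negative rdataset without going through dns_ncache_addoptout (a separate wrapper that does not call it, or a copy that preserves only `type`/`covers`) would now fail an assertion instead of being handled. Worth a grep for other rdatalists assigned `type = 0`/`dns_rdatatype_none`, and a short comment here: `/* Mark as negative-cache data; readers in this file REQUIRE this flag rather than inferring it from type == 0. */`. dns_ncache_addoptout starts before this hunk and continues past it.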
@@ -324,6 +325,7 @@ dns_ncache_towire(dns_rdataset_t *rdataset, dns_compress_t *cctx,
 
        REQUIRE(rdataset != NULL);
        REQUIRE(rdataset->type == 0);
+       REQUIRE((rdataset->attributes & DNS_RDATASETATTR_NEGATIVE) != 0);
 
        savedbuffer = *target;
        count = 0;
@@ -552,6 +554,7 @@ dns_ncache_getrdataset(dns_rdataset_t *ncacherdataset, dns_name_t *name,
 
        REQUIRE(ncacherdataset != NULL);
        REQUIRE(ncacherdataset->type == 0);
+       REQUIRE((ncacherdataset->attributes & DNS_RDATASETATTR_NEGATIVE) != 0);
        REQUIRE(name != NULL);
        REQUIRE(!dns_rdataset_isassociated(rdataset));
        REQUIRE(type != dns_rdatatype_rrsig);
@@ -628,6 +631,7 @@ dns_ncache_getsigrdataset(dns_rdataset_t *ncacherdataset, dns_name_t *name,
 
        REQUIRE(ncacherdataset != NULL);
        REQUIRE(ncacherdataset->type == 0);
+       REQUIRE((ncacherdataset->attributes & DNS_RDATASETATTR_NEGATIVE) != 0);
        REQUIRE(name != NULL);
        REQUIRE(!dns_rdataset_isassociated(rdataset));
 
@@ -727,6 +731,7 @@ dns_ncache_current(dns_rdataset_t *ncacherdataset, dns_name_t *found,
 
        REQUIRE(ncacherdataset != NULL);
        REQUIRE(ncacherdataset->type == 0);
+       REQUIRE((ncacherdataset->attributes & DNS_RDATASETATTR_NEGATIVE) != 0);
        REQUIRE(found != NULL);
        REQUIRE(!dns_rdataset_isassociated(rdataset));
 
index def3f07dc10656f2066db86592557f4b3b9cc93c..adda048063141ecbbc504a1df3d1d05d3a558208 100644 (file)
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: rbtdb.c,v 1.270.12.31 2011/03/11 10:49:55 marka Exp $ */
+/* $Id: rbtdb.c,v 1.270.12.32 2011/06/09 00:16:35 each Exp $ */
 
 /*! \file */
 
@@ -278,6 +278,7 @@ typedef ISC_LIST(dns_rbtnode_t)         rbtnodelist_t;
 #define RDATASET_ATTR_RESIGN            0x0020
 #define RDATASET_ATTR_STATCOUNT         0x0040
 #define RDATASET_ATTR_OPTOUT           0x0080
+#define RDATASET_ATTR_NEGATIVE          0x0100
 
 typedef struct acache_cbarg {
        dns_rdatasetadditional_t        type;
@@ -316,6 +317,8 @@ struct acachectl {
        (((header)->attributes & RDATASET_ATTR_RESIGN) != 0)
 #define OPTOUT(header) \
        (((header)->attributes & RDATASET_ATTR_OPTOUT) != 0)
+#define NEGATIVE(header) \
+       (((header)->attributes & RDATASET_ATTR_NEGATIVE) != 0)
 
 #define DEFAULT_NODE_LOCK_COUNT         7       /*%< Should be prime. */
 
@@ -696,11 +699,13 @@ update_rrsetstats(dns_rbtdb_t *rbtdb, rdatasetheader_t *header,
        /* At the moment we count statistics only for cache DB */
        INSIST(IS_CACHE(rbtdb));
 
-       if (NXDOMAIN(header))
-               statattributes = DNS_RDATASTATSTYPE_ATTR_NXDOMAIN;
-       else if (RBTDB_RDATATYPE_BASE(header->type) == 0) {
-               statattributes = DNS_RDATASTATSTYPE_ATTR_NXRRSET;
-               base = RBTDB_RDATATYPE_EXT(header->type);
+       if (NEGATIVE(header)) {
+               if (NXDOMAIN(header))
+                       statattributes = DNS_RDATASTATSTYPE_ATTR_NXDOMAIN;
+               else {
+                       statattributes = DNS_RDATASTATSTYPE_ATTR_NXRRSET;
+                       base = RBTDB_RDATATYPE_EXT(header->type);
+               }
        } else
                base = RBTDB_RDATATYPE_BASE(header->type);
 
@@ -2739,6 +2744,8 @@ bind_rdataset(dns_rbtdb_t *rbtdb, dns_rbtnode_t *node,
        rdataset->covers = RBTDB_RDATATYPE_EXT(header->type);
        rdataset->ttl = header->rdh_ttl - now;
        rdataset->trust = header->trust;
+       if (NEGATIVE(header))
+               rdataset->attributes |= DNS_RDATASETATTR_NEGATIVE;
        if (NXDOMAIN(header))
                rdataset->attributes |= DNS_RDATASETATTR_NXDOMAIN;
        if (OPTOUT(header))
@@ -4644,7 +4651,7 @@ cache_find(dns_db_t *db, dns_name_t *name, dns_dbversion_t *version,
                *nodep = node;
        }
 
-       if (RBTDB_RDATATYPE_BASE(found->type) == 0) {
+       if (NEGATIVE(found)) {
                /*
                 * We found a negative cache entry.
                 */
@@ -5316,7 +5323,7 @@ cache_findrdataset(dns_db_t *db, dns_dbnode_t *node, dns_dbversion_t *version,
        if (found == NULL)
                return (ISC_R_NOTFOUND);
 
-       if (RBTDB_RDATATYPE_BASE(found->type) == 0) {
+       if (NEGATIVE(found)) {
                /*
                 * We found a negative cache entry.
                 */
@@ -5527,7 +5534,7 @@ add(dns_rbtdb_t *rbtdb, dns_rbtnode_t *rbtnode, rbtdb_version_t *rbtversion,
        negtype = 0;
        if (rbtversion == NULL && !newheader_nx) {
                rdtype = RBTDB_RDATATYPE_BASE(newheader->type);
-               if (rdtype == 0) {
+               if (NEGATIVE(newheader)) {
                        /*
                         * We're adding a negative cache entry.
                         */
@@ -6067,6 +6074,8 @@ addrdataset(dns_db_t *db, dns_dbnode_t *node, dns_dbversion_t *version,
        } else {
                newheader->serial = 1;
                newheader->resign = 0;
+               if ((rdataset->attributes & DNS_RDATASETATTR_NEGATIVE) != 0)
+                       newheader->attributes |= RDATASET_ATTR_NEGATIVE;
                if ((rdataset->attributes & DNS_RDATASETATTR_NXDOMAIN) != 0)
                        newheader->attributes |= RDATASET_ATTR_NXDOMAIN;
                if ((rdataset->attributes & DNS_RDATASETATTR_OPTOUT) != 0)
@@ -7655,7 +7664,7 @@ rdatasetiter_next(dns_rdatasetiter_t *iterator) {
 
        type = header->type;
        rdtype = RBTDB_RDATATYPE_BASE(header->type);
-       if (rdtype == 0) {
+       if (NEGATIVE(header)) {
                covers = RBTDB_RDATATYPE_EXT(header->type);
                negtype = RBTDB_RDATATYPE_VALUE(covers, 0);
        } else
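Review bot: The header key still encodes a negative entry as base type 0 with `covers` in the EXT part (this hunk derives `covers` from RBTDB_RDATATYPE_EXT and `negtype` as the positive slot it shadows), so a negative entry whose `covers` is 0 would have `header->type == 0`, the same key as a genuine positive TYPE0 rrset, and be distinguishable only by RDATASET_ATTR_NEGATIVE. If the resolver can never negatively cache a TYPE0 query this is harmless, but it is the same sentinel overlap the commit removes elsewhere; an `INSIST(covers != 0)` in the NEGATIVE branch, or a comment stating that negative headers never have covers 0, would settle it. rdatasetiter_next starts before this hunk and continues past it.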
index da3f4e11c78213be9bd57578fd1ff3261871176b..e04731e1c99c62effa4b382862e50c10ae3efd73 100644 (file)
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: rdataset.c,v 1.82.50.7 2011/05/27 05:04:17 marka Exp $ */
+/* $Id: rdataset.c,v 1.82.50.8 2011/06/09 00:16:36 each Exp $ */
 
 /*! \file */
 
@@ -344,7 +344,7 @@ towiresorted(dns_rdataset_t *rdataset, const dns_name_t *owner_name,
                count = 1;
                result = dns_rdataset_first(rdataset);
                INSIST(result == ISC_R_NOMORE);
-       } else if (rdataset->type == 0) {
+       } else if ((rdataset->attributes & DNS_RDATASETATTR_NEGATIVE) != 0) {
                /*
                 * This is a negative caching rdataset.
                 */
index bedf95f68fee34e840809c72c81013acac93dc48..96c12ca3c0bb3b5eeac41f690e98458aae0707cf 100644 (file)
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: resolver.c,v 1.384.14.31 2011/03/11 10:49:55 marka Exp $ */
+/* $Id: resolver.c,v 1.384.14.32 2011/06/09 00:16:36 each Exp $ */
 
 /*! \file */
 
@@ -424,6 +424,7 @@ struct dns_resolver {
                                         FCTX_ADDRINFO_TRIED) != 0)
 
 #define NXDOMAIN(r) (((r)->attributes & DNS_RDATASETATTR_NXDOMAIN) != 0)
+#define NEGATIVE(r) (((r)->attributes & DNS_RDATASETATTR_NEGATIVE) != 0)
 
 static void destroy(dns_resolver_t *res);
 static void empty_bucket(dns_resolver_t *res);
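Review bot: `NEGATIVE(r)` is defined here and again, identically, in validator.c, while masterdump.c and rdataset.c spell the same attribute test out by hand in this commit. The local macro matches the existing `NXDOMAIN(r)` convention in this file, so it is fine as is, but since rdataset.h is already touched, one public helper beside the flag (e.g. `#define DNS_RDATASET_ISNEGATIVE(r) (((r)->attributes & DNS_RDATASETATTR_NEGATIVE) != 0)`) would avoid the duplicate and make later audits of negative-cache handling a single grep.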
@@ -1047,7 +1048,7 @@ fctx_sendevents(fetchctx_t *fctx, isc_result_t result, int line) {
                 * Negative results must be indicated in event->result.
                 */
                if (dns_rdataset_isassociated(event->rdataset) &&
-                   event->rdataset->type == dns_rdatatype_none) {
+                   NEGATIVE(event->rdataset)) {
                        INSIST(event->result == DNS_R_NCACHENXDOMAIN ||
                               event->result == DNS_R_NCACHENXRRSET);
                }
@@ -4176,7 +4177,7 @@ validated(isc_task_t *task, isc_event_t *event) {
        if (result != ISC_R_SUCCESS &&
            result != DNS_R_UNCHANGED)
                goto noanswer_response;
-       if (ardataset != NULL && ardataset->type == 0) {
+       if (ardataset != NULL && NEGATIVE(ardataset)) {
                if (NXDOMAIN(ardataset))
                        eresult = DNS_R_NCACHENXDOMAIN;
                else
@@ -4500,7 +4501,7 @@ cache_name(fetchctx_t *fctx, dns_name_t *name, dns_adbaddrinfo_t *addrinfo,
                                        result = ISC_R_SUCCESS;
                                        if (!need_validation &&
                                            ardataset != NULL &&
-                                           ardataset->type == 0) {
+                                           NEGATIVE(ardataset)) {
                                                /*
                                                 * The answer in the cache is
                                                 * better than the answer we
@@ -4630,7 +4631,7 @@ cache_name(fetchctx_t *fctx, dns_name_t *name, dns_adbaddrinfo_t *addrinfo,
                        if (result == DNS_R_UNCHANGED) {
                                if (ANSWER(rdataset) &&
                                    ardataset != NULL &&
-                                   ardataset->type == 0) {
+                                   NEGATIVE(ardataset)) {
                                        /*
                                         * The answer in the cache is better
                                         * than the answer we found, and is
@@ -4660,7 +4661,7 @@ cache_name(fetchctx_t *fctx, dns_name_t *name, dns_adbaddrinfo_t *addrinfo,
                         * Negative results must be indicated in event->result.
                         */
                        if (dns_rdataset_isassociated(event->rdataset) &&
-                           event->rdataset->type == dns_rdatatype_none) {
+                           NEGATIVE(event->rdataset)) {
                                INSIST(eresult == DNS_R_NCACHENXDOMAIN ||
                                       eresult == DNS_R_NCACHENXRRSET);
                        }
@@ -4740,7 +4741,7 @@ ncache_adderesult(dns_message_t *message, dns_db_t *cache, dns_dbnode_t *node,
                 * care about whether it is DNS_R_NCACHENXDOMAIN or
                 * DNS_R_NCACHENXRRSET then extract it.
                 */
-               if (ardataset->type == 0) {
+               if (NEGATIVE(ardataset)) {
                        /*
                         * The cache data is a negative cache entry.
                         */
index 0529dbd1abc59b3bb584ddd023fdcbe284a57ba9..df662612f0a25213dad61ae620137e356fc60faa 100644 (file)
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: validator.c,v 1.164.12.28 2011/05/27 00:50:10 marka Exp $ */
+/* $Id: validator.c,v 1.164.12.29 2011/06/09 00:16:37 each Exp $ */
 
 #include <config.h>
 
 #define SHUTDOWN(v)            (((v)->attributes & VALATTR_SHUTDOWN) != 0)
 #define CANCELED(v)            (((v)->attributes & VALATTR_CANCELED) != 0)
 
+#define NEGATIVE(r)    (((r)->attributes & DNS_RDATASETATTR_NEGATIVE) != 0)
+
 static void
 destroy(dns_validator_t *val);
 
@@ -737,7 +739,7 @@ dsvalidated(isc_task_t *task, isc_event_t *event) {
                name = dns_fixedname_name(&val->fname);
                if ((val->attributes & VALATTR_INSECURITY) != 0 &&
                    val->frdataset.covers == dns_rdatatype_ds &&
-                   val->frdataset.type == 0 &&
+                   NEGATIVE(&val->frdataset) &&
                    isdelegation(name, &val->frdataset, DNS_R_NCACHENXRRSET)) {
                        if (val->mustbesecure) {
                                validator_log(val, ISC_LOG_WARNING,
@@ -3984,7 +3986,7 @@ validator_start(isc_task_t *task, isc_event_t *event) {
                        val->attributes |= VALATTR_NEEDNODATA;
                result = nsecvalidate(val, ISC_FALSE);
        } else if (val->event->rdataset != NULL &&
-                   val->event->rdataset->type == 0)
+                   NEGATIVE(val->event->rdataset))
        {
                /*
                 * This is a nonexistence validation.