Pi-Hole/dnsmasq
1
0
Fork 0
mirror of https://github.com/pi-hole/dnsmasq.git synced 2025-12-19 18:28:25 +00:00
Code Issues Packages Projects Releases Wiki Activity

Fix crash on REFUSED answers to DNSSEC queries.

Browse Source 
Some REFUSED answers to DNSSEC-originated queries would
bypass the DNSSEC code entirely, and be returned as answers
to the original query. In the process, they'd mess up datastructures
so that a retry of the original query would crash dnsmasq.
This commit is contained in:
Simon Kelley
2019-10-11 23:22:17 +01:00
parent 6fe436a448
commit 04db1483d1
1 changed files with 6 additions and 5 deletions
Download Patch File Download Diff File Expand all files Collapse all files

11
src/forward.c
View File

@@ -946,12 +946,12 @@ void reply_query(int fd, int family, time_t now)
/* We tried resending to this server with a smaller maximum size and got an answer. /* We tried resending to this server with a smaller maximum size and got an answer.
Make that permanent. To avoid reduxing the packet size for a single dropped packet, Make that permanent. To avoid reduxing the packet size for a single dropped packet,
only do this when we get a truncated answer, or one larger than the safe size. */ only do this when we get a truncated answer, or one larger than the safe size. */
if (server && server->edns_pktsz > SAFE_PKTSZ && (forward->flags & FREC_TEST_PKTSZ) && if (forward->sentto->edns_pktsz > SAFE_PKTSZ && (forward->flags & FREC_TEST_PKTSZ) &&
((header->hb3 & HB3_TC) || n >= SAFE_PKTSZ)) ((header->hb3 & HB3_TC) || n >= SAFE_PKTSZ))
{ {
server->edns_pktsz = SAFE_PKTSZ; forward->sentto->edns_pktsz = SAFE_PKTSZ;
server->pktsz_reduced = now; forward->sentto->pktsz_reduced = now;
prettyprint_addr(&server->addr, daemon->addrbuff); prettyprint_addr(&forward->sentto->addr, daemon->addrbuff);
my_syslog(LOG_WARNING, _("reducing DNS packet size for nameserver %s to %d"), daemon->addrbuff, SAFE_PKTSZ); my_syslog(LOG_WARNING, _("reducing DNS packet size for nameserver %s to %d"), daemon->addrbuff, SAFE_PKTSZ);
} }
@@ -973,7 +973,7 @@ void reply_query(int fd, int family, time_t now)
no_cache_dnssec = 1; no_cache_dnssec = 1;
#ifdef HAVE_DNSSEC #ifdef HAVE_DNSSEC
if (server && (server->flags & SERV_DO_DNSSEC) && if ((forward->sentto->flags & SERV_DO_DNSSEC) &&
option_bool(OPT_DNSSEC_VALID) && !(forward->flags & FREC_CHECKING_DISABLED)) option_bool(OPT_DNSSEC_VALID) && !(forward->flags & FREC_CHECKING_DISABLED))
{ {
int status = 0; int status = 0;
@@ -1201,6 +1201,7 @@ void reply_query(int fd, int family, time_t now)
bogusanswer = 1; bogusanswer = 1;
} }
} }
#endif #endif
/* restore CD bit to the value in the query */ /* restore CD bit to the value in the query */