diff options
Diffstat (limited to 'src/resolve')
-rw-r--r-- | src/resolve/resolved-bus.c | 5 | ||||
-rw-r--r-- | src/resolve/resolved-dns-packet.c | 6 | ||||
-rw-r--r-- | src/resolve/resolved-dns-packet.h | 3 | ||||
-rw-r--r-- | src/resolve/resolved-dns-server.c | 3 | ||||
-rw-r--r-- | src/resolve/resolved-dns-stream.c | 6 | ||||
-rw-r--r-- | src/resolve/resolved-dns-stub.c | 10 | ||||
-rw-r--r-- | src/resolve/resolved-dns-transaction.c | 4 | ||||
-rw-r--r-- | src/resolve/resolved-varlink.c | 5 |
8 files changed, 31 insertions, 11 deletions
diff --git a/src/resolve/resolved-bus.c b/src/resolve/resolved-bus.c index d6d2273..847bb6b 100644 --- a/src/resolve/resolved-bus.c +++ b/src/resolve/resolved-bus.c @@ -1148,6 +1148,11 @@ static void resolve_service_all_complete(DnsQuery *query) { if (r < 0) goto finish; + if (isempty(type)) { + r = reply_method_errorf(q, BUS_ERROR_NO_SUCH_SERVICE, "'%s' does not provide valid service", dns_query_string(q)); + goto finish; + } + r = sd_bus_message_append( reply, "ssst", diff --git a/src/resolve/resolved-dns-packet.c b/src/resolve/resolved-dns-packet.c index e626740..e446461 100644 --- a/src/resolve/resolved-dns-packet.c +++ b/src/resolve/resolved-dns-packet.c @@ -1804,9 +1804,9 @@ int dns_packet_read_rr( if (r < 0) return r; - /* RFC 2181, Section 8, suggests to - * treat a TTL with the MSB set as a zero TTL. */ - if (rr->ttl & UINT32_C(0x80000000)) + /* RFC 2181, Section 8, suggests to treat a TTL with the MSB set as a zero TTL. We avoid doing this + * for OPT records so that all 8 bits of the extended RCODE may be used .*/ + if (key->type != DNS_TYPE_OPT && rr->ttl & UINT32_C(0x80000000)) rr->ttl = 0; r = dns_packet_read_uint16(p, &rdlength, NULL); diff --git a/src/resolve/resolved-dns-packet.h b/src/resolve/resolved-dns-packet.h index 393b7b2..a43571a 100644 --- a/src/resolve/resolved-dns-packet.h +++ b/src/resolve/resolved-dns-packet.h @@ -111,13 +111,14 @@ static inline uint8_t* DNS_PACKET_DATA(const DnsPacket *p) { #define DNS_PACKET_AD(p) ((be16toh(DNS_PACKET_HEADER(p)->flags) >> 5) & 1) #define DNS_PACKET_CD(p) ((be16toh(DNS_PACKET_HEADER(p)->flags) >> 4) & 1) +#define DNS_PACKET_FLAG_AD (UINT16_C(1) << 5) #define DNS_PACKET_FLAG_TC (UINT16_C(1) << 9) static inline uint16_t DNS_PACKET_RCODE(DnsPacket *p) { uint16_t rcode; if (p->opt) - rcode = (uint16_t) (p->opt->ttl >> 24); + rcode = (uint16_t) ((p->opt->ttl >> 20) & 0xFF0); else rcode = 0; diff --git a/src/resolve/resolved-dns-server.c b/src/resolve/resolved-dns-server.c index 340f11f..b37f541 100644 --- a/src/resolve/resolved-dns-server.c +++ b/src/resolve/resolved-dns-server.c @@ -706,9 +706,6 @@ bool dns_server_dnssec_supported(DnsServer *server) { if (dns_server_get_dnssec_mode(server) == DNSSEC_YES) /* If strict DNSSEC mode is enabled, always assume DNSSEC mode is supported. */ return true; - if (!DNS_SERVER_FEATURE_LEVEL_IS_DNSSEC(server->possible_feature_level)) - return false; - if (server->packet_bad_opt) return false; diff --git a/src/resolve/resolved-dns-stream.c b/src/resolve/resolved-dns-stream.c index 1a43d0b..8c15120 100644 --- a/src/resolve/resolved-dns-stream.c +++ b/src/resolve/resolved-dns-stream.c @@ -322,6 +322,12 @@ static int on_stream_io(sd_event_source *es, int fd, uint32_t revents, void *use return dns_stream_complete(s, -r); } + if (revents & EPOLLERR) { + socklen_t errlen = sizeof(r); + if (getsockopt(s->fd, SOL_SOCKET, SO_ERROR, &r, &errlen) == 0) + return dns_stream_complete(s, r); + } + if ((revents & EPOLLOUT) && s->write_packet && s->n_written < sizeof(s->write_size) + s->write_packet->size) { diff --git a/src/resolve/resolved-dns-stub.c b/src/resolve/resolved-dns-stub.c index 23d4db9..c604a51 100644 --- a/src/resolve/resolved-dns-stub.c +++ b/src/resolve/resolved-dns-stub.c @@ -685,7 +685,8 @@ static int dns_stub_send_failure( static int dns_stub_patch_bypass_reply_packet( DnsPacket **ret, /* Where to place the patched packet */ DnsPacket *original, /* The packet to patch */ - DnsPacket *request) { /* The packet the patched packet shall look like a reply to */ + DnsPacket *request, /* The packet the patched packet shall look like a reply to */ + bool authenticated) { _cleanup_(dns_packet_unrefp) DnsPacket *c = NULL; int r; @@ -725,6 +726,10 @@ static int dns_stub_patch_bypass_reply_packet( DNS_PACKET_HEADER(c)->flags = htobe16(be16toh(DNS_PACKET_HEADER(c)->flags) | DNS_PACKET_FLAG_TC); } + /* Ensure we don't pass along an untrusted ad flag for bypass packets */ + if (!authenticated) + DNS_PACKET_HEADER(c)->flags = htobe16(be16toh(DNS_PACKET_HEADER(c)->flags) & ~DNS_PACKET_FLAG_AD); + *ret = TAKE_PTR(c); return 0; } @@ -745,7 +750,8 @@ static void dns_stub_query_complete(DnsQuery *query) { q->answer_full_packet->protocol == DNS_PROTOCOL_DNS) { _cleanup_(dns_packet_unrefp) DnsPacket *reply = NULL; - r = dns_stub_patch_bypass_reply_packet(&reply, q->answer_full_packet, q->request_packet); + r = dns_stub_patch_bypass_reply_packet(&reply, q->answer_full_packet, q->request_packet, + FLAGS_SET(q->answer_query_flags, SD_RESOLVED_AUTHENTICATED)); if (r < 0) log_debug_errno(r, "Failed to patch bypass reply packet: %m"); else diff --git a/src/resolve/resolved-dns-transaction.c b/src/resolve/resolved-dns-transaction.c index 92ac075..17a815c 100644 --- a/src/resolve/resolved-dns-transaction.c +++ b/src/resolve/resolved-dns-transaction.c @@ -633,7 +633,7 @@ static int on_stream_complete(DnsStream *s, int error) { if (ERRNO_IS_DISCONNECT(error) && s->protocol != DNS_PROTOCOL_LLMNR) { log_debug_errno(error, "Connection failure for DNS TCP stream: %m"); - if (s->transactions) { + if (error != ECONNRESET && s->transactions) { DnsTransaction *t; t = s->transactions; @@ -1264,7 +1264,7 @@ void dns_transaction_process_reply(DnsTransaction *t, DnsPacket *p, bool encrypt } /* These codes probably indicate a transient error. Let's try again. */ - if (IN_SET(t->answer_ede_rcode, DNS_EDE_RCODE_NOT_READY, DNS_EDE_RCODE_NET_ERROR)) { + if (t->answer_ede_rcode == DNS_EDE_RCODE_NOT_READY) { log_debug("Server returned error: %s (%s%s%s), retrying transaction.", FORMAT_DNS_RCODE(DNS_PACKET_RCODE(p)), FORMAT_DNS_EDE_RCODE(t->answer_ede_rcode), diff --git a/src/resolve/resolved-varlink.c b/src/resolve/resolved-varlink.c index 25f85d8..f02ebe3 100644 --- a/src/resolve/resolved-varlink.c +++ b/src/resolve/resolved-varlink.c @@ -829,6 +829,11 @@ static void resolve_service_all_complete(DnsQuery *query) { if (r < 0) goto finish; + if (isempty(type)) { + r = varlink_error(q->varlink_request, "io.systemd.Resolve.ServiceNotProvided", NULL); + goto finish; + } + r = varlink_replyb(query->varlink_request, JSON_BUILD_OBJECT( JSON_BUILD_PAIR("services", JSON_BUILD_VARIANT(srv)), JSON_BUILD_PAIR_CONDITION(!json_variant_is_blank_object(txt), "txt", JSON_BUILD_VARIANT(txt)), |