summaryrefslogtreecommitdiffstats
path: root/src/resolve
diff options
context:
space:
mode:
Diffstat (limited to 'src/resolve')
-rw-r--r--src/resolve/resolved-bus.c5
-rw-r--r--src/resolve/resolved-dns-packet.c6
-rw-r--r--src/resolve/resolved-dns-packet.h3
-rw-r--r--src/resolve/resolved-dns-server.c3
-rw-r--r--src/resolve/resolved-dns-stream.c6
-rw-r--r--src/resolve/resolved-dns-stub.c10
-rw-r--r--src/resolve/resolved-dns-transaction.c4
-rw-r--r--src/resolve/resolved-varlink.c5
8 files changed, 31 insertions, 11 deletions
diff --git a/src/resolve/resolved-bus.c b/src/resolve/resolved-bus.c
index d6d2273..847bb6b 100644
--- a/src/resolve/resolved-bus.c
+++ b/src/resolve/resolved-bus.c
@@ -1148,6 +1148,11 @@ static void resolve_service_all_complete(DnsQuery *query) {
if (r < 0)
goto finish;
+ if (isempty(type)) {
+ r = reply_method_errorf(q, BUS_ERROR_NO_SUCH_SERVICE, "'%s' does not provide valid service", dns_query_string(q));
+ goto finish;
+ }
+
r = sd_bus_message_append(
reply,
"ssst",
diff --git a/src/resolve/resolved-dns-packet.c b/src/resolve/resolved-dns-packet.c
index e626740..e446461 100644
--- a/src/resolve/resolved-dns-packet.c
+++ b/src/resolve/resolved-dns-packet.c
@@ -1804,9 +1804,9 @@ int dns_packet_read_rr(
if (r < 0)
return r;
- /* RFC 2181, Section 8, suggests to
- * treat a TTL with the MSB set as a zero TTL. */
- if (rr->ttl & UINT32_C(0x80000000))
+ /* RFC 2181, Section 8, suggests to treat a TTL with the MSB set as a zero TTL. We avoid doing this
+ * for OPT records so that all 8 bits of the extended RCODE may be used .*/
+ if (key->type != DNS_TYPE_OPT && rr->ttl & UINT32_C(0x80000000))
rr->ttl = 0;
r = dns_packet_read_uint16(p, &rdlength, NULL);
diff --git a/src/resolve/resolved-dns-packet.h b/src/resolve/resolved-dns-packet.h
index 393b7b2..a43571a 100644
--- a/src/resolve/resolved-dns-packet.h
+++ b/src/resolve/resolved-dns-packet.h
@@ -111,13 +111,14 @@ static inline uint8_t* DNS_PACKET_DATA(const DnsPacket *p) {
#define DNS_PACKET_AD(p) ((be16toh(DNS_PACKET_HEADER(p)->flags) >> 5) & 1)
#define DNS_PACKET_CD(p) ((be16toh(DNS_PACKET_HEADER(p)->flags) >> 4) & 1)
+#define DNS_PACKET_FLAG_AD (UINT16_C(1) << 5)
#define DNS_PACKET_FLAG_TC (UINT16_C(1) << 9)
static inline uint16_t DNS_PACKET_RCODE(DnsPacket *p) {
uint16_t rcode;
if (p->opt)
- rcode = (uint16_t) (p->opt->ttl >> 24);
+ rcode = (uint16_t) ((p->opt->ttl >> 20) & 0xFF0);
else
rcode = 0;
diff --git a/src/resolve/resolved-dns-server.c b/src/resolve/resolved-dns-server.c
index 340f11f..b37f541 100644
--- a/src/resolve/resolved-dns-server.c
+++ b/src/resolve/resolved-dns-server.c
@@ -706,9 +706,6 @@ bool dns_server_dnssec_supported(DnsServer *server) {
if (dns_server_get_dnssec_mode(server) == DNSSEC_YES) /* If strict DNSSEC mode is enabled, always assume DNSSEC mode is supported. */
return true;
- if (!DNS_SERVER_FEATURE_LEVEL_IS_DNSSEC(server->possible_feature_level))
- return false;
-
if (server->packet_bad_opt)
return false;
diff --git a/src/resolve/resolved-dns-stream.c b/src/resolve/resolved-dns-stream.c
index 1a43d0b..8c15120 100644
--- a/src/resolve/resolved-dns-stream.c
+++ b/src/resolve/resolved-dns-stream.c
@@ -322,6 +322,12 @@ static int on_stream_io(sd_event_source *es, int fd, uint32_t revents, void *use
return dns_stream_complete(s, -r);
}
+ if (revents & EPOLLERR) {
+ socklen_t errlen = sizeof(r);
+ if (getsockopt(s->fd, SOL_SOCKET, SO_ERROR, &r, &errlen) == 0)
+ return dns_stream_complete(s, r);
+ }
+
if ((revents & EPOLLOUT) &&
s->write_packet &&
s->n_written < sizeof(s->write_size) + s->write_packet->size) {
diff --git a/src/resolve/resolved-dns-stub.c b/src/resolve/resolved-dns-stub.c
index 23d4db9..c604a51 100644
--- a/src/resolve/resolved-dns-stub.c
+++ b/src/resolve/resolved-dns-stub.c
@@ -685,7 +685,8 @@ static int dns_stub_send_failure(
static int dns_stub_patch_bypass_reply_packet(
DnsPacket **ret, /* Where to place the patched packet */
DnsPacket *original, /* The packet to patch */
- DnsPacket *request) { /* The packet the patched packet shall look like a reply to */
+ DnsPacket *request, /* The packet the patched packet shall look like a reply to */
+ bool authenticated) {
_cleanup_(dns_packet_unrefp) DnsPacket *c = NULL;
int r;
@@ -725,6 +726,10 @@ static int dns_stub_patch_bypass_reply_packet(
DNS_PACKET_HEADER(c)->flags = htobe16(be16toh(DNS_PACKET_HEADER(c)->flags) | DNS_PACKET_FLAG_TC);
}
+ /* Ensure we don't pass along an untrusted ad flag for bypass packets */
+ if (!authenticated)
+ DNS_PACKET_HEADER(c)->flags = htobe16(be16toh(DNS_PACKET_HEADER(c)->flags) & ~DNS_PACKET_FLAG_AD);
+
*ret = TAKE_PTR(c);
return 0;
}
@@ -745,7 +750,8 @@ static void dns_stub_query_complete(DnsQuery *query) {
q->answer_full_packet->protocol == DNS_PROTOCOL_DNS) {
_cleanup_(dns_packet_unrefp) DnsPacket *reply = NULL;
- r = dns_stub_patch_bypass_reply_packet(&reply, q->answer_full_packet, q->request_packet);
+ r = dns_stub_patch_bypass_reply_packet(&reply, q->answer_full_packet, q->request_packet,
+ FLAGS_SET(q->answer_query_flags, SD_RESOLVED_AUTHENTICATED));
if (r < 0)
log_debug_errno(r, "Failed to patch bypass reply packet: %m");
else
diff --git a/src/resolve/resolved-dns-transaction.c b/src/resolve/resolved-dns-transaction.c
index 92ac075..17a815c 100644
--- a/src/resolve/resolved-dns-transaction.c
+++ b/src/resolve/resolved-dns-transaction.c
@@ -633,7 +633,7 @@ static int on_stream_complete(DnsStream *s, int error) {
if (ERRNO_IS_DISCONNECT(error) && s->protocol != DNS_PROTOCOL_LLMNR) {
log_debug_errno(error, "Connection failure for DNS TCP stream: %m");
- if (s->transactions) {
+ if (error != ECONNRESET && s->transactions) {
DnsTransaction *t;
t = s->transactions;
@@ -1264,7 +1264,7 @@ void dns_transaction_process_reply(DnsTransaction *t, DnsPacket *p, bool encrypt
}
/* These codes probably indicate a transient error. Let's try again. */
- if (IN_SET(t->answer_ede_rcode, DNS_EDE_RCODE_NOT_READY, DNS_EDE_RCODE_NET_ERROR)) {
+ if (t->answer_ede_rcode == DNS_EDE_RCODE_NOT_READY) {
log_debug("Server returned error: %s (%s%s%s), retrying transaction.",
FORMAT_DNS_RCODE(DNS_PACKET_RCODE(p)),
FORMAT_DNS_EDE_RCODE(t->answer_ede_rcode),
diff --git a/src/resolve/resolved-varlink.c b/src/resolve/resolved-varlink.c
index 25f85d8..f02ebe3 100644
--- a/src/resolve/resolved-varlink.c
+++ b/src/resolve/resolved-varlink.c
@@ -829,6 +829,11 @@ static void resolve_service_all_complete(DnsQuery *query) {
if (r < 0)
goto finish;
+ if (isempty(type)) {
+ r = varlink_error(q->varlink_request, "io.systemd.Resolve.ServiceNotProvided", NULL);
+ goto finish;
+ }
+
r = varlink_replyb(query->varlink_request, JSON_BUILD_OBJECT(
JSON_BUILD_PAIR("services", JSON_BUILD_VARIANT(srv)),
JSON_BUILD_PAIR_CONDITION(!json_variant_is_blank_object(txt), "txt", JSON_BUILD_VARIANT(txt)),
generated by cgit v1.2.3 (git 2.39.1) at 2024-10-23 23:06:54 +0000