Diffstat (limited to 'contrib/bind/bin/named/ns_req.c')
-rw-r--r--contrib/bind/bin/named/ns_req.c81
1 files changed, 58 insertions, 23 deletions
diff --git a/contrib/bind/bin/named/ns_req.c b/contrib/bind/bin/named/ns_req.c
index f103ad6..671b31e 100644
--- a/contrib/bind/bin/named/ns_req.c
+++ b/contrib/bind/bin/named/ns_req.c
@@ -1,6 +1,6 @@
#if !defined(lint) && !defined(SABER)
static const char sccsid[] = "@(#)ns_req.c 4.47 (Berkeley) 7/1/91";
-static const char rcsid[] = "$Id: ns_req.c,v 8.129 2001/01/08 23:46:41 marka Exp $";
+static const char rcsid[] = "$Id: ns_req.c,v 8.138.2.1 2001/04/27 07:44:05 marka Exp $";
#endif /* not lint */
/*
@@ -204,16 +204,26 @@ ns_req(u_char *msg, int msglen, int buflen, struct qstream *qsp,
ns_debug(ns_log_default, 1,
"ns_req: bad TSIG key name",
buf);
+ error = ns_r_formerr;
+ hp->rcode = ns_r_formerr;
key = NULL;
- }
- key = find_key(buf, NULL);
- if (key == NULL) {
+ } else if ((key = find_key(buf, NULL)) == NULL) {
error = ns_r_badkey;
hp->rcode = ns_r_notauth;
ns_debug(ns_log_default, 1,
"ns_req: TSIG verify failed - unknown key %s",
buf);
}
+#ifdef LOG_TSIG_BUG
+ if (n < 0 || key == NULL)
+ ns_error(ns_log_security,
+ "SECURITY: POSSIBLE ATTEMPT TO EXERCISE \"TSIG BUG\" FROM %s: %s%s%s",
+ sin_ntoa(from),
+ (n < 0) ? "bad key (formerr)" :
+ "unknown key (",
+ (n < 0) ? "" : (buf[0] != '\0' ? buf : "."),
+ (n < 0) ? "" : ")");
+#endif
}
if (has_tsig && key != NULL) {
n = ns_verify(msg, &msglen, key, NULL, 0, sig, &siglen,
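Review bot: The `LOG_TSIG_BUG` block calls `ns_error(ns_log_security, ...)` once for every incoming packet whose TSIG key name is malformed or unknown, with nothing to throttle it, so a remote sender can fill the security channel at line rate. `stale()` further down in this file uses `haveComplained()` to suppress repeated notices; the same mechanism keyed on the source address, or a per-source rate limit, would keep the log useful here. The message also echoes `buf` (the key name taken from the wire) into the security log; if `buf` is presentation-format output of the name-expansion step above the hunk, unprintable bytes are already escaped, but that is worth confirming since the text now reaches a log that operators read. ns_req's body continues on both sides of this hunk.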
@@ -419,10 +429,12 @@ ns_req(u_char *msg, int msglen, int buflen, struct qstream *qsp,
}
#ifdef DEBUG
- ns_debug(ns_log_default, 1,
- "ns_req: answer -> %s fd=%d id=%d size=%d rc=%d",
- sin_ntoa(from), (qsp == NULL) ? dfd : qsp->s_rfd,
- ntohs(hp->id), cp - msg, hp->rcode);
+ if (ns_wouldlog(ns_log_default, 1)) {
+ ns_debug(ns_log_default, 1,
+ "ns_req: answer -> %s fd=%d id=%d size=%d rc=%d",
+ sin_ntoa(from), (qsp == NULL) ? dfd : qsp->s_rfd,
+ ntohs(hp->id), cp - msg, hp->rcode);
+ }
if (debug >= 10)
res_pquery(&res, msg, cp - msg,
log_get_stream(packet_channel));
@@ -512,6 +524,13 @@ req_notify(HEADER *hp, u_char **cpp, u_char *eom, u_char *msg,
/* XXX - when answers are allowed, we'll need to do compression
* correctly here, and we will need to check for packet underflow.
*/
+ /*
+ * We are ignoring the other field, make sure the header reflects
+ * *cpp.
+ */
+ hp->ancount = htons(0);
+ hp->nscount = htons(0);
+ hp->arcount = htons(0);
/* Find the zone this NOTIFY refers to. */
zp = find_auth_zone(dnbuf, class);
if (zp == NULL) {
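Review bot: The new comment `We are ignoring the other field, make sure the header reflects *cpp.` does not say which fields, and "field" should be plural; a reader has to work out from the three assignments that the answer, authority and additional sections are what is being discarded. Suggest `/* The answer, authority and additional sections of the NOTIFY are ignored; zero their counts so the header agrees with what *cpp covers. */`. req_notify's body continues outside the hunk.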
@@ -536,7 +555,7 @@ req_notify(HEADER *hp, u_char **cpp, u_char *eom, u_char *msg,
* AXFR from you.
*/
ns_info(ns_log_notify,
- "NOTIFY(SOA) for non-secondary name (%s), from %s",
+ "NOTIFY(SOA) for non-slave zone (%s), from %s",
dnbuf, sin_ntoa(from));
goto refuse;
}
@@ -565,6 +584,7 @@ req_notify(HEADER *hp, u_char **cpp, u_char *eom, u_char *msg,
ns_info(ns_log_notify,
"NOTIFY(SOA) for zone already xferring (%s)",
dnbuf);
+ zp->z_flags |= Z_NEEDREFRESH;
goto noerror;
}
zp->z_time = tt.tv_sec;
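Review bot: `zp->z_flags |= Z_NEEDREFRESH;` schedules another refresh for every NOTIFY that arrives while a transfer for the zone is already running, so a run of NOTIFYs during a slow transfer guarantees a second transfer as soon as the first finishes. That is the right behaviour if the notifier has already been checked against the zone's configured masters; any such check is above this hunk and not visible here, so confirm it precedes this point. A one-line comment would make the intent explicit: `/* zone changed again during the transfer; refresh once more when it completes */`. req_notify's body continues outside the hunk.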
@@ -804,6 +824,19 @@ req_query(HEADER *hp, u_char **cpp, u_char *eom, struct qstream *qsp,
#endif /*YPKLUDGE*/
/*
+ * Don't accept in a query names which would be rejected in responses.
+ * (This is primarily in case we have to forward it, but it's also a
+ * matter of architectural symmetry.)
+ */
+ if (!ns_nameok(NULL, dname, class, NULL, response_trans,
+ ns_ownercontext(type, response_trans),
+ dname, from.sin_addr)) {
+ ns_debug(ns_log_default, 1, "bad name in query");
+ hp->rcode = ns_r_formerr;
+ return (Refuse);
+ }
+
+ /*
* Begin Access Control Point
*/
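Review bot: The new rejection path logs only `"bad name in query"` at debug level 1, with no source address, and does not bump a statistics counter, whereas the other refusal paths in req_query (the denied-query branch further down in this diff) log `sin_ntoa(from)` at notice level on ns_log_security and call `nameserIncr(from.sin_addr, nssRcvdUQ)`; a stream of malformed-name probes is therefore invisible in normal operation. Suggest `ns_debug(ns_log_default, 1, "bad name in query from %s", sin_ntoa(from));` and `nameserIncr(from.sin_addr, nssRcvdUQ);` before `return (Refuse);` — whether nssRcvdUQ is the right counter or a dedicated one exists is not visible here. req_query's body continues outside the hunk.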
@@ -929,8 +962,9 @@ req_query(HEADER *hp, u_char **cpp, u_char *eom, struct qstream *qsp,
}
}
ns_notice(ns_log_security,
- "denied query from %s for \"%s\"",
- sin_ntoa(from), *dname ? dname : ".");
+ "denied query from %s for \"%s\" %s",
+ sin_ntoa(from), *dname ? dname : ".",
+ p_class(class));
nameserIncr(from.sin_addr, nssRcvdUQ);
return (Refuse);
}
@@ -949,9 +983,9 @@ req_query(HEADER *hp, u_char **cpp, u_char *eom, struct qstream *qsp,
in_key))
{
ns_notice(ns_log_security,
- "denied %s from %s for \"%s\" (acl)",
+ "denied %s from %s for \"%s\" %s (acl)",
p_type(type), sin_ntoa(from),
- *dname ? dname : ".");
+ *dname ? dname : ".", p_class(class));
nameserIncr(from.sin_addr, nssRcvdUXFR);
if (type == ns_t_ixfr) {
hp->rcode = ns_r_refused;
@@ -979,9 +1013,9 @@ req_query(HEADER *hp, u_char **cpp, u_char *eom, struct qstream *qsp,
if ((zp->z_flags & Z_AUTH) == 0) {
ns_notice(ns_log_security,
- "denied %s from %s for \"%s\" (not authoritative)",
+ "denied %s from %s for \"%s\" %s (not authoritative)",
p_type(type), sin_ntoa(from),
- *dname ? dname : ".");
+ *dname ? dname : ".", p_class(class));
nameserIncr(from.sin_addr, nssRcvdUXFR);
if (type == ns_t_ixfr) {
hp->rcode = ns_r_refused;
@@ -994,9 +1028,9 @@ req_query(HEADER *hp, u_char **cpp, u_char *eom, struct qstream *qsp,
if (ns_samename(zp->z_origin, dname) != 1) {
ns_notice(ns_log_security,
- "denied %s from %s for \"%s\" (not zone top)",
+ "denied %s from %s for \"%s\" %s (not zone top)",
p_type(type), sin_ntoa(from),
- *dname ? dname : ".");
+ *dname ? dname : ".", p_class(class));
nameserIncr(from.sin_addr, nssRcvdUXFR);
if (type == ns_t_ixfr) {
hp->rcode = ns_r_refused;
@@ -1271,8 +1305,8 @@ req_query(HEADER *hp, u_char **cpp, u_char *eom, struct qstream *qsp,
if (!founddata && hp->rd && recursion_blocked_by_acl) {
ns_notice(ns_log_security,
- "denied recursion for query from %s for %s",
- sin_ntoa(from), *dname ? dname : ".");
+ "denied recursion for query from %s for %s %s",
+ sin_ntoa(from), *dname ? dname : ".", p_class(class));
nameserIncr(from.sin_addr, nssRcvdURQ);
}
@@ -1333,6 +1367,7 @@ req_query(HEADER *hp, u_char **cpp, u_char *eom, struct qstream *qsp,
ns_info(ns_log_default, "res_mkquery(%s) failed",
dname);
hp->rcode = ns_r_servfail;
+ memput(omsg, omsglen);
free_nsp(nsp);
return (Finish);
}
@@ -1350,6 +1385,7 @@ req_query(HEADER *hp, u_char **cpp, u_char *eom, struct qstream *qsp,
qp->q_cname = cname;
qp->q_cmsg = omsg;
qp->q_cmsglen = omsglen;
+ qp->q_cmsgsize = omsglen;
qp->q_id = id;
}
break;
@@ -1557,7 +1593,7 @@ stale(struct databuf *dp) {
#endif
case z_slave:
/*
- * Check to see whether a secondary zone has expired or
+ * Check to see whether a slave zone has expired or
* time warped; if so clear authority flag for zone,
* schedule the zone for immediate maintenance, and
* return true.
@@ -1569,7 +1605,7 @@ stale(struct databuf *dp) {
zp->z_origin);
if (!haveComplained((u_long)zp, (u_long)stale)) {
ns_notice(ns_log_default,
- "secondary zone \"%s\" expired",
+ "slave zone \"%s\" expired",
zp->z_origin);
}
zp->z_flags &= ~Z_AUTH;
@@ -1582,7 +1618,7 @@ stale(struct databuf *dp) {
if (zp->z_lastupdate > tt.tv_sec) {
if (!haveComplained((u_long)zp, (u_long)stale)) {
ns_notice(ns_log_default,
- "secondary zone \"%s\" time warp",
+ "slave zone \"%s\" time warp",
zp->z_origin);
}
zp->z_flags &= ~Z_AUTH;
@@ -1606,7 +1642,6 @@ stale(struct databuf *dp) {
default:
/* FALLTHROUGH */ ;
-
}
panic("stale: impossible condition", NULL);
/* NOTREACHED */