diff options
Diffstat (limited to 'contrib/bind/bin/named/ns_req.c')
-rw-r--r-- | contrib/bind/bin/named/ns_req.c | 81 |
1 files changed, 58 insertions, 23 deletions
diff --git a/contrib/bind/bin/named/ns_req.c b/contrib/bind/bin/named/ns_req.c index f103ad6..671b31e 100644 --- a/contrib/bind/bin/named/ns_req.c +++ b/contrib/bind/bin/named/ns_req.c @@ -1,6 +1,6 @@ #if !defined(lint) && !defined(SABER) static const char sccsid[] = "@(#)ns_req.c 4.47 (Berkeley) 7/1/91"; -static const char rcsid[] = "$Id: ns_req.c,v 8.129 2001/01/08 23:46:41 marka Exp $"; +static const char rcsid[] = "$Id: ns_req.c,v 8.138.2.1 2001/04/27 07:44:05 marka Exp $"; #endif /* not lint */ /* @@ -204,16 +204,26 @@ ns_req(u_char *msg, int msglen, int buflen, struct qstream *qsp, ns_debug(ns_log_default, 1, "ns_req: bad TSIG key name", buf); + error = ns_r_formerr; + hp->rcode = ns_r_formerr; key = NULL; - } - key = find_key(buf, NULL); - if (key == NULL) { + } else if ((key = find_key(buf, NULL)) == NULL) { error = ns_r_badkey; hp->rcode = ns_r_notauth; ns_debug(ns_log_default, 1, "ns_req: TSIG verify failed - unknown key %s", buf); } +#ifdef LOG_TSIG_BUG + if (n < 0 || key == NULL) + ns_error(ns_log_security, + "SECURITY: POSSIBLE ATTEMPT TO EXERCISE \"TSIG BUG\" FROM %s: %s%s%s", + sin_ntoa(from), + (n < 0) ? "bad key (formerr)" : + "unknown key (", + (n < 0) ? "" : (buf[0] != '\0' ? buf : "."), + (n < 0) ? "" : ")"); +#endif } if (has_tsig && key != NULL) { n = ns_verify(msg, &msglen, key, NULL, 0, sig, &siglen, @@ -419,10 +429,12 @@ ns_req(u_char *msg, int msglen, int buflen, struct qstream *qsp, } #ifdef DEBUG - ns_debug(ns_log_default, 1, - "ns_req: answer -> %s fd=%d id=%d size=%d rc=%d", - sin_ntoa(from), (qsp == NULL) ? dfd : qsp->s_rfd, - ntohs(hp->id), cp - msg, hp->rcode); + if (ns_wouldlog(ns_log_default, 1)) { + ns_debug(ns_log_default, 1, + "ns_req: answer -> %s fd=%d id=%d size=%d rc=%d", + sin_ntoa(from), (qsp == NULL) ? dfd : qsp->s_rfd, + ntohs(hp->id), cp - msg, hp->rcode); + } if (debug >= 10) res_pquery(&res, msg, cp - msg, log_get_stream(packet_channel)); @@ -512,6 +524,13 @@ req_notify(HEADER *hp, u_char **cpp, u_char *eom, u_char *msg, /* XXX - when answers are allowed, we'll need to do compression * correctly here, and we will need to check for packet underflow. */ + /* + * We are ignoring the other field, make sure the header reflects + * *cpp. + */ + hp->ancount = htons(0); + hp->nscount = htons(0); + hp->arcount = htons(0); /* Find the zone this NOTIFY refers to. */ zp = find_auth_zone(dnbuf, class); if (zp == NULL) { @@ -536,7 +555,7 @@ req_notify(HEADER *hp, u_char **cpp, u_char *eom, u_char *msg, * AXFR from you. */ ns_info(ns_log_notify, - "NOTIFY(SOA) for non-secondary name (%s), from %s", + "NOTIFY(SOA) for non-slave zone (%s), from %s", dnbuf, sin_ntoa(from)); goto refuse; } @@ -565,6 +584,7 @@ req_notify(HEADER *hp, u_char **cpp, u_char *eom, u_char *msg, ns_info(ns_log_notify, "NOTIFY(SOA) for zone already xferring (%s)", dnbuf); + zp->z_flags |= Z_NEEDREFRESH; goto noerror; } zp->z_time = tt.tv_sec; @@ -804,6 +824,19 @@ req_query(HEADER *hp, u_char **cpp, u_char *eom, struct qstream *qsp, #endif /*YPKLUDGE*/ /* + * Don't accept in a query names which would be rejected in responses. + * (This is primarily in case we have to forward it, but it's also a + * matter of architectural symmetry.) + */ + if (!ns_nameok(NULL, dname, class, NULL, response_trans, + ns_ownercontext(type, response_trans), + dname, from.sin_addr)) { + ns_debug(ns_log_default, 1, "bad name in query"); + hp->rcode = ns_r_formerr; + return (Refuse); + } + + /* * Begin Access Control Point */ @@ -929,8 +962,9 @@ req_query(HEADER *hp, u_char **cpp, u_char *eom, struct qstream *qsp, } } ns_notice(ns_log_security, - "denied query from %s for \"%s\"", - sin_ntoa(from), *dname ? dname : "."); + "denied query from %s for \"%s\" %s", + sin_ntoa(from), *dname ? dname : ".", + p_class(class)); nameserIncr(from.sin_addr, nssRcvdUQ); return (Refuse); } @@ -949,9 +983,9 @@ req_query(HEADER *hp, u_char **cpp, u_char *eom, struct qstream *qsp, in_key)) { ns_notice(ns_log_security, - "denied %s from %s for \"%s\" (acl)", + "denied %s from %s for \"%s\" %s (acl)", p_type(type), sin_ntoa(from), - *dname ? dname : "."); + *dname ? dname : ".", p_class(class)); nameserIncr(from.sin_addr, nssRcvdUXFR); if (type == ns_t_ixfr) { hp->rcode = ns_r_refused; @@ -979,9 +1013,9 @@ req_query(HEADER *hp, u_char **cpp, u_char *eom, struct qstream *qsp, if ((zp->z_flags & Z_AUTH) == 0) { ns_notice(ns_log_security, - "denied %s from %s for \"%s\" (not authoritative)", + "denied %s from %s for \"%s\" %s (not authoritative)", p_type(type), sin_ntoa(from), - *dname ? dname : "."); + *dname ? dname : ".", p_class(class)); nameserIncr(from.sin_addr, nssRcvdUXFR); if (type == ns_t_ixfr) { hp->rcode = ns_r_refused; @@ -994,9 +1028,9 @@ req_query(HEADER *hp, u_char **cpp, u_char *eom, struct qstream *qsp, if (ns_samename(zp->z_origin, dname) != 1) { ns_notice(ns_log_security, - "denied %s from %s for \"%s\" (not zone top)", + "denied %s from %s for \"%s\" %s (not zone top)", p_type(type), sin_ntoa(from), - *dname ? dname : "."); + *dname ? dname : ".", p_class(class)); nameserIncr(from.sin_addr, nssRcvdUXFR); if (type == ns_t_ixfr) { hp->rcode = ns_r_refused; @@ -1271,8 +1305,8 @@ req_query(HEADER *hp, u_char **cpp, u_char *eom, struct qstream *qsp, if (!founddata && hp->rd && recursion_blocked_by_acl) { ns_notice(ns_log_security, - "denied recursion for query from %s for %s", - sin_ntoa(from), *dname ? dname : "."); + "denied recursion for query from %s for %s %s", + sin_ntoa(from), *dname ? dname : ".", p_class(class)); nameserIncr(from.sin_addr, nssRcvdURQ); } @@ -1333,6 +1367,7 @@ req_query(HEADER *hp, u_char **cpp, u_char *eom, struct qstream *qsp, ns_info(ns_log_default, "res_mkquery(%s) failed", dname); hp->rcode = ns_r_servfail; + memput(omsg, omsglen); free_nsp(nsp); return (Finish); } @@ -1350,6 +1385,7 @@ req_query(HEADER *hp, u_char **cpp, u_char *eom, struct qstream *qsp, qp->q_cname = cname; qp->q_cmsg = omsg; qp->q_cmsglen = omsglen; + qp->q_cmsgsize = omsglen; qp->q_id = id; } break; @@ -1557,7 +1593,7 @@ stale(struct databuf *dp) { #endif case z_slave: /* - * Check to see whether a secondary zone has expired or + * Check to see whether a slave zone has expired or * time warped; if so clear authority flag for zone, * schedule the zone for immediate maintenance, and * return true. @@ -1569,7 +1605,7 @@ stale(struct databuf *dp) { zp->z_origin); if (!haveComplained((u_long)zp, (u_long)stale)) { ns_notice(ns_log_default, - "secondary zone \"%s\" expired", + "slave zone \"%s\" expired", zp->z_origin); } zp->z_flags &= ~Z_AUTH; @@ -1582,7 +1618,7 @@ stale(struct databuf *dp) { if (zp->z_lastupdate > tt.tv_sec) { if (!haveComplained((u_long)zp, (u_long)stale)) { ns_notice(ns_log_default, - "secondary zone \"%s\" time warp", + "slave zone \"%s\" time warp", zp->z_origin); } zp->z_flags &= ~Z_AUTH; @@ -1606,7 +1642,6 @@ stale(struct databuf *dp) { default: /* FALLTHROUGH */ ; - } panic("stale: impossible condition", NULL); /* NOTREACHED */ |