blob: 6a9af242534bd3a7b0b883c8c78d467f10878df5 [file] [log] [blame]
Simon Kelleyd1ced3a2018-01-01 22:18:03 +00001/* dnsmasq is Copyright (c) 2000-2018 Simon Kelley
Simon Kelley9e4abcb2004-01-22 19:47:41 +00002
3 This program is free software; you can redistribute it and/or modify
4 it under the terms of the GNU General Public License as published by
Simon Kelley824af852008-02-12 20:43:05 +00005 the Free Software Foundation; version 2 dated June, 1991, or
6 (at your option) version 3 dated 29 June, 2007.
7
Simon Kelley9e4abcb2004-01-22 19:47:41 +00008 This program is distributed in the hope that it will be useful,
9 but WITHOUT ANY WARRANTY; without even the implied warranty of
10 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
11 GNU General Public License for more details.
Simon Kelley824af852008-02-12 20:43:05 +000012
Simon Kelley73a08a22009-02-05 20:28:08 +000013 You should have received a copy of the GNU General Public License
14 along with this program. If not, see <http://www.gnu.org/licenses/>.
Simon Kelley9e4abcb2004-01-22 19:47:41 +000015*/
16
17#include "dnsmasq.h"
18
Simon Kelley4f7b3042012-11-28 21:27:02 +000019int extract_name(struct dns_header *header, size_t plen, unsigned char **pp,
20 char *name, int isExtract, int extrabytes)
Simon Kelley9e4abcb2004-01-22 19:47:41 +000021{
Simon Kelley3d8df262005-08-29 12:19:27 +010022 unsigned char *cp = (unsigned char *)name, *p = *pp, *p1 = NULL;
Simon Kelleyb8f16552015-04-22 21:14:31 +010023 unsigned int j, l, namelen = 0, hops = 0;
Simon Kelley9e4abcb2004-01-22 19:47:41 +000024 int retvalue = 1;
25
Simon Kelleyf6b7dc42005-01-23 12:06:08 +000026 if (isExtract)
27 *cp = 0;
28
Simon Kelley9009d742008-11-14 20:04:27 +000029 while (1)
30 {
31 unsigned int label_type;
32
33 if (!CHECK_LEN(header, p, plen, 1))
34 return 0;
35
36 if ((l = *p++) == 0)
37 /* end marker */
38 {
Josh Soref74f0f9a2017-12-01 21:38:27 +000039 /* check that there are the correct no. of bytes after the name */
Simon Kelley6a0b00f2017-09-25 20:19:55 +010040 if (!CHECK_LEN(header, p1 ? p1 : p, plen, extrabytes))
Simon Kelley9009d742008-11-14 20:04:27 +000041 return 0;
42
43 if (isExtract)
44 {
45 if (cp != (unsigned char *)name)
46 cp--;
47 *cp = 0; /* terminate: lose final period */
48 }
49 else if (*cp != 0)
50 retvalue = 2;
51
52 if (p1) /* we jumped via compression */
53 *pp = p1;
54 else
55 *pp = p;
56
57 return retvalue;
58 }
59
60 label_type = l & 0xc0;
61
Simon Kelley9e4abcb2004-01-22 19:47:41 +000062 if (label_type == 0xc0) /* pointer */
63 {
Simon Kelley9009d742008-11-14 20:04:27 +000064 if (!CHECK_LEN(header, p, plen, 1))
Simon Kelley9e4abcb2004-01-22 19:47:41 +000065 return 0;
66
67 /* get offset */
68 l = (l&0x3f) << 8;
69 l |= *p++;
Simon Kelley9e4abcb2004-01-22 19:47:41 +000070
71 if (!p1) /* first jump, save location to go back to */
72 p1 = p;
73
74 hops++; /* break malicious infinite loops */
75 if (hops > 255)
76 return 0;
77
78 p = l + (unsigned char *)header;
79 }
Simon Kelley06568c62015-05-15 20:43:48 +010080 else if (label_type == 0x00)
Simon Kelley9e4abcb2004-01-22 19:47:41 +000081 { /* label_type = 0 -> label. */
Simon Kelley5d07d772015-05-15 18:13:06 +010082 namelen += l + 1; /* include period */
83 if (namelen >= MAXDNAME)
Simon Kelley9e4abcb2004-01-22 19:47:41 +000084 return 0;
Simon Kelley9009d742008-11-14 20:04:27 +000085 if (!CHECK_LEN(header, p, plen, l))
Simon Kelley9e4abcb2004-01-22 19:47:41 +000086 return 0;
Simon Kelley9009d742008-11-14 20:04:27 +000087
Simon Kelley9e4abcb2004-01-22 19:47:41 +000088 for(j=0; j<l; j++, p++)
89 if (isExtract)
90 {
Simon Kelley1f15b812009-10-13 17:49:32 +010091 unsigned char c = *p;
Simon Kelleycbe379a2015-04-21 22:57:06 +010092#ifdef HAVE_DNSSEC
93 if (option_bool(OPT_DNSSEC_VALID))
94 {
95 if (c == 0 || c == '.' || c == NAME_ESCAPE)
Simon Kelleyb8f16552015-04-22 21:14:31 +010096 {
97 *cp++ = NAME_ESCAPE;
98 *cp++ = c+1;
99 }
100 else
101 *cp++ = c;
Simon Kelleycbe379a2015-04-21 22:57:06 +0100102 }
103 else
104#endif
Simon Kelley394ff492015-03-29 22:17:14 +0100105 if (c != 0 && c != '.')
106 *cp++ = c;
Simon Kelley9e4abcb2004-01-22 19:47:41 +0000107 else
108 return 0;
109 }
110 else
111 {
112 unsigned char c1 = *cp, c2 = *p;
113
114 if (c1 == 0)
115 retvalue = 2;
116 else
117 {
118 cp++;
119 if (c1 >= 'A' && c1 <= 'Z')
120 c1 += 'a' - 'A';
Simon Kelleycbe379a2015-04-21 22:57:06 +0100121#ifdef HAVE_DNSSEC
122 if (option_bool(OPT_DNSSEC_VALID) && c1 == NAME_ESCAPE)
Simon Kelleyb8f16552015-04-22 21:14:31 +0100123 c1 = (*cp++)-1;
Simon Kelleycbe379a2015-04-21 22:57:06 +0100124#endif
125
Simon Kelley9e4abcb2004-01-22 19:47:41 +0000126 if (c2 >= 'A' && c2 <= 'Z')
127 c2 += 'a' - 'A';
Simon Kelleycbe379a2015-04-21 22:57:06 +0100128
Simon Kelley9e4abcb2004-01-22 19:47:41 +0000129 if (c1 != c2)
130 retvalue = 2;
131 }
132 }
Simon Kelley06568c62015-05-15 20:43:48 +0100133
Simon Kelley9e4abcb2004-01-22 19:47:41 +0000134 if (isExtract)
135 *cp++ = '.';
Simon Kelleyf6b7dc42005-01-23 12:06:08 +0000136 else if (*cp != 0 && *cp++ != '.')
137 retvalue = 2;
Simon Kelley9e4abcb2004-01-22 19:47:41 +0000138 }
Simon Kelley06568c62015-05-15 20:43:48 +0100139 else
140 return 0; /* label types 0x40 and 0x80 not supported */
Simon Kelley9e4abcb2004-01-22 19:47:41 +0000141 }
Simon Kelley9e4abcb2004-01-22 19:47:41 +0000142}
143
144/* Max size of input string (for IPv6) is 75 chars.) */
145#define MAXARPANAME 75
Simon Kelleycc921df2019-01-02 22:48:59 +0000146int in_arpa_name_2_addr(char *namein, union all_addr *addrp)
Simon Kelley9e4abcb2004-01-22 19:47:41 +0000147{
148 int j;
149 char name[MAXARPANAME+1], *cp1;
150 unsigned char *addr = (unsigned char *)addrp;
151 char *lastchunk = NULL, *penchunk = NULL;
152
153 if (strlen(namein) > MAXARPANAME)
154 return 0;
155
Simon Kelleycc921df2019-01-02 22:48:59 +0000156 memset(addrp, 0, sizeof(union all_addr));
Simon Kelley9e4abcb2004-01-22 19:47:41 +0000157
158 /* turn name into a series of asciiz strings */
Josh Soref74f0f9a2017-12-01 21:38:27 +0000159 /* j counts no. of labels */
Simon Kelley9e4abcb2004-01-22 19:47:41 +0000160 for(j = 1,cp1 = name; *namein; cp1++, namein++)
161 if (*namein == '.')
162 {
163 penchunk = lastchunk;
164 lastchunk = cp1 + 1;
165 *cp1 = 0;
166 j++;
167 }
168 else
169 *cp1 = *namein;
170
171 *cp1 = 0;
172
173 if (j<3)
174 return 0;
175
176 if (hostname_isequal(lastchunk, "arpa") && hostname_isequal(penchunk, "in-addr"))
177 {
178 /* IP v4 */
Josh Soref730c6742017-02-06 16:14:04 +0000179 /* address arrives as a name of the form
Simon Kelley9e4abcb2004-01-22 19:47:41 +0000180 www.xxx.yyy.zzz.in-addr.arpa
181 some of the low order address octets might be missing
182 and should be set to zero. */
183 for (cp1 = name; cp1 != penchunk; cp1 += strlen(cp1)+1)
184 {
185 /* check for digits only (weeds out things like
186 50.0/24.67.28.64.in-addr.arpa which are used
187 as CNAME targets according to RFC 2317 */
188 char *cp;
189 for (cp = cp1; *cp; cp++)
Simon Kelley572b41e2011-02-18 18:11:18 +0000190 if (!isdigit((unsigned char)*cp))
Simon Kelley9e4abcb2004-01-22 19:47:41 +0000191 return 0;
192
193 addr[3] = addr[2];
194 addr[2] = addr[1];
195 addr[1] = addr[0];
196 addr[0] = atoi(cp1);
197 }
198
199 return F_IPV4;
200 }
Simon Kelley9e4abcb2004-01-22 19:47:41 +0000201 else if (hostname_isequal(penchunk, "ip6") &&
202 (hostname_isequal(lastchunk, "int") || hostname_isequal(lastchunk, "arpa")))
203 {
204 /* IP v6:
205 Address arrives as 0.1.2.3.4.5.6.7.8.9.a.b.c.d.e.f.ip6.[int|arpa]
206 or \[xfedcba9876543210fedcba9876543210/128].ip6.[int|arpa]
207
Josh Soref730c6742017-02-06 16:14:04 +0000208 Note that most of these the various representations are obsolete and
Simon Kelley9e4abcb2004-01-22 19:47:41 +0000209 left-over from the many DNS-for-IPv6 wars. We support all the formats
210 that we can since there is no reason not to.
211 */
212
213 if (*name == '\\' && *(name+1) == '[' &&
214 (*(name+2) == 'x' || *(name+2) == 'X'))
215 {
Simon Kelley572b41e2011-02-18 18:11:18 +0000216 for (j = 0, cp1 = name+3; *cp1 && isxdigit((unsigned char) *cp1) && j < 32; cp1++, j++)
Simon Kelley9e4abcb2004-01-22 19:47:41 +0000217 {
218 char xdig[2];
219 xdig[0] = *cp1;
220 xdig[1] = 0;
221 if (j%2)
222 addr[j/2] |= strtol(xdig, NULL, 16);
223 else
224 addr[j/2] = strtol(xdig, NULL, 16) << 4;
225 }
226
227 if (*cp1 == '/' && j == 32)
228 return F_IPV6;
229 }
230 else
231 {
232 for (cp1 = name; cp1 != penchunk; cp1 += strlen(cp1)+1)
233 {
Simon Kelley572b41e2011-02-18 18:11:18 +0000234 if (*(cp1+1) || !isxdigit((unsigned char)*cp1))
Simon Kelley9e4abcb2004-01-22 19:47:41 +0000235 return 0;
236
Simon Kelleycc921df2019-01-02 22:48:59 +0000237 for (j = sizeof(struct in6_addr)-1; j>0; j--)
Simon Kelley9e4abcb2004-01-22 19:47:41 +0000238 addr[j] = (addr[j] >> 4) | (addr[j-1] << 4);
239 addr[0] = (addr[0] >> 4) | (strtol(cp1, NULL, 16) << 4);
240 }
241
242 return F_IPV6;
243 }
244 }
Simon Kelley9e4abcb2004-01-22 19:47:41 +0000245
246 return 0;
247}
248
Giovanni Bajo32f82c62012-04-28 01:01:16 +0200249unsigned char *skip_name(unsigned char *ansp, struct dns_header *header, size_t plen, int extrabytes)
Simon Kelleyfeba5c12004-07-27 20:28:58 +0100250{
251 while(1)
252 {
Simon Kelley9009d742008-11-14 20:04:27 +0000253 unsigned int label_type;
Simon Kelleyfeba5c12004-07-27 20:28:58 +0100254
Simon Kelley9009d742008-11-14 20:04:27 +0000255 if (!CHECK_LEN(header, ansp, plen, 1))
Simon Kelleyfeba5c12004-07-27 20:28:58 +0100256 return NULL;
257
Simon Kelley9009d742008-11-14 20:04:27 +0000258 label_type = (*ansp) & 0xc0;
259
Simon Kelleyfeba5c12004-07-27 20:28:58 +0100260 if (label_type == 0xc0)
261 {
262 /* pointer for compression. */
263 ansp += 2;
264 break;
265 }
266 else if (label_type == 0x80)
267 return NULL; /* reserved */
268 else if (label_type == 0x40)
269 {
270 /* Extended label type */
271 unsigned int count;
272
Simon Kelley9009d742008-11-14 20:04:27 +0000273 if (!CHECK_LEN(header, ansp, plen, 2))
274 return NULL;
275
Simon Kelleyfeba5c12004-07-27 20:28:58 +0100276 if (((*ansp++) & 0x3f) != 1)
277 return NULL; /* we only understand bitstrings */
278
279 count = *(ansp++); /* Bits in bitstring */
280
281 if (count == 0) /* count == 0 means 256 bits */
282 ansp += 32;
283 else
284 ansp += ((count-1)>>3)+1;
285 }
286 else
287 { /* label type == 0 Bottom six bits is length */
288 unsigned int len = (*ansp++) & 0x3f;
Simon Kelley9009d742008-11-14 20:04:27 +0000289
290 if (!ADD_RDLEN(header, ansp, plen, len))
291 return NULL;
292
Simon Kelleyfeba5c12004-07-27 20:28:58 +0100293 if (len == 0)
294 break; /* zero length label marks the end. */
Simon Kelleyfeba5c12004-07-27 20:28:58 +0100295 }
296 }
Simon Kelley9009d742008-11-14 20:04:27 +0000297
298 if (!CHECK_LEN(header, ansp, plen, extrabytes))
299 return NULL;
Simon Kelleyfeba5c12004-07-27 20:28:58 +0100300
301 return ansp;
302}
303
Simon Kelley4f7b3042012-11-28 21:27:02 +0000304unsigned char *skip_questions(struct dns_header *header, size_t plen)
Simon Kelley9e4abcb2004-01-22 19:47:41 +0000305{
Simon Kelley5aabfc72007-08-29 11:24:47 +0100306 int q;
Simon Kelley9e4abcb2004-01-22 19:47:41 +0000307 unsigned char *ansp = (unsigned char *)(header+1);
308
Simon Kelley5aabfc72007-08-29 11:24:47 +0100309 for (q = ntohs(header->qdcount); q != 0; q--)
Simon Kelley9e4abcb2004-01-22 19:47:41 +0000310 {
Simon Kelley9009d742008-11-14 20:04:27 +0000311 if (!(ansp = skip_name(ansp, header, plen, 4)))
Simon Kelleyfeba5c12004-07-27 20:28:58 +0100312 return NULL;
Simon Kelley9e4abcb2004-01-22 19:47:41 +0000313 ansp += 4; /* class and type */
314 }
Simon Kelley9e4abcb2004-01-22 19:47:41 +0000315
316 return ansp;
317}
318
Simon Kelley5107ace2014-02-23 10:48:32 +0000319unsigned char *skip_section(unsigned char *ansp, int count, struct dns_header *header, size_t plen)
Simon Kelleyfeba5c12004-07-27 20:28:58 +0100320{
Simon Kelleyfd9fa482004-10-21 20:24:00 +0100321 int i, rdlen;
Simon Kelley36717ee2004-09-20 19:20:58 +0100322
Simon Kelleyfd9fa482004-10-21 20:24:00 +0100323 for (i = 0; i < count; i++)
Simon Kelley36717ee2004-09-20 19:20:58 +0100324 {
Simon Kelley9009d742008-11-14 20:04:27 +0000325 if (!(ansp = skip_name(ansp, header, plen, 10)))
Simon Kelleyfd9fa482004-10-21 20:24:00 +0100326 return NULL;
Simon Kelley36717ee2004-09-20 19:20:58 +0100327 ansp += 8; /* type, class, TTL */
328 GETSHORT(rdlen, ansp);
Simon Kelley9009d742008-11-14 20:04:27 +0000329 if (!ADD_RDLEN(header, ansp, plen, rdlen))
Simon Kelleyfd9fa482004-10-21 20:24:00 +0100330 return NULL;
Simon Kelley36717ee2004-09-20 19:20:58 +0100331 }
332
Simon Kelleyfd9fa482004-10-21 20:24:00 +0100333 return ansp;
334}
335
Simon Kelley0a852542005-03-23 20:28:59 +0000336/* CRC the question section. This is used to safely detect query
Josh Soref730c6742017-02-06 16:14:04 +0000337 retransmission and to detect answers to questions we didn't ask, which
Simon Kelley0a852542005-03-23 20:28:59 +0000338 might be poisoning attacks. Note that we decode the name rather
339 than CRC the raw bytes, since replies might be compressed differently.
Simon Kelley832af0b2007-01-21 20:01:28 +0000340 We ignore case in the names for the same reason. Return all-ones
341 if there is not question section. */
Simon Kelley17fb9ea2014-01-26 09:36:54 +0000342#ifndef HAVE_DNSSEC
Simon Kelley572b41e2011-02-18 18:11:18 +0000343unsigned int questions_crc(struct dns_header *header, size_t plen, char *name)
Simon Kelleyfd9fa482004-10-21 20:24:00 +0100344{
Simon Kelley91dccd02005-03-31 17:48:32 +0100345 int q;
346 unsigned int crc = 0xffffffff;
Simon Kelley0a852542005-03-23 20:28:59 +0000347 unsigned char *p1, *p = (unsigned char *)(header+1);
Simon Kelleyfd9fa482004-10-21 20:24:00 +0100348
Simon Kelley5aabfc72007-08-29 11:24:47 +0100349 for (q = ntohs(header->qdcount); q != 0; q--)
Simon Kelley0a852542005-03-23 20:28:59 +0000350 {
Simon Kelley9009d742008-11-14 20:04:27 +0000351 if (!extract_name(header, plen, &p, name, 1, 4))
Simon Kelley0a852542005-03-23 20:28:59 +0000352 return crc; /* bad packet */
353
Simon Kelley3d8df262005-08-29 12:19:27 +0100354 for (p1 = (unsigned char *)name; *p1; p1++)
Simon Kelley0a852542005-03-23 20:28:59 +0000355 {
356 int i = 8;
357 char c = *p1;
358
359 if (c >= 'A' && c <= 'Z')
360 c += 'a' - 'A';
361
362 crc ^= c << 24;
363 while (i--)
364 crc = crc & 0x80000000 ? (crc << 1) ^ 0x04c11db7 : crc << 1;
365 }
366
367 /* CRC the class and type as well */
368 for (p1 = p; p1 < p+4; p1++)
369 {
370 int i = 8;
371 crc ^= *p1 << 24;
372 while (i--)
373 crc = crc & 0x80000000 ? (crc << 1) ^ 0x04c11db7 : crc << 1;
374 }
375
376 p += 4;
Simon Kelley9009d742008-11-14 20:04:27 +0000377 if (!CHECK_LEN(header, p, plen, 0))
Simon Kelley0a852542005-03-23 20:28:59 +0000378 return crc; /* bad packet */
379 }
380
Simon Kelleyfd9fa482004-10-21 20:24:00 +0100381 return crc;
382}
Simon Kelley17fb9ea2014-01-26 09:36:54 +0000383#endif
Simon Kelleyfd9fa482004-10-21 20:24:00 +0100384
Simon Kelley572b41e2011-02-18 18:11:18 +0000385size_t resize_packet(struct dns_header *header, size_t plen, unsigned char *pheader, size_t hlen)
Simon Kelleyfd9fa482004-10-21 20:24:00 +0100386{
387 unsigned char *ansp = skip_questions(header, plen);
388
Simon Kelley9009d742008-11-14 20:04:27 +0000389 /* if packet is malformed, just return as-is. */
Simon Kelleyfd9fa482004-10-21 20:24:00 +0100390 if (!ansp)
Simon Kelley9009d742008-11-14 20:04:27 +0000391 return plen;
Simon Kelleyfd9fa482004-10-21 20:24:00 +0100392
393 if (!(ansp = skip_section(ansp, ntohs(header->ancount) + ntohs(header->nscount) + ntohs(header->arcount),
394 header, plen)))
Simon Kelley9009d742008-11-14 20:04:27 +0000395 return plen;
Simon Kelleyfd9fa482004-10-21 20:24:00 +0100396
Simon Kelley36717ee2004-09-20 19:20:58 +0100397 /* restore pseudoheader */
398 if (pheader && ntohs(header->arcount) == 0)
399 {
400 /* must use memmove, may overlap */
401 memmove(ansp, pheader, hlen);
402 header->arcount = htons(1);
403 ansp += hlen;
404 }
405
406 return ansp - (unsigned char *)header;
407}
408
Simon Kelley9e4abcb2004-01-22 19:47:41 +0000409/* is addr in the non-globally-routed IP space? */
Simon Kelleydc27e142013-10-16 13:09:53 +0100410int private_net(struct in_addr addr, int ban_localhost)
Simon Kelley9e4abcb2004-01-22 19:47:41 +0000411{
Simon Kelleyf2621c72007-04-29 19:47:21 +0100412 in_addr_t ip_addr = ntohl(addr.s_addr);
413
414 return
Simon Kelleyd2aa7df2015-08-03 21:52:12 +0100415 (((ip_addr & 0xFF000000) == 0x7F000000) && ban_localhost) /* 127.0.0.0/8 (loopback) */ ||
416 ((ip_addr & 0xFF000000) == 0x00000000) /* RFC 5735 section 3. "here" network */ ||
Simon Kelleyf2621c72007-04-29 19:47:21 +0100417 ((ip_addr & 0xFF000000) == 0x0A000000) /* 10.0.0.0/8 (private) */ ||
418 ((ip_addr & 0xFFF00000) == 0xAC100000) /* 172.16.0.0/12 (private) */ ||
Simon Kelley90477fb2015-10-20 21:21:32 +0100419 ((ip_addr & 0xFFFF0000) == 0xC0A80000) /* 192.168.0.0/16 (private) */ ||
420 ((ip_addr & 0xFFFF0000) == 0xA9FE0000) /* 169.254.0.0/16 (zeroconf) */ ||
421 ((ip_addr & 0xFFFFFF00) == 0xC0000200) /* 192.0.2.0/24 (test-net) */ ||
422 ((ip_addr & 0xFFFFFF00) == 0xC6336400) /* 198.51.100.0/24(test-net) */ ||
423 ((ip_addr & 0xFFFFFF00) == 0xCB007100) /* 203.0.113.0/24 (test-net) */ ||
424 ((ip_addr & 0xFFFFFFFF) == 0xFFFFFFFF) /* 255.255.255.255/32 (broadcast)*/ ;
Simon Kelley9e4abcb2004-01-22 19:47:41 +0000425}
Simon Kelley1cff1662004-03-12 08:12:58 +0000426
Simon Kelleyfca008d2017-02-19 18:50:41 +0000427static int private_net6(struct in6_addr *a)
428{
429 return
430 IN6_IS_ADDR_UNSPECIFIED(a) || /* RFC 6303 4.3 */
431 IN6_IS_ADDR_LOOPBACK(a) || /* RFC 6303 4.3 */
432 IN6_IS_ADDR_LINKLOCAL(a) || /* RFC 6303 4.5 */
433 ((unsigned char *)a)[0] == 0xfd || /* RFC 6303 4.4 */
434 ((u32 *)a)[0] == htonl(0x20010db8); /* RFC 6303 4.6 */
435}
Simon Kelleyfca008d2017-02-19 18:50:41 +0000436
Simon Kelley6938f342014-01-26 22:47:39 +0000437static unsigned char *do_doctor(unsigned char *p, int count, struct dns_header *header, size_t qlen, char *name, int *doctored)
Simon Kelley824af852008-02-12 20:43:05 +0000438{
439 int i, qtype, qclass, rdlen;
Simon Kelley824af852008-02-12 20:43:05 +0000440
441 for (i = count; i != 0; i--)
442 {
Simon Kelley28866e92011-02-14 20:19:14 +0000443 if (name && option_bool(OPT_LOG))
Simon Kelley8ef5ada2010-06-03 19:42:45 +0100444 {
445 if (!extract_name(header, qlen, &p, name, 1, 10))
446 return 0;
447 }
448 else if (!(p = skip_name(p, header, qlen, 10)))
Simon Kelley824af852008-02-12 20:43:05 +0000449 return 0; /* bad packet */
450
451 GETSHORT(qtype, p);
452 GETSHORT(qclass, p);
Simon Kelley7de060b2011-08-26 17:24:52 +0100453 p += 4; /* ttl */
Simon Kelley824af852008-02-12 20:43:05 +0000454 GETSHORT(rdlen, p);
455
Simon Kelley8ef5ada2010-06-03 19:42:45 +0100456 if (qclass == C_IN && qtype == T_A)
Simon Kelley824af852008-02-12 20:43:05 +0000457 {
458 struct doctor *doctor;
459 struct in_addr addr;
460
Simon Kelley9009d742008-11-14 20:04:27 +0000461 if (!CHECK_LEN(header, p, qlen, INADDRSZ))
462 return 0;
Simon Kelley8ef5ada2010-06-03 19:42:45 +0100463
464 /* alignment */
Simon Kelley824af852008-02-12 20:43:05 +0000465 memcpy(&addr, p, INADDRSZ);
466
467 for (doctor = daemon->doctors; doctor; doctor = doctor->next)
Simon Kelley73a08a22009-02-05 20:28:08 +0000468 {
469 if (doctor->end.s_addr == 0)
470 {
471 if (!is_same_net(doctor->in, addr, doctor->mask))
472 continue;
473 }
474 else if (ntohl(doctor->in.s_addr) > ntohl(addr.s_addr) ||
475 ntohl(doctor->end.s_addr) < ntohl(addr.s_addr))
476 continue;
Simon Kelley8ef5ada2010-06-03 19:42:45 +0100477
Simon Kelley73a08a22009-02-05 20:28:08 +0000478 addr.s_addr &= ~doctor->mask.s_addr;
479 addr.s_addr |= (doctor->out.s_addr & doctor->mask.s_addr);
480 /* Since we munged the data, the server it came from is no longer authoritative */
Simon Kelley572b41e2011-02-18 18:11:18 +0000481 header->hb3 &= ~HB3_AA;
Simon Kelley6938f342014-01-26 22:47:39 +0000482 *doctored = 1;
Simon Kelley73a08a22009-02-05 20:28:08 +0000483 memcpy(p, &addr, INADDRSZ);
484 break;
485 }
Simon Kelley824af852008-02-12 20:43:05 +0000486 }
Simon Kelley28866e92011-02-14 20:19:14 +0000487 else if (qtype == T_TXT && name && option_bool(OPT_LOG))
Simon Kelley8ef5ada2010-06-03 19:42:45 +0100488 {
489 unsigned char *p1 = p;
490 if (!CHECK_LEN(header, p1, qlen, rdlen))
491 return 0;
492 while ((p1 - p) < rdlen)
493 {
494 unsigned int i, len = *p1;
495 unsigned char *p2 = p1;
Simon Kelley6a0b00f2017-09-25 20:19:55 +0100496 if ((p1 + len - p) >= rdlen)
497 return 0; /* bad packet */
Simon Kelley8ef5ada2010-06-03 19:42:45 +0100498 /* make counted string zero-term and sanitise */
499 for (i = 0; i < len; i++)
Simon Kelley231d0612012-04-27 13:50:45 +0100500 {
501 if (!isprint((int)*(p2+1)))
502 break;
503
504 *p2 = *(p2+1);
505 p2++;
506 }
Simon Kelley8ef5ada2010-06-03 19:42:45 +0100507 *p2 = 0;
Simon Kelley28866e92011-02-14 20:19:14 +0000508 my_syslog(LOG_INFO, "reply %s is %s", name, p1);
Simon Kelley8ef5ada2010-06-03 19:42:45 +0100509 /* restore */
Simon Kelley231d0612012-04-27 13:50:45 +0100510 memmove(p1 + 1, p1, i);
Simon Kelley8ef5ada2010-06-03 19:42:45 +0100511 *p1 = len;
512 p1 += len+1;
513 }
514 }
Simon Kelley824af852008-02-12 20:43:05 +0000515
Simon Kelley9009d742008-11-14 20:04:27 +0000516 if (!ADD_RDLEN(header, p, qlen, rdlen))
517 return 0; /* bad packet */
Simon Kelley824af852008-02-12 20:43:05 +0000518 }
519
520 return p;
521}
522
Simon Kelley6938f342014-01-26 22:47:39 +0000523static int find_soa(struct dns_header *header, size_t qlen, char *name, int *doctored)
Simon Kelley9e4abcb2004-01-22 19:47:41 +0000524{
Simon Kelleyfd9fa482004-10-21 20:24:00 +0100525 unsigned char *p;
Simon Kelley9e4abcb2004-01-22 19:47:41 +0000526 int qtype, qclass, rdlen;
Simon Kelleyfd9fa482004-10-21 20:24:00 +0100527 unsigned long ttl, minttl = ULONG_MAX;
528 int i, found_soa = 0;
Simon Kelley9e4abcb2004-01-22 19:47:41 +0000529
Simon Kelleyfd9fa482004-10-21 20:24:00 +0100530 /* first move to NS section and find TTL from any SOA section */
531 if (!(p = skip_questions(header, qlen)) ||
Simon Kelley6938f342014-01-26 22:47:39 +0000532 !(p = do_doctor(p, ntohs(header->ancount), header, qlen, name, doctored)))
Simon Kelley824af852008-02-12 20:43:05 +0000533 return 0; /* bad packet */
Simon Kelley9e4abcb2004-01-22 19:47:41 +0000534
Simon Kelley5aabfc72007-08-29 11:24:47 +0100535 for (i = ntohs(header->nscount); i != 0; i--)
Simon Kelley9e4abcb2004-01-22 19:47:41 +0000536 {
Simon Kelley9009d742008-11-14 20:04:27 +0000537 if (!(p = skip_name(p, header, qlen, 10)))
Simon Kelleyfd9fa482004-10-21 20:24:00 +0100538 return 0; /* bad packet */
539
Simon Kelley9e4abcb2004-01-22 19:47:41 +0000540 GETSHORT(qtype, p);
541 GETSHORT(qclass, p);
542 GETLONG(ttl, p);
543 GETSHORT(rdlen, p);
Simon Kelleyfd9fa482004-10-21 20:24:00 +0100544
545 if ((qclass == C_IN) && (qtype == T_SOA))
546 {
547 found_soa = 1;
548 if (ttl < minttl)
549 minttl = ttl;
550
551 /* MNAME */
Simon Kelley9009d742008-11-14 20:04:27 +0000552 if (!(p = skip_name(p, header, qlen, 0)))
Simon Kelleyfd9fa482004-10-21 20:24:00 +0100553 return 0;
554 /* RNAME */
Simon Kelley9009d742008-11-14 20:04:27 +0000555 if (!(p = skip_name(p, header, qlen, 20)))
Simon Kelleyfd9fa482004-10-21 20:24:00 +0100556 return 0;
557 p += 16; /* SERIAL REFRESH RETRY EXPIRE */
558
559 GETLONG(ttl, p); /* minTTL */
560 if (ttl < minttl)
561 minttl = ttl;
562 }
Simon Kelley9009d742008-11-14 20:04:27 +0000563 else if (!ADD_RDLEN(header, p, qlen, rdlen))
Simon Kelleyfd9fa482004-10-21 20:24:00 +0100564 return 0; /* bad packet */
565 }
Simon Kelley9009d742008-11-14 20:04:27 +0000566
Simon Kelley6938f342014-01-26 22:47:39 +0000567 /* rewrite addresses in additional section too */
568 if (!do_doctor(p, ntohs(header->arcount), header, qlen, NULL, doctored))
Simon Kelley824af852008-02-12 20:43:05 +0000569 return 0;
570
571 if (!found_soa)
572 minttl = daemon->neg_ttl;
573
574 return minttl;
Simon Kelleyfd9fa482004-10-21 20:24:00 +0100575}
576
577/* Note that the following code can create CNAME chains that don't point to a real record,
578 either because of lack of memory, or lack of SOA records. These are treated by the cache code as
Simon Kelley824af852008-02-12 20:43:05 +0000579 expired and cleaned out that way.
Simon Kelley8ef5ada2010-06-03 19:42:45 +0100580 Return 1 if we reject an address because it look like part of dns-rebinding attack. */
Simon Kelley572b41e2011-02-18 18:11:18 +0000581int extract_addresses(struct dns_header *header, size_t qlen, char *name, time_t now,
Simon Kelleya6004d72017-10-25 17:48:19 +0100582 char **ipsets, int is_sign, int check_rebind, int no_cache_dnssec,
Simon Kelley373e9172017-12-01 22:40:56 +0000583 int secure, int *doctored)
Simon Kelleyfd9fa482004-10-21 20:24:00 +0100584{
Simon Kelley824af852008-02-12 20:43:05 +0000585 unsigned char *p, *p1, *endrr, *namep;
Simon Kelleyfd9fa482004-10-21 20:24:00 +0100586 int i, j, qtype, qclass, aqtype, aqclass, ardlen, res, searched_soa = 0;
Simon Kelley0a852542005-03-23 20:28:59 +0000587 unsigned long ttl = 0;
Simon Kelleycc921df2019-01-02 22:48:59 +0000588 union all_addr addr;
Jason A. Donenfeld13d86c72013-02-22 18:20:53 +0000589#ifdef HAVE_IPSET
590 char **ipsets_cur;
591#else
592 (void)ipsets; /* unused */
593#endif
Simon Kelleya6004d72017-10-25 17:48:19 +0100594
Jason A. Donenfeld13d86c72013-02-22 18:20:53 +0000595
Simon Kelleyfd9fa482004-10-21 20:24:00 +0100596 cache_start_insert();
Simon Kelley0a852542005-03-23 20:28:59 +0000597
Simon Kelley8ef5ada2010-06-03 19:42:45 +0100598 /* find_soa is needed for dns_doctor and logging side-effects, so don't call it lazily if there are any. */
Simon Kelley6938f342014-01-26 22:47:39 +0000599 if (daemon->doctors || option_bool(OPT_LOG) || option_bool(OPT_DNSSEC_VALID))
Simon Kelley0a852542005-03-23 20:28:59 +0000600 {
601 searched_soa = 1;
Simon Kelley6938f342014-01-26 22:47:39 +0000602 ttl = find_soa(header, qlen, name, doctored);
Simon Kelleya6004d72017-10-25 17:48:19 +0100603
604 if (*doctored)
605 {
606 if (secure)
607 return 0;
Simon Kelley8c707e12017-12-05 22:28:10 +0000608#ifdef HAVE_DNSSEC
Simon Kelley373e9172017-12-01 22:40:56 +0000609 if (option_bool(OPT_DNSSEC_VALID))
Simon Kelleya6004d72017-10-25 17:48:19 +0100610 for (i = 0; i < ntohs(header->ancount); i++)
Simon Kelleyae7a3b92019-09-03 14:40:47 +0100611 if (daemon->rr_status[i] != 0)
Simon Kelleya6004d72017-10-25 17:48:19 +0100612 return 0;
Simon Kelley8c707e12017-12-05 22:28:10 +0000613#endif
Simon Kelleya6004d72017-10-25 17:48:19 +0100614 }
Simon Kelley0a852542005-03-23 20:28:59 +0000615 }
Simon Kelleyfd9fa482004-10-21 20:24:00 +0100616
617 /* go through the questions. */
618 p = (unsigned char *)(header+1);
619
Simon Kelley5aabfc72007-08-29 11:24:47 +0100620 for (i = ntohs(header->qdcount); i != 0; i--)
Simon Kelleyfd9fa482004-10-21 20:24:00 +0100621 {
Simon Kelley1fbe4d22014-03-01 20:03:47 +0000622 int found = 0, cname_count = CNAME_CHAIN;
Simon Kelleyfd9fa482004-10-21 20:24:00 +0100623 struct crec *cpp = NULL;
Simon Kelley572b41e2011-02-18 18:11:18 +0000624 int flags = RCODE(header) == NXDOMAIN ? F_NXDOMAIN : 0;
Simon Kelley8c707e12017-12-05 22:28:10 +0000625#ifdef HAVE_DNSSEC
Simon Kelleya6004d72017-10-25 17:48:19 +0100626 int cname_short = 0;
Simon Kelley8c707e12017-12-05 22:28:10 +0000627#endif
Simon Kelley0a852542005-03-23 20:28:59 +0000628 unsigned long cttl = ULONG_MAX, attl;
Simon Kelley0fc2f312014-01-08 10:26:58 +0000629
Simon Kelley824af852008-02-12 20:43:05 +0000630 namep = p;
Simon Kelley9009d742008-11-14 20:04:27 +0000631 if (!extract_name(header, qlen, &p, name, 1, 4))
Simon Kelley824af852008-02-12 20:43:05 +0000632 return 0; /* bad packet */
Simon Kelleyfd9fa482004-10-21 20:24:00 +0100633
634 GETSHORT(qtype, p);
635 GETSHORT(qclass, p);
Simon Kelley9e4abcb2004-01-22 19:47:41 +0000636
637 if (qclass != C_IN)
Simon Kelleyfd9fa482004-10-21 20:24:00 +0100638 continue;
Simon Kelley9e4abcb2004-01-22 19:47:41 +0000639
Simon Kelleyfd9fa482004-10-21 20:24:00 +0100640 /* PTRs: we chase CNAMEs here, since we have no way to
641 represent them in the cache. */
642 if (qtype == T_PTR)
643 {
Simon Kelley9e4abcb2004-01-22 19:47:41 +0000644 int name_encoding = in_arpa_name_2_addr(name, &addr);
Simon Kelleyfd9fa482004-10-21 20:24:00 +0100645
646 if (!name_encoding)
647 continue;
648
649 if (!(flags & F_NXDOMAIN))
Simon Kelley9e4abcb2004-01-22 19:47:41 +0000650 {
Simon Kelleyfd9fa482004-10-21 20:24:00 +0100651 cname_loop:
652 if (!(p1 = skip_questions(header, qlen)))
Simon Kelley824af852008-02-12 20:43:05 +0000653 return 0;
Simon Kelleyfd9fa482004-10-21 20:24:00 +0100654
Simon Kelleya6004d72017-10-25 17:48:19 +0100655 for (j = 0; j < ntohs(header->ancount); j++)
Simon Kelleyfd9fa482004-10-21 20:24:00 +0100656 {
Simon Kelleya6004d72017-10-25 17:48:19 +0100657 int secflag = 0;
Simon Kelley824af852008-02-12 20:43:05 +0000658 unsigned char *tmp = namep;
659 /* the loop body overwrites the original name, so get it back here. */
Simon Kelley9009d742008-11-14 20:04:27 +0000660 if (!extract_name(header, qlen, &tmp, name, 1, 0) ||
661 !(res = extract_name(header, qlen, &p1, name, 0, 10)))
Simon Kelley824af852008-02-12 20:43:05 +0000662 return 0; /* bad packet */
Simon Kelleyfd9fa482004-10-21 20:24:00 +0100663
664 GETSHORT(aqtype, p1);
665 GETSHORT(aqclass, p1);
666 GETLONG(attl, p1);
Simon Kelley8ef5ada2010-06-03 19:42:45 +0100667 if ((daemon->max_ttl != 0) && (attl > daemon->max_ttl) && !is_sign)
668 {
Simon Kelley572b41e2011-02-18 18:11:18 +0000669 (p1) -= 4;
Simon Kelley8ef5ada2010-06-03 19:42:45 +0100670 PUTLONG(daemon->max_ttl, p1);
671 }
Simon Kelleyfd9fa482004-10-21 20:24:00 +0100672 GETSHORT(ardlen, p1);
673 endrr = p1+ardlen;
674
675 /* TTL of record is minimum of CNAMES and PTR */
676 if (attl < cttl)
677 cttl = attl;
678
679 if (aqclass == C_IN && res != 2 && (aqtype == T_CNAME || aqtype == T_PTR))
680 {
Simon Kelley9009d742008-11-14 20:04:27 +0000681 if (!extract_name(header, qlen, &p1, name, 1, 0))
Simon Kelley824af852008-02-12 20:43:05 +0000682 return 0;
Simon Kelley8c707e12017-12-05 22:28:10 +0000683#ifdef HAVE_DNSSEC
Simon Kelleyae7a3b92019-09-03 14:40:47 +0100684 if (option_bool(OPT_DNSSEC_VALID) && daemon->rr_status[j] != 0)
Simon Kelleya6004d72017-10-25 17:48:19 +0100685 {
686 /* validated RR anywhere in CNAME chain, don't cache. */
687 if (cname_short || aqtype == T_CNAME)
688 return 0;
689
690 secflag = F_DNSSECOK;
Simon Kelleyae7a3b92019-09-03 14:40:47 +0100691 /* limit TTL based on signature. */
692 if (daemon->rr_status[j] < cttl)
693 cttl = daemon->rr_status[j];
Simon Kelleya6004d72017-10-25 17:48:19 +0100694 }
Simon Kelley8c707e12017-12-05 22:28:10 +0000695#endif
Simon Kelleya6004d72017-10-25 17:48:19 +0100696
Simon Kelleyfd9fa482004-10-21 20:24:00 +0100697 if (aqtype == T_CNAME)
698 {
Simon Kelleya6004d72017-10-25 17:48:19 +0100699 if (!cname_count--)
700 return 0; /* looped CNAMES, we can't cache. */
Simon Kelley8c707e12017-12-05 22:28:10 +0000701#ifdef HAVE_DNSSEC
Simon Kelleya6004d72017-10-25 17:48:19 +0100702 cname_short = 1;
Simon Kelley8c707e12017-12-05 22:28:10 +0000703#endif
Simon Kelleyfd9fa482004-10-21 20:24:00 +0100704 goto cname_loop;
705 }
706
Simon Kelley65a01b72018-12-31 23:56:33 +0000707 cache_insert(name, &addr, C_IN, now, cttl, name_encoding | secflag | F_REVERSE);
Simon Kelleyfd9fa482004-10-21 20:24:00 +0100708 found = 1;
709 }
710
711 p1 = endrr;
Simon Kelley9009d742008-11-14 20:04:27 +0000712 if (!CHECK_LEN(header, p1, qlen, 0))
Simon Kelley824af852008-02-12 20:43:05 +0000713 return 0; /* bad packet */
Simon Kelleyfd9fa482004-10-21 20:24:00 +0100714 }
715 }
716
Simon Kelley28866e92011-02-14 20:19:14 +0000717 if (!found && !option_bool(OPT_NO_NEG))
Simon Kelleyfd9fa482004-10-21 20:24:00 +0100718 {
719 if (!searched_soa)
720 {
721 searched_soa = 1;
Simon Kelley6938f342014-01-26 22:47:39 +0000722 ttl = find_soa(header, qlen, NULL, doctored);
Simon Kelleyfd9fa482004-10-21 20:24:00 +0100723 }
724 if (ttl)
Simon Kelley65a01b72018-12-31 23:56:33 +0000725 cache_insert(NULL, &addr, C_IN, now, ttl, name_encoding | F_REVERSE | F_NEG | flags | (secure ? F_DNSSECOK : 0));
Simon Kelley9e4abcb2004-01-22 19:47:41 +0000726 }
727 }
Simon Kelleyfd9fa482004-10-21 20:24:00 +0100728 else
Simon Kelley9e4abcb2004-01-22 19:47:41 +0000729 {
Simon Kelleyfd9fa482004-10-21 20:24:00 +0100730 /* everything other than PTR */
731 struct crec *newc;
Simon Kelley5b99eae2019-01-06 23:09:50 +0000732 int addrlen = 0;
Simon Kelley5aabfc72007-08-29 11:24:47 +0100733
Simon Kelleyfd9fa482004-10-21 20:24:00 +0100734 if (qtype == T_A)
Simon Kelley5aabfc72007-08-29 11:24:47 +0100735 {
736 addrlen = INADDRSZ;
737 flags |= F_IPV4;
738 }
Simon Kelleyfd9fa482004-10-21 20:24:00 +0100739 else if (qtype == T_AAAA)
Simon Kelley5aabfc72007-08-29 11:24:47 +0100740 {
741 addrlen = IN6ADDRSZ;
742 flags |= F_IPV6;
743 }
Simon Kelley5b99eae2019-01-06 23:09:50 +0000744 else if (qtype == T_SRV)
745 flags |= F_SRV;
746 else
Simon Kelleyfd9fa482004-10-21 20:24:00 +0100747 continue;
748
Simon Kelley45cca582013-10-15 10:20:13 +0100749 cname_loop1:
750 if (!(p1 = skip_questions(header, qlen)))
751 return 0;
752
Simon Kelleya6004d72017-10-25 17:48:19 +0100753 for (j = 0; j < ntohs(header->ancount); j++)
Simon Kelleyfd9fa482004-10-21 20:24:00 +0100754 {
Simon Kelleya6004d72017-10-25 17:48:19 +0100755 int secflag = 0;
756
Simon Kelley45cca582013-10-15 10:20:13 +0100757 if (!(res = extract_name(header, qlen, &p1, name, 0, 10)))
758 return 0; /* bad packet */
Simon Kelleyfd9fa482004-10-21 20:24:00 +0100759
Simon Kelley45cca582013-10-15 10:20:13 +0100760 GETSHORT(aqtype, p1);
761 GETSHORT(aqclass, p1);
762 GETLONG(attl, p1);
763 if ((daemon->max_ttl != 0) && (attl > daemon->max_ttl) && !is_sign)
Simon Kelley9e4abcb2004-01-22 19:47:41 +0000764 {
Simon Kelley45cca582013-10-15 10:20:13 +0100765 (p1) -= 4;
766 PUTLONG(daemon->max_ttl, p1);
767 }
768 GETSHORT(ardlen, p1);
769 endrr = p1+ardlen;
770
771 if (aqclass == C_IN && res != 2 && (aqtype == T_CNAME || aqtype == qtype))
772 {
Simon Kelleya6004d72017-10-25 17:48:19 +0100773#ifdef HAVE_DNSSEC
Simon Kelleyae7a3b92019-09-03 14:40:47 +0100774 if (option_bool(OPT_DNSSEC_VALID) && daemon->rr_status[j] != 0)
775 {
Simon Kelleya6004d72017-10-25 17:48:19 +0100776 secflag = F_DNSSECOK;
Simon Kelleyae7a3b92019-09-03 14:40:47 +0100777
778 /* limit TTl based on sig. */
779 if (daemon->rr_status[j] < attl)
780 attl = daemon->rr_status[j];
781 }
Simon Kelleya6004d72017-10-25 17:48:19 +0100782#endif
Simon Kelley45cca582013-10-15 10:20:13 +0100783 if (aqtype == T_CNAME)
Simon Kelley8ef5ada2010-06-03 19:42:45 +0100784 {
Simon Kelley45cca582013-10-15 10:20:13 +0100785 if (!cname_count--)
786 return 0; /* looped CNAMES */
Simon Kelley65a01b72018-12-31 23:56:33 +0000787 newc = cache_insert(name, NULL, C_IN, now, attl, F_CNAME | F_FORWARD | secflag);
Simon Kelley45cca582013-10-15 10:20:13 +0100788 if (newc)
Simon Kelleyfd9fa482004-10-21 20:24:00 +0100789 {
Simon Kelley45cca582013-10-15 10:20:13 +0100790 newc->addr.cname.target.cache = NULL;
Simon Kelley03431d62014-03-20 16:25:43 +0000791 /* anything other than zero, to avoid being mistaken for CNAME to interface-name */
792 newc->addr.cname.uid = 1;
Simon Kelley45cca582013-10-15 10:20:13 +0100793 if (cpp)
Simon Kelleyfd9fa482004-10-21 20:24:00 +0100794 {
Simon Kelley45d8a242018-07-17 21:01:14 +0100795 next_uid(newc);
Simon Kelleyd56a6042013-10-11 14:39:03 +0100796 cpp->addr.cname.target.cache = newc;
Simon Kelleyfd9fa482004-10-21 20:24:00 +0100797 cpp->addr.cname.uid = newc->uid;
798 }
Simon Kelleyfd9fa482004-10-21 20:24:00 +0100799 }
Simon Kelley45cca582013-10-15 10:20:13 +0100800
801 cpp = newc;
802 if (attl < cttl)
803 cttl = attl;
804
Simon Kelley122997d2019-10-25 17:23:56 +0100805 namep = p1;
Simon Kelley45cca582013-10-15 10:20:13 +0100806 if (!extract_name(header, qlen, &p1, name, 1, 0))
807 return 0;
Simon Kelley122997d2019-10-25 17:23:56 +0100808
Simon Kelley45cca582013-10-15 10:20:13 +0100809 goto cname_loop1;
Simon Kelleyfd9fa482004-10-21 20:24:00 +0100810 }
Simon Kelley45cca582013-10-15 10:20:13 +0100811 else if (!(flags & F_NXDOMAIN))
812 {
813 found = 1;
814
Simon Kelley5b99eae2019-01-06 23:09:50 +0000815 if (flags & F_SRV)
Simon Kelleyb059c962015-05-08 20:25:51 +0100816 {
Simon Kelley5b99eae2019-01-06 23:09:50 +0000817 unsigned char *tmp = namep;
818
819 if (!CHECK_LEN(header, p1, qlen, 6))
820 return 0; /* bad packet */
821 GETSHORT(addr.srv.priority, p1);
822 GETSHORT(addr.srv.weight, p1);
823 GETSHORT(addr.srv.srvport, p1);
824 if (!extract_name(header, qlen, &p1, name, 1, 0))
825 return 0;
826 addr.srv.targetlen = strlen(name) + 1; /* include terminating zero */
827 if (!(addr.srv.target = blockdata_alloc(name, addr.srv.targetlen)))
828 return 0;
829
830 /* we overwrote the original name, so get it back here. */
831 if (!extract_name(header, qlen, &tmp, name, 1, 0))
832 return 0;
833 }
834 else
835 {
836 /* copy address into aligned storage */
837 if (!CHECK_LEN(header, p1, qlen, addrlen))
838 return 0; /* bad packet */
839 memcpy(&addr, p1, addrlen);
840
841 /* check for returned address in private space */
842 if (check_rebind)
Simon Kelleyb059c962015-05-08 20:25:51 +0100843 {
Simon Kelley5b99eae2019-01-06 23:09:50 +0000844 if ((flags & F_IPV4) &&
845 private_net(addr.addr4, !option_bool(OPT_LOCAL_REBIND)))
Simon Kelleyb059c962015-05-08 20:25:51 +0100846 return 1;
Simon Kelley5b99eae2019-01-06 23:09:50 +0000847
848 if ((flags & F_IPV6) &&
849 IN6_IS_ADDR_V4MAPPED(&addr.addr6))
850 {
851 struct in_addr v4;
852 v4.s_addr = ((const uint32_t *) (&addr.addr6))[3];
853 if (private_net(v4, !option_bool(OPT_LOCAL_REBIND)))
854 return 1;
855 }
Simon Kelleyb059c962015-05-08 20:25:51 +0100856 }
Simon Kelley5b99eae2019-01-06 23:09:50 +0000857
Simon Kelley45cca582013-10-15 10:20:13 +0100858#ifdef HAVE_IPSET
Simon Kelley5b99eae2019-01-06 23:09:50 +0000859 if (ipsets && (flags & (F_IPV4 | F_IPV6)))
Wang Jian49752b92014-03-28 20:52:47 +0000860 {
Simon Kelley5b99eae2019-01-06 23:09:50 +0000861 ipsets_cur = ipsets;
862 while (*ipsets_cur)
863 {
864 log_query((flags & (F_IPV4 | F_IPV6)) | F_IPSET, name, &addr, *ipsets_cur);
865 add_to_ipset(*ipsets_cur++, &addr, flags, 0);
866 }
Wang Jian49752b92014-03-28 20:52:47 +0000867 }
Simon Kelley45cca582013-10-15 10:20:13 +0100868#endif
Simon Kelley5b99eae2019-01-06 23:09:50 +0000869 }
Simon Kelley45cca582013-10-15 10:20:13 +0100870
Simon Kelley65a01b72018-12-31 23:56:33 +0000871 newc = cache_insert(name, &addr, C_IN, now, attl, flags | F_FORWARD | secflag);
Simon Kelley45cca582013-10-15 10:20:13 +0100872 if (newc && cpp)
873 {
Simon Kelley45d8a242018-07-17 21:01:14 +0100874 next_uid(newc);
Simon Kelley45cca582013-10-15 10:20:13 +0100875 cpp->addr.cname.target.cache = newc;
876 cpp->addr.cname.uid = newc->uid;
877 }
878 cpp = NULL;
879 }
Simon Kelleyfd9fa482004-10-21 20:24:00 +0100880 }
Simon Kelley45cca582013-10-15 10:20:13 +0100881
882 p1 = endrr;
883 if (!CHECK_LEN(header, p1, qlen, 0))
884 return 0; /* bad packet */
Simon Kelleyfd9fa482004-10-21 20:24:00 +0100885 }
886
Simon Kelley28866e92011-02-14 20:19:14 +0000887 if (!found && !option_bool(OPT_NO_NEG))
Simon Kelleyfd9fa482004-10-21 20:24:00 +0100888 {
889 if (!searched_soa)
890 {
891 searched_soa = 1;
Simon Kelley6938f342014-01-26 22:47:39 +0000892 ttl = find_soa(header, qlen, NULL, doctored);
Simon Kelleyfd9fa482004-10-21 20:24:00 +0100893 }
894 /* If there's no SOA to get the TTL from, but there is a CNAME
Simon Kelley824af852008-02-12 20:43:05 +0000895 pointing at this, inherit its TTL */
Simon Kelleyfd9fa482004-10-21 20:24:00 +0100896 if (ttl || cpp)
897 {
Simon Kelley65a01b72018-12-31 23:56:33 +0000898 newc = cache_insert(name, NULL, C_IN, now, ttl ? ttl : cttl, F_FORWARD | F_NEG | flags | (secure ? F_DNSSECOK : 0));
Simon Kelley26128d22004-11-14 16:43:54 +0000899 if (newc && cpp)
Simon Kelleyfd9fa482004-10-21 20:24:00 +0100900 {
Simon Kelley45d8a242018-07-17 21:01:14 +0100901 next_uid(newc);
Simon Kelleyd56a6042013-10-11 14:39:03 +0100902 cpp->addr.cname.target.cache = newc;
Simon Kelleyfd9fa482004-10-21 20:24:00 +0100903 cpp->addr.cname.uid = newc->uid;
904 }
905 }
906 }
907 }
908 }
909
Simon Kelley1023dcb2012-04-09 18:00:08 +0100910 /* Don't put stuff from a truncated packet into the cache.
Simon Kelley1023dcb2012-04-09 18:00:08 +0100911 Don't cache replies from non-recursive nameservers, since we may get a
912 reply containing a CNAME but not its target, even though the target
913 does exist. */
914 if (!(header->hb3 & HB3_TC) &&
915 !(header->hb4 & HB4_CD) &&
916 (header->hb4 & HB4_RA) &&
Simon Kelley3a237152013-12-12 12:15:50 +0000917 !no_cache_dnssec)
Simon Kelley824af852008-02-12 20:43:05 +0000918 cache_end_insert();
919
920 return 0;
Simon Kelley9e4abcb2004-01-22 19:47:41 +0000921}
922
923/* If the packet holds exactly one query
Simon Kelley28866e92011-02-14 20:19:14 +0000924 return F_IPV4 or F_IPV6 and leave the name from the query in name */
Simon Kelley572b41e2011-02-18 18:11:18 +0000925unsigned int extract_request(struct dns_header *header, size_t qlen, char *name, unsigned short *typep)
Simon Kelley9e4abcb2004-01-22 19:47:41 +0000926{
927 unsigned char *p = (unsigned char *)(header+1);
928 int qtype, qclass;
929
Simon Kelleyc1bb8502004-08-11 18:40:17 +0100930 if (typep)
931 *typep = 0;
932
Simon Kelley572b41e2011-02-18 18:11:18 +0000933 if (ntohs(header->qdcount) != 1 || OPCODE(header) != QUERY)
Simon Kelley9e4abcb2004-01-22 19:47:41 +0000934 return 0; /* must be exactly one query. */
935
Simon Kelley9009d742008-11-14 20:04:27 +0000936 if (!extract_name(header, qlen, &p, name, 1, 4))
Simon Kelley9e4abcb2004-01-22 19:47:41 +0000937 return 0; /* bad packet */
938
939 GETSHORT(qtype, p);
940 GETSHORT(qclass, p);
941
Simon Kelley0a852542005-03-23 20:28:59 +0000942 if (typep)
943 *typep = qtype;
944
Simon Kelley9e4abcb2004-01-22 19:47:41 +0000945 if (qclass == C_IN)
946 {
947 if (qtype == T_A)
948 return F_IPV4;
949 if (qtype == T_AAAA)
950 return F_IPV6;
951 if (qtype == T_ANY)
952 return F_IPV4 | F_IPV6;
953 }
Simon Kelley07e25da2018-12-16 18:21:58 +0000954
955 /* F_DNSSECOK as agument to search_servers() inhibits forwarding
956 to servers for domains without a trust anchor. This make the
957 behaviour for DS and DNSKEY queries we forward the same
958 as for DS and DNSKEY queries we originate. */
959 if (qtype == T_DS || qtype == T_DNSKEY)
960 return F_DNSSECOK;
Simon Kelley9e4abcb2004-01-22 19:47:41 +0000961
962 return F_QUERY;
963}
964
Simon Kelley572b41e2011-02-18 18:11:18 +0000965size_t setup_reply(struct dns_header *header, size_t qlen,
Simon Kelleycc921df2019-01-02 22:48:59 +0000966 union all_addr *addrp, unsigned int flags, unsigned long ttl)
Simon Kelley9e4abcb2004-01-22 19:47:41 +0000967{
Simon Kelleyad4a8ff2015-04-09 21:48:00 +0100968 unsigned char *p;
Simon Kelley07ed5852018-05-04 21:52:22 +0100969
Simon Kelleyad4a8ff2015-04-09 21:48:00 +0100970 if (!(p = skip_questions(header, qlen)))
971 return 0;
Simon Kelley9e4abcb2004-01-22 19:47:41 +0000972
Simon Kelley572b41e2011-02-18 18:11:18 +0000973 /* clear authoritative and truncated flags, set QR flag */
Simon Kelleya2205452018-10-22 18:21:48 +0100974 header->hb3 = (header->hb3 & ~(HB3_AA | HB3_TC )) | HB3_QR;
975 /* clear AD flag, set RA flag */
976 header->hb4 = (header->hb4 & ~HB4_AD) | HB4_RA;
Simon Kelley572b41e2011-02-18 18:11:18 +0000977
Simon Kelley9e4abcb2004-01-22 19:47:41 +0000978 header->nscount = htons(0);
979 header->arcount = htons(0);
Simon Kelleyfeba5c12004-07-27 20:28:58 +0100980 header->ancount = htons(0); /* no answers unless changed below */
Simon Kelleyd05dd582016-01-19 21:23:30 +0000981 if (flags == F_NOERR)
Simon Kelley572b41e2011-02-18 18:11:18 +0000982 SET_RCODE(header, NOERROR); /* empty domain */
Simon Kelley9e4abcb2004-01-22 19:47:41 +0000983 else if (flags == F_NXDOMAIN)
Simon Kelley572b41e2011-02-18 18:11:18 +0000984 SET_RCODE(header, NXDOMAIN);
Simon Kelley087eb762017-10-30 23:16:54 +0000985 else if (flags == F_SERVFAIL)
Simon Kelley07ed5852018-05-04 21:52:22 +0100986 {
Simon Kelleycc921df2019-01-02 22:48:59 +0000987 union all_addr a;
988 a.log.rcode = SERVFAIL;
Simon Kelley07ed5852018-05-04 21:52:22 +0100989 log_query(F_CONFIG | F_RCODE, "error", &a, NULL);
990 SET_RCODE(header, SERVFAIL);
991 }
Simon Kelleyc346f612018-09-04 21:14:18 +0100992 else if (flags & ( F_IPV4 | F_IPV6))
Simon Kelley9e4abcb2004-01-22 19:47:41 +0000993 {
Simon Kelleyc346f612018-09-04 21:14:18 +0100994 if (flags & F_IPV4)
995 { /* we know the address */
996 SET_RCODE(header, NOERROR);
997 header->ancount = htons(1);
998 header->hb3 |= HB3_AA;
999 add_resource_record(header, NULL, NULL, sizeof(struct dns_header), &p, ttl, NULL, T_A, C_IN, "4", addrp);
1000 }
1001
Simon Kelleyc346f612018-09-04 21:14:18 +01001002 if (flags & F_IPV6)
1003 {
1004 SET_RCODE(header, NOERROR);
1005 header->ancount = htons(ntohs(header->ancount) + 1);
1006 header->hb3 |= HB3_AA;
1007 add_resource_record(header, NULL, NULL, sizeof(struct dns_header), &p, ttl, NULL, T_AAAA, C_IN, "6", addrp);
1008 }
Simon Kelleyc346f612018-09-04 21:14:18 +01001009 }
Simon Kelley9e4abcb2004-01-22 19:47:41 +00001010 else /* nowhere to forward to */
Simon Kelley07ed5852018-05-04 21:52:22 +01001011 {
Simon Kelleycc921df2019-01-02 22:48:59 +00001012 union all_addr a;
1013 a.log.rcode = REFUSED;
Simon Kelley07ed5852018-05-04 21:52:22 +01001014 log_query(F_CONFIG | F_RCODE, "error", &a, NULL);
1015 SET_RCODE(header, REFUSED);
1016 }
1017
Simon Kelley9e4abcb2004-01-22 19:47:41 +00001018 return p - (unsigned char *)header;
1019}
Simon Kelley36717ee2004-09-20 19:20:58 +01001020
1021/* check if name matches local names ie from /etc/hosts or DHCP or local mx names. */
Simon Kelley5aabfc72007-08-29 11:24:47 +01001022int check_for_local_domain(char *name, time_t now)
Simon Kelley36717ee2004-09-20 19:20:58 +01001023{
Simon Kelley0a852542005-03-23 20:28:59 +00001024 struct mx_srv_record *mx;
1025 struct txt_record *txt;
Simon Kelleyf2621c72007-04-29 19:47:21 +01001026 struct interface_name *intr;
1027 struct ptr_record *ptr;
Simon Kelley7de060b2011-08-26 17:24:52 +01001028 struct naptr *naptr;
1029
Simon Kelley7de060b2011-08-26 17:24:52 +01001030 for (naptr = daemon->naptr; naptr; naptr = naptr->next)
Simon Kelleyb6f926f2018-08-21 17:46:52 +01001031 if (hostname_issubdomain(name, naptr->name))
Simon Kelley7de060b2011-08-26 17:24:52 +01001032 return 1;
1033
1034 for (mx = daemon->mxnames; mx; mx = mx->next)
Simon Kelleyb6f926f2018-08-21 17:46:52 +01001035 if (hostname_issubdomain(name, mx->name))
Simon Kelley36717ee2004-09-20 19:20:58 +01001036 return 1;
Simon Kelleyf6b7dc42005-01-23 12:06:08 +00001037
Simon Kelley0a852542005-03-23 20:28:59 +00001038 for (txt = daemon->txt; txt; txt = txt->next)
Simon Kelleyb6f926f2018-08-21 17:46:52 +01001039 if (hostname_issubdomain(name, txt->name))
Simon Kelleyf6b7dc42005-01-23 12:06:08 +00001040 return 1;
Simon Kelleyf2621c72007-04-29 19:47:21 +01001041
1042 for (intr = daemon->int_names; intr; intr = intr->next)
Simon Kelleyb6f926f2018-08-21 17:46:52 +01001043 if (hostname_issubdomain(name, intr->name))
Simon Kelleyf2621c72007-04-29 19:47:21 +01001044 return 1;
1045
1046 for (ptr = daemon->ptr; ptr; ptr = ptr->next)
Simon Kelleyb6f926f2018-08-21 17:46:52 +01001047 if (hostname_issubdomain(name, ptr->name))
Simon Kelleyf2621c72007-04-29 19:47:21 +01001048 return 1;
Simon Kelleyb6f926f2018-08-21 17:46:52 +01001049
1050 if (cache_find_non_terminal(name, now))
1051 return 1;
1052
Simon Kelley36717ee2004-09-20 19:20:58 +01001053 return 0;
1054}
Simon Kelley9e4abcb2004-01-22 19:47:41 +00001055
1056/* Is the packet a reply with the answer address equal to addr?
1057 If so mung is into an NXDOMAIN reply and also put that information
1058 in the cache. */
Simon Kelley572b41e2011-02-18 18:11:18 +00001059int check_for_bogus_wildcard(struct dns_header *header, size_t qlen, char *name,
Simon Kelley9e4abcb2004-01-22 19:47:41 +00001060 struct bogus_addr *baddr, time_t now)
1061{
1062 unsigned char *p;
1063 int i, qtype, qclass, rdlen;
1064 unsigned long ttl;
1065 struct bogus_addr *baddrp;
1066
1067 /* skip over questions */
1068 if (!(p = skip_questions(header, qlen)))
1069 return 0; /* bad packet */
1070
Simon Kelley5aabfc72007-08-29 11:24:47 +01001071 for (i = ntohs(header->ancount); i != 0; i--)
Simon Kelley9e4abcb2004-01-22 19:47:41 +00001072 {
Simon Kelley9009d742008-11-14 20:04:27 +00001073 if (!extract_name(header, qlen, &p, name, 1, 10))
Simon Kelley9e4abcb2004-01-22 19:47:41 +00001074 return 0; /* bad packet */
1075
1076 GETSHORT(qtype, p);
1077 GETSHORT(qclass, p);
1078 GETLONG(ttl, p);
1079 GETSHORT(rdlen, p);
1080
1081 if (qclass == C_IN && qtype == T_A)
Simon Kelley9009d742008-11-14 20:04:27 +00001082 {
1083 if (!CHECK_LEN(header, p, qlen, INADDRSZ))
1084 return 0;
1085
1086 for (baddrp = baddr; baddrp; baddrp = baddrp->next)
1087 if (memcmp(&baddrp->addr, p, INADDRSZ) == 0)
1088 {
1089 /* Found a bogus address. Insert that info here, since there no SOA record
1090 to get the ttl from in the normal processing */
1091 cache_start_insert();
Simon Kelley65a01b72018-12-31 23:56:33 +00001092 cache_insert(name, NULL, C_IN, now, ttl, F_IPV4 | F_FORWARD | F_NEG | F_NXDOMAIN);
Simon Kelley9009d742008-11-14 20:04:27 +00001093 cache_end_insert();
1094
1095 return 1;
1096 }
1097 }
Simon Kelley9e4abcb2004-01-22 19:47:41 +00001098
Simon Kelley9009d742008-11-14 20:04:27 +00001099 if (!ADD_RDLEN(header, p, qlen, rdlen))
1100 return 0;
Simon Kelley9e4abcb2004-01-22 19:47:41 +00001101 }
1102
1103 return 0;
1104}
1105
Glen Huang32fc6db2014-12-27 15:28:12 +00001106int check_for_ignored_address(struct dns_header *header, size_t qlen, struct bogus_addr *baddr)
1107{
1108 unsigned char *p;
1109 int i, qtype, qclass, rdlen;
1110 struct bogus_addr *baddrp;
1111
1112 /* skip over questions */
1113 if (!(p = skip_questions(header, qlen)))
1114 return 0; /* bad packet */
1115
1116 for (i = ntohs(header->ancount); i != 0; i--)
1117 {
1118 if (!(p = skip_name(p, header, qlen, 10)))
1119 return 0; /* bad packet */
1120
1121 GETSHORT(qtype, p);
1122 GETSHORT(qclass, p);
1123 p += 4; /* TTL */
1124 GETSHORT(rdlen, p);
1125
1126 if (qclass == C_IN && qtype == T_A)
1127 {
1128 if (!CHECK_LEN(header, p, qlen, INADDRSZ))
1129 return 0;
1130
1131 for (baddrp = baddr; baddrp; baddrp = baddrp->next)
1132 if (memcmp(&baddrp->addr, p, INADDRSZ) == 0)
1133 return 1;
1134 }
1135
1136 if (!ADD_RDLEN(header, p, qlen, rdlen))
1137 return 0;
1138 }
1139
1140 return 0;
1141}
1142
Simon Kelley0549c732017-09-25 18:17:11 +01001143
Simon Kelleyb75e9362012-12-07 11:50:41 +00001144int add_resource_record(struct dns_header *header, char *limit, int *truncp, int nameoffset, unsigned char **pp,
Simon Kelleye1ff4192012-12-09 17:08:47 +00001145 unsigned long ttl, int *offset, unsigned short type, unsigned short class, char *format, ...)
Simon Kelleyf6b7dc42005-01-23 12:06:08 +00001146{
1147 va_list ap;
1148 unsigned char *sav, *p = *pp;
1149 int j;
1150 unsigned short usval;
1151 long lval;
1152 char *sval;
Simon Kelleyc3667172017-10-13 23:26:29 +01001153
Simon Kelley0549c732017-09-25 18:17:11 +01001154#define CHECK_LIMIT(size) \
Simon Kelleyc3667172017-10-13 23:26:29 +01001155 if (limit && p + (size) > (unsigned char*)limit) goto truncated;
Simon Kelley0549c732017-09-25 18:17:11 +01001156
Simon Kelley4f7b3042012-11-28 21:27:02 +00001157 va_start(ap, format); /* make ap point to 1st unamed argument */
Simon Kelleyc3667172017-10-13 23:26:29 +01001158
1159 if (truncp && *truncp)
1160 goto truncated;
1161
Simon Kelleyb75e9362012-12-07 11:50:41 +00001162 if (nameoffset > 0)
Simon Kelley4f7b3042012-11-28 21:27:02 +00001163 {
Simon Kelley62cb9362017-09-26 22:00:11 +01001164 CHECK_LIMIT(2);
Simon Kelley4f7b3042012-11-28 21:27:02 +00001165 PUTSHORT(nameoffset | 0xc000, p);
1166 }
1167 else
1168 {
Simon Kelleye1ff4192012-12-09 17:08:47 +00001169 char *name = va_arg(ap, char *);
Simon Kelley62cb9362017-09-26 22:00:11 +01001170 if (name && !(p = do_rfc1035_name(p, name, limit)))
Simon Kelleyc3667172017-10-13 23:26:29 +01001171 goto truncated;
Simon Kelley62cb9362017-09-26 22:00:11 +01001172
Simon Kelleyb75e9362012-12-07 11:50:41 +00001173 if (nameoffset < 0)
1174 {
Simon Kelley62cb9362017-09-26 22:00:11 +01001175 CHECK_LIMIT(2);
Simon Kelleyb75e9362012-12-07 11:50:41 +00001176 PUTSHORT(-nameoffset | 0xc000, p);
1177 }
1178 else
Simon Kelley62cb9362017-09-26 22:00:11 +01001179 {
1180 CHECK_LIMIT(1);
1181 *p++ = 0;
1182 }
Simon Kelley4f7b3042012-11-28 21:27:02 +00001183 }
Simon Kelleyf6b7dc42005-01-23 12:06:08 +00001184
Simon Kelley62cb9362017-09-26 22:00:11 +01001185 /* type (2) + class (2) + ttl (4) + rdlen (2) */
1186 CHECK_LIMIT(10);
1187
Simon Kelleyf6b7dc42005-01-23 12:06:08 +00001188 PUTSHORT(type, p);
1189 PUTSHORT(class, p);
1190 PUTLONG(ttl, p); /* TTL */
1191
1192 sav = p; /* Save pointer to RDLength field */
1193 PUTSHORT(0, p); /* Placeholder RDLength */
1194
Simon Kelleyf6b7dc42005-01-23 12:06:08 +00001195 for (; *format; format++)
1196 switch (*format)
1197 {
Simon Kelleyf6b7dc42005-01-23 12:06:08 +00001198 case '6':
Simon Kelley0549c732017-09-25 18:17:11 +01001199 CHECK_LIMIT(IN6ADDRSZ);
Simon Kelleyf6b7dc42005-01-23 12:06:08 +00001200 sval = va_arg(ap, char *);
1201 memcpy(p, sval, IN6ADDRSZ);
1202 p += IN6ADDRSZ;
1203 break;
Simon Kelleyf6b7dc42005-01-23 12:06:08 +00001204
1205 case '4':
Simon Kelley0549c732017-09-25 18:17:11 +01001206 CHECK_LIMIT(INADDRSZ);
Simon Kelleyf6b7dc42005-01-23 12:06:08 +00001207 sval = va_arg(ap, char *);
1208 memcpy(p, sval, INADDRSZ);
1209 p += INADDRSZ;
1210 break;
1211
Simon Kelley51ea3ca2014-01-22 19:31:38 +00001212 case 'b':
Simon Kelley0549c732017-09-25 18:17:11 +01001213 CHECK_LIMIT(1);
Simon Kelley51ea3ca2014-01-22 19:31:38 +00001214 usval = va_arg(ap, int);
1215 *p++ = usval;
1216 break;
1217
Simon Kelleyf6b7dc42005-01-23 12:06:08 +00001218 case 's':
Simon Kelley0549c732017-09-25 18:17:11 +01001219 CHECK_LIMIT(2);
Simon Kelleyf6b7dc42005-01-23 12:06:08 +00001220 usval = va_arg(ap, int);
1221 PUTSHORT(usval, p);
1222 break;
1223
1224 case 'l':
Simon Kelley0549c732017-09-25 18:17:11 +01001225 CHECK_LIMIT(4);
Simon Kelleyf6b7dc42005-01-23 12:06:08 +00001226 lval = va_arg(ap, long);
1227 PUTLONG(lval, p);
1228 break;
1229
1230 case 'd':
Simon Kelley0549c732017-09-25 18:17:11 +01001231 /* get domain-name answer arg and store it in RDATA field */
1232 if (offset)
1233 *offset = p - (unsigned char *)header;
Simon Kelleyc3667172017-10-13 23:26:29 +01001234 if (!(p = do_rfc1035_name(p, va_arg(ap, char *), limit)))
1235 goto truncated;
1236 CHECK_LIMIT(1);
Simon Kelley0549c732017-09-25 18:17:11 +01001237 *p++ = 0;
Simon Kelleyf6b7dc42005-01-23 12:06:08 +00001238 break;
Simon Kelley3d8df262005-08-29 12:19:27 +01001239
Simon Kelleyf6b7dc42005-01-23 12:06:08 +00001240 case 't':
Simon Kelley0a852542005-03-23 20:28:59 +00001241 usval = va_arg(ap, int);
Simon Kelley0549c732017-09-25 18:17:11 +01001242 CHECK_LIMIT(usval);
Simon Kelleyf6b7dc42005-01-23 12:06:08 +00001243 sval = va_arg(ap, char *);
Simon Kelley9f7f3b12012-05-28 21:39:57 +01001244 if (usval != 0)
1245 memcpy(p, sval, usval);
Simon Kelley0a852542005-03-23 20:28:59 +00001246 p += usval;
Simon Kelleyf6b7dc42005-01-23 12:06:08 +00001247 break;
Simon Kelley1a6bca82008-07-11 11:11:42 +01001248
1249 case 'z':
1250 sval = va_arg(ap, char *);
1251 usval = sval ? strlen(sval) : 0;
1252 if (usval > 255)
1253 usval = 255;
Simon Kelley0549c732017-09-25 18:17:11 +01001254 CHECK_LIMIT(usval + 1);
Simon Kelley1a6bca82008-07-11 11:11:42 +01001255 *p++ = (unsigned char)usval;
1256 memcpy(p, sval, usval);
1257 p += usval;
1258 break;
Simon Kelleyf6b7dc42005-01-23 12:06:08 +00001259 }
1260
1261 va_end(ap); /* clean up variable argument pointer */
1262
Simon Kelleyc3667172017-10-13 23:26:29 +01001263 /* Now, store real RDLength. sav already checked against limit. */
Simon Kelleyf6b7dc42005-01-23 12:06:08 +00001264 j = p - sav - 2;
Simon Kelleyc3667172017-10-13 23:26:29 +01001265 PUTSHORT(j, sav);
Simon Kelleyf6b7dc42005-01-23 12:06:08 +00001266
1267 *pp = p;
1268 return 1;
Simon Kelleyc3667172017-10-13 23:26:29 +01001269
1270 truncated:
1271 va_end(ap);
1272 if (truncp)
1273 *truncp = 1;
1274 return 0;
1275
1276#undef CHECK_LIMIT
Simon Kelleyf6b7dc42005-01-23 12:06:08 +00001277}
1278
Simon Kelley9009d742008-11-14 20:04:27 +00001279static unsigned long crec_ttl(struct crec *crecp, time_t now)
1280{
1281 /* Return 0 ttl for DHCP entries, which might change
Simon Kelley7480aef2016-02-26 21:58:20 +00001282 before the lease expires, unless configured otherwise. */
Simon Kelley9009d742008-11-14 20:04:27 +00001283
Simon Kelleydf3d54f2016-02-24 21:03:38 +00001284 if (crecp->flags & F_DHCP)
Simon Kelley7480aef2016-02-26 21:58:20 +00001285 {
1286 int conf_ttl = daemon->use_dhcp_ttl ? daemon->dhcp_ttl : daemon->local_ttl;
1287
1288 /* Apply ceiling of actual lease length to configured TTL. */
1289 if (!(crecp->flags & F_IMMORTAL) && (crecp->ttd - now) < conf_ttl)
1290 return crecp->ttd - now;
1291
1292 return conf_ttl;
1293 }
Simon Kelley9009d742008-11-14 20:04:27 +00001294
Simon Kelleydf3d54f2016-02-24 21:03:38 +00001295 /* Immortal entries other than DHCP are local, and hold TTL in TTD field. */
1296 if (crecp->flags & F_IMMORTAL)
1297 return crecp->ttd;
1298
klemens43517fc2017-02-19 15:53:37 +00001299 /* Return the Max TTL value if it is lower than the actual TTL */
Simon Kelley8ef5ada2010-06-03 19:42:45 +01001300 if (daemon->max_ttl == 0 || ((unsigned)(crecp->ttd - now) < daemon->max_ttl))
1301 return crecp->ttd - now;
1302 else
1303 return daemon->max_ttl;
Simon Kelley9009d742008-11-14 20:04:27 +00001304}
1305
1306
Simon Kelley9e4abcb2004-01-22 19:47:41 +00001307/* return zero if we can't answer from cache, or packet size if we can */
Simon Kelley572b41e2011-02-18 18:11:18 +00001308size_t answer_request(struct dns_header *header, char *limit, size_t qlen,
Simon Kelley83349b82014-02-10 21:02:01 +00001309 struct in_addr local_addr, struct in_addr local_netmask,
Simon Kelleyfa14bec2015-12-20 17:12:16 +00001310 time_t now, int ad_reqd, int do_bit, int have_pseudoheader)
Simon Kelley9e4abcb2004-01-22 19:47:41 +00001311{
Simon Kelley3be34542004-09-11 19:12:13 +01001312 char *name = daemon->namebuff;
Simon Kelleyfa14bec2015-12-20 17:12:16 +00001313 unsigned char *p, *ansp;
Simon Kelley3f7483e2014-03-16 22:56:58 +00001314 unsigned int qtype, qclass;
Simon Kelleycc921df2019-01-02 22:48:59 +00001315 union all_addr addr;
Simon Kelleyb75e9362012-12-07 11:50:41 +00001316 int nameoffset;
Simon Kelleyfeba5c12004-07-27 20:28:58 +01001317 unsigned short flag;
Simon Kelley0a852542005-03-23 20:28:59 +00001318 int q, ans, anscount = 0, addncount = 0;
Simon Kelleyfa14bec2015-12-20 17:12:16 +00001319 int dryrun = 0;
Simon Kelley9e4abcb2004-01-22 19:47:41 +00001320 struct crec *crecp;
Vladislav Grishenkocf598432018-10-18 04:55:21 +05001321 int nxdomain = 0, notimp = 0, auth = 1, trunc = 0, sec_data = 1;
Simon Kelley0a852542005-03-23 20:28:59 +00001322 struct mx_srv_record *rec;
Simon Kelleya25720a2014-01-14 23:13:55 +00001323 size_t len;
Simon Kelleyfa785732016-07-22 20:56:01 +01001324
Simon Kelley41392982018-09-19 22:27:11 +01001325 /* never answer queries with RD unset, to avoid cache snooping. */
1326 if (!(header->hb3 & HB3_RD) ||
1327 ntohs(header->ancount) != 0 ||
Simon Kelleydd4ad9a2015-12-17 10:44:58 +00001328 ntohs(header->nscount) != 0 ||
1329 ntohs(header->qdcount) == 0 ||
1330 OPCODE(header) != QUERY )
1331 return 0;
Simon Kelley087eb762017-10-30 23:16:54 +00001332
Simon Kelleye243c072014-02-06 18:14:09 +00001333 /* Don't return AD set if checking disabled. */
Simon Kelleya25720a2014-01-14 23:13:55 +00001334 if (header->hb4 & HB4_CD)
1335 sec_data = 0;
Simon Kelley83349b82014-02-10 21:02:01 +00001336
Simon Kelleydd4ad9a2015-12-17 10:44:58 +00001337 /* If there is an additional data section then it will be overwritten by
Simon Kelleyfeba5c12004-07-27 20:28:58 +01001338 partial replies, so we have to do a dry run to see if we can answer
Simon Kelleydd4ad9a2015-12-17 10:44:58 +00001339 the query. */
Simon Kelleydd4ad9a2015-12-17 10:44:58 +00001340 if (ntohs(header->arcount) != 0)
Simon Kelleyfa14bec2015-12-20 17:12:16 +00001341 dryrun = 1;
Simon Kelleyfeba5c12004-07-27 20:28:58 +01001342
Simon Kelley0a852542005-03-23 20:28:59 +00001343 for (rec = daemon->mxnames; rec; rec = rec->next)
1344 rec->offset = 0;
1345
Simon Kelleyfeba5c12004-07-27 20:28:58 +01001346 rerun:
Simon Kelley9e4abcb2004-01-22 19:47:41 +00001347 /* determine end of question section (we put answers there) */
1348 if (!(ansp = skip_questions(header, qlen)))
1349 return 0; /* bad packet */
1350
1351 /* now process each question, answers go in RRs after the question */
1352 p = (unsigned char *)(header+1);
Simon Kelleyfeba5c12004-07-27 20:28:58 +01001353
Simon Kelley5aabfc72007-08-29 11:24:47 +01001354 for (q = ntohs(header->qdcount); q != 0; q--)
Simon Kelley9e4abcb2004-01-22 19:47:41 +00001355 {
1356 /* save pointer to name for copying into answers */
1357 nameoffset = p - (unsigned char *)header;
1358
1359 /* now extract name as .-concatenated string into name */
Simon Kelley9009d742008-11-14 20:04:27 +00001360 if (!extract_name(header, qlen, &p, name, 1, 4))
Simon Kelley9e4abcb2004-01-22 19:47:41 +00001361 return 0; /* bad packet */
Simon Kelley832af0b2007-01-21 20:01:28 +00001362
Simon Kelley9e4abcb2004-01-22 19:47:41 +00001363 GETSHORT(qtype, p);
1364 GETSHORT(qclass, p);
1365
1366 ans = 0; /* have we answered this question */
Simon Kelleyb59a5c22019-10-25 16:13:38 +01001367
1368 while ((crecp = cache_find_by_name(NULL, name, now, F_CNAME)))
1369 {
1370 char *cname_target = cache_get_cname_target(crecp);
1371
1372 /* If the client asked for DNSSEC don't use cached data. */
1373 if ((crecp->flags & (F_HOSTS | F_DHCP | F_CONFIG)) ||
1374 !do_bit ||
1375 (option_bool(OPT_DNSSEC_VALID) && !(crecp->flags & F_DNSSECOK)))
1376
1377 {
1378 if (crecp->flags & F_CONFIG || qtype == T_CNAME)
1379 ans = 1;
1380
1381 if (!(crecp->flags & F_DNSSECOK))
1382 sec_data = 0;
1383
1384 if (!dryrun)
1385 {
1386 log_query(crecp->flags, name, NULL, record_source(crecp->uid));
1387 if (add_resource_record(header, limit, &trunc, nameoffset, &ansp,
1388 crec_ttl(crecp, now), &nameoffset,
1389 T_CNAME, C_IN, "d", cname_target))
1390 anscount++;
1391 }
1392
1393 strcpy(name, cname_target);
1394 }
1395 }
1396
Simon Kelley0a852542005-03-23 20:28:59 +00001397 if (qtype == T_TXT || qtype == T_ANY)
Simon Kelley9e4abcb2004-01-22 19:47:41 +00001398 {
Simon Kelley0a852542005-03-23 20:28:59 +00001399 struct txt_record *t;
1400 for(t = daemon->txt; t ; t = t->next)
Simon Kelley9e4abcb2004-01-22 19:47:41 +00001401 {
Simon Kelley0a852542005-03-23 20:28:59 +00001402 if (t->class == qclass && hostname_isequal(name, t->name))
1403 {
Simon Kelley6f7812d2018-10-23 23:54:44 +01001404 ans = 1, sec_data = 0;
Simon Kelleye17fb622006-01-14 20:33:46 +00001405 if (!dryrun)
1406 {
Simon Kelleyfec216d2014-03-27 20:54:34 +00001407 unsigned long ttl = daemon->local_ttl;
1408 int ok = 1;
Kevin Darbyshire-Bryant7ac9ae12016-09-09 20:52:08 +01001409#ifndef NO_ID
Simon Kelleyfec216d2014-03-27 20:54:34 +00001410 /* Dynamically generate stat record */
1411 if (t->stat != 0)
1412 {
1413 ttl = 0;
1414 if (!cache_make_stat(t))
1415 ok = 0;
1416 }
Kevin Darbyshire-Bryant7ac9ae12016-09-09 20:52:08 +01001417#endif
Simon Kelleycbb5b172018-10-23 23:45:57 +01001418 if (ok)
1419 {
1420 log_query(F_CONFIG | F_RRNAME, name, NULL, "<TXT>");
1421 if (add_resource_record(header, limit, &trunc, nameoffset, &ansp,
1422 ttl, NULL,
1423 T_TXT, t->class, "t", t->len, t->txt))
1424 anscount++;
1425 }
Simon Kelleye17fb622006-01-14 20:33:46 +00001426 }
Simon Kelley0a852542005-03-23 20:28:59 +00001427 }
Simon Kelley9e4abcb2004-01-22 19:47:41 +00001428 }
Simon Kelley0a852542005-03-23 20:28:59 +00001429 }
Simon Kelleyf6b7dc42005-01-23 12:06:08 +00001430
Vladislav Grishenkocf598432018-10-18 04:55:21 +05001431 if (qclass == C_CHAOS)
1432 {
Simon Kelleycbb5b172018-10-23 23:45:57 +01001433 /* don't forward *.bind and *.server chaos queries - always reply with NOTIMP */
Vladislav Grishenkocf598432018-10-18 04:55:21 +05001434 if (hostname_issubdomain("bind", name) || hostname_issubdomain("server", name))
1435 {
1436 if (!ans)
Simon Kelleycbb5b172018-10-23 23:45:57 +01001437 {
1438 notimp = 1, auth = 0;
1439 if (!dryrun)
1440 {
Simon Kelleycc921df2019-01-02 22:48:59 +00001441 addr.log.rcode = NOTIMP;
Simon Kelleycbb5b172018-10-23 23:45:57 +01001442 log_query(F_CONFIG | F_RCODE, name, &addr, NULL);
1443 }
Simon Kelley6f7812d2018-10-23 23:54:44 +01001444 ans = 1, sec_data = 0;
Simon Kelleycbb5b172018-10-23 23:45:57 +01001445 }
Vladislav Grishenkocf598432018-10-18 04:55:21 +05001446 }
1447 }
1448
Simon Kelley0a852542005-03-23 20:28:59 +00001449 if (qclass == C_IN)
Simon Kelley9e4abcb2004-01-22 19:47:41 +00001450 {
Simon Kelley9f7f3b12012-05-28 21:39:57 +01001451 struct txt_record *t;
1452
1453 for (t = daemon->rr; t; t = t->next)
1454 if ((t->class == qtype || qtype == T_ANY) && hostname_isequal(name, t->name))
1455 {
1456 ans = 1;
Simon Kelley93be5b12015-12-15 12:04:40 +00001457 sec_data = 0;
Simon Kelley9f7f3b12012-05-28 21:39:57 +01001458 if (!dryrun)
1459 {
Simon Kelleyb758b672018-08-23 21:41:23 +01001460 log_query(F_CONFIG | F_RRNAME, name, NULL, querystr(NULL, t->class));
Simon Kelley9f7f3b12012-05-28 21:39:57 +01001461 if (add_resource_record(header, limit, &trunc, nameoffset, &ansp,
1462 daemon->local_ttl, NULL,
1463 t->class, C_IN, "t", t->len, t->txt))
Simon Kelley97f876b2018-08-21 22:06:36 +01001464 anscount++;
Simon Kelley9f7f3b12012-05-28 21:39:57 +01001465 }
1466 }
1467
Simon Kelleyf6b7dc42005-01-23 12:06:08 +00001468 if (qtype == T_PTR || qtype == T_ANY)
Simon Kelleyc1bb8502004-08-11 18:40:17 +01001469 {
Simon Kelley832af0b2007-01-21 20:01:28 +00001470 /* see if it's w.z.y.z.in-addr.arpa format */
1471 int is_arpa = in_arpa_name_2_addr(name, &addr);
1472 struct ptr_record *ptr;
Simon Kelleyf2621c72007-04-29 19:47:21 +01001473 struct interface_name* intr = NULL;
Simon Kelley832af0b2007-01-21 20:01:28 +00001474
1475 for (ptr = daemon->ptr; ptr; ptr = ptr->next)
1476 if (hostname_isequal(name, ptr->name))
1477 break;
1478
Simon Kelleyf2621c72007-04-29 19:47:21 +01001479 if (is_arpa == F_IPV4)
1480 for (intr = daemon->int_names; intr; intr = intr->next)
Simon Kelley5aabfc72007-08-29 11:24:47 +01001481 {
Simon Kelley115ac3e2013-05-20 11:28:32 +01001482 struct addrlist *addrlist;
1483
Simon Kelley376d48c2013-11-13 13:04:30 +00001484 for (addrlist = intr->addr; addrlist; addrlist = addrlist->next)
Simon Kelleycc921df2019-01-02 22:48:59 +00001485 if (!(addrlist->flags & ADDRLIST_IPV6) && addr.addr4.s_addr == addrlist->addr.addr4.s_addr)
Simon Kelley115ac3e2013-05-20 11:28:32 +01001486 break;
1487
1488 if (addrlist)
Simon Kelley5aabfc72007-08-29 11:24:47 +01001489 break;
1490 else
1491 while (intr->next && strcmp(intr->intr, intr->next->intr) == 0)
1492 intr = intr->next;
1493 }
Simon Kelley115ac3e2013-05-20 11:28:32 +01001494 else if (is_arpa == F_IPV6)
1495 for (intr = daemon->int_names; intr; intr = intr->next)
1496 {
1497 struct addrlist *addrlist;
1498
Simon Kelley376d48c2013-11-13 13:04:30 +00001499 for (addrlist = intr->addr; addrlist; addrlist = addrlist->next)
Simon Kelleycc921df2019-01-02 22:48:59 +00001500 if ((addrlist->flags & ADDRLIST_IPV6) && IN6_ARE_ADDR_EQUAL(&addr.addr6, &addrlist->addr.addr6))
Simon Kelley115ac3e2013-05-20 11:28:32 +01001501 break;
1502
1503 if (addrlist)
1504 break;
1505 else
1506 while (intr->next && strcmp(intr->intr, intr->next->intr) == 0)
1507 intr = intr->next;
1508 }
Simon Kelleyf2621c72007-04-29 19:47:21 +01001509
1510 if (intr)
1511 {
Simon Kelley93be5b12015-12-15 12:04:40 +00001512 sec_data = 0;
Simon Kelleyf2621c72007-04-29 19:47:21 +01001513 ans = 1;
1514 if (!dryrun)
Simon Kelley9e4abcb2004-01-22 19:47:41 +00001515 {
Simon Kelley115ac3e2013-05-20 11:28:32 +01001516 log_query(is_arpa | F_REVERSE | F_CONFIG, intr->name, &addr, NULL);
Simon Kelleyf2621c72007-04-29 19:47:21 +01001517 if (add_resource_record(header, limit, &trunc, nameoffset, &ansp,
1518 daemon->local_ttl, NULL,
1519 T_PTR, C_IN, "d", intr->name))
1520 anscount++;
Simon Kelleyfeba5c12004-07-27 20:28:58 +01001521 }
Simon Kelleyf6b7dc42005-01-23 12:06:08 +00001522 }
Simon Kelley832af0b2007-01-21 20:01:28 +00001523 else if (ptr)
1524 {
1525 ans = 1;
Simon Kelley93be5b12015-12-15 12:04:40 +00001526 sec_data = 0;
Simon Kelley832af0b2007-01-21 20:01:28 +00001527 if (!dryrun)
1528 {
Simon Kelley28866e92011-02-14 20:19:14 +00001529 log_query(F_CONFIG | F_RRNAME, name, NULL, "<PTR>");
Simon Kelley832af0b2007-01-21 20:01:28 +00001530 for (ptr = daemon->ptr; ptr; ptr = ptr->next)
Simon Kelleyf2621c72007-04-29 19:47:21 +01001531 if (hostname_isequal(name, ptr->name) &&
1532 add_resource_record(header, limit, &trunc, nameoffset, &ansp,
1533 daemon->local_ttl, NULL,
1534 T_PTR, C_IN, "d", ptr->ptr))
1535 anscount++;
1536
Simon Kelley832af0b2007-01-21 20:01:28 +00001537 }
1538 }
Simon Kelleyf2621c72007-04-29 19:47:21 +01001539 else if ((crecp = cache_find_by_addr(NULL, &addr, now, is_arpa)))
Simon Kelley2d33bda2014-01-24 22:37:25 +00001540 {
Simon Kelleydd4ad9a2015-12-17 10:44:58 +00001541 /* Don't use cache when DNSSEC data required, unless we know that
1542 the zone is unsigned, which implies that we're doing
1543 validation. */
1544 if ((crecp->flags & (F_HOSTS | F_DHCP | F_CONFIG)) ||
Simon Kelleyfa14bec2015-12-20 17:12:16 +00001545 !do_bit ||
Simon Kelleydd4ad9a2015-12-17 10:44:58 +00001546 (option_bool(OPT_DNSSEC_VALID) && !(crecp->flags & F_DNSSECOK)))
Simon Kelley2d33bda2014-01-24 22:37:25 +00001547 {
1548 do
1549 {
1550 /* don't answer wildcard queries with data not from /etc/hosts or dhcp leases */
1551 if (qtype == T_ANY && !(crecp->flags & (F_HOSTS | F_DHCP)))
1552 continue;
1553
1554 if (!(crecp->flags & F_DNSSECOK))
1555 sec_data = 0;
Simon Kelley93be5b12015-12-15 12:04:40 +00001556
1557 ans = 1;
1558
Simon Kelley2d33bda2014-01-24 22:37:25 +00001559 if (crecp->flags & F_NEG)
1560 {
Simon Kelley2d33bda2014-01-24 22:37:25 +00001561 auth = 0;
1562 if (crecp->flags & F_NXDOMAIN)
1563 nxdomain = 1;
1564 if (!dryrun)
1565 log_query(crecp->flags & ~F_FORWARD, name, &addr, NULL);
1566 }
Simon Kelley93be5b12015-12-15 12:04:40 +00001567 else
Simon Kelley2d33bda2014-01-24 22:37:25 +00001568 {
Simon Kelley2d33bda2014-01-24 22:37:25 +00001569 if (!(crecp->flags & (F_HOSTS | F_DHCP)))
1570 auth = 0;
1571 if (!dryrun)
1572 {
1573 log_query(crecp->flags & ~F_FORWARD, cache_get_name(crecp), &addr,
1574 record_source(crecp->uid));
1575
1576 if (add_resource_record(header, limit, &trunc, nameoffset, &ansp,
1577 crec_ttl(crecp, now), NULL,
1578 T_PTR, C_IN, "d", cache_get_name(crecp)))
1579 anscount++;
1580 }
1581 }
1582 } while ((crecp = cache_find_by_addr(crecp, &addr, now, is_arpa)));
1583 }
1584 }
Simon Kelley2bb73af2013-04-24 17:38:19 +01001585 else if (is_rev_synth(is_arpa, &addr, name))
1586 {
1587 ans = 1;
Simon Kelley93be5b12015-12-15 12:04:40 +00001588 sec_data = 0;
Simon Kelley2bb73af2013-04-24 17:38:19 +01001589 if (!dryrun)
1590 {
1591 log_query(F_CONFIG | F_REVERSE | is_arpa, name, &addr, NULL);
1592
1593 if (add_resource_record(header, limit, &trunc, nameoffset, &ansp,
1594 daemon->local_ttl, NULL,
1595 T_PTR, C_IN, "d", name))
1596 anscount++;
1597 }
1598 }
Simon Kelleyfca008d2017-02-19 18:50:41 +00001599 else if (option_bool(OPT_BOGUSPRIV) && (
Simon Kelleycc921df2019-01-02 22:48:59 +00001600 (is_arpa == F_IPV6 && private_net6(&addr.addr6)) ||
1601 (is_arpa == F_IPV4 && private_net(addr.addr4, 1))))
Simon Kelleyf2621c72007-04-29 19:47:21 +01001602 {
Vladislav Grishenko5a7212c2017-04-24 22:19:57 +01001603 struct server *serv;
1604 unsigned int namelen = strlen(name);
1605 char *nameend = name + namelen;
1606
1607 /* see if have rev-server set */
1608 for (serv = daemon->servers; serv; serv = serv->next)
1609 {
1610 unsigned int domainlen;
1611 char *matchstart;
1612
1613 if ((serv->flags & (SERV_HAS_DOMAIN | SERV_NO_ADDR)) != SERV_HAS_DOMAIN)
1614 continue;
1615
1616 domainlen = strlen(serv->domain);
1617 if (domainlen == 0 || domainlen > namelen)
1618 continue;
1619
1620 matchstart = nameend - domainlen;
1621 if (hostname_isequal(matchstart, serv->domain) &&
1622 (namelen == domainlen || *(matchstart-1) == '.' ))
1623 break;
1624 }
1625
1626 /* if no configured server, not in cache, enabled and private IPV4 address, return NXDOMAIN */
1627 if (!serv)
1628 {
1629 ans = 1;
1630 sec_data = 0;
1631 nxdomain = 1;
1632 if (!dryrun)
1633 log_query(F_CONFIG | F_REVERSE | is_arpa | F_NEG | F_NXDOMAIN,
1634 name, &addr, NULL);
1635 }
Simon Kelleyf2621c72007-04-29 19:47:21 +01001636 }
Simon Kelleyf6b7dc42005-01-23 12:06:08 +00001637 }
Simon Kelleyb59a5c22019-10-25 16:13:38 +01001638
Simon Kelleyf6b7dc42005-01-23 12:06:08 +00001639 for (flag = F_IPV4; flag; flag = (flag == F_IPV4) ? F_IPV6 : 0)
1640 {
Simon Kelleyee875042018-10-23 22:10:17 +01001641 unsigned short type = (flag == F_IPV6) ? T_AAAA : T_A;
Simon Kelley115ac3e2013-05-20 11:28:32 +01001642 struct interface_name *intr;
1643
Simon Kelleyf6b7dc42005-01-23 12:06:08 +00001644 if (qtype != type && qtype != T_ANY)
1645 continue;
1646
Simon Kelleyf2621c72007-04-29 19:47:21 +01001647 /* interface name stuff */
Simon Kelley115ac3e2013-05-20 11:28:32 +01001648 for (intr = daemon->int_names; intr; intr = intr->next)
1649 if (hostname_isequal(name, intr->name))
1650 break;
1651
1652 if (intr)
Simon Kelleyf2621c72007-04-29 19:47:21 +01001653 {
Simon Kelley115ac3e2013-05-20 11:28:32 +01001654 struct addrlist *addrlist;
Simon Kelleyd42d4702017-02-02 16:52:06 +00001655 int gotit = 0, localise = 0;
Simon Kelleyf2621c72007-04-29 19:47:21 +01001656
Simon Kelley115ac3e2013-05-20 11:28:32 +01001657 enumerate_interfaces(0);
Simon Kelleyd42d4702017-02-02 16:52:06 +00001658
klemens43517fc2017-02-19 15:53:37 +00001659 /* See if a putative address is on the network from which we received
Simon Kelleyd42d4702017-02-02 16:52:06 +00001660 the query, is so we'll filter other answers. */
1661 if (local_addr.s_addr != 0 && option_bool(OPT_LOCALISE) && type == T_A)
1662 for (intr = daemon->int_names; intr; intr = intr->next)
1663 if (hostname_isequal(name, intr->name))
1664 for (addrlist = intr->addr; addrlist; addrlist = addrlist->next)
Simon Kelleyee875042018-10-23 22:10:17 +01001665 if (!(addrlist->flags & ADDRLIST_IPV6) &&
Simon Kelleycc921df2019-01-02 22:48:59 +00001666 is_same_net(addrlist->addr.addr4, local_addr, local_netmask))
Simon Kelleyee875042018-10-23 22:10:17 +01001667 {
1668 localise = 1;
1669 break;
1670 }
Simon Kelleyf2621c72007-04-29 19:47:21 +01001671
Simon Kelleyfb63dd12013-10-21 18:19:35 +01001672 for (intr = daemon->int_names; intr; intr = intr->next)
1673 if (hostname_isequal(name, intr->name))
1674 {
Simon Kelley47669362014-12-17 12:41:56 +00001675 for (addrlist = intr->addr; addrlist; addrlist = addrlist->next)
Simon Kelley47669362014-12-17 12:41:56 +00001676 if (((addrlist->flags & ADDRLIST_IPV6) ? T_AAAA : T_A) == type)
Simon Kelley47669362014-12-17 12:41:56 +00001677 {
Simon Kelleyd42d4702017-02-02 16:52:06 +00001678 if (localise &&
Simon Kelleycc921df2019-01-02 22:48:59 +00001679 !is_same_net(addrlist->addr.addr4, local_addr, local_netmask))
Simon Kelleyd42d4702017-02-02 16:52:06 +00001680 continue;
1681
Simon Kelley47669362014-12-17 12:41:56 +00001682 if (addrlist->flags & ADDRLIST_REVONLY)
1683 continue;
Simon Kelleyee875042018-10-23 22:10:17 +01001684
Simon Kelley47669362014-12-17 12:41:56 +00001685 ans = 1;
Simon Kelley93be5b12015-12-15 12:04:40 +00001686 sec_data = 0;
Simon Kelley47669362014-12-17 12:41:56 +00001687 if (!dryrun)
Simon Kelley376d48c2013-11-13 13:04:30 +00001688 {
1689 gotit = 1;
1690 log_query(F_FORWARD | F_CONFIG | flag, name, &addrlist->addr, NULL);
1691 if (add_resource_record(header, limit, &trunc, nameoffset, &ansp,
1692 daemon->local_ttl, NULL, type, C_IN,
1693 type == T_A ? "4" : "6", &addrlist->addr))
1694 anscount++;
1695 }
Simon Kelley47669362014-12-17 12:41:56 +00001696 }
Simon Kelleyfb63dd12013-10-21 18:19:35 +01001697 }
1698
1699 if (!dryrun && !gotit)
1700 log_query(F_FORWARD | F_CONFIG | flag | F_NEG, name, NULL, NULL);
1701
Simon Kelley115ac3e2013-05-20 11:28:32 +01001702 continue;
Simon Kelleyf2621c72007-04-29 19:47:21 +01001703 }
1704
Simon Kelleyb59a5c22019-10-25 16:13:38 +01001705 if ((crecp = cache_find_by_name(NULL, name, now, flag | (dryrun ? F_NO_RR : 0))))
Simon Kelleyf6b7dc42005-01-23 12:06:08 +00001706 {
1707 int localise = 0;
1708
Josh Soref730c6742017-02-06 16:14:04 +00001709 /* See if a putative address is on the network from which we received
Simon Kelleyf6b7dc42005-01-23 12:06:08 +00001710 the query, is so we'll filter other answers. */
Simon Kelley28866e92011-02-14 20:19:14 +00001711 if (local_addr.s_addr != 0 && option_bool(OPT_LOCALISE) && flag == F_IPV4)
Simon Kelleyf6b7dc42005-01-23 12:06:08 +00001712 {
1713 struct crec *save = crecp;
1714 do {
1715 if ((crecp->flags & F_HOSTS) &&
Simon Kelleycc921df2019-01-02 22:48:59 +00001716 is_same_net(crecp->addr.addr4, local_addr, local_netmask))
Simon Kelleyf6b7dc42005-01-23 12:06:08 +00001717 {
1718 localise = 1;
1719 break;
1720 }
Simon Kelleyb59a5c22019-10-25 16:13:38 +01001721 } while ((crecp = cache_find_by_name(crecp, name, now, flag)));
Simon Kelleyf6b7dc42005-01-23 12:06:08 +00001722 crecp = save;
1723 }
Simon Kelley824202e2014-01-23 20:59:46 +00001724
Simon Kelley93be5b12015-12-15 12:04:40 +00001725 /* If the client asked for DNSSEC don't use cached data. */
Simon Kelleya997ca02018-06-29 14:39:41 +01001726 if ((crecp->flags & (F_HOSTS | F_DHCP | F_CONFIG)) ||
1727 !do_bit ||
1728 (option_bool(OPT_DNSSEC_VALID) && !(crecp->flags & F_DNSSECOK)))
Simon Kelley824202e2014-01-23 20:59:46 +00001729 do
1730 {
1731 /* don't answer wildcard queries with data not from /etc/hosts
1732 or DHCP leases */
1733 if (qtype == T_ANY && !(crecp->flags & (F_HOSTS | F_DHCP | F_CONFIG)))
1734 break;
1735
1736 if (!(crecp->flags & F_DNSSECOK))
1737 sec_data = 0;
1738
Simon Kelley824202e2014-01-23 20:59:46 +00001739 if (crecp->flags & F_NEG)
1740 {
Simon Kelleyfa14bec2015-12-20 17:12:16 +00001741 ans = 1;
1742 auth = 0;
1743 if (crecp->flags & F_NXDOMAIN)
1744 nxdomain = 1;
1745 if (!dryrun)
1746 log_query(crecp->flags, name, NULL, NULL);
Simon Kelley824202e2014-01-23 20:59:46 +00001747 }
1748 else
1749 {
1750 /* If we are returning local answers depending on network,
1751 filter here. */
1752 if (localise &&
1753 (crecp->flags & F_HOSTS) &&
Simon Kelleycc921df2019-01-02 22:48:59 +00001754 !is_same_net(crecp->addr.addr4, local_addr, local_netmask))
Simon Kelley824202e2014-01-23 20:59:46 +00001755 continue;
1756
1757 if (!(crecp->flags & (F_HOSTS | F_DHCP)))
1758 auth = 0;
1759
1760 ans = 1;
1761 if (!dryrun)
1762 {
Simon Kelleycc921df2019-01-02 22:48:59 +00001763 log_query(crecp->flags & ~F_REVERSE, name, &crecp->addr,
Simon Kelley824202e2014-01-23 20:59:46 +00001764 record_source(crecp->uid));
1765
1766 if (add_resource_record(header, limit, &trunc, nameoffset, &ansp,
1767 crec_ttl(crecp, now), NULL, type, C_IN,
1768 type == T_A ? "4" : "6", &crecp->addr))
1769 anscount++;
1770 }
1771 }
Simon Kelleyb59a5c22019-10-25 16:13:38 +01001772 } while ((crecp = cache_find_by_name(crecp, name, now, flag)));
Simon Kelley9e4abcb2004-01-22 19:47:41 +00001773 }
Simon Kelley2bb73af2013-04-24 17:38:19 +01001774 else if (is_name_synthetic(flag, name, &addr))
1775 {
Simon Kelley6f7812d2018-10-23 23:54:44 +01001776 ans = 1, sec_data = 0;
Simon Kelley2bb73af2013-04-24 17:38:19 +01001777 if (!dryrun)
1778 {
1779 log_query(F_FORWARD | F_CONFIG | flag, name, &addr, NULL);
1780 if (add_resource_record(header, limit, &trunc, nameoffset, &ansp,
1781 daemon->local_ttl, NULL, type, C_IN, type == T_A ? "4" : "6", &addr))
1782 anscount++;
1783 }
1784 }
Simon Kelleyf6b7dc42005-01-23 12:06:08 +00001785 }
Simon Kelleyd1c759c2012-04-16 17:26:19 +01001786
Simon Kelleyf6b7dc42005-01-23 12:06:08 +00001787 if (qtype == T_MX || qtype == T_ANY)
1788 {
1789 int found = 0;
Simon Kelley0a852542005-03-23 20:28:59 +00001790 for (rec = daemon->mxnames; rec; rec = rec->next)
1791 if (!rec->issrv && hostname_isequal(name, rec->name))
Simon Kelleyf6b7dc42005-01-23 12:06:08 +00001792 {
Simon Kelley6f7812d2018-10-23 23:54:44 +01001793 ans = found = 1;
1794 sec_data = 0;
1795 if (!dryrun)
1796 {
1797 int offset;
1798 log_query(F_CONFIG | F_RRNAME, name, NULL, "<MX>");
1799 if (add_resource_record(header, limit, &trunc, nameoffset, &ansp, daemon->local_ttl,
1800 &offset, T_MX, C_IN, "sd", rec->weight, rec->target))
1801 {
1802 anscount++;
1803 if (rec->target)
1804 rec->offset = offset;
1805 }
1806 }
Simon Kelleyf6b7dc42005-01-23 12:06:08 +00001807 }
1808
Simon Kelley28866e92011-02-14 20:19:14 +00001809 if (!found && (option_bool(OPT_SELFMX) || option_bool(OPT_LOCALMX)) &&
Simon Kelley12fae492014-02-04 22:03:06 +00001810 cache_find_by_name(NULL, name, now, F_HOSTS | F_DHCP | F_NO_RR))
Simon Kelleyf6b7dc42005-01-23 12:06:08 +00001811 {
1812 ans = 1;
Simon Kelley6f7812d2018-10-23 23:54:44 +01001813 sec_data = 0;
Simon Kelleyf6b7dc42005-01-23 12:06:08 +00001814 if (!dryrun)
1815 {
Simon Kelley28866e92011-02-14 20:19:14 +00001816 log_query(F_CONFIG | F_RRNAME, name, NULL, "<MX>");
Simon Kelleyf6b7dc42005-01-23 12:06:08 +00001817 if (add_resource_record(header, limit, &trunc, nameoffset, &ansp, daemon->local_ttl, NULL,
1818 T_MX, C_IN, "sd", 1,
Simon Kelley28866e92011-02-14 20:19:14 +00001819 option_bool(OPT_SELFMX) ? name : daemon->mxtarget))
Simon Kelleyf6b7dc42005-01-23 12:06:08 +00001820 anscount++;
Simon Kelleyfeba5c12004-07-27 20:28:58 +01001821 }
1822 }
Simon Kelleyf6b7dc42005-01-23 12:06:08 +00001823 }
1824
1825 if (qtype == T_SRV || qtype == T_ANY)
1826 {
1827 int found = 0;
Simon Kelley28866e92011-02-14 20:19:14 +00001828 struct mx_srv_record *move = NULL, **up = &daemon->mxnames;
1829
Simon Kelley0a852542005-03-23 20:28:59 +00001830 for (rec = daemon->mxnames; rec; rec = rec->next)
1831 if (rec->issrv && hostname_isequal(name, rec->name))
Simon Kelleyf6b7dc42005-01-23 12:06:08 +00001832 {
1833 found = ans = 1;
Simon Kelley6f7812d2018-10-23 23:54:44 +01001834 sec_data = 0;
Simon Kelleyf6b7dc42005-01-23 12:06:08 +00001835 if (!dryrun)
1836 {
Simon Kelleye1ff4192012-12-09 17:08:47 +00001837 int offset;
Simon Kelley28866e92011-02-14 20:19:14 +00001838 log_query(F_CONFIG | F_RRNAME, name, NULL, "<SRV>");
Simon Kelleyf6b7dc42005-01-23 12:06:08 +00001839 if (add_resource_record(header, limit, &trunc, nameoffset, &ansp, daemon->local_ttl,
Simon Kelley0a852542005-03-23 20:28:59 +00001840 &offset, T_SRV, C_IN, "sssd",
1841 rec->priority, rec->weight, rec->srvport, rec->target))
1842 {
1843 anscount++;
1844 if (rec->target)
1845 rec->offset = offset;
1846 }
Simon Kelleyf6b7dc42005-01-23 12:06:08 +00001847 }
Simon Kelley28866e92011-02-14 20:19:14 +00001848
1849 /* unlink first SRV record found */
1850 if (!move)
1851 {
1852 move = rec;
1853 *up = rec->next;
1854 }
1855 else
1856 up = &rec->next;
Simon Kelleyf6b7dc42005-01-23 12:06:08 +00001857 }
Simon Kelley28866e92011-02-14 20:19:14 +00001858 else
1859 up = &rec->next;
1860
1861 /* put first SRV record back at the end. */
1862 if (move)
1863 {
1864 *up = move;
1865 move->next = NULL;
1866 }
Simon Kelley5b99eae2019-01-06 23:09:50 +00001867
1868 if (!found)
1869 {
Simon Kelleyb59a5c22019-10-25 16:13:38 +01001870 if ((crecp = cache_find_by_name(NULL, name, now, F_SRV | (dryrun ? F_NO_RR : 0))) &&
Simon Kelley5b99eae2019-01-06 23:09:50 +00001871 (!do_bit || (option_bool(OPT_DNSSEC_VALID) && !(crecp->flags & F_DNSSECOK))))
1872 {
1873 if (!(crecp->flags & F_DNSSECOK))
1874 sec_data = 0;
1875
1876 auth = 0;
1877 found = ans = 1;
1878
1879 do {
Simon Kelleyb59a5c22019-10-25 16:13:38 +01001880 if (crecp->flags & F_NEG)
Simon Kelley5b99eae2019-01-06 23:09:50 +00001881 {
1882 if (crecp->flags & F_NXDOMAIN)
1883 nxdomain = 1;
1884 if (!dryrun)
1885 log_query(crecp->flags, name, NULL, NULL);
1886 }
Simon Kelley122997d2019-10-25 17:23:56 +01001887 else if (!dryrun)
Simon Kelley5b99eae2019-01-06 23:09:50 +00001888 {
Simon Kelley122997d2019-10-25 17:23:56 +01001889 char *target = blockdata_retrieve(crecp->addr.srv.target, crecp->addr.srv.targetlen, NULL);
1890 log_query(crecp->flags, name, NULL, 0);
Simon Kelley5b99eae2019-01-06 23:09:50 +00001891
Simon Kelley122997d2019-10-25 17:23:56 +01001892 if (add_resource_record(header, limit, &trunc, nameoffset, &ansp,
1893 crec_ttl(crecp, now), NULL, T_SRV, C_IN, "sssd",
1894 crecp->addr.srv.priority, crecp->addr.srv.weight, crecp->addr.srv.srvport,
1895 target))
1896 anscount++;
Simon Kelley5b99eae2019-01-06 23:09:50 +00001897 }
Simon Kelleyb59a5c22019-10-25 16:13:38 +01001898 } while ((crecp = cache_find_by_name(crecp, name, now, F_SRV)));
Simon Kelley5b99eae2019-01-06 23:09:50 +00001899 }
1900 }
1901
Simon Kelley28866e92011-02-14 20:19:14 +00001902 if (!found && option_bool(OPT_FILTER) && (qtype == T_SRV || (qtype == T_ANY && strchr(name, '_'))))
Simon Kelleyf6b7dc42005-01-23 12:06:08 +00001903 {
1904 ans = 1;
Simon Kelley6f7812d2018-10-23 23:54:44 +01001905 sec_data = 0;
Simon Kelleyf6b7dc42005-01-23 12:06:08 +00001906 if (!dryrun)
Simon Kelley1a6bca82008-07-11 11:11:42 +01001907 log_query(F_CONFIG | F_NEG, name, NULL, NULL);
Simon Kelleyf6b7dc42005-01-23 12:06:08 +00001908 }
1909 }
Simon Kelley1a6bca82008-07-11 11:11:42 +01001910
1911 if (qtype == T_NAPTR || qtype == T_ANY)
1912 {
1913 struct naptr *na;
1914 for (na = daemon->naptr; na; na = na->next)
1915 if (hostname_isequal(name, na->name))
1916 {
1917 ans = 1;
Simon Kelley6f7812d2018-10-23 23:54:44 +01001918 sec_data = 0;
Simon Kelley1a6bca82008-07-11 11:11:42 +01001919 if (!dryrun)
1920 {
Simon Kelley28866e92011-02-14 20:19:14 +00001921 log_query(F_CONFIG | F_RRNAME, name, NULL, "<NAPTR>");
Simon Kelley1a6bca82008-07-11 11:11:42 +01001922 if (add_resource_record(header, limit, &trunc, nameoffset, &ansp, daemon->local_ttl,
1923 NULL, T_NAPTR, C_IN, "sszzzd",
1924 na->order, na->pref, na->flags, na->services, na->regexp, na->replace))
1925 anscount++;
1926 }
1927 }
1928 }
Simon Kelleyf6b7dc42005-01-23 12:06:08 +00001929
1930 if (qtype == T_MAILB)
Simon Kelley6f7812d2018-10-23 23:54:44 +01001931 ans = 1, nxdomain = 1, sec_data = 0;
Simon Kelleyf6b7dc42005-01-23 12:06:08 +00001932
Simon Kelley28866e92011-02-14 20:19:14 +00001933 if (qtype == T_SOA && option_bool(OPT_FILTER))
Simon Kelleyf6b7dc42005-01-23 12:06:08 +00001934 {
Simon Kelley6f7812d2018-10-23 23:54:44 +01001935 ans = 1;
1936 sec_data = 0;
Simon Kelleyf6b7dc42005-01-23 12:06:08 +00001937 if (!dryrun)
Simon Kelley1a6bca82008-07-11 11:11:42 +01001938 log_query(F_CONFIG | F_NEG, name, &addr, NULL);
Simon Kelleyfeba5c12004-07-27 20:28:58 +01001939 }
Simon Kelley9e4abcb2004-01-22 19:47:41 +00001940 }
Simon Kelleyf6b7dc42005-01-23 12:06:08 +00001941
1942 if (!ans)
Simon Kelley9e4abcb2004-01-22 19:47:41 +00001943 return 0; /* failed to answer a question */
Simon Kelleyfeba5c12004-07-27 20:28:58 +01001944 }
Simon Kelleyf6b7dc42005-01-23 12:06:08 +00001945
Simon Kelleyfeba5c12004-07-27 20:28:58 +01001946 if (dryrun)
1947 {
1948 dryrun = 0;
1949 goto rerun;
Simon Kelley9e4abcb2004-01-22 19:47:41 +00001950 }
1951
Simon Kelley0a852542005-03-23 20:28:59 +00001952 /* create an additional data section, for stuff in SRV and MX record replies. */
1953 for (rec = daemon->mxnames; rec; rec = rec->next)
1954 if (rec->offset != 0)
1955 {
1956 /* squash dupes */
1957 struct mx_srv_record *tmp;
1958 for (tmp = rec->next; tmp; tmp = tmp->next)
1959 if (tmp->offset != 0 && hostname_isequal(rec->target, tmp->target))
1960 tmp->offset = 0;
1961
1962 crecp = NULL;
1963 while ((crecp = cache_find_by_name(crecp, rec->target, now, F_IPV4 | F_IPV6)))
1964 {
Simon Kelley0a852542005-03-23 20:28:59 +00001965 int type = crecp->flags & F_IPV4 ? T_A : T_AAAA;
Simon Kelleyee875042018-10-23 22:10:17 +01001966
Simon Kelley0a852542005-03-23 20:28:59 +00001967 if (crecp->flags & F_NEG)
1968 continue;
1969
Simon Kelley9009d742008-11-14 20:04:27 +00001970 if (add_resource_record(header, limit, NULL, rec->offset, &ansp,
1971 crec_ttl(crecp, now), NULL, type, C_IN,
Simon Kelley0a852542005-03-23 20:28:59 +00001972 crecp->flags & F_IPV4 ? "4" : "6", &crecp->addr))
1973 addncount++;
1974 }
1975 }
1976
Simon Kelley9e4abcb2004-01-22 19:47:41 +00001977 /* done all questions, set up header and return length of result */
Simon Kelley572b41e2011-02-18 18:11:18 +00001978 /* clear authoritative and truncated flags, set QR flag */
1979 header->hb3 = (header->hb3 & ~(HB3_AA | HB3_TC)) | HB3_QR;
1980 /* set RA flag */
1981 header->hb4 |= HB4_RA;
1982
Josh Soref730c6742017-02-06 16:14:04 +00001983 /* authoritative - only hosts and DHCP derived names. */
Simon Kelley572b41e2011-02-18 18:11:18 +00001984 if (auth)
1985 header->hb3 |= HB3_AA;
1986
1987 /* truncation */
1988 if (trunc)
1989 header->hb3 |= HB3_TC;
Simon Kelley0fc2f312014-01-08 10:26:58 +00001990
Simon Kelley45cca582013-10-15 10:20:13 +01001991 if (nxdomain)
Simon Kelley572b41e2011-02-18 18:11:18 +00001992 SET_RCODE(header, NXDOMAIN);
Vladislav Grishenkocf598432018-10-18 04:55:21 +05001993 else if (notimp)
1994 SET_RCODE(header, NOTIMP);
Simon Kelley9e4abcb2004-01-22 19:47:41 +00001995 else
Simon Kelley572b41e2011-02-18 18:11:18 +00001996 SET_RCODE(header, NOERROR); /* no error */
Simon Kelley9e4abcb2004-01-22 19:47:41 +00001997 header->ancount = htons(anscount);
1998 header->nscount = htons(0);
Simon Kelley0a852542005-03-23 20:28:59 +00001999 header->arcount = htons(addncount);
Simon Kelleye243c072014-02-06 18:14:09 +00002000
Simon Kelleya25720a2014-01-14 23:13:55 +00002001 len = ansp - (unsigned char *)header;
2002
Simon Kelleyfa14bec2015-12-20 17:12:16 +00002003 /* Advertise our packet size limit in our reply */
Simon Kelleya25720a2014-01-14 23:13:55 +00002004 if (have_pseudoheader)
Simon Kelleyc7f3bd22016-02-28 21:48:34 +00002005 len = add_pseudoheader(header, len, (unsigned char *)limit, daemon->edns_pktsz, 0, NULL, 0, do_bit, 0);
Simon Kelleye243c072014-02-06 18:14:09 +00002006
Simon Kelleyfa14bec2015-12-20 17:12:16 +00002007 if (ad_reqd && sec_data)
Simon Kelleye243c072014-02-06 18:14:09 +00002008 header->hb4 |= HB4_AD;
Simon Kelley83349b82014-02-10 21:02:01 +00002009 else
2010 header->hb4 &= ~HB4_AD;
Simon Kelleya25720a2014-01-14 23:13:55 +00002011
Simon Kelley7c286122014-01-27 21:38:11 +00002012 return len;
Simon Kelley9e4abcb2004-01-22 19:47:41 +00002013}