projects / platform / upstream / systemd.git / commit
? search:
summary | shortlog | log | commit | commitdiff | tree
(parent: afc58cc) | patch
resolved: ignore invalid OPT RRs in incoming packets
authorLennart Poettering <lennart@poettering.net>
Fri, 15 Jan 2016 17:18:54 +0000 (18:18 +0100)
committerLennart Poettering <lennart@poettering.net>
Sun, 17 Jan 2016 19:47:46 +0000 (20:47 +0100)
commitc3f7000e611b2c08052aca6db47245e77c008ae6
tree64094689b3d4b2264d59bc67715e0b943d3560d0tree | snapshot
parentafc58cc2fb5841154fe036ee7a6e1c8a06bc5d29commit | diff
resolved: ignore invalid OPT RRs in incoming packets

This validates OPT RRs more rigorously, before honouring them: if we any of the following condition holds, we'll ignore
them:

a) Multiple OPT RRs in the same message
b) OPT RR not owned by the root domain
c) OPT RR in the wrong section (Belkin routers do this)
d) OPT RR contain rfc6975 algorithm data (Belkin routers do this)
e) OPT version is not 0
f) OPT payload doesn't add up with the lengths

Note that d) may be an indication that the server just blindly copied OPT data from the response into the reply.
RFC6975 data is only supposed to be included in queries, and we do so. It's not supposed to be included in responses
(and the RFC is very clear on that). Hence if we get it back in a reply, then the server probably just copied the OPT
RR.
src/resolve/resolved-dns-packet.c diff | blob | history
Domain: System / System Framework;