* Exim - an Internet mail transport agent *
*************************************************/
-/* Copyright (c) University of Cambridge 1995 - 2016 */
+/* Copyright (c) University of Cambridge 1995 - 2018 */
/* See the file NOTICE for conditions of use and distribution. */
/* Functions for interfacing with the DNS. */
{
int len = Ustrlen(domain);
int asize = size; /* Locally modified */
-uschar name[256];
+uschar * name;
uschar utilname[256];
uschar *aptr = answerptr; /* Locally modified */
struct stat statbuf;
/* Remove terminating dot. */
if (domain[len - 1] == '.') len--;
-Ustrncpy(name, domain, len);
-name[len] = 0;
+name = string_copyn(domain, len);
/* Look for the fakens utility, and if it exists, call it. */
if (Ustrchr(string, ':') == NULL)
#endif
{
- int i;
- for (i = 0; i < 4; i++)
+ for (int i = 0; i < 4; i++)
{
const uschar *ppp = p;
while (ppp > string && ppp[-1] != '.') ppp--;
*pp++ = '.';
p = ppp - 1;
}
- Ustrcpy(pp, "in-addr.arpa");
+ Ustrcpy(pp, US"in-addr.arpa");
}
/* Handle IPv6 address; convert to binary so as to fill out any
#if HAVE_IPV6
else
{
- int i;
int v6[4];
(void)host_aton(string, v6);
nibble, and look in the ip6.int domain. The domain was subsequently
changed to ip6.arpa. */
- for (i = 3; i >= 0; i--)
- {
- int j;
- for (j = 0; j < 32; j += 4)
- {
- sprintf(CS pp, "%x.", (v6[i] >> j) & 15);
- pp += 2;
- }
- }
- Ustrcpy(pp, "ip6.arpa.");
+ for (int i = 3; i >= 0; i--)
+ for (int j = 0; j < 32; j += 4)
+ pp += sprintf(CS pp, "%x.", (v6[i] >> j) & 15);
+ Ustrcpy(pp, US"ip6.arpa.");
/* Another way of doing IPv6 reverse lookups was proposed in conjunction
with A6 records. However, it fell out of favour when they did. The
Ustrcpy(pp, "\\[x");
pp += 3;
- for (i = 0; i < 4; i++)
+ for (int i = 0; i < 4; i++)
{
sprintf(pp, "%08X", v6[i]);
pp += 8;
}
- Ustrcpy(pp, "].ip6.arpa.");
+ Ustrcpy(pp, US"].ip6.arpa.");
**************************************************/
}
if (reset != RESET_NEXT)
{
- TRACE debug_printf("%s: reset\n", __FUNCTION__);
dnss->rrcount = ntohs(h->qdcount);
+ TRACE debug_printf("%s: reset (Q rrcount %d)\n", __FUNCTION__, dnss->rrcount);
dnss->aptr = dnsa->answer + sizeof(HEADER);
/* Skip over questions; failure to expand the name just gives up */
/* Get the number of answer records. */
dnss->rrcount = ntohs(h->ancount);
+ TRACE debug_printf("%s: reset (A rrcount %d)\n", __FUNCTION__, dnss->rrcount);
/* Skip over answers if we want to look at the authority section. Also skip
the NS records (i.e. authority section) if wanting to look at the additional
{
TRACE debug_printf("%s: additional\n", __FUNCTION__);
dnss->rrcount += ntohs(h->nscount);
+ TRACE debug_printf("%s: reset (NS rrcount %d)\n", __FUNCTION__, dnss->rrcount);
}
if (reset == RESET_AUTHORITY || reset == RESET_ADDITIONAL)
}
dnss->rrcount = reset == RESET_AUTHORITY
? ntohs(h->nscount) : ntohs(h->arcount);
+ TRACE debug_printf("%s: reset (%s rrcount %d)\n", __FUNCTION__,
+ reset == RESET_AUTHORITY ? "NS" : "AR", dnss->rrcount);
}
TRACE debug_printf("%s: %d RRs to read\n", __FUNCTION__, dnss->rrcount);
}
return &dnss->srr;
null_return:
- TRACE debug_printf("%s: terminate (%d RRs left). Last op: %s\n",
- __FUNCTION__, dnss->rrcount, trace);
+ TRACE debug_printf("%s: terminate (%d RRs left). Last op: %s; errno %d %s\n",
+ __FUNCTION__, dnss->rrcount, trace, errno, strerror(errno));
dnss->rrcount = 0;
return NULL;
}
dns_extract_auth_name(const dns_answer * dnsa) /* FIXME: const dns_answer */
{
dns_scan dnss;
-dns_record * rr;
const HEADER * h = (const HEADER *) dnsa->answer;
if (h->nscount && h->aa)
- for (rr = dns_next_rr(dnsa, &dnss, RESET_AUTHORITY);
+ for (dns_record * rr = dns_next_rr(dnsa, &dnss, RESET_AUTHORITY);
rr; rr = dns_next_rr(dnsa, &dnss, RESET_NEXT))
if (rr->type == (h->ancount ? T_NS : T_SOA))
return string_copy(rr->name);
* Cache a failed DNS lookup result *
*************************************************/
+static void
+dns_fail_tag(uschar * buf, const uschar * name, int dns_type)
+{
+res_state resp = os_get_dns_resolver_res();
+sprintf(CS buf, "%.255s-%s-%lx", name, dns_text_type(dns_type),
+ (unsigned long) resp->options);
+}
+
+
/* We cache failed lookup results so as not to experience timeouts many
times for the same domain. We need to retain the resolver options because they
may change. For successful lookups, we rely on resolver and/or name server
static int
dns_return(const uschar * name, int type, int rc)
{
-res_state resp = os_get_dns_resolver_res();
-tree_node *node = store_get_perm(sizeof(tree_node) + 290);
-sprintf(CS node->name, "%.255s-%s-%lx", name, dns_text_type(type),
- (unsigned long) resp->options);
+tree_node *node = store_get_perm(sizeof(tree_node) + 290, TRUE);
+dns_fail_tag(node->name, name, type);
node->data.val = rc;
(void)tree_insertnode(&tree_dns_fails, node);
return rc;
providing a list of domains for which this is treated as a non-existent
host.
+The dns_answer structure is pretty big; enough to hold a max-sized DNS message
+- so best allocated from fast-release memory. As of writing, all our callers
+use a stack-auto variable.
+
Arguments:
dnsa pointer to dns_answer structure
name name to look up
int rc = -1;
const uschar *save_domain;
#endif
-res_state resp = os_get_dns_resolver_res();
tree_node *previous;
uschar node_name[290];
have many addresses in the same domain. We rely on the resolver and name server
caching for successful lookups. */
-sprintf(CS node_name, "%.255s-%s-%lx", name, dns_text_type(type),
- (unsigned long) resp->options);
+dns_fail_tag(node_name, name, type);
if ((previous = tree_search(tree_dns_fails, node_name)))
{
DEBUG(D_dns) debug_printf("DNS lookup of %.255s-%s: using cached value %s\n",
name, dns_text_type(type),
- (previous->data.val == DNS_NOMATCH)? "DNS_NOMATCH" :
- (previous->data.val == DNS_NODATA)? "DNS_NODATA" :
- (previous->data.val == DNS_AGAIN)? "DNS_AGAIN" :
- (previous->data.val == DNS_FAIL)? "DNS_FAIL" : "??");
+ previous->data.val == DNS_NOMATCH ? "DNS_NOMATCH" :
+ previous->data.val == DNS_NODATA ? "DNS_NODATA" :
+ previous->data.val == DNS_AGAIN ? "DNS_AGAIN" :
+ previous->data.val == DNS_FAIL ? "DNS_FAIL" : "??");
return previous->data.val;
}
DEBUG(D_dns)
debug_printf("DNS name '%s' utf8 conversion to alabel failed: %s\n", name,
errstr);
- host_find_failed_syntax = TRUE;
+ f.host_find_failed_syntax = TRUE;
return DNS_NOMATCH;
}
name = alabel;
bitstring labels don't conform to normal name syntax. (But the aren't used any
more.)
-For SRV records, we omit the initial _smtp._tcp. components at the start. */
+For SRV records, we omit the initial _smtp._tcp. components at the start.
+The check has been seen to bite on the destination of a SRV lookup that
+initiall hit a CNAME, for which the next name had only two components.
+RFC2782 makes no mention of the possibiility of CNAMES, but the Wikipedia
+article on SRV says they are not a valid configuration. */
#ifndef STAND_ALONE /* Omit this for stand-alone tests */
if (type == T_SRV || type == T_TLSA)
{
- while (*checkname++ != '.');
- while (*checkname++ != '.');
+ while (*checkname && *checkname++ != '.') ;
+ while (*checkname && *checkname++ != '.') ;
}
if (pcre_exec(regex_check_dns_names, NULL, CCS checkname, Ustrlen(checkname),
- 0, PCRE_EOPT, ovector, sizeof(ovector)/sizeof(int)) < 0)
+ 0, PCRE_EOPT, ovector, nelem(ovector)) < 0)
{
DEBUG(D_dns)
debug_printf("DNS name syntax check failed: %s (%s)\n", name,
dns_text_type(type));
- host_find_failed_syntax = TRUE;
+ f.host_find_failed_syntax = TRUE;
return DNS_NOMATCH;
}
}
(res_search), we call fakens_search(), which recognizes certain special
domains, and interfaces to a fake nameserver for certain special zones. */
-dnsa->answerlen = running_in_test_harness
- ? fakens_search(name, type, dnsa->answer, MAXPACKET)
- : res_search(CCS name, C_IN, type, dnsa->answer, MAXPACKET);
+dnsa->answerlen = f.running_in_test_harness
+ ? fakens_search(name, type, dnsa->answer, sizeof(dnsa->answer))
+ : res_search(CCS name, C_IN, type, dnsa->answer, sizeof(dnsa->answer));
-if (dnsa->answerlen > MAXPACKET)
+if (dnsa->answerlen > (int) sizeof(dnsa->answer))
{
- DEBUG(D_dns) debug_printf("DNS lookup of %s (%s) resulted in overlong packet (size %d), truncating to %d.\n",
- name, dns_text_type(type), dnsa->answerlen, MAXPACKET);
- dnsa->answerlen = MAXPACKET;
+ DEBUG(D_dns) debug_printf("DNS lookup of %s (%s) resulted in overlong packet"
+ " (size %d), truncating to %u.\n",
+ name, dns_text_type(type), dnsa->answerlen, (unsigned int) sizeof(dnsa->answer));
+ dnsa->answerlen = sizeof(dnsa->answer);
}
if (dnsa->answerlen < 0) switch (h_errno)
/* Look up the given domain name, using the given type. Follow CNAMEs if
necessary, but only so many times. There aren't supposed to be CNAME chains in
the DNS, but you are supposed to cope with them if you find them.
+By default, follow one CNAME since a resolver has been seen, faced with
+an MX request and a CNAME (to an A) but no MX present, returning the CNAME.
The assumption is made that if the resolver gives back records of the
requested type *and* a CNAME, we don't need to make another call to look up
dns_lookup(dns_answer *dnsa, const uschar *name, int type,
const uschar **fully_qualified_name)
{
-int i;
const uschar *orig_name = name;
BOOL secure_so_far = TRUE;
-/* Loop to follow CNAME chains so far, but no further... */
+/* By default, assume the resolver follows CNAME chains (and returns NODATA for
+an unterminated one). If it also does that for a CNAME loop, fine; if it returns
+a CNAME (maybe the last?) whine about it. However, retain the coding for dumb
+resolvers hiding behind a config variable. Loop to follow CNAME chains so far,
+but no further... The testsuite tests the latter case, mostly assuming that the
+former will work. */
-for (i = 0; i < 10; i++)
+for (int i = 0; i <= dns_cname_loops; i++)
{
uschar * data;
- dns_record *rr, cname_rr, type_rr;
+ dns_record cname_rr, type_rr;
dns_scan dnss;
- int datalen, rc;
+ int rc;
/* DNS lookup failures get passed straight back. */
area in the dnsa block. */
cname_rr.data = type_rr.data = NULL;
- for (rr = dns_next_rr(dnsa, &dnss, RESET_ANSWERS);
+ for (dns_record * rr = dns_next_rr(dnsa, &dnss, RESET_ANSWERS);
rr; rr = dns_next_rr(dnsa, &dnss, RESET_NEXT))
if (rr->type == type)
{
if (!cname_rr.data)
return DNS_FAIL;
- data = store_get(256);
- if ((datalen = dn_expand(dnsa->answer, dnsa->answer + dnsa->answerlen,
- cname_rr.data, (DN_EXPAND_ARG4_TYPE)data, 256)) < 0)
+ /* DNS data comes from the outside, hence tainted */
+ data = store_get(256, TRUE);
+ if (dn_expand(dnsa->answer, dnsa->answer + dnsa->answerlen,
+ cname_rr.data, (DN_EXPAND_ARG4_TYPE)data, 256) < 0)
return DNS_FAIL;
name = data;
assertion field. */
case T_CSA:
{
- uschar *srvname, *namesuff, *tld, *p;
+ uschar *srvname, *namesuff, *tld;
int priority, weight, port;
int limit, rc, i;
BOOL ipv6;
&& (h->rcode == NOERROR || h->rcode == NXDOMAIN)
&& ntohs(h->qdcount) == 1 && ntohs(h->ancount) == 0
&& ntohs(h->nscount) >= 1)
- dnsa->answerlen = MAXPACKET;
+ dnsa->answerlen = sizeof(dnsa->answer);
for (rr = dns_next_rr(dnsa, &dnss, RESET_AUTHORITY);
rr; rr = dns_next_rr(dnsa, &dnss, RESET_NEXT)
uschar *p = US rr->data;
if (p + 4 <= dnsa_lim)
{
- yield = store_get(sizeof(dns_address) + 20);
+ /* the IP is not regarded as tainted */
+ yield = store_get(sizeof(dns_address) + 20, FALSE);
(void)sprintf(CS yield->address, "%d.%d.%d.%d", p[0], p[1], p[2], p[3]);
yield->next = NULL;
}
if (rr->data + 16 <= dnsa_lim)
{
struct in6_addr in6;
- int i;
- for (i = 0; i < 16; i++) in6.s6_addr[i] = rr->data[i];
- yield = store_get(sizeof(dns_address) + 50);
+ for (int i = 0; i < 16; i++) in6.s6_addr[i] = rr->data[i];
+ yield = store_get(sizeof(dns_address) + 50, FALSE);
inet_ntop(AF_INET6, &in6, CS yield->address, 50);
yield->next = NULL;
}
git://git.exim.org / exim.git / blobdiff