* Exim - an Internet mail transport agent *
*************************************************/
-/* Copyright (c) University of Cambridge 1995 - 2015 */
+/* Copyright (c) The Exim Maintainers 2020 - 2024 */
+/* Copyright (c) University of Cambridge 1995 - 2018 */
/* See the file NOTICE for conditions of use and distribution. */
+/* SPDX-License-Identifier: GPL-2.0-or-later */
#include "../exim.h"
#include "lf_functions.h"
header files. */
#ifndef T_TXT
-#define T_TXT 16
+# define T_TXT 16
#endif
/* Many systems do not have T_SPF. */
#ifndef T_SPF
-#define T_SPF 99
+# define T_SPF 99
#endif
/* New TLSA record for DANE */
#ifndef T_TLSA
-#define T_TLSA 52
+# define T_TLSA 52
#endif
/* Table of recognized DNS record types and their integer values. */
/* See local README for interface description. */
static void *
-dnsdb_open(uschar *filename, uschar **errmsg)
+dnsdb_open(const uschar * filename, uschar **errmsg)
{
-filename = filename; /* Keep picky compilers happy */
-errmsg = errmsg; /* Ditto */
return (void *)(-1); /* Any non-0 value */
}
causes the whole lookup to defer only if none of the DNS queries succeeds; and
'never', where all defers are as if the lookup failed. The default is 'lax'.
-- 'dnssec_FOO', with 'strict', 'lax' and 'never' (default). The meanings are
+- 'dnssec_FOO', with 'strict', 'lax' (default), and 'never'. The meanings are
require, try and don't-try dnssec respectively.
- 'retrans_VAL', set the timeout value. VAL is an Exim time specification
separator, as always, is colon. */
static int
-dnsdb_find(void *handle, uschar *filename, const uschar *keystring, int length,
- uschar **result, uschar **errmsg, uint *do_cache)
+dnsdb_find(void * handle, const uschar * filename, const uschar * keystring,
+ int length, uschar ** result, uschar ** errmsg, uint * do_cache,
+ const uschar * opts)
{
int rc;
-int size = 256;
-int ptr = 0;
int sep = 0;
-int defer_mode = PASS;
-int dnssec_mode = OK;
-int save_retrans = dns_retrans;
-int save_retry = dns_retry;
+int defer_mode = PASS, dnssec_mode = PASS;
+int save_retrans = dns_retrans, save_retry = dns_retry;
int type;
int failrc = FAIL;
-const uschar *outsep = CUS"\n";
-const uschar *outsep2 = NULL;
-uschar *equals, *domain, *found;
+const uschar * outsep = CUS"\n", * outsep2 = NULL;
+uschar * equals, * domain, * found;
-/* Because we're the working in the search pool, we try to reclaim as much
-store as possible later, so we preallocate the result here */
-
-uschar *yield = store_get(size);
-
-dns_record *rr;
-dns_answer dnsa;
+dns_answer * dnsa = store_get_dns_answer();
dns_scan dnss;
-handle = handle; /* Keep picky compilers happy */
-filename = filename;
-length = length;
-do_cache = do_cache;
+/* Because we're working in the search pool, we try to reclaim as much
+store as possible later, so we preallocate the result here */
+
+gstring * yield = string_get(256);
/* If the string starts with '>' we change the output separator.
If it's followed by ';' or ',' we set the TXT output separator. */
-while (isspace(*keystring)) keystring++;
-if (*keystring == '>')
+if (Uskip_whitespace(&keystring) == '>')
{
outsep = keystring + 1;
keystring += 2;
outsep2 = US"";
keystring++;
}
- while (isspace(*keystring)) keystring++;
+ Uskip_whitespace(&keystring);
}
/* Check for a modifier keyword. */
else
{
*errmsg = US"unsupported dnsdb defer behaviour";
- return DEFER;
+ rc = DEFER;
+ goto out;
}
}
else if (strncmpic(keystring, US"dnssec_", 7) == 0)
else
{
*errmsg = US"unsupported dnsdb dnssec behaviour";
- return DEFER;
+ rc = DEFER;
+ goto out;
}
}
else if (strncmpic(keystring, US"retrans_", 8) == 0)
if ((timeout_sec = readconf_readtime(keystring += 8, ',', FALSE)) <= 0)
{
*errmsg = US"unsupported dnsdb timeout value";
- return DEFER;
+ rc = DEFER;
+ goto out;
}
dns_retrans = timeout_sec;
while (*keystring != ',') keystring++;
if ((retries = (int)strtol(CCS keystring + 6, CSS &keystring, 0)) < 0)
{
*errmsg = US"unsupported dnsdb retry count";
- return DEFER;
+ rc = DEFER;
+ goto out;
}
dns_retry = retries;
}
else
break;
- while (isspace(*keystring)) keystring++;
+ Uskip_whitespace(&keystring);
if (*keystring++ != ',')
{
*errmsg = US"dnsdb modifier syntax error";
- return DEFER;
+ rc = DEFER;
+ goto out;
}
- while (isspace(*keystring)) keystring++;
+ Uskip_whitespace(&keystring);
}
/* Figure out the "type" value if it is not T_TXT.
while (tend > keystring && isspace(tend[-1])) tend--;
len = tend - keystring;
- for (i = 0; i < sizeof(type_names)/sizeof(uschar *); i++)
- {
+ for (i = 0; i < nelem(type_names); i++)
if (len == Ustrlen(type_names[i]) &&
strncmpic(keystring, US type_names[i], len) == 0)
{
type = type_values[i];
break;
}
- }
- if (i >= sizeof(type_names)/sizeof(uschar *))
+ if (i >= nelem(type_names))
{
*errmsg = US"unsupported DNS record type";
- return DEFER;
+ rc = DEFER;
+ goto out;
}
keystring = equals + 1;
- while (isspace(*keystring)) keystring++;
+ Uskip_whitespace(&keystring);
}
/* Initialize the resolver in case this is the first time it has been used. */
while ((domain = string_nextinlist(&keystring, &sep, NULL, 0)))
{
- uschar rbuffer[256];
- int searchtype = (type == T_CSA)? T_SRV : /* record type we want */
- (type == T_MXH)? T_MX :
- (type == T_ZNS)? T_NS : type;
+ int searchtype = type == T_CSA ? T_SRV : /* record type we want */
+ type == T_MXH ? T_MX :
+ type == T_ZNS ? T_NS : type;
/* If the type is PTR or CSA, we have to construct the relevant magic lookup
key if the original is an IP address (some experimental protocols are using
if ((type == T_PTR || type == T_CSA) &&
string_is_ip_address(domain, NULL) != 0)
- {
- dns_build_reverse(domain, rbuffer);
- domain = rbuffer;
- }
+ domain = dns_build_reverse(domain);
do
{
- DEBUG(D_lookup) debug_printf("dnsdb key: %s\n", domain);
+ DEBUG(D_lookup) debug_printf_indent("dnsdb key: %s\n", domain);
/* Do the lookup and sort out the result. There are four special types that
are handled specially: T_CSA, T_ZNS, T_ADDRESSES and T_MXH.
{
if (searchtype == T_ADDRESSES) searchtype = T_AAAA;
else if (searchtype == T_AAAA) searchtype = T_A;
- rc = dns_special_lookup(&dnsa, domain, searchtype, CUSS &found);
+ rc = dns_special_lookup(dnsa, domain, searchtype, CUSS &found);
}
else
#endif
- rc = dns_special_lookup(&dnsa, domain, type, CUSS &found);
+ rc = dns_special_lookup(dnsa, domain, type, CUSS &found);
lookup_dnssec_authenticated = dnssec_mode==OK ? NULL
- : dns_is_secure(&dnsa) ? US"yes" : US"no";
+ : dns_is_secure(dnsa) ? US"yes" : US"no";
if (rc == DNS_NOMATCH || rc == DNS_NODATA) continue;
if ( rc != DNS_SUCCEED
- || (dnssec_mode == DEFER && !dns_is_secure(&dnsa))
+ || (dnssec_mode == DEFER && !dns_is_secure(dnsa))
)
{
if (defer_mode == DEFER)
dns_retrans = save_retrans;
dns_retry = save_retry;
dns_init(FALSE, FALSE, FALSE); /* clr dnssec bit */
- return DEFER; /* always defer */
+ rc = DEFER; /* always defer */
+ goto out;
}
if (defer_mode == PASS) failrc = DEFER; /* defer only if all do */
continue; /* treat defer as fail */
/* Search the returned records */
- for (rr = dns_next_rr(&dnsa, &dnss, RESET_ANSWERS);
- rr != NULL;
- rr = dns_next_rr(&dnsa, &dnss, RESET_NEXT))
+ for (dns_record * rr = dns_next_rr(dnsa, &dnss, RESET_ANSWERS); rr;
+ rr = dns_next_rr(dnsa, &dnss, RESET_NEXT)) if (rr->type == searchtype)
{
- if (rr->type != searchtype) continue;
-
if (*do_cache > rr->ttl)
*do_cache = rr->ttl;
if (type == T_A || type == T_AAAA || type == T_ADDRESSES)
{
- dns_address *da;
- for (da = dns_address_from_rr(&dnsa, rr); da; da = da->next)
- {
- if (ptr != 0) yield = string_catn(yield, &size, &ptr, outsep, 1);
- yield = string_cat(yield, &size, &ptr, da->address);
- }
+ for (dns_address * da = dns_address_from_rr(dnsa, rr); da; da = da->next)
+ yield = string_append_listele(yield, *outsep, da->address);
continue;
}
/* Other kinds of record just have one piece of data each, but there may be
- several of them, of course. */
+ several of them, of course. TXT & SPF can have data in multiple chunks. */
- if (ptr != 0) yield = string_catn(yield, &size, &ptr, outsep, 1);
+ if (yield->ptr) yield = string_catn(yield, outsep, 1);
if (type == T_TXT || type == T_SPF)
- {
- if (outsep2 == NULL)
- {
- /* output only the first item of data */
- yield = string_catn(yield, &size, &ptr, (uschar *)(rr->data+1),
- (rr->data)[0]);
- }
- else
- {
- /* output all items */
- int data_offset = 0;
- while (data_offset < rr->size)
- {
- uschar chunk_len = (rr->data)[data_offset++];
- if (outsep2[0] != '\0' && data_offset != 1)
- yield = string_catn(yield, &size, &ptr, outsep2, 1);
- yield = string_catn(yield, &size, &ptr,
- US ((rr->data)+data_offset), chunk_len);
- data_offset += chunk_len;
- }
- }
- }
- else if (type == T_TLSA)
- {
- uint8_t usage, selector, matching_type;
- uint16_t i, payload_length;
- uschar s[MAX_TLSA_EXPANDED_SIZE];
- uschar * sp = s;
- uschar * p = US rr->data;
+ for (unsigned data_offset = 0; data_offset + 1 < rr->size; )
+ {
+ uschar chunk_len = (rr->data)[data_offset];
+ int remain;
- usage = *p++;
- selector = *p++;
- matching_type = *p++;
- /* What's left after removing the first 3 bytes above */
- payload_length = rr->size - 3;
- sp += sprintf(CS s, "%d%c%d%c%d%c", usage, *outsep2,
- selector, *outsep2, matching_type, *outsep2);
- /* Now append the cert/identifier, one hex char at a time */
- for (i=0;
- i < payload_length && sp-s < (MAX_TLSA_EXPANDED_SIZE - 4);
- i++)
- sp += sprintf(CS sp, "%02x", (unsigned char)p[i]);
-
- yield = string_cat(yield, &size, &ptr, s);
- }
+ if (outsep2 && *outsep2 && data_offset != 0)
+ yield = string_catn(yield, outsep2, 1);
+
+ /* Apparently there are resolvers that do not check RRs before passing
+ them on, and glibc fails to do so. So every application must...
+ Check for chunk len exceeding RR */
+
+ remain = rr->size - ++data_offset;
+ if (chunk_len > remain)
+ chunk_len = remain;
+ yield = string_catn(yield, US ((rr->data) + data_offset), chunk_len);
+ data_offset += chunk_len;
+
+ if (!outsep2) break; /* output only the first chunk of the RR */
+ }
+ else if (type == T_TLSA)
+ if (rr->size < 3)
+ continue;
+ else
+ {
+ uint8_t usage, selector, matching_type;
+ uint16_t payload_length;
+ uschar s[MAX_TLSA_EXPANDED_SIZE];
+ uschar * sp = s;
+ uschar * p = US rr->data;
+
+ usage = *p++;
+ selector = *p++;
+ matching_type = *p++;
+ /* What's left after removing the first 3 bytes above */
+ payload_length = rr->size - 3;
+ sp += sprintf(CS s, "%d%c%d%c%d%c", usage, *outsep2,
+ selector, *outsep2, matching_type, *outsep2);
+ /* Now append the cert/identifier, one hex char at a time */
+ while (payload_length-- > 0 && sp-s < (MAX_TLSA_EXPANDED_SIZE - 4))
+ sp += sprintf(CS sp, "%02x", *p++);
+
+ yield = string_cat(yield, s);
+ }
else /* T_CNAME, T_CSA, T_MX, T_MXH, T_NS, T_PTR, T_SOA, T_SRV */
{
int priority, weight, port;
switch (type)
{
case T_MXH:
+ if (rr_bad_size(rr, sizeof(uint16_t))) continue;
/* mxh ignores the priority number and includes only the hostnames */
GETSHORT(priority, p);
break;
case T_MX:
+ if (rr_bad_size(rr, sizeof(uint16_t))) continue;
GETSHORT(priority, p);
sprintf(CS s, "%d%c", priority, *outsep2);
- yield = string_cat(yield, &size, &ptr, s);
+ yield = string_cat(yield, s);
break;
case T_SRV:
+ if (rr_bad_size(rr, 3*sizeof(uint16_t))) continue;
GETSHORT(priority, p);
GETSHORT(weight, p);
GETSHORT(port, p);
sprintf(CS s, "%d%c%d%c%d%c", priority, *outsep2,
weight, *outsep2, port, *outsep2);
- yield = string_cat(yield, &size, &ptr, s);
+ yield = string_cat(yield, s);
break;
case T_CSA:
+ if (rr_bad_size(rr, 3*sizeof(uint16_t))) continue;
/* See acl_verify_csa() for more comments about CSA. */
GETSHORT(priority, p);
GETSHORT(weight, p);
}
s[1] = ' ';
- yield = string_catn(yield, &size, &ptr, s, 2);
+ yield = string_catn(yield, s, 2);
break;
default:
/* GETSHORT() has advanced the pointer to the target domain. */
- rc = dn_expand(dnsa.answer, dnsa.answer + dnsa.answerlen, p,
+ rc = dn_expand(dnsa->answer, dnsa->answer + dnsa->answerlen, p,
(DN_EXPAND_ARG4_TYPE)s, sizeof(s));
/* If an overlong response was received, the data will have been
"domain=%s", dns_text_type(type), domain);
break;
}
- else yield = string_cat(yield, &size, &ptr, s);
+ else yield = string_cat(yield, s);
if (type == T_SOA && outsep2 != NULL)
{
- unsigned long serial, refresh, retry, expire, minimum;
+ unsigned long serial = 0, refresh = 0, retry = 0, expire = 0, minimum = 0;
p += rc;
- yield = string_catn(yield, &size, &ptr, outsep2, 1);
+ yield = string_catn(yield, outsep2, 1);
- rc = dn_expand(dnsa.answer, dnsa.answer + dnsa.answerlen, p,
+ rc = dn_expand(dnsa->answer, dnsa->answer + dnsa->answerlen, p,
(DN_EXPAND_ARG4_TYPE)s, sizeof(s));
if (rc < 0)
{
"domain=%s", dns_text_type(type), domain);
break;
}
- else yield = string_cat(yield, &size, &ptr, s);
+ else yield = string_cat(yield, s);
p += rc;
- GETLONG(serial, p); GETLONG(refresh, p);
- GETLONG(retry, p); GETLONG(expire, p); GETLONG(minimum, p);
+ if (!rr_bad_increment(rr, p, 5 * sizeof(u_int32_t)))
+ {
+ GETLONG(serial, p); GETLONG(refresh, p);
+ GETLONG(retry, p); GETLONG(expire, p); GETLONG(minimum, p);
+ }
sprintf(CS s, "%c%lu%c%lu%c%lu%c%lu%c%lu",
*outsep2, serial, *outsep2, refresh,
*outsep2, retry, *outsep2, expire, *outsep2, minimum);
- yield = string_cat(yield, &size, &ptr, s);
+ yield = string_cat(yield, s);
}
}
} /* Loop for list of returned records */
- /* Loop for set of A-lookupu types */
+ /* Loop for set of A-lookup types */
} while (type == T_ADDRESSES && searchtype != T_A);
} /* Loop for list of domains */
/* Reclaim unused memory */
-store_reset(yield + ptr + 1);
+gstring_release_unused(yield);
-/* If ptr == 0 we have not found anything. Otherwise, insert the terminating
+/* If yield NULL we have not found anything. Otherwise, insert the terminating
zero and return the result. */
dns_retrans = save_retrans;
dns_retry = save_retry;
dns_init(FALSE, FALSE, FALSE); /* clear the dnssec bit for getaddrbyname */
-if (ptr == 0) return failrc;
-yield[ptr] = 0;
-*result = yield;
-return OK;
+if (!yield || !yield->ptr)
+ rc = failrc;
+else
+ {
+ *result = string_from_gstring(yield);
+ rc = OK;
+ }
+
+out:
+
+store_free_dns_answer(dnsa);
+return rc;
}
#include "../version.h"
-void
-dnsdb_version_report(FILE *f)
+gstring *
+dnsdb_version_report(gstring * g)
{
#ifdef DYNLOOKUP
-fprintf(f, "Library version: DNSDB: Exim version %s\n", EXIM_VERSION_STR);
+g = string_fmt_append(g, "Library version: DNSDB: Exim version %s\n", EXIM_VERSION_STR);
#endif
+return g;
}
static lookup_info _lookup_info = {
- US"dnsdb", /* lookup name */
- lookup_querystyle, /* query style */
- dnsdb_open, /* open function */
- NULL, /* check function */
- dnsdb_find, /* find function */
- NULL, /* no close function */
- NULL, /* no tidy function */
- NULL, /* no quoting function */
- dnsdb_version_report /* version reporting */
+ .name = US"dnsdb", /* lookup name */
+ .type = lookup_querystyle, /* query style */
+ .open = dnsdb_open, /* open function */
+ .check = NULL, /* check function */
+ .find = dnsdb_find, /* find function */
+ .close = NULL, /* no close function */
+ .tidy = NULL, /* no tidy function */
+ .quote = NULL, /* no quoting function */
+ .version_report = dnsdb_version_report /* version reporting */
};
#ifdef DYNLOOKUP
git://git.exim.org / exim.git / blobdiff