{
int len = Ustrlen(domain);
int asize = size; /* Locally modified */
-uschar name[256];
+uschar * name;
uschar utilname[256];
uschar *aptr = answerptr; /* Locally modified */
struct stat statbuf;
/* Remove terminating dot. */
if (domain[len - 1] == '.') len--;
-Ustrncpy(name, domain, len);
-name[len] = 0;
+name = string_copyn(domain, len);
/* Look for the fakens utility, and if it exists, call it. */
if (Ustrchr(string, ':') == NULL)
#endif
{
- int i;
- for (i = 0; i < 4; i++)
+ for (int i = 0; i < 4; i++)
{
const uschar *ppp = p;
while (ppp > string && ppp[-1] != '.') ppp--;
*pp++ = '.';
p = ppp - 1;
}
- Ustrcpy(pp, "in-addr.arpa");
+ Ustrcpy(pp, US"in-addr.arpa");
}
/* Handle IPv6 address; convert to binary so as to fill out any
#if HAVE_IPV6
else
{
- int i;
int v6[4];
(void)host_aton(string, v6);
nibble, and look in the ip6.int domain. The domain was subsequently
changed to ip6.arpa. */
- for (i = 3; i >= 0; i--)
- {
- int j;
- for (j = 0; j < 32; j += 4)
+ for (int i = 3; i >= 0; i--)
+ for (int j = 0; j < 32; j += 4)
pp += sprintf(CS pp, "%x.", (v6[i] >> j) & 15);
- }
- Ustrcpy(pp, "ip6.arpa.");
+ Ustrcpy(pp, US"ip6.arpa.");
/* Another way of doing IPv6 reverse lookups was proposed in conjunction
with A6 records. However, it fell out of favour when they did. The
Ustrcpy(pp, "\\[x");
pp += 3;
- for (i = 0; i < 4; i++)
+ for (int i = 0; i < 4; i++)
{
sprintf(pp, "%08X", v6[i]);
pp += 8;
}
- Ustrcpy(pp, "].ip6.arpa.");
+ Ustrcpy(pp, US"].ip6.arpa.");
**************************************************/
}
/* Return a pointer to the dns_record structure within the dns_answer. This is
for convenience so that the scans can use nice-looking for loops. */
+TRACE debug_printf("%s: return %s\n", __FUNCTION__, dns_text_type(dnss->srr.type));
return &dnss->srr;
null_return:
dns_extract_auth_name(const dns_answer * dnsa) /* FIXME: const dns_answer */
{
dns_scan dnss;
-dns_record * rr;
const HEADER * h = (const HEADER *) dnsa->answer;
if (h->nscount && h->aa)
- for (rr = dns_next_rr(dnsa, &dnss, RESET_AUTHORITY);
+ for (dns_record * rr = dns_next_rr(dnsa, &dnss, RESET_AUTHORITY);
rr; rr = dns_next_rr(dnsa, &dnss, RESET_NEXT))
if (rr->type == (h->ancount ? T_NS : T_SOA))
return string_copy(rr->name);
dns_fail_tag(uschar * buf, const uschar * name, int dns_type)
{
res_state resp = os_get_dns_resolver_res();
+
+/*XX buf needs to be 255 +1 + (max(typetext) == 5) +1 + max(chars_for_long-max) +1
+We truncate the name here for safety... could use a dynamic string. */
+
sprintf(CS buf, "%.255s-%s-%lx", name, dns_text_type(dns_type),
(unsigned long) resp->options);
}
Arguments:
name the domain name
type the lookup type
+ expiry time TTL expires, or zero for unlimited
rc the return code
Returns: the return code
*/
+/*XXX the derivation of this value needs explaining */
+#define DNS_FAILTAG_MAX 290
+
static int
-dns_return(const uschar * name, int type, int rc)
+dns_fail_return(const uschar * name, int type, time_t expiry, int rc)
{
-tree_node *node = store_get_perm(sizeof(tree_node) + 290);
-dns_fail_tag(node->name, name, type);
-node->data.val = rc;
-(void)tree_insertnode(&tree_dns_fails, node);
+uschar node_name[DNS_FAILTAG_MAX];
+tree_node * previous, * new;
+expiring_data * e;
+
+dns_fail_tag(node_name, name, type);
+if ((previous = tree_search(tree_dns_fails, node_name)))
+ e = previous->data.ptr;
+else
+ {
+ new = store_get_perm(
+ sizeof(tree_node) + DNS_FAILTAG_MAX + sizeof(expiring_data), is_tainted(name));
+
+ dns_fail_tag(new->name, name, type);
+ e = (expiring_data *)((char *)new + sizeof(tree_node) + DNS_FAILTAG_MAX);
+ new->data.ptr = e;
+ (void)tree_insertnode(&tree_dns_fails, new);
+ }
+
+DEBUG(D_dns) debug_printf(" %s neg-cache entry for %s, ttl %d\n",
+ previous ? "update" : "writing",
+ node_name, expiry ? (int)(expiry - time(NULL)) : -1);
+e->expiry = expiry;
+e->data.val = rc;
return rc;
}
+
+/* Return the cached result of a known-bad lookup, or -1.
+*/
+static int
+dns_fail_cache_hit(const uschar * name, int type)
+{
+uschar node_name[DNS_FAILTAG_MAX];
+tree_node * previous;
+expiring_data * e;
+int val, rc;
+
+dns_fail_tag(node_name, name, type);
+if (!(previous = tree_search(tree_dns_fails, node_name)))
+ return -1;
+
+e = previous->data.ptr;
+val = e->data.val;
+rc = e->expiry && e->expiry <= time(NULL) ? -1 : val;
+
+DEBUG(D_dns) debug_printf("DNS lookup of %.255s-%s: %scached value %s%s\n",
+ name, dns_text_type(type),
+ rc == -1 ? "" : "using ",
+ val == DNS_NOMATCH ? "DNS_NOMATCH" :
+ val == DNS_NODATA ? "DNS_NODATA" :
+ val == DNS_AGAIN ? "DNS_AGAIN" :
+ val == DNS_FAIL ? "DNS_FAIL" : "??",
+ rc == -1 ? " past valid time" : "");
+
+return rc;
+}
+
+
+
+/* Return the TTL suitable for an NXDOMAIN result, which is given
+in the SOA. We hope that one was returned in the lookup, and do not
+bother doing a separate lookup; if not found return a forever TTL.
+*/
+
+static time_t
+dns_expire_from_soa(dns_answer * dnsa)
+{
+const HEADER * h = (const HEADER *)dnsa->answer;
+dns_scan dnss;
+
+/* This is really gross. The successful return value from res_search() is
+the packet length, which is stored in dnsa->answerlen. If we get a
+negative DNS reply then res_search() returns -1, which causes the bounds
+checks for name decompression to fail when it is treated as a packet
+length, which in turn causes the authority search to fail. The correct
+packet length has been lost inside libresolv, so we have to guess a
+replacement value. (The only way to fix this properly would be to
+re-implement res_search() and res_query() so that they don't muddle their
+success and packet length return values.) For added safety we only reset
+the packet length if the packet header looks plausible. */
+
+if ( h->qr == 1 && h->opcode == QUERY && h->tc == 0
+ && (h->rcode == NOERROR || h->rcode == NXDOMAIN)
+ && (ntohs(h->qdcount) == 1 || f.running_in_test_harness)
+ && ntohs(h->ancount) == 0
+ && ntohs(h->nscount) >= 1)
+ dnsa->answerlen = sizeof(dnsa->answer);
+
+for (dns_record * rr = dns_next_rr(dnsa, &dnss, RESET_AUTHORITY);
+ rr; rr = dns_next_rr(dnsa, &dnss, RESET_NEXT)
+ ) if (rr->type == T_SOA)
+ {
+ const uschar * p = rr->data;
+ uschar discard_buf[256];
+ int len;
+ unsigned long ttl;
+
+ /* Skip the mname & rname strings */
+
+ if ((len = dn_expand(dnsa->answer, dnsa->answer + dnsa->answerlen,
+ p, (DN_EXPAND_ARG4_TYPE)discard_buf, 256)) < 0)
+ break;
+ p += len;
+ if ((len = dn_expand(dnsa->answer, dnsa->answer + dnsa->answerlen,
+ p, (DN_EXPAND_ARG4_TYPE)discard_buf, 256)) < 0)
+ break;
+ p += len;
+
+ /* Skip the SOA serial, refresh, retry & expire. Grab the TTL */
+
+ if (p > dnsa->answer + dnsa->answerlen - 5 * NS_INT32SZ)
+ break;
+ p += 4 * NS_INT32SZ;
+ GETLONG(ttl, p);
+
+ return time(NULL) + ttl;
+ }
+DEBUG(D_dns) debug_printf("DNS: no SOA record found for neg-TTL\n");
+return 0;
+}
+
+
/*************************************************
* Do basic DNS lookup *
*************************************************/
providing a list of domains for which this is treated as a non-existent
host.
+The dns_answer structure is pretty big; enough to hold a max-sized DNS message
+- so best allocated from fast-release memory. As of writing, all our callers
+use a stack-auto variable.
+
Arguments:
dnsa pointer to dns_answer structure
name name to look up
*/
int
-dns_basic_lookup(dns_answer *dnsa, const uschar *name, int type)
+dns_basic_lookup(dns_answer * dnsa, const uschar * name, int type)
{
+int rc;
#ifndef STAND_ALONE
-int rc = -1;
-const uschar *save_domain;
+const uschar * save_domain;
#endif
-tree_node *previous;
-uschar node_name[290];
-
/* DNS lookup failures of any kind are cached in a tree. This is mainly so that
a timeout on one domain doesn't happen time and time again for messages that
have many addresses in the same domain. We rely on the resolver and name server
-caching for successful lookups. */
+caching for successful lookups.
+*/
-dns_fail_tag(node_name, name, type);
-if ((previous = tree_search(tree_dns_fails, node_name)))
- {
- DEBUG(D_dns) debug_printf("DNS lookup of %.255s-%s: using cached value %s\n",
- name, dns_text_type(type),
- previous->data.val == DNS_NOMATCH ? "DNS_NOMATCH" :
- previous->data.val == DNS_NODATA ? "DNS_NODATA" :
- previous->data.val == DNS_AGAIN ? "DNS_AGAIN" :
- previous->data.val == DNS_FAIL ? "DNS_FAIL" : "??");
- return previous->data.val;
- }
+if ((rc = dns_fail_cache_hit(name, type)) > 0)
+ return rc;
#ifdef SUPPORT_I18N
/* Convert all names to a-label form before doing lookup */
DEBUG(D_dns)
debug_printf("DNS name '%s' utf8 conversion to alabel failed: %s\n", name,
errstr);
- host_find_failed_syntax = TRUE;
+ f.host_find_failed_syntax = TRUE;
return DNS_NOMATCH;
}
name = alabel;
bitstring labels don't conform to normal name syntax. (But the aren't used any
more.)
-For SRV records, we omit the initial _smtp._tcp. components at the start. */
+For SRV records, we omit the initial _smtp._tcp. components at the start.
+The check has been seen to bite on the destination of a SRV lookup that
+initiall hit a CNAME, for which the next name had only two components.
+RFC2782 makes no mention of the possibiility of CNAMES, but the Wikipedia
+article on SRV says they are not a valid configuration. */
#ifndef STAND_ALONE /* Omit this for stand-alone tests */
if (type == T_SRV || type == T_TLSA)
{
- while (*checkname++ != '.');
- while (*checkname++ != '.');
+ while (*checkname && *checkname++ != '.') ;
+ while (*checkname && *checkname++ != '.') ;
}
if (pcre_exec(regex_check_dns_names, NULL, CCS checkname, Ustrlen(checkname),
DEBUG(D_dns)
debug_printf("DNS name syntax check failed: %s (%s)\n", name,
dns_text_type(type));
- host_find_failed_syntax = TRUE;
+ f.host_find_failed_syntax = TRUE;
return DNS_NOMATCH;
}
}
(res_search), we call fakens_search(), which recognizes certain special
domains, and interfaces to a fake nameserver for certain special zones. */
-dnsa->answerlen = running_in_test_harness
+dnsa->answerlen = f.running_in_test_harness
? fakens_search(name, type, dnsa->answer, sizeof(dnsa->answer))
: res_search(CCS name, C_IN, type, dnsa->answer, sizeof(dnsa->answer));
case HOST_NOT_FOUND:
DEBUG(D_dns) debug_printf("DNS lookup of %s (%s) gave HOST_NOT_FOUND\n"
"returning DNS_NOMATCH\n", name, dns_text_type(type));
- return dns_return(name, type, DNS_NOMATCH);
+ return dns_fail_return(name, type, dns_expire_from_soa(dnsa), DNS_NOMATCH);
case TRY_AGAIN:
DEBUG(D_dns) debug_printf("DNS lookup of %s (%s) gave TRY_AGAIN\n",
if (rc != OK)
{
DEBUG(D_dns) debug_printf("returning DNS_AGAIN\n");
- return dns_return(name, type, DNS_AGAIN);
+ return dns_fail_return(name, type, 0, DNS_AGAIN);
}
DEBUG(D_dns) debug_printf("%s is in dns_again_means_nonexist: returning "
"DNS_NOMATCH\n", name);
- return dns_return(name, type, DNS_NOMATCH);
+ return dns_fail_return(name, type, dns_expire_from_soa(dnsa), DNS_NOMATCH);
#else /* For stand-alone tests */
- return dns_return(name, type, DNS_AGAIN);
+ return dns_fail_return(name, type, 0, DNS_AGAIN);
#endif
case NO_RECOVERY:
DEBUG(D_dns) debug_printf("DNS lookup of %s (%s) gave NO_RECOVERY\n"
"returning DNS_FAIL\n", name, dns_text_type(type));
- return dns_return(name, type, DNS_FAIL);
+ return dns_fail_return(name, type, 0, DNS_FAIL);
case NO_DATA:
DEBUG(D_dns) debug_printf("DNS lookup of %s (%s) gave NO_DATA\n"
"returning DNS_NODATA\n", name, dns_text_type(type));
- return dns_return(name, type, DNS_NODATA);
+ return dns_fail_return(name, type, dns_expire_from_soa(dnsa), DNS_NODATA);
default:
DEBUG(D_dns) debug_printf("DNS lookup of %s (%s) gave unknown DNS error %d\n"
"returning DNS_FAIL\n", name, dns_text_type(type), h_errno);
- return dns_return(name, type, DNS_FAIL);
+ return dns_fail_return(name, type, 0, DNS_FAIL);
}
DEBUG(D_dns) debug_printf("DNS lookup of %s (%s) succeeded\n",
dns_lookup(dns_answer *dnsa, const uschar *name, int type,
const uschar **fully_qualified_name)
{
-int i;
const uschar *orig_name = name;
BOOL secure_so_far = TRUE;
but no further... The testsuite tests the latter case, mostly assuming that the
former will work. */
-for (i = 0; i <= dns_cname_loops; i++)
+for (int i = 0; i <= dns_cname_loops; i++)
{
uschar * data;
- dns_record *rr, cname_rr, type_rr;
+ dns_record cname_rr, type_rr;
dns_scan dnss;
- int datalen, rc;
+ int rc;
/* DNS lookup failures get passed straight back. */
area in the dnsa block. */
cname_rr.data = type_rr.data = NULL;
- for (rr = dns_next_rr(dnsa, &dnss, RESET_ANSWERS);
+ for (dns_record * rr = dns_next_rr(dnsa, &dnss, RESET_ANSWERS);
rr; rr = dns_next_rr(dnsa, &dnss, RESET_NEXT))
if (rr->type == type)
{
if (!cname_rr.data)
return DNS_FAIL;
- data = store_get(256);
- if ((datalen = dn_expand(dnsa->answer, dnsa->answer + dnsa->answerlen,
- cname_rr.data, (DN_EXPAND_ARG4_TYPE)data, 256)) < 0)
+ /* DNS data comes from the outside, hence tainted */
+ data = store_get(256, TRUE);
+ if (dn_expand(dnsa->answer, dnsa->answer + dnsa->answerlen,
+ cname_rr.data, (DN_EXPAND_ARG4_TYPE)data, 256) < 0)
return DNS_FAIL;
name = data;
&& (h->rcode == NOERROR || h->rcode == NXDOMAIN)
&& ntohs(h->qdcount) == 1 && ntohs(h->ancount) == 0
&& ntohs(h->nscount) >= 1)
- dnsa->answerlen = MAXPACKET;
+ dnsa->answerlen = sizeof(dnsa->answer);
for (rr = dns_next_rr(dnsa, &dnss, RESET_AUTHORITY);
rr; rr = dns_next_rr(dnsa, &dnss, RESET_NEXT)
uschar *p = US rr->data;
if (p + 4 <= dnsa_lim)
{
- yield = store_get(sizeof(dns_address) + 20);
+ /* the IP is not regarded as tainted */
+ yield = store_get(sizeof(dns_address) + 20, FALSE);
(void)sprintf(CS yield->address, "%d.%d.%d.%d", p[0], p[1], p[2], p[3]);
yield->next = NULL;
}
if (rr->data + 16 <= dnsa_lim)
{
struct in6_addr in6;
- int i;
- for (i = 0; i < 16; i++) in6.s6_addr[i] = rr->data[i];
- yield = store_get(sizeof(dns_address) + 50);
+ for (int i = 0; i < 16; i++) in6.s6_addr[i] = rr->data[i];
+ yield = store_get(sizeof(dns_address) + 50, FALSE);
inet_ntop(AF_INET6, &in6, CS yield->address, 50);
yield->next = NULL;
}