X-Git-Url: https://git.exim.org/exim.git/blobdiff_plain/a713f76692228165883d92875fbad3bfb89c001e..107077d7fd6736711bf5cd980221723401d37c51:/src/src/dns.c diff --git a/src/src/dns.c b/src/src/dns.c index 7736a2204..a652dcd31 100644 --- a/src/src/dns.c +++ b/src/src/dns.c @@ -2,8 +2,10 @@ * Exim - an Internet mail transport agent * *************************************************/ +/* Copyright (c) The Exim Maintainers 2020 - 2023 */ /* Copyright (c) University of Cambridge 1995 - 2018 */ /* See the file NOTICE for conditions of use and distribution. */ +/* SPDX-License-Identifier: GPL-2.0-or-later */ /* Functions for interfacing with the DNS. */ @@ -60,7 +62,8 @@ if (stat(CS utilname, &statbuf) >= 0) int infd, outfd, rc; uschar *argv[5]; - DEBUG(D_dns) debug_printf("DNS lookup of %s (%s) using fakens\n", name, dns_text_type(type)); + DEBUG(D_dns) debug_printf("DNS lookup of %s (%s) using fakens\n", + name, dns_text_type(type)); argv[0] = utilname; argv[1] = config_main_directory; @@ -68,7 +71,7 @@ if (stat(CS utilname, &statbuf) >= 0) argv[3] = dns_text_type(type); argv[4] = NULL; - pid = child_open(argv, NULL, 0000, &infd, &outfd, FALSE); + pid = child_open(argv, NULL, 0000, &infd, &outfd, FALSE, US"fakens-search"); if (pid < 0) log_write(0, LOG_MAIN|LOG_PANIC_DIE, "failed to run fakens: %s", strerror(errno)); @@ -221,16 +224,15 @@ a name that can be used to look up PTR records. Arguments: string the IP address as a string - buffer a suitable buffer, long enough to hold the result -Returns: nothing +Returns: an allocated string */ -void -dns_build_reverse(const uschar *string, uschar *buffer) +uschar * +dns_build_reverse(const uschar * string) { -const uschar *p = string + Ustrlen(string); -uschar *pp = buffer; +const uschar * p = string + Ustrlen(string); +gstring * g = NULL; /* Handle IPv4 address */ @@ -240,14 +242,13 @@ if (Ustrchr(string, ':') == NULL) { for (int i = 0; i < 4; i++) { - const uschar *ppp = p; + const uschar * ppp = p; while (ppp > string && ppp[-1] != '.') ppp--; - Ustrncpy(pp, ppp, p - ppp); - pp += p - ppp; - *pp++ = '.'; + g = string_catn(g, ppp, p - ppp); + g = string_catn(g, US".", 1); p = ppp - 1; } - Ustrcpy(pp, US"in-addr.arpa"); + g = string_catn(g, US"in-addr.arpa", 12); } /* Handle IPv6 address; convert to binary so as to fill out any @@ -257,6 +258,8 @@ abbreviation in the textual form. */ else { int v6[4]; + + g = string_get_tainted(32, string); (void)host_aton(string, v6); /* The original specification for IPv6 reverse lookup was to invert each @@ -265,8 +268,8 @@ else for (int i = 3; i >= 0; i--) for (int j = 0; j < 32; j += 4) - pp += sprintf(CS pp, "%x.", (v6[i] >> j) & 15); - Ustrcpy(pp, US"ip6.arpa."); + g = string_fmt_append(g, "%x.", (v6[i] >> j) & 15); + g = string_catn(g, US"ip6.arpa.", 9); /* Another way of doing IPv6 reverse lookups was proposed in conjunction with A6 records. However, it fell out of favour when they did. The @@ -290,18 +293,29 @@ else } #endif +return string_from_gstring(g); } +/* Check a pointer for being past the end of a dns answer. +Exactly one past the end is defined as ok. +Return TRUE iff bad. +*/ +static BOOL +dnsa_bad_ptr(const dns_answer * dnsa, const uschar * ptr) +{ +return ptr > dnsa->answer + dnsa->answerlen; +} + /* Increment the aptr in dnss, checking against dnsa length. Return: TRUE for a bad result */ static BOOL dnss_inc_aptr(const dns_answer * dnsa, dns_scan * dnss, unsigned delta) { -return (dnss->aptr += delta) >= dnsa->answer + dnsa->answerlen; +return dnsa_bad_ptr(dnsa, dnss->aptr += delta); } /************************************************* @@ -331,7 +345,6 @@ char * trace = NULL; #ifdef rr_trace # define TRACE DEBUG(D_dns) #else -trace = trace; # define TRACE if (FALSE) #endif @@ -382,11 +395,15 @@ if (reset != RESET_NEXT) namelen = dn_expand(dnsa->answer, dnsa->answer + dnsa->answerlen, dnss->aptr, (DN_EXPAND_ARG4_TYPE) &dnss->srr.name, DNS_MAXNAME); if (namelen < 0) goto null_return; + /* skip name, type, class & TTL */ TRACE trace = "A-hdr"; if (dnss_inc_aptr(dnsa, dnss, namelen+8)) goto null_return; + + if (dnsa_bad_ptr(dnsa, dnss->aptr + sizeof(uint16_t))) goto null_return; GETSHORT(dnss->srr.size, dnss->aptr); /* size of data portion */ - /* skip over it */ + + /* skip over it, checking for a bogus size */ TRACE trace = "A-skip"; if (dnss_inc_aptr(dnsa, dnss, dnss->srr.size)) goto null_return; } @@ -419,17 +436,22 @@ from the following bytes. */ TRACE trace = "R-name"; if (dnss_inc_aptr(dnsa, dnss, namelen)) goto null_return; -GETSHORT(dnss->srr.type, dnss->aptr); /* Record type */ +/* Check space for type, class, TTL & data-size-word */ +if (dnsa_bad_ptr(dnsa, dnss->aptr + 3 * sizeof(uint16_t) + sizeof(uint32_t))) + goto null_return; + +GETSHORT(dnss->srr.type, dnss->aptr); /* Record type */ + TRACE trace = "R-class"; -if (dnss_inc_aptr(dnsa, dnss, 2)) goto null_return; /* Don't want class */ -GETLONG(dnss->srr.ttl, dnss->aptr); /* TTL */ -GETSHORT(dnss->srr.size, dnss->aptr); /* Size of data portion */ -dnss->srr.data = dnss->aptr; /* The record's data follows */ +(void) dnss_inc_aptr(dnsa, dnss, sizeof(uint16_t)); /* skip class */ -/* Unchecked increment ok here since no further access on this iteration; -will be checked on next at "R-name". */ +GETLONG(dnss->srr.ttl, dnss->aptr); /* TTL */ +GETSHORT(dnss->srr.size, dnss->aptr); /* Size of data portion */ +dnss->srr.data = dnss->aptr; /* The record's data follows */ -dnss->aptr += dnss->srr.size; /* Advance to next RR */ +/* skip over it, checking for a bogus size */ +if (dnss_inc_aptr(dnsa, dnss, dnss->srr.size)) + goto null_return; /* Return a pointer to the dns_record structure within the dns_answer. This is for convenience so that the scans can use nice-looking for loops. */ @@ -499,6 +521,8 @@ const uschar * auth_name; const uschar * trusted; if (dnsa->answerlen < 0) return FALSE; +/* Beware that newer versions of glibc on Linux will filter out the ad bit +unless their shiny new RES_TRUSTAD bit is set for the resolver. */ if (h->ad) return TRUE; /* If the resolver we ask is authoritative for the domain in question, it may @@ -511,7 +535,7 @@ if ( !h->aa || !(trusted = expand_string(dns_trust_aa)) || !*trusted || !(auth_name = dns_extract_auth_name(dnsa)) - || OK != match_isinlist(auth_name, &trusted, 0, NULL, NULL, + || OK != match_isinlist(auth_name, &trusted, 0, &domainlist_anchor, NULL, MCL_DOMAIN, TRUE, NULL) ) return FALSE; @@ -633,7 +657,7 @@ if ((previous = tree_search(tree_dns_fails, node_name))) e = previous->data.ptr; else { - e = store_get_perm(DNS_FAILNODE_SIZE, is_tainted(name)); + e = store_get_perm(DNS_FAILNODE_SIZE, name); new = (void *)(e+1); dns_fail_tag(new->name, name, type); new->data.ptr = e; @@ -667,13 +691,10 @@ e = previous->data.ptr; val = e->data.val; rc = e->expiry && e->expiry <= time(NULL) ? -1 : val; -DEBUG(D_dns) debug_printf("DNS lookup of %.255s-%s: %scached value %s%s\n", +DEBUG(D_dns) debug_printf("DNS lookup of %.255s (%s): %scached value %s%s\n", name, dns_text_type(type), rc == -1 ? "" : "using ", - val == DNS_NOMATCH ? "DNS_NOMATCH" : - val == DNS_NODATA ? "DNS_NODATA" : - val == DNS_AGAIN ? "DNS_AGAIN" : - val == DNS_FAIL ? "DNS_FAIL" : "??", + dns_rc_names[val], rc == -1 ? " past valid time" : ""); return rc; @@ -690,9 +711,11 @@ packet length has been lost inside libresolv, so we have to guess a replacement value. (The only way to fix this properly would be to re-implement res_search() and res_query() so that they don't muddle their success and packet length return values.) For added safety we only reset -the packet length if the packet header looks plausible. */ +the packet length if the packet header looks plausible. -static void +Return TRUE iff it seemed ok */ + +static BOOL fake_dnsa_len_for_fail(dns_answer * dnsa, int type) { const HEADER * h = (const HEADER *)dnsa->answer; @@ -709,7 +732,11 @@ if ( h->qr == 1 /* a response */ DEBUG(D_dns) debug_printf("faking res_search(%s) response length as %d\n", dns_text_type(type), (int)sizeof(dnsa->answer)); dnsa->answerlen = sizeof(dnsa->answer); + return TRUE; } +DEBUG(D_dns) debug_printf("DNS: couldn't fake dnsa len\n"); +/* Maybe we should just do a second lookup for an SOA? */ +return FALSE; } @@ -723,37 +750,37 @@ dns_expire_from_soa(dns_answer * dnsa, int type) { dns_scan dnss; -fake_dnsa_len_for_fail(dnsa, type); +if (fake_dnsa_len_for_fail(dnsa, type)) + for (dns_record * rr = dns_next_rr(dnsa, &dnss, RESET_AUTHORITY); + rr; rr = dns_next_rr(dnsa, &dnss, RESET_NEXT) + ) if (rr->type == T_SOA) + { + const uschar * p = rr->data; + uschar discard_buf[256]; + int len; + unsigned long ttl; + + /* Skip the mname & rname strings */ + + if ((len = dn_expand(dnsa->answer, dnsa->answer + dnsa->answerlen, + p, (DN_EXPAND_ARG4_TYPE)discard_buf, sizeof(discard_buf))) < 0) + break; + p += len; + if ((len = dn_expand(dnsa->answer, dnsa->answer + dnsa->answerlen, + p, (DN_EXPAND_ARG4_TYPE)discard_buf, sizeof(discard_buf))) < 0) + break; + p += len; + + /* Skip the SOA serial, refresh, retry & expire. Grab the TTL */ + + if (dnsa_bad_ptr(dnsa, p + 5 * INT32SZ)) + break; + p += 4 * INT32SZ; + GETLONG(ttl, p); + + return time(NULL) + ttl; + } -for (dns_record * rr = dns_next_rr(dnsa, &dnss, RESET_AUTHORITY); - rr; rr = dns_next_rr(dnsa, &dnss, RESET_NEXT) - ) if (rr->type == T_SOA) - { - const uschar * p = rr->data; - uschar discard_buf[256]; - int len; - unsigned long ttl; - - /* Skip the mname & rname strings */ - - if ((len = dn_expand(dnsa->answer, dnsa->answer + dnsa->answerlen, - p, (DN_EXPAND_ARG4_TYPE)discard_buf, 256)) < 0) - break; - p += len; - if ((len = dn_expand(dnsa->answer, dnsa->answer + dnsa->answerlen, - p, (DN_EXPAND_ARG4_TYPE)discard_buf, 256)) < 0) - break; - p += len; - - /* Skip the SOA serial, refresh, retry & expire. Grab the TTL */ - - if (p > dnsa->answer + dnsa->answerlen - 5 * INT32SZ) - break; - p += 4 * INT32SZ; - GETLONG(ttl, p); - - return time(NULL) + ttl; - } DEBUG(D_dns) debug_printf("DNS: no SOA record found for neg-TTL\n"); return 0; } @@ -794,6 +821,7 @@ dns_basic_lookup(dns_answer * dnsa, const uschar * name, int type) int rc; #ifndef STAND_ALONE const uschar * save_domain; +static BOOL try_again_recursion = FALSE; #endif /* DNS lookup failures of any kind are cached in a tree. This is mainly so that @@ -843,11 +871,8 @@ more.) */ if (check_dns_names_pattern[0] != 0 && type != T_PTR && type != T_TXT) { - int ovector[3*(EXPAND_MAXN+1)]; - dns_pattern_init(); - if (pcre_exec(regex_check_dns_names, NULL, CCS name, Ustrlen(name), - 0, PCRE_EOPT, ovector, nelem(ovector)) < 0) + if (!regex_match(regex_check_dns_names, name, -1, NULL)) { DEBUG(D_dns) debug_printf("DNS name syntax check failed: %s (%s)\n", name, @@ -901,11 +926,31 @@ if (dnsa->answerlen < 0) switch (h_errno) /* Cut this out for various test programs */ #ifndef STAND_ALONE - save_domain = deliver_domain; - deliver_domain = string_copy(name); /* set $domain */ - rc = match_isinlist(name, (const uschar **)&dns_again_means_nonexist, 0, NULL, NULL, - MCL_DOMAIN, TRUE, NULL); - deliver_domain = save_domain; + /* Permitting dns_again_means nonexist for TLSA lookups breaks the + doewngrade resistance of dane, so avoid for those. */ + + if (type == T_TLSA) + rc = FAIL; + else + { + if (try_again_recursion) + { + log_write(0, LOG_MAIN|LOG_PANIC, + "dns_again_means_nonexist recursion seen for %s" + " (assuming nonexist)", name); + return dns_fail_return(name, type, dns_expire_from_soa(dnsa, type), + DNS_NOMATCH); + } + + try_again_recursion = TRUE; + save_domain = deliver_domain; + deliver_domain = string_copy(name); /* set $domain */ + rc = match_isinlist(name, CUSS &dns_again_means_nonexist, 0, + &domainlist_anchor, NULL, MCL_DOMAIN, TRUE, NULL); + deliver_domain = save_domain; + try_again_recursion = FALSE; + } + if (rc != OK) { DEBUG(D_dns) debug_printf("returning DNS_AGAIN\n"); @@ -1061,7 +1106,7 @@ for (int i = 0; i <= dns_cname_loops; i++) return DNS_FAIL; /* DNS data comes from the outside, hence tainted */ - data = store_get(256, TRUE); + data = store_get(256, GET_TAINTED); if (dn_expand(dnsa->answer, dnsa->answer + dnsa->answerlen, cname_rr.data, (DN_EXPAND_ARG4_TYPE)data, 256) < 0) return DNS_FAIL; @@ -1144,7 +1189,7 @@ switch (type) case T_CSA: { uschar *srvname, *namesuff, *tld; - int priority, weight, port; + int priority, dummy_weight, port; int limit, rc, i; BOOL ipv6; dns_record *rr; @@ -1198,18 +1243,7 @@ switch (type) If the TLD and the 2LD exist but the explicit CSA record lookup failed, then the AUTHORITY SOA will be the 2LD's or a subdomain thereof. */ - if (rc == DNS_NOMATCH) - { - fake_dnsa_len_for_fail(dnsa, T_CSA); - - for (rr = dns_next_rr(dnsa, &dnss, RESET_AUTHORITY); - rr; rr = dns_next_rr(dnsa, &dnss, RESET_NEXT) - ) - if (rr->type != T_SOA) continue; - else if (strcmpic(rr->name, US"") == 0 || - strcmpic(rr->name, tld) == 0) return DNS_NOMATCH; - else break; - } + if (rc == DNS_NOMATCH) return DNS_NOMATCH; for (i = 0; i < limit; i++) { @@ -1243,8 +1277,9 @@ switch (type) const uschar * p = rr->data; /* Extract the numerical SRV fields (p is incremented) */ + if (rr_bad_size(rr, 3 * sizeof(uint16_t))) continue; GETSHORT(priority, p); - GETSHORT(weight, p); weight = weight; /* compiler quietening */ + GETSHORT(dummy_weight, p); GETSHORT(port, p); /* Check the CSA version number */ @@ -1300,7 +1335,7 @@ if (rr->type == T_A) if (p + 4 <= dnsa_lim) { /* the IP is not regarded as tainted */ - yield = store_get(sizeof(dns_address) + 20, FALSE); + yield = store_get(sizeof(dns_address) + 20, GET_UNTAINTED); (void)sprintf(CS yield->address, "%d.%d.%d.%d", p[0], p[1], p[2], p[3]); yield->next = NULL; } @@ -1314,7 +1349,7 @@ else { struct in6_addr in6; for (int i = 0; i < 16; i++) in6.s6_addr[i] = rr->data[i]; - yield = store_get(sizeof(dns_address) + 50, FALSE); + yield = store_get(sizeof(dns_address) + 50, GET_UNTAINTED); inet_ntop(AF_INET6, &in6, CS yield->address, 50); yield->next = NULL; } @@ -1331,7 +1366,7 @@ dns_pattern_init(void) { if (check_dns_names_pattern[0] != 0 && !regex_check_dns_names) regex_check_dns_names = - regex_must_compile(check_dns_names_pattern, FALSE, TRUE); + regex_must_compile(check_dns_names_pattern, MCS_NOFLAGS, TRUE); } /* vi: aw ai sw=2