Commit messages

The NSEC type itself must at least be in the bitmap, so NSEC records with empty
bitmaps must be bogus.

We were tracking the bit offset inside each byte, rather than inside the whole bitmap.

We were counting the number of bits set rather than the number of bytes they occupied.

A size_t was being accessed as a char* due to the order of arguments being inverted.

We were appending rather than reading the bitmap.

We can never read past the end of the packet, so this seems impossible
to exploit, but let's error out early as reading past the end of the
current RR is clearly an error.
Found by Lennart, based on patch by Daniel.

Rename the field to make this clearer.

Most blobs (keys, signatures, ...) should have a specific size given by
the relevant algorithm. However, as we don't use/verify the algorithms
yet, let's just ensure that we don't read out zero-length data in cases
where this does not make sense.
The only exceptions, where zero-length data is allowed, are in the NSEC3
salt field, and the generic data (which we don't know anything about,
so better not make any assumptions).

resolve: unify memdup() code when parsing RRs

dns_packet_append_type_window()

Let's make dns_packet_read_public_key() more generic by renaming it to
dns_packet_read_memdup() (which more accurately describes what it
does...). Then, patch all cases where we memdup() RR data to use this
new call.
This specifically checks for zero-length objects, and handles them
gracefully. It will set zero length payload fields as a result.
Special care should be taken to ensure that any code using this call
can handle the returned allocated field to be NULL if the size is
specified as 0!

Reuse the Iterator object from hashmap.h and expose a similar API.
This allows us to do
    {
        Iterator i;
        unsigned n;
        BITMAP_FOREACH(n, b, i) {
            Iterator j;
            unsigned m;
            BITMAP_FOREACH(m, b, j) {
                ...
            }
        }
    }
without getting confused. Requested by David.

Needed for DNSSEC.

Needed for DNSSEC.

resolved: minor improvements to RR handling

Needed for DNSSEC.

Currently we only make sure our links can handle the size of the payload without
taking the headers into account.

Make all LLMNR related packet inspections conditional to p->protocol.
Use switch-case statements while at it, which will make future additions
more readable.

The key tag is 16, not 8 bits.

https://github.com/vlajos/misspell_fixer
https://github.com/torstehu/systemd/commit/b6fdeb618cf2f3ce1645b3315f15f482710c7ffa
Thanks to Torstein Husebo <torstein@huseboe.net>.

section 6.1
The RFC says to encode a single empty TXT string instead of an empty
TXT array. It also says to treat a zero-length TXT RR as a TXT array
with a single zero-length string.

TXT records should have at least one character, so enforce this.
Before 0f84a72 parser SIGSEGV'd on ->txt.strings being NULL, but
even if this is fixed we should reject invalid TXT records.

Set the error code in case of incorrect name. This prevents continuing
and failing an assert(name) later on.

Loops in RR compression were only detected for the first entry.
Multiple redirections should be allowed, each one checking for an
infinite loop on its own starting point.
Also update the pointer on each redirection to avoid longer loops of
labels and redirections, in names like:
(start) [len=1] "A", [ptr to start]
(David: rename variable to "jump_barrier" and add reference to RFC)

It is redundant to store 'hash' and 'compare' function pointers in
struct Hashmap separately. The functions always comprise a pair.
Store a single pointer to struct hash_ops instead.
systemd keeps hundreds of hashmaps, so this saves a little bit of
memory.

Make sure we format UTF-8 labels as IDNA when writing them to DNS
packets, and as native UTF-8 when writing them to mDNS or LLMNR packets.
When comparing or processing labels always consider native UTF-8 and
IDNA formats equivalent.

LOC records have a version field. So far only version 0 has been
published, but if a record with a different version was encountered,
our only recourse is to treat it as an unknown type. This is
implemented with the 'unparseable' flag, which causes the
serialization/deserialization and printing function to treat the
record as a blob. The flag can be used if other packet types cannot be
parsed for whatever reason.

Name defending is still missing.