From d29958261a3df80f5cf0e98b1cd307790a92b13b Mon Sep 17 00:00:00 2001 From: Lennart Poettering Date: Fri, 5 Mar 2021 17:48:43 +0100 Subject: [PATCH] resolved: tighten checks in dns_resource_record_get_cname_target() Let's refuse to consider CNAME/DNAME replies matching for RR types where that is not really conceptually allow (i.e. on CNAME/DNAME lookups themselves). (And add a similar check to dns_resource_key_match_cname_or_dname() too, which implements a smilar match) --- src/resolve/resolved-dns-rr.c | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/src/resolve/resolved-dns-rr.c b/src/resolve/resolved-dns-rr.c index 823117e5c9..7e76e0c6cc 100644 --- a/src/resolve/resolved-dns-rr.c +++ b/src/resolve/resolved-dns-rr.c @@ -244,6 +244,9 @@ int dns_resource_key_match_cname_or_dname(const DnsResourceKey *key, const DnsRe if (cname->class != key->class && key->class != DNS_CLASS_ANY) return 0; + if (!dns_type_may_redirect(key->type)) + return 0; + if (cname->type == DNS_TYPE_CNAME) r = dns_name_equal(dns_resource_key_name(key), dns_resource_key_name(cname)); else if (cname->type == DNS_TYPE_DNAME) @@ -1743,9 +1746,16 @@ int dns_resource_record_get_cname_target(DnsResourceKey *key, DnsResourceRecord assert(key); assert(cname); + /* Checks if the RR `cname` is a CNAME/DNAME RR that matches the specified `key`. If so, returns the + * target domain. If not, returns -EUNATCH */ + if (key->class != cname->key->class && key->class != DNS_CLASS_ANY) return -EUNATCH; + if (!dns_type_may_redirect(key->type)) /* This key type is not subject to CNAME/DNAME redirection? + * Then let's refuse right-away */ + return -EUNATCH; + if (cname->key->type == DNS_TYPE_CNAME) { r = dns_name_equal(dns_resource_key_name(key), dns_resource_key_name(cname->key)); -- 2.25.1
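Review bot: The new `dns_type_may_redirect(key->type)` guard in dns_resource_key_match_cname_or_dname() has no comment, and its effect on wildcard keys is not obvious. The class test just above still lets `DNS_CLASS_ANY` through, while the type test presumably now rejects a `DNS_TYPE_ANY` key if the helper treats pseudo-types as non-redirectable (its definition is not part of this diff). A one-line comment would record the intent, for example `/* CNAME/DNAME redirection does not apply to this key type, so no CNAME/DNAME key can match it */`. The diffstat shows only this file changed, so a unit test asserting that a CNAME- or DNAME-typed key yields 0 here would keep the tightened response matching from regressing. The function's body begins and ends outside the hunk.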
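Review bot: The block comment added at the top of dns_resource_record_get_cname_target() says a non-match returns -EUNATCH, but the `r = dns_name_equal(...)` call below it can presumably fail with its own negative errno, so the comment should say that other errors are passed through (the rest of the body is outside the hunk, so this is inferred). The trailing comment on the `if (!dns_type_may_redirect(key->type))` line wraps onto a second line and sits between the condition and its unbraced `return`, which is easy to misread; it reads better above the condition, as `/* This key type is never subject to CNAME/DNAME redirection, refuse right away. */`. The class and type gating here also duplicates dns_resource_key_match_cname_or_dname() with a different return convention (0 there, -EUNATCH here), so a small shared helper would keep the two checks from drifting apart.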