details: http://hg.nginx.org/nginx/rev/9c96782d9d05
branches:
changeset: 5471:9c96782d9d05
user: Ruslan Ermilov <ru@nginx.com>
date: Fri Dec 06 14:30:27 2013 +0400
description:
Resolver: fixes in A processing.

Verify that class of RR is "IN".
Verify that RR data length is exactly four octets.
Correctly shift to the next RR if RR type is unknown.

diffstat:

src/core/ngx_resolver.c | 41 ++++++++++++++++++++++++++---------------
1 files changed, 26 insertions(+), 15 deletions(-)

diffs (142 lines):

diff -r aebdca7e8f8f -r 9c96782d9d05 src/core/ngx_resolver.c
--- a/src/core/ngx_resolver.c Fri Dec 06 14:30:27 2013 +0400
+++ b/src/core/ngx_resolver.c Fri Dec 06 14:30:27 2013 +0400
@@ -1179,7 +1179,7 @@ ngx_resolver_process_a(ngx_resolver_t *r
uint32_t hash;
in_addr_t addr, *addrs;
ngx_str_t name;
- ngx_uint_t type, qident, naddrs, a, i, n, start;
+ ngx_uint_t type, class, qident, naddrs, a, i, n, start;
ngx_resolver_an_t *an;
ngx_resolver_ctx_t *ctx, *next;
ngx_resolver_node_t *rn;
@@ -1202,6 +1202,7 @@ ngx_resolver_process_a(ngx_resolver_t *r
if (rn == NULL || rn->query == NULL) {
ngx_log_error(r->log_level, r->log, 0,
"unexpected response for %V", &name);
+ ngx_resolver_free(r, name.data);
goto failed;
}

@@ -1211,6 +1212,7 @@ ngx_resolver_process_a(ngx_resolver_t *r
ngx_log_error(r->log_level, r->log, 0,
"wrong ident %ui response for %V, expect %ui",
ident, &name, qident);
+ ngx_resolver_free(r, name.data);
goto failed;
}

@@ -1287,21 +1289,33 @@ ngx_resolver_process_a(ngx_resolver_t *r
an = (ngx_resolver_an_t *) &buf[i];

type = (an->type_hi << 8) + an->type_lo;
+ class = (an->class_hi << 8) + an->class_lo;
len = (an->len_hi << 8) + an->len_lo;
ttl = (an->ttl[0] << 24) + (an->ttl[1] << 16)
+ (an->ttl[2] << 8) + (an->ttl[3]);

+ if (class != 1) {
+ ngx_log_error(r->log_level, r->log, 0,
+ "unexpected RR class %ui", class);
+ goto failed;
+ }
+
if (ttl < 0) {
ttl = 0;
}

+ i += sizeof(ngx_resolver_an_t);
+
switch (type) {

case NGX_RESOLVE_A:

- i += sizeof(ngx_resolver_an_t);
-
- if (i + len > last) {
+ if (len != 4) {
+ err = "invalid A record in DNS response";
+ goto invalid;
+ }
+
+ if (i + 4 > last) {
goto short_response;
}

@@ -1310,21 +1324,16 @@ ngx_resolver_process_a(ngx_resolver_t *r

naddrs++;

- i += len;
-
break;

case NGX_RESOLVE_CNAME:

- cname = &buf[i] + sizeof(ngx_resolver_an_t);
- i += sizeof(ngx_resolver_an_t) + len;
+ cname = &buf[i];

break;

case NGX_RESOLVE_DNAME:

- i += sizeof(ngx_resolver_an_t) + len;
-
break;

default:
@@ -1332,6 +1341,8 @@ ngx_resolver_process_a(ngx_resolver_t *r
ngx_log_error(r->log_level, r->log, 0,
"unexpected RR type %ui", type);
}
+
+ i += len;
}

ngx_log_debug3(NGX_LOG_DEBUG_CORE, r->log, 0,
@@ -1347,7 +1358,7 @@ ngx_resolver_process_a(ngx_resolver_t *r

addrs = ngx_resolver_alloc(r, naddrs * sizeof(in_addr_t));
if (addrs == NULL) {
- return;
+ goto failed;
}

n = 0;
@@ -1395,7 +1406,7 @@ ngx_resolver_process_a(ngx_resolver_t *r
addrs = ngx_resolver_dup(r, rn->u.addrs,
naddrs * sizeof(in_addr_t));
if (addrs == NULL) {
- return;
+ goto failed;
}
}

@@ -1439,7 +1450,7 @@ ngx_resolver_process_a(ngx_resolver_t *r
/* CNAME only */

if (ngx_resolver_copy(r, &name, buf, cname, buf + last) != NGX_OK) {
- return;
+ goto failed;
}

ngx_log_debug1(NGX_LOG_DEBUG_CORE, r->log, 0,
@@ -1467,6 +1478,8 @@ ngx_resolver_process_a(ngx_resolver_t *r
ngx_resolver_free(r, rn->query);
rn->query = NULL;

+ /* unlock name mutex */
+
return;
}

@@ -1490,8 +1503,6 @@ failed:

/* unlock name mutex */

- ngx_resolver_free(r, name.data);
-
return;
}


_______________________________________________
nginx-devel mailing list
nginx-devel@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx-devel