X-Git-Url: https://vcs.fsf.org/?a=blobdiff_plain;f=src%2Fsrc%2Fdns.c;h=8d9ec4708d6a72a695f346901a3bcae6dfa7fe14;hb=b4a15239139c285af7009b4fcc23e1933b19173b;hp=04cb046f465755967d703d547c10b648bd4e730a;hpb=927e32d4e26593314c5c287b3033ed550d648706;p=exim.git diff --git a/src/src/dns.c b/src/src/dns.c index 04cb046f4..8d9ec4708 100644 --- a/src/src/dns.c +++ b/src/src/dns.c @@ -498,13 +498,13 @@ const HEADER * h = (const HEADER *) dnsa->answer; const uschar * auth_name; const uschar * trusted; +if (dnsa->answerlen < 0) return FALSE; if (h->ad) return TRUE; -/* If the resolver we ask is authoritative for the domain in question, it -* may not set the AD but the AA bit. If we explicitly trust -* the resolver for that domain (via a domainlist in dns_trust_aa), -* we return TRUE to indicate a secure answer. -*/ +/* If the resolver we ask is authoritative for the domain in question, it may +not set the AD but the AA bit. If we explicitly trust the resolver for that +domain (via a domainlist in dns_trust_aa), we return TRUE to indicate a secure +answer. */ if ( !h->aa || !dns_trust_aa @@ -540,12 +540,12 @@ h->aa = h->ad = 0; ************************************************/ BOOL -dns_is_aa(const dns_answer *dnsa) +dns_is_aa(const dns_answer * dnsa) { #ifdef DISABLE_DNSSEC return FALSE; #else -return ((const HEADER*)dnsa->answer)->aa; +return dnsa->answerlen >= 0 && ((const HEADER *)dnsa->answer)->aa; #endif } @@ -616,14 +616,10 @@ Arguments: Returns: the return code */ -/*XXX the derivation of this value needs explaining */ +/* we need: 255 +1 + (max(typetext) == 5) +1 + max(chars_for_long-max) +1 */ #define DNS_FAILTAG_MAX 290 -#define alignment \ - (sizeof(void *) > sizeof(double) ? sizeof(void *) : sizeof(double)) -#define align(n) \ - (((((intptr_t)n) + (alignment-1)) / alignment) * alignment) #define DNS_FAILNODE_SIZE \ - align(sizeof(tree_node) + DNS_FAILTAG_MAX + sizeof(expiring_data)) + (sizeof(expiring_data) + sizeof(tree_node) + DNS_FAILTAG_MAX) static int dns_fail_return(const uschar * name, int type, time_t expiry, int rc) @@ -637,10 +633,9 @@ if ((previous = tree_search(tree_dns_fails, node_name))) e = previous->data.ptr; else { - new = store_get_perm(DNS_FAILNODE_SIZE, is_tainted(name)); - + e = store_get_perm(DNS_FAILNODE_SIZE, is_tainted(name)); + new = (void *)(e+1); dns_fail_tag(new->name, name, type); - e = (expiring_data *) align((char *)new + sizeof(tree_node) + DNS_FAILTAG_MAX); new->data.ptr = e; (void)tree_insertnode(&tree_dns_fails, new); } @@ -793,7 +788,10 @@ caching for successful lookups. */ if ((rc = dns_fail_cache_hit(name, type)) > 0) + { + dnsa->answerlen = -1; return rc; + } #ifdef SUPPORT_I18N /* Convert all names to a-label form before doing lookup */ @@ -823,34 +821,17 @@ regex has substrings that are used - the default uses a conditional. This test is omitted for PTR records. These occur only in calls from the dnsdb lookup, which constructs the names itself, so they should be OK. Besides, -bitstring labels don't conform to normal name syntax. (But the aren't used any -more.) - -For SRV records, we omit the initial _smtp._tcp. components at the start. -The check has been seen to bite on the destination of a SRV lookup that -initiall hit a CNAME, for which the next name had only two components. -RFC2782 makes no mention of the possibiility of CNAMES, but the Wikipedia -article on SRV says they are not a valid configuration. */ +bitstring labels don't conform to normal name syntax. (But they aren't used any +more.) */ #ifndef STAND_ALONE /* Omit this for stand-alone tests */ if (check_dns_names_pattern[0] != 0 && type != T_PTR && type != T_TXT) { - const uschar *checkname = name; int ovector[3*(EXPAND_MAXN+1)]; dns_pattern_init(); - - /* For an SRV lookup, skip over the first two components (the service and - protocol names, which both start with an underscore). */ - - if (type == T_SRV || type == T_TLSA) - { - while (*checkname && *checkname++ != '.') ; - while (*checkname && *checkname++ != '.') ; - } - - if (pcre_exec(regex_check_dns_names, NULL, CCS checkname, Ustrlen(checkname), + if (pcre_exec(regex_check_dns_names, NULL, CCS name, Ustrlen(name), 0, PCRE_EOPT, ovector, nelem(ovector)) < 0) { DEBUG(D_dns) @@ -879,6 +860,7 @@ if ((type == T_A || type == T_AAAA) && string_is_ip_address(name, NULL) != 0) (res_search), we call fakens_search(), which recognizes certain special domains, and interfaces to a fake nameserver for certain special zones. */ +h_errno = 0; dnsa->answerlen = f.running_in_test_harness ? fakens_search(name, type, dnsa->answer, sizeof(dnsa->answer)) : res_search(CCS name, C_IN, type, dnsa->answer, sizeof(dnsa->answer));