When following a CNAME chain, if any lookup is insecure the whole must be too

author Jeremy Harris <jgh146exb@wizmail.org>

Thu, 20 Nov 2014 20:17:32 +0000 (20:17 +0000)

committer Jeremy Harris <jgh146exb@wizmail.org>

Sat, 29 Nov 2014 17:46:49 +0000 (17:46 +0000)
author Jeremy Harris <jgh146exb@wizmail.org>
Thu, 20 Nov 2014 20:17:32 +0000 (20:17 +0000)
committer Jeremy Harris <jgh146exb@wizmail.org>
Sat, 29 Nov 2014 17:46:49 +0000 (17:46 +0000)
diff --git a/src/src/dns.c b/src/src/dns.c

index ac52e56218809d1af990056842eb9024c724a6c6..542354db394e0c41a28583c5831450661a9ee52e 100644 (file)
--- a/src/src/dns.c
+++ b/src/src/dns.c
@@ -455,6 +455,14 @@ return h->ad ? TRUE : FALSE;
  #endif
  }
  
+static void
+dns_set_insecure(dns_answer * dnsa)
+{
+HEADER * h = (HEADER *)dnsa->answer;
+h->ad = 0;
+}
+
+
  
  
  
@@ -752,7 +760,8 @@ int
  dns_lookup(dns_answer *dnsa, uschar *name, int type, uschar **fully_qualified_name)
  {
  int i;
-uschar *orig_name = name;
+const uschar *orig_name = name;
+BOOL secure_so_far = TRUE;
  
  /* Loop to follow CNAME chains so far, but no further... */
  
@@ -825,6 +834,9 @@ for (i = 0; i < 10; i++)
    if (datalen < 0) return DNS_FAIL;
    name = data;
  
+  if (!dns_is_secure(dnsa))
+    secure_so_far = FALSE;
+
    DEBUG(D_dns) debug_printf("CNAME found: change to %s\n", name);
    }       /* Loop back to do another lookup */
author	Jeremy Harris <jgh146exb@wizmail.org>
	Thu, 20 Nov 2014 20:17:32 +0000 (20:17 +0000)
committer	Jeremy Harris <jgh146exb@wizmail.org>
	Sat, 29 Nov 2014 17:46:49 +0000 (17:46 +0000)