From 0d07de9228531557990282deb7226d17f74daef2 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Micha=C5=82=20K=C4=99pie=C5=84?= Date: Fri, 15 Jun 2018 09:59:20 +0200 Subject: [PATCH] Do not call exit() upon match_nsec3() errors Make match_nsec3() return the verification result through a separate pointer, thus making it possible to signal errors using function return value. Replace all check_result() and fprintf() calls inside match_nsec3() with zoneverify_log_error() calls and error handling code. Modify all call sites of match_nsec3() so that its errors are properly handled. --- lib/dns/zoneverify.c | 50 ++++++++++++++++++++++++++++++-------------- 1 file changed, 34 insertions(+), 16 deletions(-) diff --git a/lib/dns/zoneverify.c b/lib/dns/zoneverify.c index f06dd062d3..67e8bf787b 100644 --- a/lib/dns/zoneverify.c +++ b/lib/dns/zoneverify.c @@ -444,7 +444,7 @@ static isc_result_t match_nsec3(const vctx_t *vctx, dns_name_t *name, dns_rdata_nsec3param_t *nsec3param, dns_rdataset_t *rdataset, unsigned char types[8192], unsigned int maxtype, - unsigned char *rawhash, size_t rhsize) + unsigned char *rawhash, size_t rhsize, isc_result_t *vresult) { unsigned char cbm[8244]; char namebuf[DNS_NAME_FORMATSIZE]; @@ -472,8 +472,10 @@ match_nsec3(const vctx_t *vctx, dns_name_t *name, } if (result != ISC_R_SUCCESS) { dns_name_format(name, namebuf, sizeof(namebuf)); - fprintf(stderr, "Missing NSEC3 record for %s\n", namebuf); - return (result); + zoneverify_log_error(vctx, "Missing NSEC3 record for %s", + namebuf); + *vresult = result; + return (ISC_R_SUCCESS); } /* @@ -482,9 +484,12 @@ match_nsec3(const vctx_t *vctx, dns_name_t *name, len = dns_nsec_compressbitmap(cbm, types, maxtype); if (nsec3.len != len || memcmp(cbm, nsec3.typebits, len) != 0) { dns_name_format(name, namebuf, sizeof(namebuf)); - fprintf(stderr, "Bad NSEC3 record for %s, bit map " - "mismatch\n", namebuf); - return (ISC_R_FAILURE); + zoneverify_log_error(vctx, + "Bad NSEC3 record for %s, bit map " + "mismatch", + namebuf); + *vresult = ISC_R_FAILURE; + return (ISC_R_SUCCESS); } /* @@ -492,7 +497,11 @@ match_nsec3(const vctx_t *vctx, dns_name_t *name, */ result = record_nsec3(rawhash, &nsec3, vctx->mctx, vctx->expected_chains); - check_result(result, "record_nsec3()"); + if (result != ISC_R_SUCCESS) { + zoneverify_log_error(vctx, "record_nsec3(): %s", + isc_result_totext(result)); + return (result); + } /* * Make sure there is only one NSEC3 record with this set of @@ -511,17 +520,20 @@ match_nsec3(const vctx_t *vctx, dns_name_t *name, memcmp(nsec3.salt, nsec3param->salt, nsec3.salt_length) == 0) { dns_name_format(name, namebuf, sizeof(namebuf)); - fprintf(stderr, "Multiple NSEC3 records with the " - "same parameter set for %s", namebuf); - result = DNS_R_DUPLICATE; - break; + zoneverify_log_error(vctx, + "Multiple NSEC3 records with the " + "same parameter set for %s", + namebuf); + *vresult = DNS_R_DUPLICATE; + return (ISC_R_SUCCESS); } } if (result != ISC_R_NOMORE) return (result); - result = ISC_R_SUCCESS; - return (result); + *vresult = ISC_R_SUCCESS; + + return (ISC_R_SUCCESS); } static isc_boolean_t @@ -679,7 +691,7 @@ verifynsec3(const vctx_t *vctx, dns_name_t *name, dns_rdata_t *rdata, dns_rdata_nsec3param_t nsec3param; dns_fixedname_t fixed; dns_name_t *hashname; - isc_result_t result; + isc_result_t result, tvresult; dns_dbnode_t *node = NULL; unsigned char rawhash[NSEC3_MAX_HASH_LENGTH]; size_t rhsize = sizeof(rawhash); @@ -737,17 +749,23 @@ verifynsec3(const vctx_t *vctx, dns_name_t *name, dns_rdata_t *rdata, result = ISC_R_SUCCESS; } else if (result == ISC_R_SUCCESS) { result = match_nsec3(vctx, name, &nsec3param, &rdataset, types, - maxtype, rawhash, rhsize); + maxtype, rawhash, rhsize, &tvresult); + if (result != ISC_R_SUCCESS) { + goto done; + } + result = tvresult; } *vresult = result; + result = ISC_R_SUCCESS; + done: if (dns_rdataset_isassociated(&rdataset)) dns_rdataset_disassociate(&rdataset); if (node != NULL) dns_db_detachnode(vctx->db, &node); - return (ISC_R_SUCCESS); + return (result); } static isc_result_t