Fix RPZ CIDR tree insertion bug (#43035)

CHANGES

@@ -1,3 +1,8 @@
+4442.	[bug]		Fix RPZ CIDR tree insertion bug that corrupted
+			tree data structure with overlapping networks
+			(longest prefix match was ineffective).
+			[RT #43035]
+
 4441.	[cleanup]	Alphabetize host's help output. [RT #43031]
 
 4440.	[func]		Enable TCP fast open support when available on the

bin/tests/system/rpzrecurse/ns2/db.clientip21

@@ -0,0 +1,12 @@
+; Copyright (C) 2015, 2016  Internet Systems Consortium, Inc. ("ISC")
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+$TTL 60
+@ IN SOA root.ns ns 1996072700 3600 1800 86400 60
+     NS ns
+ns A 127.0.0.1
+32.3.0.53.10.rpz-client-ip A 10.53.0.1
+31.2.0.53.10.rpz-client-ip CNAME .

bin/tests/system/rpzrecurse/ns2/named.clientip2.conf

@@ -0,0 +1,27 @@
+/*
+ * Copyright (C) 2015, 2016  Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ */
+
+# common configuration
+include "named.conf.header";
+
+view "recursive" {
+    zone "." {
+	type hint;
+	file "root.hint";
+    };
+
+    servfail-ttl 0;
+
+    # policy configuration to be tested
+    response-policy {
+	zone "clientip21";
+    } qname-wait-recurse no;
+
+    # policy zones to be tested
+    zone "clientip21" { type master; file "db.clientip21"; };
+};

bin/tests/system/rpzrecurse/tests.sh

@@ -237,6 +237,35 @@ grep "^l2.l1.l0.[ 	]*[0-9]*[ 	]*IN[ 	]*A[ 	]*10.53.0.2" dig.out.${t} > /dev/null
     status=1
 }
 
+# Check CLIENT-IP behavior #2
+t=`expr $t + 1`
+echo "I:testing CLIENT-IP behavior #2 (${t})"
+run_server clientip2
+$DIG $DIGOPTS l2.l1.l0 a @10.53.0.2 -p 5300 -b 10.53.0.1 > dig.out.${t}.1
+grep "status: SERVFAIL" dig.out.${t}.1 > /dev/null 2>&1 || {
+    echo "I:test $t failed: query failed"
+    status=1
+}
+$DIG $DIGOPTS l2.l1.l0 a @10.53.0.2 -p 5300 -b 10.53.0.2 > dig.out.${t}.2
+grep "status: NXDOMAIN" dig.out.${t}.2 > /dev/null 2>&1 || {
+    echo "I:test $t failed: query failed"
+    status=1
+}
+$DIG $DIGOPTS l2.l1.l0 a @10.53.0.2 -p 5300 -b 10.53.0.3 > dig.out.${t}.3
+grep "status: NOERROR" dig.out.${t}.3 > /dev/null 2>&1 || {
+    echo "I:test $t failed: query failed"
+    status=1
+}
+grep "^l2.l1.l0.[ 	]*[0-9]*[ 	]*IN[ 	]*A[ 	]*10.53.0.1" dig.out.${t}.3 > /dev/null 2>&1 || {
+    echo "I:test $t failed: didn't get expected answer"
+    status=1
+}
+$DIG $DIGOPTS l2.l1.l0 a @10.53.0.2 -p 5300 -b 10.53.0.4 > dig.out.${t}.4
+grep "status: SERVFAIL" dig.out.${t}.4 > /dev/null 2>&1 || {
+    echo "I:test $t failed: query failed"
+    status=1
+}
+
 # Check RPZ log clause
 t=`expr $t + 1`
 echo "I:testing RPZ log clause (${t})"

lib/dns/dispatch.c

@@ -2994,7 +2994,7 @@ dispatch_createudp(dns_dispatchmgr_t *mgr, isc_socketmgr_t *sockmgr,
 			isc_sockaddr_format(localaddr, addrbuf,
 					    ISC_SOCKADDR_FORMATSIZE);
 			mgr_log(mgr, LVL(90), "dns_dispatch_createudp: Created"
-				" UDP dispatch for %s with socket fd %d\n",
+				" UDP dispatch for %s with socket fd %d",
 				addrbuf, isc_socket_getfd(sock));
 		}
 

lib/dns/rpz.c

@@ -1176,7 +1176,7 @@ search(dns_rpz_zones_t *rpzs,
 				rpzs->cidr = new_parent;
 			else
 				parent->child[cur_num] = new_parent;
-			child_num = DNS_RPZ_IP_BIT(&cur->ip, tgt_prefix+1);
+			child_num = DNS_RPZ_IP_BIT(&cur->ip, tgt_prefix);
 			new_parent->child[child_num] = cur;
 			cur->parent = new_parent;
 			new_parent->set = *tgt_set;