From 2a50fc324bb67cae677f8bfb3705afd1ffac83bf Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Micha=C5=82=20K=C4=99pie=C5=84?=
Date: Mon, 5 Mar 2018 14:13:50 +0100
Subject: [PATCH 1/3] Add a release note about dropping support for non-dotted-quad IPv4 addresses in master files
Support for non-dotted-quad IPv4 addresses in master files was dropped when the inet_aton() call inside getquad() got replaced with a call to inet_pton(), so a release note should have been added back then to inform users that such syntax will no longer work.
---
 doc/arm/notes.xml | 6 ++++++
 lib/dns/tests/rdata_test.c | 16 +++++++++++++++-
 2 files changed, 21 insertions(+), 1 deletion(-)
diff --git a/doc/arm/notes.xml b/doc/arm/notes.xml
index dae01a0442..599a29148b 100644
--- a/doc/arm/notes.xml
+++ b/doc/arm/notes.xml
@@ -88,6 +88,12 @@ been removed. [GL #93]
+
+
+ IPv4 addresses in forms other than dotted-quad are no longer
+ accepted in master files. [GL #13] [GL #56]
+
+
diff --git a/lib/dns/tests/rdata_test.c b/lib/dns/tests/rdata_test.c
index 02200a47f5..0a9b94b2d6 100644
--- a/lib/dns/tests/rdata_test.c
+++ b/lib/dns/tests/rdata_test.c
@@ -1137,6 +1137,20 @@ ATF_TC_HEAD(wks, tc) {
 atf_tc_set_md_var(tc, "descr", "WKS RDATA manipulations");
 }
 ATF_TC_BODY(wks, tc) {
+ text_ok_t text_ok[] = {
+ /*
+ * Valid, IPv4 address in dotted-quad form.
+ */
+ TEXT_VALID("127.0.0.1 6"),
+ /*
+ * Invalid, IPv4 address not in dotted-quad form.
+ */
+ TEXT_INVALID("127.1 6"),
+ /*
+ * Sentinel.
+ */
+ TEXT_SENTINEL()
+ };
 wire_ok_t wire_ok[] = {
 /*
 * Too short.
@@ -1162,7 +1176,7 @@ ATF_TC_BODY(wks, tc) {
 UNUSED(tc);
- check_rdata(NULL, wire_ok, ISC_FALSE, dns_rdataclass_in,
+ check_rdata(text_ok, wire_ok, ISC_FALSE, dns_rdataclass_in,
 dns_rdatatype_wks, sizeof(dns_rdata_in_wks_t));
 }
From 4f96cebce3400f65f3963208657051f11ec75cc6 Mon Sep 17 00:00:00 2001
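Review bot: The new text_ok table in the first rdata_test.c hunk pins only the short form `127.1 6` as invalid, while the release note in this same patch promises that every non-dotted-quad form is rejected; since the parser now relies on the platform's inet_pton(), and the POSIX description of the AF_INET dotted-decimal form does not explicitly forbid leading zeros, whether an octal-looking octet such as `0177.0.0.1` (which inet_aton() used to accept) is refused is implementation-dependent. Adding `TEXT_INVALID("0177.0.0.1 6")` next to the existing entry would make the table enforce the stated guarantee on every platform the test suite runs on instead of documenting one example of it. The A, L32 and IPSECKEY parsers that the follow-up patch changes in the same way get no text-level case here; if their test bodies elsewhere in this file still pass NULL for text_ok (not visible in this hunk), the same two entries could be reused there.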
From: =?UTF-8?q?Micha=C5=82=20K=C4=99pie=C5=84?=
Date: Mon, 5 Mar 2018 14:13:52 +0100
Subject: [PATCH 2/3] Replace getquad() with inet_pton()
getquad() was implemented back in 2001 to warn about IPv4 addresses in non-dotted-quad form being used. As change 4900 (GL #13) removed all uses of inet_aton(), which allowed such forms, with inet_pton(), which does not allow them, there is no point in keeping getquad() around as it now only prints an extra warning when the parser comes across an IP address in a form which is not acceptable anyway. Replace all uses of getquad() with inet_pton(AF_INET, ...).
---
 lib/dns/rdata.c | 18 ------------------
 lib/dns/rdata/generic/ipseckey_45.c | 2 +-
 lib/dns/rdata/generic/l32_105.c | 2 +-
 lib/dns/rdata/hs_4/a_1.c | 3 ++-
 lib/dns/rdata/in_1/a_1.c | 3 ++-
 lib/dns/rdata/in_1/wks_11.c | 3 ++-
 6 files changed, 8 insertions(+), 23 deletions(-)
diff --git a/lib/dns/rdata.c b/lib/dns/rdata.c
index e72b49909a..3788c6ce19 100644
--- a/lib/dns/rdata.c
+++ b/lib/dns/rdata.c
@@ -378,24 +378,6 @@ locator_pton(const char *src, unsigned char *dst) {
 return (1);
 }
-static inline int
-getquad(const void *src, struct in_addr *dst,
- isc_lex_t *lexer, dns_rdatacallbacks_t *callbacks)
-{
- int result;
-
- result = inet_pton(AF_INET, src, dst);
- if (result != 1 && callbacks != NULL) {
- const char *name = isc_lex_getsourcename(lexer);
- if (name == NULL)
- name = "UNKNOWN";
- (*callbacks->warn)(callbacks, "%s:%lu: \"%s\" "
- "is not a decimal dotted quad", name,
- isc_lex_getsourceline(lexer), src);
- }
- return (result);
-}
-
 static inline isc_result_t
 name_duporclone(const dns_name_t *source, isc_mem_t *mctx, dns_name_t *target) {
diff --git a/lib/dns/rdata/generic/ipseckey_45.c b/lib/dns/rdata/generic/ipseckey_45.c
index 1f5acd4c25..040299d2f6 100644
--- a/lib/dns/rdata/generic/ipseckey_45.c
+++ b/lib/dns/rdata/generic/ipseckey_45.c
@@ -77,7 +77,7 @@ fromtext_ipseckey(ARGS_FROMTEXT) {
 break;
 case 1:
- if (getquad(DNS_AS_STR(token), &addr, lexer, callbacks) != 1)
+ if (inet_pton(AF_INET, DNS_AS_STR(token), &addr) != 1)
 RETTOK(DNS_R_BADDOTTEDQUAD);
 isc_buffer_availableregion(target, ®ion);
 if (region.length < 4)
diff --git a/lib/dns/rdata/generic/l32_105.c b/lib/dns/rdata/generic/l32_105.c
index 9ae90c4395..6332131e59 100644
--- a/lib/dns/rdata/generic/l32_105.c
+++ b/lib/dns/rdata/generic/l32_105.c
@@ -41,7 +41,7 @@ fromtext_l32(ARGS_FROMTEXT) {
 RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_string, ISC_FALSE));
- if (getquad(DNS_AS_STR(token), &addr, lexer, callbacks) != 1)
+ if (inet_pton(AF_INET, DNS_AS_STR(token), &addr) != 1)
 RETTOK(DNS_R_BADDOTTEDQUAD);
 isc_buffer_availableregion(target, ®ion);
 if (region.length < 4)
diff --git a/lib/dns/rdata/hs_4/a_1.c b/lib/dns/rdata/hs_4/a_1.c
index 6887c81e49..358992249b 100644
--- a/lib/dns/rdata/hs_4/a_1.c
+++ b/lib/dns/rdata/hs_4/a_1.c
@@ -33,11 +33,12 @@ fromtext_hs_a(ARGS_FROMTEXT) {
 UNUSED(origin);
 UNUSED(options);
 UNUSED(rdclass);
+ UNUSED(callbacks);
 RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_string, ISC_FALSE));
- if (getquad(DNS_AS_STR(token), &addr, lexer, callbacks) != 1)
+ if (inet_pton(AF_INET, DNS_AS_STR(token), &addr) != 1)
 RETTOK(DNS_R_BADDOTTEDQUAD);
 isc_buffer_availableregion(target, ®ion);
 if (region.length < 4)
diff --git a/lib/dns/rdata/in_1/a_1.c b/lib/dns/rdata/in_1/a_1.c
index 89de196054..6c2356ffe3 100644
--- a/lib/dns/rdata/in_1/a_1.c
+++ b/lib/dns/rdata/in_1/a_1.c
@@ -35,11 +35,12 @@ fromtext_in_a(ARGS_FROMTEXT) {
 UNUSED(origin);
 UNUSED(options);
 UNUSED(rdclass);
+ UNUSED(callbacks);
 RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_string, ISC_FALSE));
- if (getquad(DNS_AS_STR(token), &addr, lexer, callbacks) != 1)
+ if (inet_pton(AF_INET, DNS_AS_STR(token), &addr) != 1)
 RETTOK(DNS_R_BADDOTTEDQUAD);
 isc_buffer_availableregion(target, ®ion);
 if (region.length < 4)
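Review bot: The ipseckey_45.c and l32_105.c hunks remove the only visible use of `callbacks` without adding `UNUSED(callbacks);`, whereas the hs_4/a_1.c, in_1/a_1.c and wks_11.c hunks of this same patch do add it. If fromtext_ipseckey() and fromtext_l32() reference callbacks nowhere else (both function bodies begin outside their hunks, so this cannot be confirmed here), builds with -Wunused-parameter will start warning in those two files; placing `UNUSED(callbacks);` beside the other UNUSED() lines keeps all five call sites consistent. Dropping the file-and-line "is not a decimal dotted quad" warning is acceptable only because the surviving RETTOK(DNS_R_BADDOTTEDQUAD) presumably still reports the offending token's position through the lexer, which would be worth stating in the commit message since operators lose the explicit wording.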
diff --git a/lib/dns/rdata/in_1/wks_11.c b/lib/dns/rdata/in_1/wks_11.c
index ac24711811..cb3abd00c2 100644
--- a/lib/dns/rdata/in_1/wks_11.c
+++ b/lib/dns/rdata/in_1/wks_11.c
@@ -93,6 +93,7 @@ fromtext_in_wks(ARGS_FROMTEXT) {
 UNUSED(origin);
 UNUSED(options);
 UNUSED(rdclass);
+ UNUSED(callbacks);
 RUNTIME_CHECK(isc_once_do(&once, init_lock) == ISC_R_SUCCESS);
@@ -117,7 +118,7 @@ fromtext_in_wks(ARGS_FROMTEXT) {
 ISC_FALSE));
 isc_buffer_availableregion(target, ®ion);
- if (getquad(DNS_AS_STR(token), &addr, lexer, callbacks) != 1)
+ if (inet_pton(AF_INET, DNS_AS_STR(token), &addr) != 1)
 CHECKTOK(DNS_R_BADDOTTEDQUAD);
 if (region.length < 4)
 return (ISC_R_NOSPACE);
From 4528b887b029d3fc89542a5784ec578a4f943137 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Micha=C5=82=20K=C4=99pie=C5=84?=
Date: Mon, 5 Mar 2018 14:13:53 +0100
Subject: [PATCH 3/3] Add CHANGES entry for GL #56, revise CHANGES entry for GL #13
4906. [func] Replace getquad() with inet_pton(), completing change #4900. [GL #56] 4900. [func] Remove all uses of inet_aton(). As a result of this change, IPv4 addresses are now only accepted in dotted-quad format. [GL #13]
---
 CHANGES | 17 +++++++++++------
 1 file changed, 11 insertions(+), 6 deletions(-)
diff --git a/CHANGES b/CHANGES
index ffec9afc73..b595926746 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,6 @@
+4906. [func] Replace getquad() with inet_pton(), completing
+ change #4900. [GL #56]
+
 4905. [bug] irs_resconf_load() ignored resolv.conf syntax errors when "domain" or "search" options were present in that file. [GL #110]
@@ -15,7 +18,9 @@ for a domain that time out, as well as the servers that respond. [GL #64]
-4900. [cleanup] Remove all uses of inet_aton(). [GL #13]
+4900. [func] Remove all uses of inet_aton(). As a result of this
+ change, IPv4 addresses are now only accepted in
+ dotted-quad format. [GL #13]
 4899. [test] Convert most of the remaining system tests to be able to run in parallel, continuing the work from change
@@ -151,11 +156,11 @@ 4860. [bug] isc_int8_t should be signed char. [RT #46973]
-4859. [bug] A loop was possible when attempting to validate
- unsigned CNAME responses from secure zones;
- this caused a delay in returning SERVFAIL and
- also increased the chances of encountering
- CVE-2017-3145. [RT #46839]
+4859. [bug] A loop was possible when attempting to validate
+ unsigned CNAME responses from secure zones;
+ this caused a delay in returning SERVFAIL and
+ also increased the chances of encountering
+ CVE-2017-3145. [RT #46839]
 4858. [security] Addresses could be referenced after being freed in resolver.c, causing an assertion failure.