| field | value | date |
|---|---|---|
| author | Bertie, Taylor <bertiet@amazon.com> | 2022-07-31 17:20:21 +0100 |
| committer | Simon Kelley <simon@thekelleys.org.uk> | 2022-07-31 17:20:21 +0100 |
| commit | 5586934da01f1d802606459829235e87ab12aae0 | |
| tree | 1fc775e8244fca8686933027b6802e932b6891de | |
| parent | 6134b94c021afa3e90258fff13b301a058503df7 | |
| download | dnsmasq-5586934da01f1d802606459829235e87ab12aae0.tar.gz | |
Bound the value of UDP packet size in the EDNS0 header of
forwarded queries to the configured or default value of
edns-packet-max. There's no point letting a client set a larger
value if we're unable to return the answer.
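The clamp-and-write-back the commit describes, as an added example written for this page rather than code from dnsmasq: it walks the additional section of a DNS query to find the OPT RR, reads the UDP payload size that EDNS0 stores in the CLASS field, clamps it to [512, configured maximum] exactly as the forward.c hunk does, and writes the clamped value back into the packet so a forwarded copy never advertises more than the resolver can receive. `bound_edns_udp_size`, `find_opt_class`, the `EDNS_PKTSZ_DEFAULT` value (a stand-in for `daemon->edns_pktsz`) and the sample query bytes are all assumptions constructed here; the real `find_pseudoheader` in dnsmasq is not used. A missing or malformed OPT RR leaves the packet untouched and returns 0.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define DNS_HDR_LEN 12
#define T_OPT 41
#define PACKETSZ 512             /* RFC 6891 6.2.3 floor, same name as <arpa/nameser.h> */
#define EDNS_PKTSZ_DEFAULT 1232  /* assumed stand-in for daemon->edns_pktsz */

static uint16_t get16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static void put16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)(v >> 8); p[1] = (uint8_t)(v & 0xff); }

/* Skip a wire-format name. A compression pointer (top two bits set) ends the
   name. Returns NULL if the name runs past the end of the packet. */
static const uint8_t *skip_name(const uint8_t *p, const uint8_t *end)
{
    while (p < end) {
        uint8_t len = *p;
        if (len == 0) return p + 1;
        if ((len & 0xC0) == 0xC0) return (p + 2 <= end) ? p + 2 : NULL;
        if (len & 0xC0) return NULL;       /* reserved label types */
        p += 1 + len;
    }
    return NULL;
}

/* Skip one RR: name, TYPE(2), CLASS(2), TTL(4), RDLENGTH(2), RDATA. */
static const uint8_t *skip_rr(const uint8_t *p, const uint8_t *end)
{
    if (!(p = skip_name(p, end)) || end - p < 10) return NULL;
    uint16_t rdlen = get16(p + 8);
    p += 10;
    return (end - p >= rdlen) ? p + rdlen : NULL;
}

/* Locate the OPT RR in the additional section and return a pointer to its
   CLASS field, which EDNS0 redefines as the requestor's UDP payload size. */
static uint8_t *find_opt_class(uint8_t *pkt, size_t len)
{
    if (len < DNS_HDR_LEN) return NULL;
    const uint8_t *end = pkt + len, *p = pkt + DNS_HDR_LEN;
    uint16_t qd = get16(pkt + 4), an = get16(pkt + 6), ns = get16(pkt + 8), ar = get16(pkt + 10);

    for (; qd; qd--) {                      /* question: QNAME, QTYPE, QCLASS */
        if (!(p = skip_name(p, end)) || end - p < 4) return NULL;
        p += 4;
    }
    for (unsigned n = an + ns; n; n--)      /* answer + authority, normally empty in a query */
        if (!(p = skip_rr(p, end))) return NULL;
    for (; ar; ar--) {                      /* additional: look for TYPE 41 with the root name */
        const uint8_t *rr = p;
        if (!(p = skip_name(rr, end)) || end - p < 10) return NULL;
        if (get16(p) == T_OPT && rr[0] == 0)
            return (uint8_t *)p + 2;        /* CLASS follows TYPE */
        if (!(p = skip_rr(rr, end))) return NULL;
    }
    return NULL;
}

/* Clamp the advertised size to [PACKETSZ, max_pktsz] and write it back into
   the query, mirroring the forward.c change. Returns the value now in the
   packet, or 0 if there is no usable OPT RR (packet left unmodified). */
uint16_t bound_edns_udp_size(uint8_t *pkt, size_t len, uint16_t max_pktsz)
{
    uint8_t *cls = find_opt_class(pkt, len);
    if (!cls) return 0;
    uint16_t udp_size = get16(cls);
    if (udp_size > max_pktsz)
        udp_size = max_pktsz;
    else if (udp_size < PACKETSZ)
        udp_size = PACKETSZ;                /* RFC 6891 6.2.3: treat < 512 as 512 */
    put16(cls, udp_size);
    return udp_size;
}

/* Constructed sample (not a capture): query for example.com/A, RD set,
   one additional record: an OPT RR advertising a 4096-byte UDP payload. */
static const uint8_t sample_query[] = {
    0x12,0x34, 0x01,0x00, 0x00,0x01, 0x00,0x00, 0x00,0x00, 0x00,0x01,
    7,'e','x','a','m','p','l','e', 3,'c','o','m', 0, 0x00,0x01, 0x00,0x01,
    0x00, 0x00,0x29, 0x10,0x00, 0x00,0x00,0x00,0x00, 0x00,0x00
};

int main(void)
{
    uint8_t pkt[sizeof sample_query];
    memcpy(pkt, sample_query, sizeof pkt);
    uint16_t v = bound_edns_udp_size(pkt, sizeof pkt, EDNS_PKTSZ_DEFAULT);
    printf("client advertised 4096, forwarded query now carries %u\n", v);
    return 0;
}
```

With the assumed maximum of 1232 the sample prints `client advertised 4096, forwarded query now carries 1232`; a client value of 256 is raised to 512, and a value already inside the range passes through unchanged. The pointer to the CLASS field is returned directly by the parser rather than recovered by subtracting a fixed offset, which avoids the coupling the `pheader -= 6` step in the real patch has to the reads that precede it.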
| mode | file | lines changed |
|---|---|---|
| -rw-r--r-- | CHANGELOG | 6 |
| -rw-r--r-- | src/forward.c | 8 |

2 files changed, 12 insertions, 2 deletions
@@ -65,6 +65,12 @@ version 2.87 The new feature allows configuration to provide bug-for-bug compatibility, if required. Thanks to Damian Kaczkowski for the feature suggestion. + + Bound the value of UDP packet size in the EDNS0 header of + forwarded queries to the configured or default value of + edns-packet-max. There's no point letting a client set a larger + value if we're unable to return the answer. Thanks to Bertie + Taylor for pointing out the problem and supplying the patch. version 2.86 diff --git a/src/forward.c b/src/forward.c index b522c1f..0291986 100644 --- a/src/forward.c +++ b/src/forward.c @@ -1619,13 +1619,17 @@ void receive_query(struct listener *listen, time_t now) /* If the client provides an EDNS0 UDP size, use that to limit our reply. (bounded by the maximum configured). If no EDNS0, then it - defaults to 512 */ + defaults to 512. We write this value into the query packet too, so that + if it's forwarded, we don't specify a maximum size greater than we can handle. */ if (udp_size > daemon->edns_pktsz) udp_size = daemon->edns_pktsz; else if (udp_size < PACKETSZ) udp_size = PACKETSZ; /* Sanity check - can't reduce below default. RFC 6891 6.2.3 */ - } + pheader -= 6; /* ext_class */ + PUTSHORT(udp_size, pheader); /* Bounding forwarded queries to maximum configured */ + } + #ifdef HAVE_CONNTRACK #ifdef HAVE_AUTH if (!auth_dns || local_auth) |
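Review bot: in the src/forward.c hunk, `pheader -= 6; /* ext_class */` rewinds to the OPT CLASS field by a magic offset that is only correct as long as the reads that advanced `pheader` before this block stay exactly as they are, and the comment names the destination but not why the number is 6 (CLASS 2 + EXTENDED-RCODE 1 + VERSION 1 + DO/Z flags 2 in the OPT RR layout of RFC 6891 6.1.2). Suggest keeping a pointer to the CLASS field when the client's value is first read and writing back through that pointer, e.g. `PUTSHORT(udp_size, sizep);`, or at least naming the offset and spelling out the layout in the comment. Two smaller points: `PUTSHORT` advances `pheader` by two, so after the block it now points at EXTENDED-RCODE rather than past the flags where the pre-patch code left it; worth confirming nothing after the closing brace still reads `pheader` at the old position. And the new comment `/* Bounding forwarded queries to maximum configured */` describes only half of what is written: the `else if (udp_size < PACKETSZ)` branch also raises sub-512 values to 512 before the write-back, so "clamped to [512, edns-packet-max]" would be more accurate.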