author | Oto Šťáva <oto.stava@nic.cz> | 2022-02-25 07:46:13 +0100 |
---|---|---|
committer | Vladimír Čunát <vladimir.cunat@nic.cz> | 2022-02-28 14:26:38 +0100 |
commit | 1fc1b9bc2a316898552a1b1e5d0fcf6b126c76c3 (patch) | |
tree | a3405b3787933ddd55c0e49abccf31f504446e89 /lib/resolve.c | |
parent | Merge !1256: modules/dnstap: improve UX for common errors (diff) | |
Fix defects detected by Coverity Scan
Targeted CIDs: 155456, 155962, 346121, 346123, 346124, 346125,
346126, 346127, 346130, 346131, 346132, 346134, 346135, 346138,
346140, 346145, 346146, 346149, 346152, 346154, 346156, 346157
lib/dnssec/nsec3.c change:
apparently cleaning fallout from my (= vcunat's) commit b5cf61325ae
Diffstat (limited to 'lib/resolve.c')
-rw-r--r-- | lib/resolve.c | 51 |
1 files changed, 24 insertions, 27 deletions
diff --git a/lib/resolve.c b/lib/resolve.c index 4559bc0d..45030fb0 100644 --- a/lib/resolve.c +++ b/lib/resolve.c @@ -548,27 +548,26 @@ static void answer_finalize(struct kr_request *request) /* AD flag. We can only change `secure` from true to false. * Be conservative. Primary approach: check ranks of all RRs in wire. * Only "negative answers" need special handling. */ - bool secure = last != NULL && request->state == KR_STATE_DONE /*< suspicious otherwise */ + bool secure = request->state == KR_STATE_DONE /*< suspicious otherwise */ && knot_pkt_qtype(answer) != KNOT_RRTYPE_RRSIG; - if (last && (last->flags.STUB)) { + if (last->flags.STUB) { secure = false; /* don't trust forwarding for now */ } - if (last && (last->flags.DNSSEC_OPTOUT)) { + if (last->flags.DNSSEC_OPTOUT) { VERBOSE_MSG(last, "insecure because of opt-out\n"); secure = false; /* the last answer is insecure due to opt-out */ } /* Write all RRsets meant for the answer. */ - const uint16_t reorder = last ? last->reorder : 0; bool answ_all_cnames = false/*arbitrary*/; if (knot_pkt_begin(answer, KNOT_ANSWER) - || write_extra_ranked_records(&request->answ_selected, reorder, + || write_extra_ranked_records(&request->answ_selected, last->reorder, answer, &secure, &answ_all_cnames) || knot_pkt_begin(answer, KNOT_AUTHORITY) - || write_extra_ranked_records(&request->auth_selected, reorder, + || write_extra_ranked_records(&request->auth_selected, last->reorder, answer, &secure, NULL) || knot_pkt_begin(answer, KNOT_ADDITIONAL) - || write_extra_ranked_records(&request->add_selected, reorder, + || write_extra_ranked_records(&request->add_selected, last->reorder, answer, NULL/*not relevant to AD*/, NULL) || answer_append_edns(request) ) 
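Review bot: `last` is now dereferenced unconditionally throughout this hunk (`last->flags.STUB`, `last->flags.DNSSEC_OPTOUT`, `last->reorder`), and nothing visible here establishes that it is non-NULL. The commit message suggests Coverity judged the old checks redundant, presumably because the part of answer_finalize() above the hunk already returns when `last` is NULL; that should be confirmed, because a NULL `last` on this path would now crash the resolver while finalizing an answer instead of merely clearing the AD bit. I would state the invariant next to the first use, for example `/* last != NULL here: the no-resolved-query case returned earlier */`, so that a later change to that early exit does not silently remove the only guard. The same concern covers the following hunk at -577, which drops the `if (!last) secure = false;` fallback.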
@@ -577,7 +576,6 @@ static void answer_finalize(struct kr_request *request) return; } - if (!last) secure = false; /*< should be no-op, mostly documentation */ /* AD: "negative answers" need more handling. */ if (kr_response_classify(answer) != PKT_NOERROR /* Additionally check for CNAME chains that "end in NODATA", 
@@ -812,32 +810,31 @@ int kr_resolve_consume(struct kr_request *request, struct kr_transport **transpo return KR_STATE_FAIL; } bool tried_tcp = (qry->flags.TCP); - if (!packet || packet->size == 0) { + if (!packet || packet->size == 0) return KR_STATE_PRODUCE; + + /* Packet cleared, derandomize QNAME. */ + knot_dname_t *qname_raw = knot_pkt_qname(packet); + if (qname_raw && qry->secret != 0) { + randomized_qname_case(qname_raw, qry->secret); + } + request->state = KR_STATE_CONSUME; + if (qry->flags.CACHED) { + ITERATE_LAYERS(request, qry, consume, packet); } else { - /* Packet cleared, derandomize QNAME. */ - knot_dname_t *qname_raw = knot_pkt_qname(packet); - if (qname_raw && qry->secret != 0) { - randomized_qname_case(qname_raw, qry->secret); - } - request->state = KR_STATE_CONSUME; - if (qry->flags.CACHED) { - ITERATE_LAYERS(request, qry, consume, packet); - } else { - /* Fill in source and latency information. */ - request->upstream.rtt = kr_now() - qry->timestamp_mono; - request->upstream.transport = transport ? *transport : NULL; - ITERATE_LAYERS(request, qry, consume, packet); - /* Clear temporary information */ - request->upstream.transport = NULL; - request->upstream.rtt = 0; - } + /* Fill in source and latency information. */ + request->upstream.rtt = kr_now() - qry->timestamp_mono; + request->upstream.transport = transport ? *transport : NULL; + ITERATE_LAYERS(request, qry, consume, packet); + /* Clear temporary information */ + request->upstream.transport = NULL; + request->upstream.rtt = 0; } if (transport && !qry->flags.CACHED) { if (!(request->state & KR_STATE_FAIL)) { /* Do not complete NS address resolution on soft-fail. */ - const int rcode = packet ? knot_wire_get_rcode(packet->wire) : 0; + const int rcode = knot_wire_get_rcode(packet->wire); if (rcode != KNOT_RCODE_SERVFAIL && rcode != KNOT_RCODE_REFUSED) { qry->flags.AWAIT_IPV6 = false; qry->flags.AWAIT_IPV4 = false; |
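Review bot: The early return at the top of this hunk loses its braces (`if (!packet || packet->size == 0)` followed by a bare `return KR_STATE_PRODUCE;`), while every other conditional in the hunk keeps them. That guard is now the only thing making the unconditional `knot_wire_get_rcode(packet->wire)` further down safe, since the old `packet ? ... : 0` fallback is removed. I would keep it braced and note the dependency, e.g. `if (!packet || packet->size == 0) { return KR_STATE_PRODUCE; } /* packet is non-NULL from here on */`, so that a statement added next to the return cannot fall outside the condition. kr_resolve_consume() begins and ends outside the hunk, so any other use of `packet` after this point is not visible here.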