s4/dns_server: prepare sending correct error responses for dns_verify_tsig() errors
authorRalph Boehme <slow@samba.org>
Mon, 30 May 2016 14:42:14 +0000 (16:42 +0200)
committerKarolin Seeger <kseeger@samba.org>
Thu, 23 Jun 2016 10:10:22 +0000 (12:10 +0200)
Call dns_verify_tsig() after updating state.flags and assign and use
out_packet for dns_verify_tsig().

We will need the updated flags when sending TSIG error responses when
TSIG request MAC verification fails and dns_verify_tsig() uses the
passed in packet as response, so we have to make sure we copy in_packet
to out_packet before calling out and pass out_packet.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=11520

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
(cherry picked from commit ba683d459e1b1550d0a4de3a0f576c857ee595c8)

source4/dns_server/dns_server.c

index a2dc15195bf7e8ddd6d6703b7bd34900e789289b..2bc2174bcc748c3f2221026045da4779a07983da 100644 (file)
@@ -152,14 +152,6 @@ static struct tevent_req *dns_process_send(TALLOC_CTX *mem_ctx,
                NDR_PRINT_DEBUGC(DBGC_DNS, dns_name_packet, &state->in_packet);
        }
 
-       ret = dns_verify_tsig(dns, state, &state->state, &state->in_packet, in);
-       if (!W_ERROR_IS_OK(ret)) {
-               DEBUG(1, ("Failed to verify TSIG!\n"));
-               state->dns_err = werr_to_dns_err(ret);
-               tevent_req_done(req);
-               return tevent_req_post(req, ev);
-       }
-
        if (state->in_packet.operation & DNS_FLAG_REPLY) {
                DEBUG(1, ("Won't reply to replies.\n"));
                tevent_req_werror(req, WERR_INVALID_PARAM);
@@ -176,6 +168,13 @@ static struct tevent_req *dns_process_send(TALLOC_CTX *mem_ctx,
 
        state->out_packet = state->in_packet;
 
+       ret = dns_verify_tsig(dns, state, &state->state, &state->out_packet, in);
+       if (!W_ERROR_IS_OK(ret)) {
+               state->dns_err = werr_to_dns_err(ret);
+               tevent_req_done(req);
+               return tevent_req_post(req, ev);
+       }
+
        switch (state->in_packet.operation & DNS_OPCODE) {
        case DNS_OPCODE_QUERY:
                subreq = dns_server_process_query_send(
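Review bot: The relocated failure branch after `dns_verify_tsig()` no longer logs anything, because the `DEBUG(1, ("Failed to verify TSIG!\n"));` line from the block removed in the first hunk is not carried over. A TSIG MAC failure is an authentication failure on a signed request, so unless dns_verify_tsig() logs it itself (not visible here), operators lose the signal for spotting repeated bad-key or tampered requests; consider keeping the `DEBUG` line, ideally with the mapped `state->dns_err` in it. The ordering is now load-bearing according to the commit message and deserves a comment above the call, e.g. `/* must run after out_packet is copied and the flags are updated: on failure the packet passed in is used as the TSIG error response */`. Also, `state->out_packet = state->in_packet` is a shallow struct copy and the `switch` below still reads `state->in_packet`, so if dns_verify_tsig() modifies the packet it is given, the two views may diverge, which is worth confirming. dns_process_send() starts and ends outside the hunk.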