mirror of
git://sourceware.org/git/glibc.git
synced 2024-11-21 01:12:26 +08:00
resolv: Remove RES_INSECURE1, RES_INSECURE2
Always perform the associated security checks.
This commit is contained in:
parent
3f8b44be0a
commit
333221862e
@ -1,3 +1,12 @@
|
||||
2019-04-08 Florian Weimer <fweimer@redhat.com>
|
||||
|
||||
* resolv/resolv.h (RES_INSECURE1, RES_INSECURE2): Remove
|
||||
definitions.
|
||||
* resolv/res_send.c (send_dg): Always perform RES_INSECURE1 and
|
||||
RES_INSECURE2 security checks.
|
||||
* resolv/res_debug.c (p_option): Remove RES_INSECURE1 and
|
||||
RES_INSECURE2 handling.
|
||||
|
||||
2019-04-08 Florian Weimer <fweimer@redhat.com>
|
||||
|
||||
resolv: Remove support for RES_USE_INET6 and the inet6 option.
|
||||
|
3
NEWS
3
NEWS
@ -38,6 +38,9 @@ Deprecated and removed features, and other changes affecting compatibility:
|
||||
* Support for the "inet6" option in /etc/resolv.conf and the RES_USE_INET6
|
||||
resolver flag (deprecated in glibc 2.25) have been removed.
|
||||
|
||||
* The obsolete RES_INSECURE1 and RES_INSECURE2 option flags for the DNS stub
|
||||
resolver have been removed from <resolv.h>.
|
||||
|
||||
Changes to build and runtime requirements:
|
||||
|
||||
* GCC 6.2 or later is required to build the GNU C Library.
|
||||
|
@ -604,8 +604,6 @@ p_option(u_long option) {
|
||||
case RES_DEFNAMES: return "defnam";
|
||||
case RES_STAYOPEN: return "styopn";
|
||||
case RES_DNSRCH: return "dnsrch";
|
||||
case RES_INSECURE1: return "insecure1";
|
||||
case RES_INSECURE2: return "insecure2";
|
||||
case RES_NOALIASES: return "noaliases";
|
||||
case RES_ROTATE: return "rotate";
|
||||
case RES_USE_EDNS0: return "edns0";
|
||||
|
@ -1316,31 +1316,25 @@ send_dg(res_state statp,
|
||||
*/
|
||||
goto wait;
|
||||
}
|
||||
if (!(statp->options & RES_INSECURE1) &&
|
||||
!res_ourserver_p(statp, &from)) {
|
||||
/*
|
||||
* response from wrong server? ignore it.
|
||||
* XXX - potential security hazard could
|
||||
* be detected here.
|
||||
*/
|
||||
goto wait;
|
||||
}
|
||||
if (!(statp->options & RES_INSECURE2)
|
||||
&& (recvresp1 || !res_queriesmatch(buf, buf + buflen,
|
||||
|
||||
/* Paranoia check. Due to the connected UDP socket,
|
||||
the kernel has already filtered invalid addresses
|
||||
for us. */
|
||||
if (!res_ourserver_p(statp, &from))
|
||||
goto wait;
|
||||
|
||||
/* Check for the correct header layout and a matching
|
||||
question. */
|
||||
if ((recvresp1 || !res_queriesmatch(buf, buf + buflen,
|
||||
*thisansp,
|
||||
*thisansp
|
||||
+ *thisanssizp))
|
||||
&& (recvresp2 || !res_queriesmatch(buf2, buf2 + buflen2,
|
||||
*thisansp,
|
||||
*thisansp
|
||||
+ *thisanssizp))) {
|
||||
/*
|
||||
* response contains wrong query? ignore it.
|
||||
* XXX - potential security hazard could
|
||||
* be detected here.
|
||||
*/
|
||||
goto wait;
|
||||
}
|
||||
+ *thisanssizp)))
|
||||
goto wait;
|
||||
|
||||
if (anhp->rcode == SERVFAIL ||
|
||||
anhp->rcode == NOTIMP ||
|
||||
anhp->rcode == REFUSED) {
|
||||
|
@ -115,8 +115,6 @@ struct res_sym {
|
||||
#define RES_DEFNAMES 0x00000080 /* use default domain name */
|
||||
#define RES_STAYOPEN 0x00000100 /* Keep TCP socket open */
|
||||
#define RES_DNSRCH 0x00000200 /* search up local domain tree */
|
||||
#define RES_INSECURE1 0x00000400 /* type 1 security disabled */
|
||||
#define RES_INSECURE2 0x00000800 /* type 2 security disabled */
|
||||
#define RES_NOALIASES 0x00001000 /* shuts off HOSTALIASES feature */
|
||||
#define RES_ROTATE 0x00004000 /* rotate ns list after each query */
|
||||
#define RES_NOCHECKNAME \
|
||||
|
Loading…
Reference in New Issue
Block a user