[master] address rpz bugs

3877. [bug] Inserting and deleting parent and child nodes in response policy zones could trigger an assertion failure. [RT #36272]
2025-08-31 06:25:31 +00:00 · 2014-06-11 20:00:19 -07:00
parent 1208790272
commit 06e0d6bb12
9 changed files with 130 additions and 33 deletions
--- a/lib/dns/rpz.c
+++ b/lib/dns/rpz.c
@@ -1111,6 +1111,13 @@ add_cidr(dns_rpz_zones_t *rpzs, dns_rpz_num_t rpz_num,
 	if (result != ISC_R_SUCCESS) {
 		char namebuf[DNS_NAME_FORMATSIZE];

+		/*
+		 * Do not worry if the radix tree already exists,
+		 * because diff_apply() likes to add nodes before deleting.
+		 */
+		if (result == ISC_R_EXISTS)
+			return (ISC_R_SUCCESS);
+
 		/*
 		 * bin/tests/system/rpz/tests.sh looks for "rpz.*failed".
 		 */
@@ -1159,18 +1166,8 @@ add_nm(dns_rpz_zones_t *rpzs, dns_name_t *trig_name,
 	if ((nm_data->set.qname & new_data->set.qname) != 0 ||
 	    (nm_data->set.ns & new_data->set.ns) != 0 ||
 	    (nm_data->wild.qname & new_data->wild.qname) != 0 ||
-	    (nm_data->wild.ns & new_data->wild.ns) != 0) {
-		char namebuf[DNS_NAME_FORMATSIZE];
-
-		/*
-		 * bin/tests/system/rpz/tests.sh looks for "rpz.*failed".
-		 */
-		dns_name_format(trig_name, namebuf, sizeof(namebuf));
-		isc_log_write(dns_lctx, DNS_LOGCATEGORY_RPZ,
-			      DNS_LOGMODULE_RBTDB, DNS_RPZ_ERROR_LEVEL,
-			      "rpz add_nm(%s): bits already set", namebuf);
+	    (nm_data->wild.ns & new_data->wild.ns) != 0)
 		return (ISC_R_EXISTS);
-	}

 	nm_data->set.qname |= new_data->set.qname;
 	nm_data->set.ns |= new_data->set.ns;
@@ -1188,11 +1185,26 @@ add_name(dns_rpz_zones_t *rpzs, dns_rpz_num_t rpz_num,
 	dns_name_t *trig_name;
 	isc_result_t result;

+	/*
+	 * No need for a summary database of names with only 1 policy zone.
+	 */
+	if (rpzs->p.num_zones <= 1) {
+		adj_trigger_cnt(rpzs, rpz_num, rpz_type, NULL, 0, ISC_TRUE);
+		return (ISC_R_SUCCESS);
+	}
+
 	dns_fixedname_init(&trig_namef);
 	trig_name = dns_fixedname_name(&trig_namef);
 	name2data(rpzs, rpz_num, rpz_type, src_name, trig_name, &new_data);

 	result = add_nm(rpzs, trig_name, &new_data);
+
+	/*
+	 * Do not worry if the node already exists,
+	 * because diff_apply() likes to add nodes before deleting.
+	 */
+	if (result == ISC_R_EXISTS)
+		return (ISC_R_SUCCESS);
 	if (result == ISC_R_SUCCESS)
 		adj_trigger_cnt(rpzs, rpz_num, rpz_type, NULL, 0, ISC_TRUE);
 	return (result);
@@ -1793,10 +1805,6 @@ del_name(dns_rpz_zones_t *rpzs, dns_rpz_num_t rpz_num,
 	dns_rpz_nm_data_t *nm_data, del_data;
 	isc_result_t result;

-	dns_fixedname_init(&trig_namef);
-	trig_name = dns_fixedname_name(&trig_namef);
-	name2data(rpzs, rpz_num, rpz_type, src_name, trig_name, &del_data);
-
 	/*
 	 * No need for a summary database of names with only 1 policy zone.
 	 */
@@ -1805,6 +1813,10 @@ del_name(dns_rpz_zones_t *rpzs, dns_rpz_num_t rpz_num,
 		return;
 	}

+	dns_fixedname_init(&trig_namef);
+	trig_name = dns_fixedname_name(&trig_namef);
+	name2data(rpzs, rpz_num, rpz_type, src_name, trig_name, &del_data);
+
 	nmnode = NULL;
 	result = dns_rbt_findnode(rpzs->rbt, trig_name, NULL, &nmnode, NULL, 0,
 				  NULL, NULL);
@@ -1815,7 +1827,8 @@ del_name(dns_rpz_zones_t *rpzs, dns_rpz_num_t rpz_num,
 		 * that were later added for (often empty) wildcards
 		 * and then to the RBTDB deferred cleanup list.
 		 */
-		if (result == ISC_R_NOTFOUND)
+		if (result == ISC_R_NOTFOUND ||
+		    result == DNS_R_PARTIALMATCH)
 			return;
 		dns_name_format(src_name, namebuf, sizeof(namebuf));
 		isc_log_write(dns_lctx, DNS_LOGCATEGORY_RPZ,