446cf2
Partial backport of:
446cf2
446cf2
commit 333221862ecbebde60dd16e7ca17d26444e62f50
446cf2
Author: Florian Weimer <fweimer@redhat.com>
446cf2
Date:   Mon Apr 8 11:19:38 2019 +0200
446cf2
446cf2
    resolv: Remove RES_INSECURE1, RES_INSECURE2
446cf2
    
446cf2
    Always perform the associated security checks.
446cf2
446cf2
The constants and their debug output handling are preserve in this
446cf2
backport.
446cf2
446cf2
diff --git a/resolv/res_send.c b/resolv/res_send.c
446cf2
index 705ecb7189d215c2..c9b02cca130bc20d 100644
446cf2
--- a/resolv/res_send.c
446cf2
+++ b/resolv/res_send.c
446cf2
@@ -1324,31 +1324,25 @@ send_dg(res_state statp,
446cf2
 			 */
446cf2
 			goto wait;
446cf2
 		}
446cf2
-		if (!(statp->options & RES_INSECURE1) &&
446cf2
-		    !res_ourserver_p(statp, &from)) {
446cf2
-			/*
446cf2
-			 * response from wrong server? ignore it.
446cf2
-			 * XXX - potential security hazard could
446cf2
-			 *	 be detected here.
446cf2
-			 */
446cf2
-			goto wait;
446cf2
-		}
446cf2
-		if (!(statp->options & RES_INSECURE2)
446cf2
-		    && (recvresp1 || !res_queriesmatch(buf, buf + buflen,
446cf2
+
446cf2
+		/* Paranoia check.  Due to the connected UDP socket,
446cf2
+		   the kernel has already filtered invalid addresses
446cf2
+		   for us.  */
446cf2
+		if (!res_ourserver_p(statp, &from))
446cf2
+		  goto wait;
446cf2
+
446cf2
+		/* Check for the correct header layout and a matching
446cf2
+		   question.  */
446cf2
+		if ((recvresp1 || !res_queriesmatch(buf, buf + buflen,
446cf2
 						       *thisansp,
446cf2
 						       *thisansp
446cf2
 						       + *thisanssizp))
446cf2
 		    && (recvresp2 || !res_queriesmatch(buf2, buf2 + buflen2,
446cf2
 						       *thisansp,
446cf2
 						       *thisansp
446cf2
-						       + *thisanssizp))) {
446cf2
-			/*
446cf2
-			 * response contains wrong query? ignore it.
446cf2
-			 * XXX - potential security hazard could
446cf2
-			 *	 be detected here.
446cf2
-			 */
446cf2
-			goto wait;
446cf2
-		}
446cf2
+						       + *thisanssizp)))
446cf2
+		  goto wait;
446cf2
+
446cf2
 		if (anhp->rcode == SERVFAIL ||
446cf2
 		    anhp->rcode == NOTIMP ||
446cf2
 		    anhp->rcode == REFUSED) {