Partial backport of:

commit 333221862ecbebde60dd16e7ca17d26444e62f50

Author: Florian Weimer <fweimer@redhat.com>

Date:   Mon Apr 8 11:19:38 2019 +0200

    resolv: Remove RES_INSECURE1, RES_INSECURE2

    Always perform the associated security checks.

The constants and their debug output handling are preserved in this

backport.

diff --git a/resolv/res_send.c b/resolv/res_send.c

index 705ecb7189d215c2..c9b02cca130bc20d 100644

--- a/resolv/res_send.c

+++ b/resolv/res_send.c

@@ -1324,31 +1324,25 @@ send_dg(res_state statp,

 			 */

 			goto wait;

 		}

-		if (!(statp->options & RES_INSECURE1) &&

-		    !res_ourserver_p(statp, &from)) {

-			/*

-			 * response from wrong server? ignore it.

-			 * XXX - potential security hazard could

-			 *	 be detected here.

-			 */

-			goto wait;

-		}

-		if (!(statp->options & RES_INSECURE2)

-		    && (recvresp1 || !res_queriesmatch(buf, buf + buflen,

+

+		/* Paranoia check.  Due to the connected UDP socket,

+		   the kernel has already filtered invalid addresses

+		   for us.  */

+		if (!res_ourserver_p(statp, &from))

+		  goto wait;

+

+		/* Check for the correct header layout and a matching

+		   question.  */

+		if ((recvresp1 || !res_queriesmatch(buf, buf + buflen,

 						       *thisansp,

 						       *thisansp

 						       + *thisanssizp))

 		    && (recvresp2 || !res_queriesmatch(buf2, buf2 + buflen2,

 						       *thisansp,

 						       *thisansp

-						       + *thisanssizp))) {

-			/*

-			 * response contains wrong query? ignore it.

-			 * XXX - potential security hazard could

-			 *	 be detected here.

-			 */

-			goto wait;

-		}

+						       + *thisanssizp)))

+		  goto wait;

+

 		if (anhp->rcode == SERVFAIL ||

 		    anhp->rcode == NOTIMP ||

 		    anhp->rcode == REFUSED) {