From 835a7e7a4dd68819f7610dafdf9277d3852aef6a Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Dag-Erling=20Sm=C3=B8rgrav?= <des@FreeBSD.org>
Date: Sat, 12 Dec 2015 22:17:01 +0000
Subject: [PATCH] import unbound 1.5.6

---
 configure                  |  25 ++++-----
 configure.ac               |   5 +-
 dns64/dns64.c              |   6 ++-
 doc/Changelog              |  22 ++++++++
 doc/README                 |   2 +-
 doc/example.conf.in        |   4 +-
 doc/libunbound.3.in        |   4 +-
 doc/unbound-anchor.8.in    |   2 +-
 doc/unbound-checkconf.8.in |   2 +-
 doc/unbound-control.8.in   |   2 +-
 doc/unbound-host.1.in      |   2 +-
 doc/unbound.8.in           |   4 +-
 doc/unbound.conf.5.in      |   6 +--
 services/cache/dns.c       |   5 +-
 sldns/wire2str.c           |   3 ++
 testdata/dns64_lookup.rpl  | 101 +++++++++++++++++++++++++++++++++++--
 util/config_file.c         |   2 +-
 util/iana_ports.inc        |   1 +
 18 files changed, 163 insertions(+), 35 deletions(-)

diff --git a/configure b/configure
index 7b0a7e61622c..6f9d442111d9 100755
--- a/configure
+++ b/configure
@@ -1,6 +1,6 @@
 #! /bin/sh
 # Guess values for system-dependent variables and create Makefiles.
-# Generated by GNU Autoconf 2.69 for unbound 1.5.5.
+# Generated by GNU Autoconf 2.69 for unbound 1.5.6.
 #
 # Report bugs to <unbound-bugs@nlnetlabs.nl>.
 #
@@ -590,8 +590,8 @@ MAKEFLAGS=
 # Identity of this package.
 PACKAGE_NAME='unbound'
 PACKAGE_TARNAME='unbound'
-PACKAGE_VERSION='1.5.5'
-PACKAGE_STRING='unbound 1.5.5'
+PACKAGE_VERSION='1.5.6'
+PACKAGE_STRING='unbound 1.5.6'
 PACKAGE_BUGREPORT='unbound-bugs@nlnetlabs.nl'
 PACKAGE_URL=''
 
@@ -1391,7 +1391,7 @@ if test "$ac_init_help" = "long"; then
   # Omit some internal or obsolete options to make the list less imposing.
   # This message is too long to be a string in the A/UX 3.1 sh.
   cat <<_ACEOF
-\`configure' configures unbound 1.5.5 to adapt to many kinds of systems.
+\`configure' configures unbound 1.5.6 to adapt to many kinds of systems.
 
 Usage: $0 [OPTION]... [VAR=VALUE]...
 
@@ -1456,7 +1456,7 @@ fi
 
 if test -n "$ac_init_help"; then
   case $ac_init_help in
-     short | recursive ) echo "Configuration of unbound 1.5.5:";;
+     short | recursive ) echo "Configuration of unbound 1.5.6:";;
    esac
   cat <<\_ACEOF
 
@@ -1635,7 +1635,7 @@ fi
 test -n "$ac_init_help" && exit $ac_status
 if $ac_init_version; then
   cat <<\_ACEOF
-unbound configure 1.5.5
+unbound configure 1.5.6
 generated by GNU Autoconf 2.69
 
 Copyright (C) 2012 Free Software Foundation, Inc.
@@ -2344,7 +2344,7 @@ cat >config.log <<_ACEOF
 This file contains any messages produced by compilers while
 running configure, to aid debugging if configure makes a mistake.
 
-It was created by unbound $as_me 1.5.5, which was
+It was created by unbound $as_me 1.5.6, which was
 generated by GNU Autoconf 2.69.  Invocation command line was
 
   $ $0 $@
@@ -2696,11 +2696,11 @@ UNBOUND_VERSION_MAJOR=1
 
 UNBOUND_VERSION_MINOR=5
 
-UNBOUND_VERSION_MICRO=5
+UNBOUND_VERSION_MICRO=6
 
 
 LIBUNBOUND_CURRENT=5
-LIBUNBOUND_REVISION=8
+LIBUNBOUND_REVISION=9
 LIBUNBOUND_AGE=3
 # 1.0.0 had 0:12:0
 # 1.0.1 had 0:13:0
@@ -2745,6 +2745,7 @@ LIBUNBOUND_AGE=3
 # 1.5.3 had 5:6:3
 # 1.5.4 had 5:7:3
 # 1.5.5 had 5:8:3
+# 1.5.6 had 5:9:3
 
 #   Current  -- the number of the binary API that we're implementing
 #   Revision -- which iteration of the implementation of the binary
@@ -19017,7 +19018,7 @@ _ACEOF
 
 
 
-version=1.5.5
+version=1.5.6
 
 date=`date +'%b %e, %Y'`
 
@@ -19532,7 +19533,7 @@ cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1
 # report actual input values of CONFIG_FILES etc. instead of their
 # values after options handling.
 ac_log="
-This file was extended by unbound $as_me 1.5.5, which was
+This file was extended by unbound $as_me 1.5.6, which was
 generated by GNU Autoconf 2.69.  Invocation command line was
 
   CONFIG_FILES    = $CONFIG_FILES
@@ -19598,7 +19599,7 @@ _ACEOF
 cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1
 ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`"
 ac_cs_version="\\
-unbound config.status 1.5.5
+unbound config.status 1.5.6
 configured by $0, generated by GNU Autoconf 2.69,
   with options \\"\$ac_cs_config\\"
 
diff --git a/configure.ac b/configure.ac
index 871ea7c993f9..c555a2a623cc 100644
--- a/configure.ac
+++ b/configure.ac
@@ -10,14 +10,14 @@ sinclude(dnstap/dnstap.m4)
 # must be numbers. ac_defun because of later processing
 m4_define([VERSION_MAJOR],[1])
 m4_define([VERSION_MINOR],[5])
-m4_define([VERSION_MICRO],[5])
+m4_define([VERSION_MICRO],[6])
 AC_INIT(unbound, m4_defn([VERSION_MAJOR]).m4_defn([VERSION_MINOR]).m4_defn([VERSION_MICRO]), unbound-bugs@nlnetlabs.nl, unbound)
 AC_SUBST(UNBOUND_VERSION_MAJOR, [VERSION_MAJOR])
 AC_SUBST(UNBOUND_VERSION_MINOR, [VERSION_MINOR])
 AC_SUBST(UNBOUND_VERSION_MICRO, [VERSION_MICRO])
 
 LIBUNBOUND_CURRENT=5
-LIBUNBOUND_REVISION=8
+LIBUNBOUND_REVISION=9
 LIBUNBOUND_AGE=3
 # 1.0.0 had 0:12:0
 # 1.0.1 had 0:13:0
@@ -62,6 +62,7 @@ LIBUNBOUND_AGE=3
 # 1.5.3 had 5:6:3
 # 1.5.4 had 5:7:3
 # 1.5.5 had 5:8:3
+# 1.5.6 had 5:9:3
 
 #   Current  -- the number of the binary API that we're implementing
 #   Revision -- which iteration of the implementation of the binary
diff --git a/dns64/dns64.c b/dns64/dns64.c
index 63cc8084e35f..0de3f6643341 100644
--- a/dns64/dns64.c
+++ b/dns64/dns64.c
@@ -618,8 +618,10 @@ dns64_synth_aaaa_data(const struct ub_packed_rrset_key* fk,
 	dd->rr_ttl = (time_t*)&dd->rr_data[dd->count];
 	for(i = 0; i < fd->count; ++i) {
 		if (fd->rr_len[i] != 6 || fd->rr_data[i][0] != 0
-		    || fd->rr_data[i][1] != 4)
+		    || fd->rr_data[i][1] != 4) {
+			*dd_out = NULL;
 			return;
+		}
 		dd->rr_len[i] = 18;
 		dd->rr_data[i] =
 		    (uint8_t*)&dd->rr_ttl[dd->count] + 18*i;
@@ -638,6 +640,7 @@ dns64_synth_aaaa_data(const struct ub_packed_rrset_key* fk,
 	 */
 	if(!dk) {
 		log_err("no key");
+		*dd_out = NULL;
 		return;
 	}
 
@@ -646,6 +649,7 @@ dns64_synth_aaaa_data(const struct ub_packed_rrset_key* fk,
 
 	if(!dk->rk.dname) {
 		log_err("out of memory");
+		*dd_out = NULL;
 		return;
 	}
 
diff --git a/doc/Changelog b/doc/Changelog
index 3f3b245940bd..afac05f7cbf8 100644
--- a/doc/Changelog
+++ b/doc/Changelog
@@ -1,3 +1,25 @@
+15 October 2015: Wouter
+	- Fix segfault in the dns64 module in the formaterror error path.
+	- Fix sldns_wire2str_rdata_scan for malformed RRs.
+	- tag for 1.5.6rc1 release.
+
+14 October 2015: Wouter
+	- ANY responses include DNAME records if present, as per Evan Hunt's
+	  remark in dnsop.
+	- Fix manpage to suggest using SIGTERM to terminate the server.
+
+9 October 2015: Wouter
+	- Default for ssl-port is port 853, the temporary port assignment
+	  for secure domain name system traffic.
+	  If you used to rely on the older default of port 443, you have
+	  to put a clause in unbound.conf for that.  The new value is likely
+	  going to be the standardised port number for this traffic.
+	- iana portlist update.
+
+6 October 2015: Wouter
+	- 1.5.5 release.
+	- trunk tracks the development of 1.5.6.
+
 28 September 2015: Wouter
 	- MAX_TARGET_COUNT increased to 64, to fix up sporadic resolution
 	  failures.
diff --git a/doc/README b/doc/README
index c8bddcccf838..e8dd9ada2e49 100644
--- a/doc/README
+++ b/doc/README
@@ -1,4 +1,4 @@
-README for Unbound 1.5.5
+README for Unbound 1.5.6
 Copyright 2007 NLnet Labs
 http://unbound.net
 
diff --git a/doc/example.conf.in b/doc/example.conf.in
index 399aa8048e79..a96ccd3faf73 100644
--- a/doc/example.conf.in
+++ b/doc/example.conf.in
@@ -1,7 +1,7 @@
 #
 # Example configuration file.
 #
-# See unbound.conf(5) man page, version 1.5.5.
+# See unbound.conf(5) man page, version 1.5.6.
 #
 # this is a comment.
 
@@ -552,7 +552,7 @@ server:
 	# default is "" (disabled).  requires restart to take effect.
 	# ssl-service-key: "path/to/privatekeyfile.key"
 	# ssl-service-pem: "path/to/publiccertfile.pem"
-	# ssl-port: 443
+	# ssl-port: 853
 
 	# request upstream over SSL (with plain DNS inside the SSL stream).
 	# Default is no.  Can be turned on and off with unbound-control.
diff --git a/doc/libunbound.3.in b/doc/libunbound.3.in
index 9ef367fdda4b..8d1c6ce7206a 100644
--- a/doc/libunbound.3.in
+++ b/doc/libunbound.3.in
@@ -1,4 +1,4 @@
-.TH "libunbound" "3" "Oct  6, 2015" "NLnet Labs" "unbound 1.5.5"
+.TH "libunbound" "3" "Oct 20, 2015" "NLnet Labs" "unbound 1.5.6"
 .\"
 .\" libunbound.3 -- unbound library functions manual
 .\"
@@ -42,7 +42,7 @@
 .B ub_ctx_zone_remove,
 .B ub_ctx_data_add,
 .B ub_ctx_data_remove
-\- Unbound DNS validating resolver 1.5.5 functions.
+\- Unbound DNS validating resolver 1.5.6 functions.
 .SH "SYNOPSIS"
 .B #include <unbound.h>
 .LP
diff --git a/doc/unbound-anchor.8.in b/doc/unbound-anchor.8.in
index e89be5b44ff1..56edd21afc3a 100644
--- a/doc/unbound-anchor.8.in
+++ b/doc/unbound-anchor.8.in
@@ -1,4 +1,4 @@
-.TH "unbound-anchor" "8" "Oct  6, 2015" "NLnet Labs" "unbound 1.5.5"
+.TH "unbound-anchor" "8" "Oct 20, 2015" "NLnet Labs" "unbound 1.5.6"
 .\"
 .\" unbound-anchor.8 -- unbound anchor maintenance utility manual
 .\"
diff --git a/doc/unbound-checkconf.8.in b/doc/unbound-checkconf.8.in
index 234a04a48e84..b68da38fdb76 100644
--- a/doc/unbound-checkconf.8.in
+++ b/doc/unbound-checkconf.8.in
@@ -1,4 +1,4 @@
-.TH "unbound-checkconf" "8" "Oct  6, 2015" "NLnet Labs" "unbound 1.5.5"
+.TH "unbound-checkconf" "8" "Oct 20, 2015" "NLnet Labs" "unbound 1.5.6"
 .\"
 .\" unbound-checkconf.8 -- unbound configuration checker manual
 .\"
diff --git a/doc/unbound-control.8.in b/doc/unbound-control.8.in
index eefd207df834..5d37478a477d 100644
--- a/doc/unbound-control.8.in
+++ b/doc/unbound-control.8.in
@@ -1,4 +1,4 @@
-.TH "unbound-control" "8" "Oct  6, 2015" "NLnet Labs" "unbound 1.5.5"
+.TH "unbound-control" "8" "Oct 20, 2015" "NLnet Labs" "unbound 1.5.6"
 .\"
 .\" unbound-control.8 -- unbound remote control manual
 .\"
diff --git a/doc/unbound-host.1.in b/doc/unbound-host.1.in
index a4742d7f5ad9..3acf31819cb0 100644
--- a/doc/unbound-host.1.in
+++ b/doc/unbound-host.1.in
@@ -1,4 +1,4 @@
-.TH "unbound\-host" "1" "Oct  6, 2015" "NLnet Labs" "unbound 1.5.5"
+.TH "unbound\-host" "1" "Oct 20, 2015" "NLnet Labs" "unbound 1.5.6"
 .\"
 .\" unbound-host.1 -- unbound DNS lookup utility
 .\"
diff --git a/doc/unbound.8.in b/doc/unbound.8.in
index df9baa04e20a..db6f3110a407 100644
--- a/doc/unbound.8.in
+++ b/doc/unbound.8.in
@@ -1,4 +1,4 @@
-.TH "unbound" "8" "Oct  6, 2015" "NLnet Labs" "unbound 1.5.5"
+.TH "unbound" "8" "Oct 20, 2015" "NLnet Labs" "unbound 1.5.6"
 .\"
 .\" unbound.8 -- unbound manual
 .\"
@@ -9,7 +9,7 @@
 .\"
 .SH "NAME"
 .B unbound
-\- Unbound DNS validating resolver 1.5.5.
+\- Unbound DNS validating resolver 1.5.6.
 .SH "SYNOPSIS"
 .B unbound
 .RB [ \-h ]
diff --git a/doc/unbound.conf.5.in b/doc/unbound.conf.5.in
index c497eeebf33f..621e01911917 100644
--- a/doc/unbound.conf.5.in
+++ b/doc/unbound.conf.5.in
@@ -1,4 +1,4 @@
-.TH "unbound.conf" "5" "Oct  6, 2015" "NLnet Labs" "unbound 1.5.5"
+.TH "unbound.conf" "5" "Oct 20, 2015" "NLnet Labs" "unbound 1.5.6"
 .\"
 .\" unbound.conf.5 -- unbound.conf manual
 .\"
@@ -362,7 +362,7 @@ The public key certificate pem file for the ssl service.  Default is "",
 turned off.
 .TP
 .B ssl\-port: \fI<number>
-The port number on which to provide TCP SSL service, default 443, only
+The port number on which to provide TCP SSL service, default 853, only
 interfaces configured with that port number as @number get the SSL service.
 .TP
 .B do\-daemonize: \fI<yes or no>
@@ -481,7 +481,7 @@ kill \-HUP `cat @UNBOUND_PIDFILE@`
 .fi
 triggers a reload,
 .nf
-kill \-QUIT `cat @UNBOUND_PIDFILE@` 
+kill \-TERM `cat @UNBOUND_PIDFILE@` 
 .fi
 gracefully terminates.
 .TP
diff --git a/services/cache/dns.c b/services/cache/dns.c
index ba81afde4fda..e14e636dbfd0 100644
--- a/services/cache/dns.c
+++ b/services/cache/dns.c
@@ -656,8 +656,9 @@ fill_any(struct module_env* env,
 	time_t now = *env->now;
 	struct dns_msg* msg = NULL;
 	uint16_t lookup[] = {LDNS_RR_TYPE_A, LDNS_RR_TYPE_AAAA,
-		LDNS_RR_TYPE_MX, LDNS_RR_TYPE_SOA, LDNS_RR_TYPE_NS, 0};
-	int i, num=5; /* number of RR types to look up */
+		LDNS_RR_TYPE_MX, LDNS_RR_TYPE_SOA, LDNS_RR_TYPE_NS,
+		LDNS_RR_TYPE_DNAME, 0};
+	int i, num=6; /* number of RR types to look up */
 	log_assert(lookup[num] == 0);
 
 	for(i=0; i<num; i++) {
diff --git a/sldns/wire2str.c b/sldns/wire2str.c
index cec3bc7b08da..5cbd78eedb29 100644
--- a/sldns/wire2str.c
+++ b/sldns/wire2str.c
@@ -697,6 +697,9 @@ int sldns_wire2str_rdata_scan(uint8_t** d, size_t* dlen, char** s,
 		}
 		w += n;
 	}
+	if(*dlen != 0) {
+		goto failed;
+	}
 	return w;
 }
 
diff --git a/testdata/dns64_lookup.rpl b/testdata/dns64_lookup.rpl
index 5d4a63b3e73c..49f26db89c7c 100644
--- a/testdata/dns64_lookup.rpl
+++ b/testdata/dns64_lookup.rpl
@@ -15,7 +15,7 @@ SCENARIO_BEGIN Test dns64 lookup and synthesis.
 ; AAAA if present, is passed through unchanged.
 
 ; K.ROOT-SERVERS.NET.
-RANGE_BEGIN 0 100
+RANGE_BEGIN 0 200
 	ADDRESS 193.0.14.129 
 ENTRY_BEGIN
 MATCH opcode qtype qname
@@ -40,10 +40,23 @@ com.	IN NS	a.gtld-servers.net.
 SECTION ADDITIONAL
 a.gtld-servers.net.	IN 	A	192.5.6.30
 ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode subdomain
+ADJUST copy_id copy_query
+REPLY QR NOERROR
+SECTION QUESTION
+7.6.5.in-addr.arpa. IN A
+SECTION AUTHORITY
+7.6.5.in-addr.arpa. IN NS ns.example.com.
+SECTION ADDITIONAL
+ns.example.com.		IN	A	1.2.3.4
+ENTRY_END
+
 RANGE_END
 
 ; a.gtld-servers.net.
-RANGE_BEGIN 0 100
+RANGE_BEGIN 0 200
 	ADDRESS 192.5.6.30
 ENTRY_BEGIN
 MATCH opcode qtype qname
@@ -71,7 +84,7 @@ ENTRY_END
 RANGE_END
 
 ; ns.example.com.
-RANGE_BEGIN 0 100
+RANGE_BEGIN 0 200
 	ADDRESS 1.2.3.4
 ENTRY_BEGIN
 MATCH opcode qtype qname
@@ -125,6 +138,33 @@ SECTION ADDITIONAL
 ns.example.com.		IN 	A	1.2.3.4
 ENTRY_END
 
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR NOERROR
+SECTION QUESTION
+broken.example.com. IN AAAA
+SECTION ANSWER
+; NO AAAA present
+SECTION AUTHORITY
+example.com.	IN SOA	a. b. 1 2 3 4 5
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR NOERROR
+SECTION QUESTION
+broken.example.com. IN A
+SECTION ANSWER
+broken.example.com. IN A	5.6.7.8
+broken.example.com. IN A \# 3 030405
+SECTION AUTHORITY
+example.com.	IN NS	ns.example.com.
+SECTION ADDITIONAL
+ns.example.com.		IN 	A	1.2.3.4
+ENTRY_END
+
 ENTRY_BEGIN
 MATCH opcode qtype qname
 ADJUST copy_id
@@ -138,6 +178,19 @@ example.com.	IN NS	ns.example.com.
 SECTION ADDITIONAL
 ns.example.com.		IN 	A	1.2.3.4
 ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR NOERROR
+SECTION QUESTION
+8.7.6.5.in-addr.arpa. IN PTR
+SECTION ANSWER
+8.7.6.5.in-addr.arpa. PTR ip4.example.com.
+SECTION AUTHORITY
+7.6.5.in-addr.arpa. IN NS ns.example.com.
+ENTRY_END
+
 RANGE_END
 
 STEP 1 QUERY
@@ -208,4 +261,46 @@ SECTION ADDITIONAL
 ns.example.com.		IN 	A	1.2.3.4
 ENTRY_END
 
+; test ptr lookup
+STEP 60 QUERY
+ENTRY_BEGIN
+REPLY RD
+SECTION QUESTION
+8.0.7.0.6.0.5.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.b.9.f.f.4.6.0.0.ip6.arpa. IN PTR
+ENTRY_END
+
+; recursion happens here.
+STEP 70 CHECK_ANSWER
+ENTRY_BEGIN
+MATCH all
+REPLY QR RD RA NOERROR
+SECTION QUESTION
+8.0.7.0.6.0.5.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.b.9.f.f.4.6.0.0.ip6.arpa. IN PTR
+SECTION ANSWER
+8.0.7.0.6.0.5.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.b.9.f.f.4.6.0.0.ip6.arpa. IN PTR ip4.example.com.
+SECTION AUTHORITY
+7.6.5.in-addr.arpa. IN NS ns.example.com.
+ENTRY_END
+
+; synthesize from broken, malformed A records 
+STEP 80 QUERY
+ENTRY_BEGIN
+REPLY RD
+SECTION QUESTION
+broken.example.com. IN AAAA
+ENTRY_END
+
+; recursion happens here.
+STEP 90 CHECK_ANSWER
+ENTRY_BEGIN
+MATCH all
+REPLY QR RD RA NOERROR
+SECTION QUESTION
+broken.example.com. IN AAAA
+SECTION ANSWER
+SECTION AUTHORITY
+example.com.	IN SOA	a. b. 1 2 3 4 5
+SECTION ADDITIONAL
+ENTRY_END
+
 SCENARIO_END
diff --git a/util/config_file.c b/util/config_file.c
index 211fffba4b88..db328f3307ba 100644
--- a/util/config_file.c
+++ b/util/config_file.c
@@ -100,7 +100,7 @@ config_create(void)
 	cfg->tcp_upstream = 0;
 	cfg->ssl_service_key = NULL;
 	cfg->ssl_service_pem = NULL;
-	cfg->ssl_port = 443;
+	cfg->ssl_port = 853;
 	cfg->ssl_upstream = 0;
 	cfg->use_syslog = 1;
 	cfg->log_time_ascii = 0;
diff --git a/util/iana_ports.inc b/util/iana_ports.inc
index 64edf0b02ec7..47496fc8d2f3 100644
--- a/util/iana_ports.inc
+++ b/util/iana_ports.inc
@@ -660,6 +660,7 @@
 833,
 847,
 848,
+853,
 860,
 861,
 862,