Fix panic when parsing resolv.conf

vendor/github.com/miekg/dns/xfr.go

@@ -1,6 +1,7 @@
 package dns
 
 import (
+	"fmt"
 	"time"
 )
 
@@ -16,7 +17,7 @@ type Transfer struct {
 	DialTimeout    time.Duration     // net.DialTimeout, defaults to 2 seconds
 	ReadTimeout    time.Duration     // net.Conn.SetReadTimeout value for connections, defaults to 2 seconds
 	WriteTimeout   time.Duration     // net.Conn.SetWriteTimeout value for connections, defaults to 2 seconds
-	TsigSecret     map[string]string // Secret(s) for Tsig map[<zonename>]<base64 secret>, zonename must be fully qualified
+	TsigSecret     map[string]string // Secret(s) for Tsig map[<zonename>]<base64 secret>, zonename must be in canonical form (lowercase, fqdn, see RFC 4034 Section 6.2)
 	tsigTimersOnly bool
 }
 
@@ -50,18 +51,18 @@ func (t *Transfer) In(q *Msg, a string) (env chan *Envelope, err error) {
 	env = make(chan *Envelope)
 	go func() {
 		if q.Question[0].Qtype == TypeAXFR {
-			go t.inAxfr(q.Id, env)
+			go t.inAxfr(q, env)
 			return
 		}
 		if q.Question[0].Qtype == TypeIXFR {
-			go t.inIxfr(q.Id, env)
+			go t.inIxfr(q, env)
 			return
 		}
 	}()
 	return env, nil
 }
 
-func (t *Transfer) inAxfr(id uint16, c chan *Envelope) {
+func (t *Transfer) inAxfr(q *Msg, c chan *Envelope) {
 	first := true
 	defer t.Close()
 	defer close(c)
@@ -76,11 +77,15 @@ func (t *Transfer) inAxfr(id uint16, c chan *Envelope) {
 			c <- &Envelope{nil, err}
 			return
 		}
-		if id != in.Id {
+		if q.Id != in.Id {
 			c <- &Envelope{in.Answer, ErrId}
 			return
 		}
 		if first {
+			if in.Rcode != RcodeSuccess {
+				c <- &Envelope{in.Answer, &Error{err: fmt.Sprintf(errXFR, in.Rcode)}}
+				return
+			}
 			if !isSOAFirst(in) {
 				c <- &Envelope{in.Answer, ErrSoa}
 				return
@@ -105,9 +110,11 @@ func (t *Transfer) inAxfr(id uint16, c chan *Envelope) {
 	}
 }
 
-func (t *Transfer) inIxfr(id uint16, c chan *Envelope) {
+func (t *Transfer) inIxfr(q *Msg, c chan *Envelope) {
 	serial := uint32(0) // The first serial seen is the current server serial
-	first := true
+	axfr := true
+	n := 0
+	qser := q.Ns[0].(*SOA).Serial
 	defer t.Close()
 	defer close(c)
 	timeout := dnsTimeout
@@ -121,17 +128,15 @@ func (t *Transfer) inIxfr(id uint16, c chan *Envelope) {
 			c <- &Envelope{nil, err}
 			return
 		}
-		if id != in.Id {
+		if q.Id != in.Id {
 			c <- &Envelope{in.Answer, ErrId}
 			return
 		}
-		if first {
-			// A single SOA RR signals "no changes"
-			if len(in.Answer) == 1 && isSOAFirst(in) {
-				c <- &Envelope{in.Answer, nil}
-				return
-			}
-
+		if in.Rcode != RcodeSuccess {
+			c <- &Envelope{in.Answer, &Error{err: fmt.Sprintf(errXFR, in.Rcode)}}
+			return
+		}
+		if n == 0 {
 			// Check if the returned answer is ok
 			if !isSOAFirst(in) {
 				c <- &Envelope{in.Answer, ErrSoa}
@@ -139,21 +144,30 @@ func (t *Transfer) inIxfr(id uint16, c chan *Envelope) {
 			}
 			// This serial is important
 			serial = in.Answer[0].(*SOA).Serial
-			first = !first
+			// Check if there are no changes in zone
+			if qser >= serial {
+				c <- &Envelope{in.Answer, nil}
+				return
+			}
 		}
-
 		// Now we need to check each message for SOA records, to see what we need to do
-		if !first {
-			t.tsigTimersOnly = true
-			// If the last record in the IXFR contains the servers' SOA,  we should quit
-			if v, ok := in.Answer[len(in.Answer)-1].(*SOA); ok {
+		t.tsigTimersOnly = true
+		for _, rr := range in.Answer {
+			if v, ok := rr.(*SOA); ok {
 				if v.Serial == serial {
-					c <- &Envelope{in.Answer, nil}
-					return
+					n++
+					// quit if it's a full axfr or the the servers' SOA is repeated the third time
+					if axfr && n == 2 || n == 3 {
+						c <- &Envelope{in.Answer, nil}
+						return
+					}
+				} else if axfr {
+					// it's an ixfr
+					axfr = false
 				}
 			}
-			c <- &Envelope{in.Answer, nil}
 		}
+		c <- &Envelope{in.Answer, nil}
 	}
 }
 
@@ -242,3 +256,5 @@ func isSOALast(in *Msg) bool {
 	}
 	return false
 }
+
+const errXFR = "bad xfr rcode: %d"