https-github-com-bit
diff --git a/‎src/resolve/resolved-dns-dnssec.c‎
Lines changed: 24 additions & 27 deletions b/‎src/resolve/resolved-dns-dnssec.c‎
Lines changed: 24 additions & 27 deletions
diff --git a/‎src/resolve/resolved-dns-packet.c‎
Lines changed: 20 additions & 20 deletions b/‎src/resolve/resolved-dns-packet.c‎
Lines changed: 20 additions & 20 deletions
diff --git a/‎src/resolve/resolved-dns-packet.h‎
Lines changed: 9 additions & 7 deletions b/‎src/resolve/resolved-dns-packet.h‎
Lines changed: 9 additions & 7 deletions
diff --git a/‎src/resolve/resolved-dns-query.c‎
Lines changed: 6 additions & 2 deletions b/‎src/resolve/resolved-dns-query.c‎
Lines changed: 6 additions & 2 deletions
diff --git a/‎src/resolve/resolved-dns-query.h‎
Lines changed: 21 additions & 18 deletions b/‎src/resolve/resolved-dns-query.h‎
Lines changed: 21 additions & 18 deletions
diff --git a/‎src/resolve/resolved-dns-rr.c‎
Lines changed: 9 additions & 11 deletions b/‎src/resolve/resolved-dns-rr.c‎
Lines changed: 9 additions & 11 deletions
@@ -35,7 +35,6 @@
 uint16_t dnssec_keytag(DnsResourceRecord *dnskey, bool mask_revoke) {
         const uint8_t *p;
         uint32_t sum, f;
-        size_t i;
 
         /* The algorithm from RFC 4034, Appendix B. */
 
@@ -51,7 +50,7 @@ uint16_t dnssec_keytag(DnsResourceRecord *dnskey, bool mask_revoke) {
 
         p = dnskey->dnskey.key;
 
-        for (i = 0; i < dnskey->dnskey.key_size; i++)
+        for (size_t i = 0; i < dnskey->dnskey.key_size; i++)
                 sum += (i & 1) == 0 ? (uint32_t) p[i] << 8 : (uint32_t) p[i];
 
         sum += (sum >> 16) & UINT32_C(0xFFFF);
@@ -483,14 +482,14 @@ static int dnssec_rrsig_prepare(DnsResourceRecord *rrsig) {
         const char *name;
         int r;
 
-        /* Checks whether the specified RRSIG RR is somewhat valid, and initializes the .n_skip_labels_source and
-         * .n_skip_labels_signer fields so that we can use them later on. */
+        /* Checks whether the specified RRSIG RR is somewhat valid, and initializes the .n_skip_labels_source
+         * and .n_skip_labels_signer fields so that we can use them later on. */
 
         assert(rrsig);
         assert(rrsig->key->type == DNS_TYPE_RRSIG);
 
         /* Check if this RRSIG RR is already prepared */
-        if (rrsig->n_skip_labels_source != UINT_MAX)
+        if (rrsig->n_skip_labels_source != UINT8_MAX)
                 return 0;
 
         if (rrsig->rrsig.inception > rrsig->rrsig.expiration)
@@ -523,6 +522,7 @@ static int dnssec_rrsig_prepare(DnsResourceRecord *rrsig) {
         if (r == 0)
                 return -EINVAL;
 
+        assert(n_key_labels < UINT8_MAX); /* UINT8_MAX/-1 means unsigned. */
         rrsig->n_skip_labels_source = n_key_labels - rrsig->rrsig.labels;
         rrsig->n_skip_labels_signer = n_key_labels - n_signer_labels;
 
@@ -604,13 +604,11 @@ static void dnssec_fix_rrset_ttl(
                 DnsResourceRecord *rrsig,
                 usec_t realtime) {
 
-        unsigned k;
-
         assert(list);
         assert(n > 0);
         assert(rrsig);
 
-        for (k = 0; k < n; k++) {
+        for (unsigned k = 0; k < n; k++) {
                 DnsResourceRecord *rr = list[k];
 
                 /* Pick the TTL as the minimum of the RR's TTL, the
@@ -640,7 +638,7 @@ int dnssec_verify_rrset(
         const char *source, *name;
         _cleanup_(gcry_md_closep) gcry_md_hd_t md = NULL;
         int r, md_algorithm;
-        size_t k, n = 0;
+        size_t n = 0;
         size_t sig_size = 0;
         _cleanup_free_ char *sig_data = NULL;
         _cleanup_fclose_ FILE *f = NULL;
@@ -770,7 +768,7 @@ int dnssec_verify_rrset(
         if (r < 0)
                 return r;
 
-        for (k = 0; k < n; k++) {
+        for (size_t k = 0; k < n; k++) {
                 size_t l;
 
                 rr = list[k];
@@ -1210,7 +1208,6 @@ int dnssec_nsec3_hash(DnsResourceRecord *nsec3, const char *name, void *ret) {
         size_t hash_size;
         int algorithm;
         void *result;
-        unsigned k;
         int r;
 
         assert(nsec3);
@@ -1252,7 +1249,7 @@ int dnssec_nsec3_hash(DnsResourceRecord *nsec3, const char *name, void *ret) {
         if (!result)
                 return -EIO;
 
-        for (k = 0; k < nsec3->nsec3.iterations; k++) {
+        for (unsigned k = 0; k < nsec3->nsec3.iterations; k++) {
                 uint8_t tmp[hash_size];
                 memcpy(tmp, result, hash_size);
 
@@ -1291,10 +1288,10 @@ static int nsec3_is_good(DnsResourceRecord *rr, DnsResourceRecord *nsec3) {
 
         /* Ignore NSEC3 RRs generated from wildcards. If these NSEC3 RRs weren't correctly signed we can't make this
          * check (since rr->n_skip_labels_source is -1), but that's OK, as we won't trust them anyway in that case. */
-        if (!IN_SET(rr->n_skip_labels_source, 0, UINT_MAX))
+        if (!IN_SET(rr->n_skip_labels_source, 0, UINT8_MAX))
                 return 0;
         /* Ignore NSEC3 RRs that are located anywhere else than one label below the zone */
-        if (!IN_SET(rr->n_skip_labels_signer, 1, UINT_MAX))
+        if (!IN_SET(rr->n_skip_labels_signer, 1, UINT8_MAX))
                 return 0;
 
         if (!nsec3)
@@ -2234,24 +2231,24 @@ int dnssec_test_positive_wildcard(
 #endif
 
 static const char* const dnssec_result_table[_DNSSEC_RESULT_MAX] = {
-        [DNSSEC_VALIDATED] = "validated",
-        [DNSSEC_VALIDATED_WILDCARD] = "validated-wildcard",
-        [DNSSEC_INVALID] = "invalid",
-        [DNSSEC_SIGNATURE_EXPIRED] = "signature-expired",
+        [DNSSEC_VALIDATED]             = "validated",
+        [DNSSEC_VALIDATED_WILDCARD]    = "validated-wildcard",
+        [DNSSEC_INVALID]               = "invalid",
+        [DNSSEC_SIGNATURE_EXPIRED]     = "signature-expired",
         [DNSSEC_UNSUPPORTED_ALGORITHM] = "unsupported-algorithm",
-        [DNSSEC_NO_SIGNATURE] = "no-signature",
-        [DNSSEC_MISSING_KEY] = "missing-key",
-        [DNSSEC_UNSIGNED] = "unsigned",
-        [DNSSEC_FAILED_AUXILIARY] = "failed-auxiliary",
-        [DNSSEC_NSEC_MISMATCH] = "nsec-mismatch",
-        [DNSSEC_INCOMPATIBLE_SERVER] = "incompatible-server",
+        [DNSSEC_NO_SIGNATURE]          = "no-signature",
+        [DNSSEC_MISSING_KEY]           = "missing-key",
+        [DNSSEC_UNSIGNED]              = "unsigned",
+        [DNSSEC_FAILED_AUXILIARY]      = "failed-auxiliary",
+        [DNSSEC_NSEC_MISMATCH]         = "nsec-mismatch",
+        [DNSSEC_INCOMPATIBLE_SERVER]   = "incompatible-server",
 };
 DEFINE_STRING_TABLE_LOOKUP(dnssec_result, DnssecResult);
 
 static const char* const dnssec_verdict_table[_DNSSEC_VERDICT_MAX] = {
-        [DNSSEC_SECURE] = "secure",
-        [DNSSEC_INSECURE] = "insecure",
-        [DNSSEC_BOGUS] = "bogus",
+        [DNSSEC_SECURE]        = "secure",
+        [DNSSEC_INSECURE]      = "insecure",
+        [DNSSEC_BOGUS]         = "bogus",
         [DNSSEC_INDETERMINATE] = "indeterminate",
 };
 DEFINE_STRING_TABLE_LOOKUP(dnssec_verdict, DnssecVerdict);
@@ -2635,31 +2635,31 @@ size_t dns_packet_size_unfragmented(DnsPacket *p) {
 }
 
 static const char* const dns_rcode_table[_DNS_RCODE_MAX_DEFINED] = {
-        [DNS_RCODE_SUCCESS] = "SUCCESS",
-        [DNS_RCODE_FORMERR] = "FORMERR",
-        [DNS_RCODE_SERVFAIL] = "SERVFAIL",
-        [DNS_RCODE_NXDOMAIN] = "NXDOMAIN",
-        [DNS_RCODE_NOTIMP] = "NOTIMP",
-        [DNS_RCODE_REFUSED] = "REFUSED",
-        [DNS_RCODE_YXDOMAIN] = "YXDOMAIN",
-        [DNS_RCODE_YXRRSET] = "YRRSET",
-        [DNS_RCODE_NXRRSET] = "NXRRSET",
-        [DNS_RCODE_NOTAUTH] = "NOTAUTH",
-        [DNS_RCODE_NOTZONE] = "NOTZONE",
-        [DNS_RCODE_BADVERS] = "BADVERS",
-        [DNS_RCODE_BADKEY] = "BADKEY",
-        [DNS_RCODE_BADTIME] = "BADTIME",
-        [DNS_RCODE_BADMODE] = "BADMODE",
-        [DNS_RCODE_BADNAME] = "BADNAME",
-        [DNS_RCODE_BADALG] = "BADALG",
-        [DNS_RCODE_BADTRUNC] = "BADTRUNC",
+        [DNS_RCODE_SUCCESS]   = "SUCCESS",
+        [DNS_RCODE_FORMERR]   = "FORMERR",
+        [DNS_RCODE_SERVFAIL]  = "SERVFAIL",
+        [DNS_RCODE_NXDOMAIN]  = "NXDOMAIN",
+        [DNS_RCODE_NOTIMP]    = "NOTIMP",
+        [DNS_RCODE_REFUSED]   = "REFUSED",
+        [DNS_RCODE_YXDOMAIN]  = "YXDOMAIN",
+        [DNS_RCODE_YXRRSET]   = "YRRSET",
+        [DNS_RCODE_NXRRSET]   = "NXRRSET",
+        [DNS_RCODE_NOTAUTH]   = "NOTAUTH",
+        [DNS_RCODE_NOTZONE]   = "NOTZONE",
+        [DNS_RCODE_BADVERS]   = "BADVERS",
+        [DNS_RCODE_BADKEY]    = "BADKEY",
+        [DNS_RCODE_BADTIME]   = "BADTIME",
+        [DNS_RCODE_BADMODE]   = "BADMODE",
+        [DNS_RCODE_BADNAME]   = "BADNAME",
+        [DNS_RCODE_BADALG]    = "BADALG",
+        [DNS_RCODE_BADTRUNC]  = "BADTRUNC",
         [DNS_RCODE_BADCOOKIE] = "BADCOOKIE",
 };
 DEFINE_STRING_TABLE_LOOKUP(dns_rcode, int);
 
 static const char* const dns_protocol_table[_DNS_PROTOCOL_MAX] = {
-        [DNS_PROTOCOL_DNS] = "dns",
-        [DNS_PROTOCOL_MDNS] = "mdns",
+        [DNS_PROTOCOL_DNS]   = "dns",
+        [DNS_PROTOCOL_MDNS]  = "mdns",
         [DNS_PROTOCOL_LLMNR] = "llmnr",
 };
 DEFINE_STRING_TABLE_LOOKUP(dns_protocol, DnsProtocol);
@@ -71,21 +71,23 @@ struct DnsPacket {
         DnsAnswer *answer;
         DnsResourceRecord *opt;
 
+        /* For support of truncated packets */
+        DnsPacket *more;
+
         /* Packet reception metadata */
+        usec_t timestamp; /* CLOCK_BOOTTIME (or CLOCK_MONOTONIC if the former doesn't exist) */
         int ifindex;
         int family, ipproto;
         union in_addr_union sender, destination;
         uint16_t sender_port, destination_port;
         uint32_t ttl;
-        usec_t timestamp; /* CLOCK_BOOTTIME (or CLOCK_MONOTONIC if the former doesn't exist) */
 
-        /* For support of truncated packets */
-        DnsPacket *more;
+        bool on_stack;
+        bool extracted;
+        bool refuse_compression;
+        bool canonical_form;
 
-        bool on_stack:1;
-        bool extracted:1;
-        bool refuse_compression:1;
-        bool canonical_form:1;
+        /* Note: fields should be ordered to minimize alignment gaps. Use pahole! */
 };
 
 static inline uint8_t* DNS_PACKET_DATA(const DnsPacket *p) {
 
@@ -12,6 +12,10 @@
 
 #define QUERIES_MAX 2048
 #define AUXILIARY_QUERIES_MAX 64
+#define CNAME_REDIRECTS_MAX 16
+
+assert_cc(AUXILIARY_QUERIES_MAX < UINT8_MAX);
+assert_cc(CNAME_REDIRECTS_MAX < UINT8_MAX);
 
 static int dns_query_candidate_new(DnsQueryCandidate **ret, DnsQuery *q, DnsScope *s) {
         DnsQueryCandidate *c;
@@ -1004,9 +1008,9 @@ static int dns_query_cname_redirect(DnsQuery *q, const DnsResourceRecord *cname)
 
         assert(q);
 
-        q->n_cname_redirects++;
-        if (q->n_cname_redirects > CNAME_REDIRECT_MAX)
+        if (q->n_cname_redirects >= CNAME_REDIRECTS_MAX)
                 return -ELOOP;
+        q->n_cname_redirects++;
 
         r = dns_question_cname_redirect(q->question_idna, cname, &nq_idna);
         if (r < 0)
 
@@ -33,14 +33,6 @@ struct DnsQueryCandidate {
 struct DnsQuery {
         Manager *manager;
 
-        /* When resolving a service, we first create a TXT+SRV query, and then for the hostnames we discover
-         * auxiliary A+AAAA queries. This pointer always points from the auxiliary queries back to the
-         * TXT+SRV query. */
-        DnsQuery *auxiliary_for;
-        LIST_HEAD(DnsQuery, auxiliary_queries);
-        unsigned n_auxiliary_queries;
-        int auxiliary_result;
-
         /* The question, formatted in IDNA for use on classic DNS, and as UTF8 for use in LLMNR or mDNS. Note
          * that even on classic DNS some labels might use UTF8 encoding. Specifically, DNS-SD service names
          * (in contrast to their domain suffixes) use UTF-8 encoding even on DNS. Thus, the difference
@@ -63,8 +55,12 @@ struct DnsQuery {
         uint64_t flags;
         int ifindex;
 
-        DnsTransactionState state;
-        unsigned n_cname_redirects;
+        /* When resolving a service, we first create a TXT+SRV query, and then for the hostnames we discover
+         * auxiliary A+AAAA queries. This pointer always points from the auxiliary queries back to the
+         * TXT+SRV query. */
+        int auxiliary_result;
+        DnsQuery *auxiliary_for;
+        LIST_HEAD(DnsQuery, auxiliary_queries);
 
         LIST_HEAD(DnsQueryCandidate, candidates);
         sd_event_source *timeout_event_source;
@@ -76,18 +72,26 @@ struct DnsQuery {
         uint64_t answer_query_flags;
         DnsProtocol answer_protocol;
         int answer_family;
+        DnsPacket *answer_full_packet;
         DnsSearchDomain *answer_search_domain;
+
+        DnsTransactionState state;
         int answer_errno; /* if state is DNS_TRANSACTION_ERRNO */
-        bool previous_redirect_unauthenticated;
-        bool previous_redirect_non_confidential;
-        bool previous_redirect_non_synthetic;
-        DnsPacket *answer_full_packet;
+
+        unsigned block_ready;
+
+        uint8_t n_auxiliary_queries;
+        uint8_t n_cname_redirects;
+
+        bool previous_redirect_unauthenticated:1;
+        bool previous_redirect_non_confidential:1;
+        bool previous_redirect_non_synthetic:1;
+        bool request_address_valid:1;
 
         /* Bus + Varlink client information */
         sd_bus_message *bus_request;
         Varlink *varlink_request;
         int request_family;
-        bool request_address_valid;
         union in_addr_union request_address;
         unsigned block_all_complete;
         char *request_address_string;
@@ -102,12 +106,13 @@ struct DnsQuery {
 
         /* Completion callback */
         void (*complete)(DnsQuery* q);
-        unsigned block_ready;
 
         sd_bus_track *bus_track;
 
         LIST_FIELDS(DnsQuery, queries);
         LIST_FIELDS(DnsQuery, auxiliary_queries);
+
+        /* Note: fields should be ordered to minimize alignment gaps. Use pahole! */
 };
 
 enum {
@@ -154,5 +159,3 @@ static inline uint64_t dns_query_reply_flags_make(DnsQuery *q) {
                                       dns_query_fully_confidential(q)) |
                 (q->answer_query_flags & (SD_RESOLVED_FROM_MASK|SD_RESOLVED_SYNTHETIC));
 }
-
-#define CNAME_REDIRECT_MAX 16
 
@@ -381,8 +381,8 @@ DnsResourceRecord* dns_resource_record_new(DnsResourceKey *key) {
                 .n_ref = 1,
                 .key = dns_resource_key_ref(key),
                 .expiry = USEC_INFINITY,
-                .n_skip_labels_signer = UINT_MAX,
-                .n_skip_labels_source = UINT_MAX,
+                .n_skip_labels_signer = UINT8_MAX,
+                .n_skip_labels_source = UINT8_MAX,
         };
 
         return rr;
@@ -795,14 +795,12 @@ static char *format_txt(DnsTxtItem *first) {
                 return NULL;
 
         LIST_FOREACH(items, i, first) {
-                size_t j;
-
                 if (i != first)
                         *(p++) = ' ';
 
                 *(p++) = '"';
 
-                for (j = 0; j < i->length; j++) {
+                for (size_t j = 0; j < i->length; j++) {
                         if (i->data[j] < ' ' || i->data[j] == '"' || i->data[j] >= 127) {
                                 *(p++) = '\\';
                                 *(p++) = '0' + (i->data[j] / 100);
@@ -1258,7 +1256,7 @@ int dns_resource_record_signer(DnsResourceRecord *rr, const char **ret) {
 
         /* Returns the RRset's signer, if it is known. */
 
-        if (rr->n_skip_labels_signer == UINT_MAX)
+        if (rr->n_skip_labels_signer == UINT8_MAX)
                 return -ENODATA;
 
         n = dns_resource_key_name(rr->key);
@@ -1281,7 +1279,7 @@ int dns_resource_record_source(DnsResourceRecord *rr, const char **ret) {
 
         /* Returns the RRset's synthesizing source, if it is known. */
 
-        if (rr->n_skip_labels_source == UINT_MAX)
+        if (rr->n_skip_labels_source == UINT8_MAX)
                 return -ENODATA;
 
         n = dns_resource_key_name(rr->key);
@@ -1315,7 +1313,7 @@ int dns_resource_record_is_synthetic(DnsResourceRecord *rr) {
 
         /* Returns > 0 if the RR is generated from a wildcard, and is not the asterisk name itself */
 
-        if (rr->n_skip_labels_source == UINT_MAX)
+        if (rr->n_skip_labels_source == UINT8_MAX)
                 return -ENODATA;
 
         if (rr->n_skip_labels_source == 0)
@@ -1868,9 +1866,9 @@ DEFINE_STRING_TABLE_LOOKUP_WITH_FALLBACK(dnssec_algorithm, int, 255);
 
 static const char* const dnssec_digest_table[_DNSSEC_DIGEST_MAX_DEFINED] = {
         /* Names as listed on https://www.iana.org/assignments/ds-rr-types/ds-rr-types.xhtml */
-        [DNSSEC_DIGEST_SHA1] = "SHA-1",
-        [DNSSEC_DIGEST_SHA256] = "SHA-256",
+        [DNSSEC_DIGEST_SHA1]            = "SHA-1",
+        [DNSSEC_DIGEST_SHA256]          = "SHA-256",
         [DNSSEC_DIGEST_GOST_R_34_11_94] = "GOST_R_34.11-94",
-        [DNSSEC_DIGEST_SHA384] = "SHA-384",
+        [DNSSEC_DIGEST_SHA384]          = "SHA-384",
 };
 DEFINE_STRING_TABLE_LOOKUP_WITH_FALLBACK(dnssec_digest, int, 255);