Merge remote-tracking branch 'origin/topic/johanna/gh-4656'

* origin/topic/johanna/gh-4656:
  Fix parsing of EDNS rcode

CHANGES

@@ -1,3 +1,18 @@
+8.0.0-dev.768 | 2025-07-28 14:16:16 -0700
+
+  * Fix parsing of EDNS rcode (Johanna Amann, Corelight)
+
+    The EDNS rcode was incorrectly calculated. The extended rcode is formed
+    by taking the upper 8 bits of the extended rcode field, plus the lower 4
+    bits of the existing rcode.
+
+    This also adds a new trace with an extended rcode, and a testcase
+    parsing it.
+
+    Reported by dwhitemv25.
+
+    Fixes GH-4656
+
 8.0.0-dev.766 | 2025-07-28 14:15:19 -0700
 
   * Expand coverage of IRC analyzer with more commands (Tim Wojtulewicz, Corelight)

VERSION

@@ -1 +1 @@
-8.0.0-dev.766
+8.0.0-dev.768

src/analyzer/protocol/dns/DNS.cc

@@ -1737,7 +1737,7 @@ RecordValPtr DNS_MsgInfo::BuildEDNS_Val() {
     // unsigned int DO = ttl & 0x8000;	// "DNSSEC OK" - RFC 3225
     unsigned int z = ttl & 0xffff;
 
-    unsigned int return_error = (ercode << 8) | rcode;
+    unsigned int return_error = (ercode << 4) | rcode;
 
     r->Assign(4, return_error);
     r->Assign(5, version);

testing/btest/Baseline/scripts.base.protocols.dns.edns-rcode/output

@@ -0,0 +1,2 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
+16

testing/btest/scripts/base/protocols/dns/edns-rcode.zeek

@@ -0,0 +1,13 @@
+# @TEST-DOC: Tests that the correct extended rcode is returned for EDNS packets. Regression test for #4656.
+# @TEST-EXEC: zeek -b -C -r $TRACES/dns/dns_extended_rcode.pcap %INPUT > output
+# @TEST-EXEC: btest-diff output
+
+@load base/protocols/dns
+
+redef dns_skip_all_addl=F;
+
+event dns_EDNS_addl(c: connection, msg: dns_msg, ans: dns_edns_additional)
+	{
+	if ( c$dns?$rcode && ans?$extended_rcode )
+		print ans$extended_rcode;
+	}