From 383dce9343d6af011ccc2924108effe1d58cbcba Mon Sep 17 00:00:00 2001 From: Johanna Amann Date: Thu, 24 Jul 2025 08:39:49 +0100 Subject: [PATCH] Fix parsing of EDNS rcode The EDNS rcode was incorrectly calculated. The extended rcode is formed by taking the upper 8 bits of the extended rcode field, plus the lower 4 bits of the existing rcode. This also adds a new trace with an extended rcode, and a testcase parsing it. Reported by dwhitemv25. Fixes GH-4656 --- src/analyzer/protocol/dns/DNS.cc | 2 +- .../scripts.base.protocols.dns.edns-rcode/output | 2 ++ testing/btest/Traces/dns/dns_extended_rcode.pcap | Bin 0 -> 202 bytes .../scripts/base/protocols/dns/edns-rcode.zeek | 13 +++++++++++++ 4 files changed, 16 insertions(+), 1 deletion(-) create mode 100644 testing/btest/Baseline/scripts.base.protocols.dns.edns-rcode/output create mode 100644 testing/btest/Traces/dns/dns_extended_rcode.pcap create mode 100644 testing/btest/scripts/base/protocols/dns/edns-rcode.zeek diff --git a/src/analyzer/protocol/dns/DNS.cc b/src/analyzer/protocol/dns/DNS.cc index 9ef6a1fc79..f90ce0c393 100644 --- a/src/analyzer/protocol/dns/DNS.cc +++ b/src/analyzer/protocol/dns/DNS.cc @@ -1737,7 +1737,7 @@ RecordValPtr DNS_MsgInfo::BuildEDNS_Val() { // unsigned int DO = ttl & 0x8000; // "DNSSEC OK" - RFC 3225 unsigned int z = ttl & 0xffff; - unsigned int return_error = (ercode << 8) | rcode; + unsigned int return_error = (ercode << 4) | rcode; r->Assign(4, return_error); r->Assign(5, version); diff --git a/testing/btest/Baseline/scripts.base.protocols.dns.edns-rcode/output b/testing/btest/Baseline/scripts.base.protocols.dns.edns-rcode/output new file mode 100644 index 0000000000..e5d92ee495 --- /dev/null +++ b/testing/btest/Baseline/scripts.base.protocols.dns.edns-rcode/output @@ -0,0 +1,2 @@ +### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63. +16 
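Review bot: The new expression `(ercode << 4) | rcode` in BuildEDNS_Val() yields a valid 12-bit code only if `rcode` holds at most 4 bits and `ercode` at most 8, and neither assignment is visible in this hunk. Both values come from packet data, so if they are not already reduced where they are parsed, masking here keeps a malformed response from producing an out-of-range value that scripts and logs would then match on: `unsigned int return_error = ((ercode & 0xff) << 4) | (rcode & 0xf);`. A short comment would stop the shift width from being "corrected" back, for example `// RFC 6891 6.1.3: OPT carries the upper 8 bits of the 12-bit RCODE, the header rcode the lower 4`. The function body starts and ends outside the hunk.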
diff --git a/testing/btest/Traces/dns/dns_extended_rcode.pcap b/testing/btest/Traces/dns/dns_extended_rcode.pcap new file mode 100644 index 0000000000000000000000000000000000000000..e431330c0953ba2a55ece3e110d63c93f08f0234 GIT binary patch literal 202 zcmca|c+)~A1{MYw`2U}Q;R%p)>p^427bXSwf0NRJcU{jFc3}B<# PB^b0?2^-A72(cOfErTin literal 0 HcmV?d00001 diff --git a/testing/btest/scripts/base/protocols/dns/edns-rcode.zeek b/testing/btest/scripts/base/protocols/dns/edns-rcode.zeek new file mode 100644 index 0000000000..93c91f421d --- /dev/null +++ b/testing/btest/scripts/base/protocols/dns/edns-rcode.zeek @@ -0,0 +1,13 @@ +# @TEST-DOC: Tests that the correct extended rcode is returned for EDNS packets. Regression test for #4656. +# @TEST-EXEC: zeek -b -C -r $TRACES/dns/dns_extended_rcode.pcap %INPUT > output +# @TEST-EXEC: btest-diff output + +@load base/protocols/dns + +redef dns_skip_all_addl=F; + +event dns_EDNS_addl(c: connection, msg: dns_msg, ans: dns_edns_additional) + { + if ( c$dns?$rcode && ans?$extended_rcode ) + print ans$extended_rcode; + }
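Review bot: The baseline value 16 suggests the trace carries a header rcode of 0 (16 = 1 << 4 | 0), so the test confirms the shift but never exercises the OR with the low 4 bits. A second response with a non-zero header rcode would pin both halves of the calculation. Printing the header value next to the result, e.g. `print msg$rcode, ans$extended_rcode;`, would also let the baseline show how the two fields combine. Note that if the `c$dns?$rcode` guard is ever false the handler prints nothing, which only shows up as a baseline mismatch.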