Fix parsing of EDNS rcode

The EDNS rcode was incorrectly calculated. The extended rcode is formed by taking the upper 8 bits of the extended rcode field, plus the lower 4 bits of the existing rcode. This also adds a new trace with an extended rcode, and a testcase parsing it. Reported by dwhitemv25. Fixes GH-4656
2025-10-02 14:48:21 +00:00 · 2025-07-24 08:39:49 +01:00 · 2025-07-24 08:39:49 +01:00 · 383dce9343
commit 383dce9343
parent 4399f171ae
4 changed files with 16 additions and 1 deletions
--- a/src/analyzer/protocol/dns/DNS.cc
+++ b/src/analyzer/protocol/dns/DNS.cc
@ -1737,7 +1737,7 @@ RecordValPtr DNS_MsgInfo::BuildEDNS_Val() {
    // unsigned int DO = ttl & 0x8000;	// "DNSSEC OK" - RFC 3225
    unsigned int z = ttl & 0xffff;

-    unsigned int return_error = (ercode << 8) | rcode;
+    unsigned int return_error = (ercode << 4) | rcode;

    r->Assign(4, return_error);
    r->Assign(5, version);
--- a/testing/btest/Baseline/scripts.base.protocols.dns.edns-rcode/output
+++ b/testing/btest/Baseline/scripts.base.protocols.dns.edns-rcode/output
@ -0,0 +1,2 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
+16
--- a/testing/btest/Traces/dns/dns_extended_rcode.pcap
+++ b/testing/btest/Traces/dns/dns_extended_rcode.pcap
--- a/testing/btest/scripts/base/protocols/dns/edns-rcode.zeek
+++ b/testing/btest/scripts/base/protocols/dns/edns-rcode.zeek
@ -0,0 +1,13 @@
+# @TEST-DOC: Tests that the correct extended rcode is returned for EDNS packets. Regression test for #4656.
+# @TEST-EXEC: zeek -b -C -r $TRACES/dns/dns_extended_rcode.pcap %INPUT > output
+# @TEST-EXEC: btest-diff output
+
+@load base/protocols/dns
+
+redef dns_skip_all_addl=F;
+
+event dns_EDNS_addl(c: connection, msg: dns_msg, ans: dns_edns_additional)
+	{
+	if ( c$dns?$rcode && ans?$extended_rcode )
+		print ans$extended_rcode;
+	}