From c77480e1596a3d7e0d01bd08569d5e27adbb2ab2 Mon Sep 17 00:00:00 2001
From: liuxueli
Date: Mon, 12 Jun 2023 19:35:50 +0800
Subject: [PATCH] =?UTF-8?q?TSG-15436:=20dns=E5=8D=8F=E8=AE=AE=E5=91=BD?=
 =?UTF-8?q?=E4=B8=ADdeny=E7=AD=96=E7=95=A5=EF=BC=8Cmaster=E6=89=A7?=
 =?UTF-8?q?=E8=A1=8C=E9=9D=9Eredirect=E7=9A=84=E5=AD=90=E5=8A=A8=E4=BD=9C?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 src/tsg_dns.cpp | 5 +++++
 src/tsg_entry.cpp | 11 ++++++++---
 2 files changed, 13 insertions(+), 3 deletions(-)
diff --git a/src/tsg_dns.cpp b/src/tsg_dns.cpp
index cba642f..5accc16 100644
--- a/src/tsg_dns.cpp
+++ b/src/tsg_dns.cpp
@@ -228,6 +228,11 @@ unsigned char do_action_redirect_dns(const struct streaminfo *a_stream, struct m
 struct dns_user_region *user_region_record=NULL;
 struct _dns_info *dns_info=(struct _dns_info *)user_data;
+ if(dns_info==NULL)
+ {
+ return STATE_GIVEME;
+ }
+
 if(dns_info->hdr_info.qr==1 && g_tsg_para.deploy_mode==DEPLOY_MODE_MIRROR) //mirror
 {
 return STATE_GIVEME;
diff --git a/src/tsg_entry.cpp b/src/tsg_entry.cpp
index 3c6330e..6902f47 100644
--- a/src/tsg_entry.cpp
+++ b/src/tsg_entry.cpp
@@ -1793,6 +1793,7 @@ size_t session_app_gather_results_scan(const struct streaminfo *a_stream, struct
 static unsigned char matched_security_rules_deal(const struct streaminfo *a_stream, struct session_runtime_process_context *srt_process_context, struct maat_rule *security_rules, size_t n_security_rules, const void *a_packet, int thread_seq)
 {
+ void *user_data=NULL;
 unsigned char state=APP_STATE_GIVEME;
 struct maat_rule *p_rule=matched_rules_decision_criteria(security_rules, n_security_rules);
 if(p_rule->action==TSG_ACTION_SHUNT)
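Review bot: The added `dns_info==NULL` guard in do_action_redirect_dns (src/tsg_dns.cpp) returns STATE_GIVEME with no comment or log, so a deny rule whose redirect cannot run is skipped silently. Judging by the rest of this patch, NULL is what matched_security_rules_deal now passes for PROTO_DNS, so the early return looks intentional; say so above the check, e.g. `/* user_data is NULL when the caller has no parsed DNS message; redirect is not applied on that path */`. A debug-level log line or counter at this return would let operators tell an intended skip from a caller that lost its dns_info. The function body continues outside the hunk.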
@@ -1807,7 +1808,11 @@ static unsigned char matched_security_rules_deal(const struct streaminfo *a_stre
 case TSG_ACTION_DENY:
 if(srt_process_context->proto==PROTO_DNS) /* deal action of deny in firewall */
 {
- break;
+ user_data=NULL;
+ }
+ else
+ {
+ user_data=(void *)a_packet;
 }
 if(is_deny_application(p_rule))
@@ -1818,11 +1823,11 @@ static unsigned char matched_security_rules_deal(const struct streaminfo *a_stre
 }
 srt_action_context_set_hitted_app_id(a_stream, srt_process_context->hited_para.matched_app_id, a_stream->threadnum);
- state=tsg_enforing_deny_application(a_stream, p_rule, srt_process_context->proto, srt_process_context->hited_para.matched_app_id, ACTION_RETURN_TYPE_APP, a_packet);
+ state=tsg_enforing_deny_application(a_stream, p_rule, srt_process_context->proto, srt_process_context->hited_para.matched_app_id, ACTION_RETURN_TYPE_APP, user_data);
 }
 else
 {
- state=tsg_enforing_deny(a_stream, p_rule, srt_process_context->proto, ACTION_RETURN_TYPE_APP, a_packet);
+ state=tsg_enforing_deny(a_stream, p_rule, srt_process_context->proto, ACTION_RETURN_TYPE_APP, user_data);
 }
 if(is_deny_after_N_packets(p_rule))
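Review bot: `user_data=(void *)a_packet;` casts away the const of the `const void *a_packet` parameter, although the removed calls passed a_packet without a cast, so the callees apparently already accept a const pointer. Declaring the local as `const void *user_data=NULL;` (in the hunk at -1793) would remove the cast and keep the compiler checking that nothing writes through it. The if/else then fits on one line: `user_data=(srt_process_context->proto==PROTO_DNS) ? NULL : a_packet;`. The comment `/* deal action of deny in firewall */` described the old `break` and no longer matches what the branch does. The enclosing function starts and ends outside this hunk.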
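Review bot: With the `break` gone, PROTO_DNS sessions now reach both tsg_enforing_deny_application and tsg_enforing_deny with `user_data` set to NULL, but the only callee this patch hardens is do_action_redirect_dns. Any other sub-action handler reached from these two functions that reads its last argument would dereference NULL on DNS traffic matching a deny rule, which in a packet path means the inspection thread can be crashed by traffic an outside party controls. Their bodies are not visible here, so this needs checking rather than assuming; a NULL guard in each handler that uses the pointer, or one in the two dispatchers, would close it. A comment at the calls, e.g. `/* user_data is NULL for PROTO_DNS: handlers must not dereference it */`, would record the contract.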