1 /* 2 * Copyright (C) 2010 The Android Open Source Project 3 * 4 * Licensed under the Apache License, Version 2.0 (the "License"); 5 * you may not use this file except in compliance with the License. 6 * You may obtain a copy of the License at 7 * 8 * http://www.apache.org/licenses/LICENSE-2.0 9 * 10 * Unless required by applicable law or agreed to in writing, software 11 * distributed under the License is distributed on an "AS IS" BASIS, 12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 * See the License for the specific language governing permissions and 14 * limitations under the License. 15 */ 16 17 #include "DnsProxyListener.h" 18 19 #include <arpa/inet.h> 20 #include <dirent.h> 21 #include <errno.h> 22 #include <linux/if.h> 23 #include <math.h> 24 #include <net/if.h> 25 #include <netdb.h> 26 #include <netinet/in.h> 27 #include <resolv.h> // b64_pton() 28 #include <stdlib.h> 29 #include <string.h> 30 #include <sys/socket.h> 31 32 #define LOG_TAG "resolv" 33 34 #include <algorithm> 35 #include <vector> 36 37 #include <android-base/stringprintf.h> 38 #include <android/multinetwork.h> // ResNsendFlags 39 #include <cutils/misc.h> // FIRST_APPLICATION_UID 40 #include <cutils/multiuser.h> 41 #include <netdutils/InternetAddresses.h> 42 #include <netdutils/ResponseCode.h> 43 #include <netdutils/Slice.h> 44 #include <netdutils/Stopwatch.h> 45 #include <netdutils/ThreadUtil.h> 46 #include <private/android_filesystem_config.h> // AID_SYSTEM 47 #include <statslog_resolv.h> 48 #include <sysutils/SocketClient.h> 49 50 #include "DnsResolver.h" 51 #include "NetdPermissions.h" 52 #include "OperationLimiter.h" 53 #include "PrivateDnsConfiguration.h" 54 #include "ResolverEventReporter.h" 55 #include "dnsproxyd_protocol/DnsProxydProtocol.h" // NETID_USE_LOCAL_NAMESERVERS 56 #include "getaddrinfo.h" 57 #include "gethnamaddr.h" 58 #include "res_send.h" 59 #include "resolv_cache.h" 60 #include "resolv_private.h" 61 #include "stats.h" // RCODE_TIMEOUT 62 #include "stats.pb.h" 63 64 using aidl::android::net::metrics::INetdEventListener; 65 using aidl::android::net::resolv::aidl::DnsHealthEventParcel; 66 using aidl::android::net::resolv::aidl::IDnsResolverUnsolicitedEventListener; 67 using android::net::NetworkDnsEventReported; 68 69 namespace android { 70 71 using netdutils::ResponseCode; 72 using netdutils::Stopwatch; 73 74 namespace net { 75 namespace { 76 77 // Limits the number of outstanding DNS queries by client UID. 78 constexpr int MAX_QUERIES_PER_UID = 256; 79 80 android::netdutils::OperationLimiter<uid_t> queryLimiter(MAX_QUERIES_PER_UID); 81 82 void logArguments(int argc, char** argv) { 83 if (!WOULD_LOG(VERBOSE)) return; 84 for (int i = 0; i < argc; i++) { 85 LOG(VERBOSE) << __func__ << ": argv[" << i << "]=" << (argv[i] ? argv[i] : "null"); 86 } 87 } 88 89 bool checkAndClearUseLocalNameserversFlag(unsigned* netid) { 90 if (netid == nullptr || ((*netid) & NETID_USE_LOCAL_NAMESERVERS) == 0) { 91 return false; 92 } 93 *netid = (*netid) & ~NETID_USE_LOCAL_NAMESERVERS; 94 return true; 95 } 96 97 constexpr bool requestingUseLocalNameservers(unsigned flags) { 98 return (flags & NET_CONTEXT_FLAG_USE_LOCAL_NAMESERVERS) != 0; 99 } 100 101 bool queryingViaTls(unsigned dns_netid) { 102 const auto privateDnsStatus = PrivateDnsConfiguration::getInstance().getStatus(dns_netid); 103 switch (privateDnsStatus.mode) { 104 case PrivateDnsMode::OPPORTUNISTIC: 105 return !privateDnsStatus.validatedServers().empty(); 106 case PrivateDnsMode::STRICT: 107 return true; 108 default: 109 return false; 110 } 111 } 112 113 bool hasPermissionToBypassPrivateDns(uid_t uid) { 114 static_assert(AID_SYSTEM >= 0 && AID_SYSTEM < FIRST_APPLICATION_UID, 115 "Calls from AID_SYSTEM must not result in a permission check to avoid deadlock."); 116 if (uid >= 0 && uid < FIRST_APPLICATION_UID) { 117 return true; 118 } 119 120 for (const char* const permission : 121 {PERM_CONNECTIVITY_USE_RESTRICTED_NETWORKS, PERM_NETWORK_BYPASS_PRIVATE_DNS, 122 PERM_MAINLINE_NETWORK_STACK}) { 123 if (gResNetdCallbacks.check_calling_permission(permission)) { 124 return true; 125 } 126 } 127 return false; 128 } 129 130 void maybeFixupNetContext(android_net_context* ctx, pid_t pid) { 131 if (requestingUseLocalNameservers(ctx->flags) && !hasPermissionToBypassPrivateDns(ctx->uid)) { 132 // Not permitted; clear the flag. 133 ctx->flags &= ~NET_CONTEXT_FLAG_USE_LOCAL_NAMESERVERS; 134 } 135 136 if (!requestingUseLocalNameservers(ctx->flags)) { 137 // If we're not explicitly bypassing DNS-over-TLS servers, check whether 138 // DNS-over-TLS is in use as an indicator for when to use more modern 139 // DNS resolution mechanics. 140 if (queryingViaTls(ctx->dns_netid)) { 141 ctx->flags |= NET_CONTEXT_FLAG_USE_DNS_OVER_TLS | NET_CONTEXT_FLAG_USE_EDNS; 142 } 143 } 144 ctx->pid = pid; 145 } 146 147 void addIpAddrWithinLimit(std::vector<std::string>* ip_addrs, const sockaddr* addr, 148 socklen_t addrlen); 149 150 int extractResNsendAnswers(const uint8_t* answer, size_t anslen, int ipType, 151 std::vector<std::string>* ip_addrs) { 152 int total_ip_addr_count = 0; 153 ns_msg handle; 154 if (ns_initparse((const uint8_t*)answer, anslen, &handle) < 0) { 155 return 0; 156 } 157 int ancount = ns_msg_count(handle, ns_s_an); 158 ns_rr rr; 159 for (int i = 0; i < ancount; i++) { 160 if (ns_parserr(&handle, ns_s_an, i, &rr) < 0) { 161 continue; 162 } 163 const uint8_t* rdata = ns_rr_rdata(rr); 164 if (ipType == ns_t_a) { 165 sockaddr_in sin = {.sin_family = AF_INET}; 166 memcpy(&sin.sin_addr, rdata, sizeof(sin.sin_addr)); 167 addIpAddrWithinLimit(ip_addrs, (sockaddr*)&sin, sizeof(sin)); 168 total_ip_addr_count++; 169 } else if (ipType == ns_t_aaaa) { 170 sockaddr_in6 sin6 = {.sin6_family = AF_INET6}; 171 memcpy(&sin6.sin6_addr, rdata, sizeof(sin6.sin6_addr)); 172 addIpAddrWithinLimit(ip_addrs, (sockaddr*)&sin6, sizeof(sin6)); 173 total_ip_addr_count++; 174 } 175 } 176 177 return total_ip_addr_count; 178 } 179 180 int extractGetAddrInfoAnswers(const addrinfo* result, std::vector<std::string>* ip_addrs) { 181 int total_ip_addr_count = 0; 182 if (result == nullptr) { 183 return 0; 184 } 185 for (const addrinfo* ai = result; ai; ai = ai->ai_next) { 186 sockaddr* ai_addr = ai->ai_addr; 187 if (ai_addr) { 188 addIpAddrWithinLimit(ip_addrs, ai_addr, ai->ai_addrlen); 189 total_ip_addr_count++; 190 } 191 } 192 return total_ip_addr_count; 193 } 194 195 int extractGetHostByNameAnswers(const hostent* hp, std::vector<std::string>* ip_addrs) { 196 int total_ip_addr_count = 0; 197 if (hp == nullptr) { 198 return 0; 199 } 200 if (hp->h_addrtype == AF_INET) { 201 in_addr** list = (in_addr**)hp->h_addr_list; 202 for (int i = 0; list[i] != nullptr; i++) { 203 sockaddr_in sin = {.sin_family = AF_INET, .sin_addr = *list[i]}; 204 addIpAddrWithinLimit(ip_addrs, (sockaddr*)&sin, sizeof(sin)); 205 total_ip_addr_count++; 206 } 207 } else if (hp->h_addrtype == AF_INET6) { 208 in6_addr** list = (in6_addr**)hp->h_addr_list; 209 for (int i = 0; list[i] != nullptr; i++) { 210 sockaddr_in6 sin6 = {.sin6_family = AF_INET6, .sin6_addr = *list[i]}; 211 addIpAddrWithinLimit(ip_addrs, (sockaddr*)&sin6, sizeof(sin6)); 212 total_ip_addr_count++; 213 } 214 } 215 return total_ip_addr_count; 216 } 217 218 int rcodeToAiError(int rcode) { 219 switch (rcode) { 220 case NOERROR: 221 return 0; 222 case RCODE_TIMEOUT: 223 return NETD_RESOLV_TIMEOUT; 224 default: 225 return EAI_NODATA; 226 } 227 } 228 229 int resNSendToAiError(int err, int rcode) { 230 if (err > 0) { 231 return rcodeToAiError(rcode); 232 } 233 if (err == -ETIMEDOUT) { 234 return NETD_RESOLV_TIMEOUT; 235 } 236 return EAI_SYSTEM; 237 } 238 239 template <typename IntegralType> 240 bool simpleStrtoul(const char* input, IntegralType* output, int base = 10) { 241 char* endPtr; 242 errno = 0; 243 auto result = strtoul(input, &endPtr, base); 244 // Check the length in order to ensure there is no "-" sign 245 if (!*input || *endPtr || (endPtr - input) != static_cast<ptrdiff_t>(strlen(input)) || 246 (errno == ERANGE && (result == ULONG_MAX))) { 247 return false; 248 } 249 *output = result; 250 return true; 251 } 252 253 bool setQueryId(uint8_t* msg, size_t msgLen, uint16_t query_id) { 254 if (msgLen < sizeof(HEADER)) { 255 errno = EINVAL; 256 return false; 257 } 258 auto hp = reinterpret_cast<HEADER*>(msg); 259 hp->id = htons(query_id); 260 return true; 261 } 262 263 bool parseQuery(const uint8_t* msg, size_t msgLen, uint16_t* query_id, int* rr_type, 264 std::string* rr_name) { 265 ns_msg handle; 266 ns_rr rr; 267 if (ns_initparse((const uint8_t*)msg, msgLen, &handle) < 0 || 268 ns_parserr(&handle, ns_s_qd, 0, &rr) < 0) { 269 return false; 270 } 271 *query_id = ns_msg_id(handle); 272 *rr_name = ns_rr_name(rr); 273 *rr_type = ns_rr_type(rr); 274 return true; 275 } 276 277 // Note: Even if it returns PDM_OFF, it doesn't mean there's no DoT stats in the message 278 // because Private DNS mode can change at any time. 279 PrivateDnsModes getPrivateDnsModeForMetrics(uint32_t netId) { 280 switch (PrivateDnsConfiguration::getInstance().getStatus(netId).mode) { 281 case PrivateDnsMode::OFF: 282 // It can also be due to netId not found. 283 return PrivateDnsModes::PDM_OFF; 284 case PrivateDnsMode::OPPORTUNISTIC: 285 return PrivateDnsModes::PDM_OPPORTUNISTIC; 286 case PrivateDnsMode::STRICT: 287 return PrivateDnsModes::PDM_STRICT; 288 default: 289 return PrivateDnsModes::PDM_UNKNOWN; 290 } 291 } 292 293 void initDnsEvent(NetworkDnsEventReported* event, const android_net_context& netContext) { 294 // The value 0 has the special meaning of unset/unknown in Statsd atoms. So, we set both 295 // flags to -1 as default value. 296 // 1. The hints flag is only used in resolv_getaddrinfo. When user set it to -1 in 297 // resolv_getaddrinfo, the flag will cause validation (validateHints) failure in 298 // getaddrinfo, so it will not do DNS query and will upload DNS stats log with 299 // return_code = RC_EAI_BADFLAGS. 300 // 2. The res_nsend flags are only used in resolv_res_nsend. When user set it to -1 in 301 // resolv_res_nsend,res_nsend will do nothing special by the setting. 302 event->set_hints_ai_flags(-1); 303 event->set_res_nsend_flags(-1); 304 event->set_private_dns_modes(getPrivateDnsModeForMetrics(netContext.dns_netid)); 305 } 306 307 // Return 0 if the event should not be logged. 308 // Otherwise, return subsampling_denom 309 uint32_t getDnsEventSubsamplingRate(int netid, int returnCode) { 310 uint32_t subsampling_denom = resolv_cache_get_subsampling_denom(netid, returnCode); 311 if (subsampling_denom == 0) return 0; 312 // Sample the event with a chance of 1 / denom. 313 return (arc4random_uniform(subsampling_denom) == 0) ? subsampling_denom : 0; 314 } 315 316 void maybeLogQuery(int eventType, const android_net_context& netContext, 317 const NetworkDnsEventReported& event, const std::string& query_name, 318 const std::vector<std::string>& ip_addrs) { 319 // Skip reverse queries. 320 if (eventType == INetdEventListener::EVENT_GETHOSTBYADDR) return; 321 322 for (const auto& query : event.dns_query_events().dns_query_event()) { 323 // Log it when the cache misses. 324 if (query.cache_hit() != CS_FOUND) { 325 const int timeTakenMs = event.latency_micros() / 1000; 326 DnsQueryLog::Record record(netContext.dns_netid, netContext.uid, netContext.pid, 327 query_name, ip_addrs, timeTakenMs); 328 gDnsResolv->dnsQueryLog().push(std::move(record)); 329 return; 330 } 331 } 332 } 333 334 void reportDnsEvent(int eventType, const android_net_context& netContext, int latencyUs, 335 int returnCode, NetworkDnsEventReported& event, const std::string& query_name, 336 const std::vector<std::string>& ip_addrs = {}, int total_ip_addr_count = 0) { 337 if (uint32_t rate = getDnsEventSubsamplingRate(netContext.dns_netid, returnCode)) { 338 const std::string& dnsQueryStats = event.dns_query_events().SerializeAsString(); 339 stats::BytesField dnsQueryBytesField{dnsQueryStats.c_str(), dnsQueryStats.size()}; 340 event.set_return_code(static_cast<ReturnCode>(returnCode)); 341 event.set_network_type(resolv_get_network_types_for_net(netContext.dns_netid)); 342 android::net::stats::stats_write(android::net::stats::NETWORK_DNS_EVENT_REPORTED, 343 event.event_type(), event.return_code(), 344 event.latency_micros(), event.hints_ai_flags(), 345 event.res_nsend_flags(), event.network_type(), 346 event.private_dns_modes(), dnsQueryBytesField, rate); 347 } 348 349 maybeLogQuery(eventType, netContext, event, query_name, ip_addrs); 350 351 const auto& listeners = ResolverEventReporter::getInstance().getListeners(); 352 if (listeners.empty()) { 353 LOG(ERROR) << __func__ 354 << ": DNS event not sent since no INetdEventListener receiver is available."; 355 } 356 const int latencyMs = latencyUs / 1000; 357 for (const auto& it : listeners) { 358 it->onDnsEvent(netContext.dns_netid, eventType, returnCode, latencyMs, query_name, ip_addrs, 359 total_ip_addr_count, netContext.uid); 360 } 361 362 const auto& unsolEventListeners = ResolverEventReporter::getInstance().getUnsolEventListeners(); 363 364 if (returnCode == NETD_RESOLV_TIMEOUT) { 365 const DnsHealthEventParcel dnsHealthEvent = { 366 .netId = static_cast<int32_t>(netContext.dns_netid), 367 .healthResult = IDnsResolverUnsolicitedEventListener::DNS_HEALTH_RESULT_TIMEOUT, 368 }; 369 for (const auto& it : unsolEventListeners) { 370 it->onDnsHealthEvent(dnsHealthEvent); 371 } 372 } else if (returnCode == NOERROR) { 373 DnsHealthEventParcel dnsHealthEvent = { 374 .netId = static_cast<int32_t>(netContext.dns_netid), 375 .healthResult = IDnsResolverUnsolicitedEventListener::DNS_HEALTH_RESULT_OK, 376 }; 377 for (const auto& query : event.dns_query_events().dns_query_event()) { 378 if (query.cache_hit() != CS_FOUND && query.rcode() == NS_R_NO_ERROR) { 379 dnsHealthEvent.successRttMicros.push_back(query.latency_micros()); 380 } 381 } 382 383 if (!dnsHealthEvent.successRttMicros.empty()) { 384 for (const auto& it : unsolEventListeners) { 385 it->onDnsHealthEvent(dnsHealthEvent); 386 } 387 } 388 } 389 } 390 391 bool onlyIPv4Answers(const addrinfo* res) { 392 // Null addrinfo pointer isn't checked because the caller doesn't pass null pointer. 393 394 for (const addrinfo* ai = res; ai; ai = ai->ai_next) 395 if (ai->ai_family != AF_INET) return false; 396 397 return true; 398 } 399 400 bool isSpecialUseIPv4Address(const struct in_addr& ia) { 401 const uint32_t addr = ntohl(ia.s_addr); 402 403 // Only check necessary IP ranges in RFC 5735 section 4 404 return ((addr & 0xff000000) == 0x00000000) || // "This" Network 405 ((addr & 0xff000000) == 0x7f000000) || // Loopback 406 ((addr & 0xffff0000) == 0xa9fe0000) || // Link Local 407 ((addr & 0xf0000000) == 0xe0000000) || // Multicast 408 (addr == INADDR_BROADCAST); // Limited Broadcast 409 } 410 411 bool isSpecialUseIPv4Address(const struct sockaddr* sa) { 412 if (sa->sa_family != AF_INET) return false; 413 414 return isSpecialUseIPv4Address(((struct sockaddr_in*)sa)->sin_addr); 415 } 416 417 bool onlyNonSpecialUseIPv4Addresses(struct hostent* hp) { 418 // Null hostent pointer isn't checked because the caller doesn't pass null pointer. 419 420 if (hp->h_addrtype != AF_INET) return false; 421 422 for (int i = 0; hp->h_addr_list[i] != nullptr; i++) 423 if (isSpecialUseIPv4Address(*(struct in_addr*)hp->h_addr_list[i])) return false; 424 425 return true; 426 } 427 428 bool onlyNonSpecialUseIPv4Addresses(const addrinfo* res) { 429 // Null addrinfo pointer isn't checked because the caller doesn't pass null pointer. 430 431 for (const addrinfo* ai = res; ai; ai = ai->ai_next) { 432 if (ai->ai_family != AF_INET) return false; 433 if (isSpecialUseIPv4Address(ai->ai_addr)) return false; 434 } 435 436 return true; 437 } 438 439 void logDnsQueryResult(const struct hostent* hp) { 440 if (!WOULD_LOG(DEBUG)) return; 441 if (hp == nullptr) return; 442 443 LOG(DEBUG) << __func__ << ": DNS records:"; 444 for (int i = 0; hp->h_addr_list[i] != nullptr; i++) { 445 char ip_addr[INET6_ADDRSTRLEN]; 446 if (inet_ntop(hp->h_addrtype, hp->h_addr_list[i], ip_addr, sizeof(ip_addr)) != nullptr) { 447 LOG(DEBUG) << __func__ << ": [" << i << "] " << hp->h_addrtype; 448 } else { 449 PLOG(DEBUG) << __func__ << ": [" << i << "] numeric hostname translation fail"; 450 } 451 } 452 } 453 454 void logDnsQueryResult(const addrinfo* res) { 455 if (!WOULD_LOG(DEBUG)) return; 456 if (res == nullptr) return; 457 458 int i; 459 const addrinfo* ai; 460 LOG(DEBUG) << __func__ << ": DNS records:"; 461 for (ai = res, i = 0; ai; ai = ai->ai_next, i++) { 462 if ((ai->ai_family != AF_INET) && (ai->ai_family != AF_INET6)) continue; 463 char ip_addr[INET6_ADDRSTRLEN]; 464 int ret = getnameinfo(ai->ai_addr, ai->ai_addrlen, ip_addr, sizeof(ip_addr), nullptr, 0, 465 NI_NUMERICHOST); 466 if (!ret) { 467 LOG(DEBUG) << __func__ << ": [" << i << "] " << ai->ai_flags << " " << ai->ai_family 468 << " " << ai->ai_socktype << " " << ai->ai_protocol; 469 } else { 470 LOG(DEBUG) << __func__ << ": [" << i << "] numeric hostname translation fail " << ret; 471 } 472 } 473 } 474 475 bool isValidNat64Prefix(const netdutils::IPPrefix prefix) { 476 if (prefix.family() != AF_INET6) { 477 LOG(ERROR) << __func__ << ": Only IPv6 NAT64 prefixes are supported " << prefix.family(); 478 return false; 479 } 480 if (prefix.length() != 96) { 481 LOG(ERROR) << __func__ << ": Only /96 NAT64 prefixes are supported " << prefix.length(); 482 return false; 483 } 484 return true; 485 } 486 487 bool synthesizeNat64PrefixWithARecord(const netdutils::IPPrefix& prefix, struct hostent* hp) { 488 if (hp == nullptr) return false; 489 if (!onlyNonSpecialUseIPv4Addresses(hp)) return false; 490 if (!isValidNat64Prefix(prefix)) return false; 491 492 struct sockaddr_storage ss = netdutils::IPSockAddr(prefix.ip()); 493 struct sockaddr_in6* v6prefix = (struct sockaddr_in6*)&ss; 494 for (int i = 0; hp->h_addr_list[i] != nullptr; i++) { 495 struct in_addr iaOriginal = *(struct in_addr*)hp->h_addr_list[i]; 496 struct in6_addr* ia6 = (struct in6_addr*)hp->h_addr_list[i]; 497 memset(ia6, 0, sizeof(struct in6_addr)); 498 499 // Synthesize /96 NAT64 prefix in place. The space has reserved by getanswer() and 500 // _hf_gethtbyname2() in system/netd/resolv/gethnamaddr.cpp and 501 // system/netd/resolv/sethostent.cpp. 502 *ia6 = v6prefix->sin6_addr; 503 ia6->s6_addr32[3] = iaOriginal.s_addr; 504 505 if (WOULD_LOG(VERBOSE)) { 506 char buf[INET6_ADDRSTRLEN]; // big enough for either IPv4 or IPv6 507 inet_ntop(AF_INET, &iaOriginal.s_addr, buf, sizeof(buf)); 508 LOG(VERBOSE) << __func__ << ": DNS A record: " << buf; 509 inet_ntop(AF_INET6, &v6prefix->sin6_addr, buf, sizeof(buf)); 510 LOG(VERBOSE) << __func__ << ": NAT64 prefix: " << buf; 511 inet_ntop(AF_INET6, ia6, buf, sizeof(buf)); 512 LOG(VERBOSE) << __func__ << ": DNS64 Synthesized AAAA record: " << buf; 513 } 514 } 515 hp->h_addrtype = AF_INET6; 516 hp->h_length = sizeof(in6_addr); 517 518 logDnsQueryResult(hp); 519 return true; 520 } 521 522 bool synthesizeNat64PrefixWithARecord(const netdutils::IPPrefix& prefix, addrinfo* result) { 523 if (result == nullptr) return false; 524 if (!onlyNonSpecialUseIPv4Addresses(result)) return false; 525 if (!isValidNat64Prefix(prefix)) return false; 526 527 struct sockaddr_storage ss = netdutils::IPSockAddr(prefix.ip()); 528 struct sockaddr_in6* v6prefix = (struct sockaddr_in6*)&ss; 529 for (addrinfo* ai = result; ai; ai = ai->ai_next) { 530 struct sockaddr_in sinOriginal = *(struct sockaddr_in*)ai->ai_addr; 531 struct sockaddr_in6* sin6 = (struct sockaddr_in6*)ai->ai_addr; 532 memset(sin6, 0, sizeof(sockaddr_in6)); 533 534 // Synthesize /96 NAT64 prefix in place. The space has reserved by get_ai() in 535 // system/netd/resolv/getaddrinfo.cpp. 536 sin6->sin6_addr = v6prefix->sin6_addr; 537 sin6->sin6_addr.s6_addr32[3] = sinOriginal.sin_addr.s_addr; 538 sin6->sin6_family = AF_INET6; 539 sin6->sin6_port = sinOriginal.sin_port; 540 ai->ai_addrlen = sizeof(struct sockaddr_in6); 541 ai->ai_family = AF_INET6; 542 543 if (WOULD_LOG(VERBOSE)) { 544 char buf[INET6_ADDRSTRLEN]; // big enough for either IPv4 or IPv6 545 inet_ntop(AF_INET, &sinOriginal.sin_addr.s_addr, buf, sizeof(buf)); 546 LOG(VERBOSE) << __func__ << ": DNS A record: " << buf; 547 inet_ntop(AF_INET6, &v6prefix->sin6_addr, buf, sizeof(buf)); 548 LOG(VERBOSE) << __func__ << ": NAT64 prefix: " << buf; 549 inet_ntop(AF_INET6, &sin6->sin6_addr, buf, sizeof(buf)); 550 LOG(VERBOSE) << __func__ << ": DNS64 Synthesized AAAA record: " << buf; 551 } 552 } 553 logDnsQueryResult(result); 554 return true; 555 } 556 557 bool getDns64Prefix(unsigned netId, netdutils::IPPrefix* prefix) { 558 return !gDnsResolv->resolverCtrl.getPrefix64(netId, prefix); 559 } 560 561 std::string makeThreadName(unsigned netId, uint32_t uid) { 562 // The maximum of netId and app_id are 5-digit numbers. 563 return android::base::StringPrintf("Dns_%u_%u", netId, multiuser_get_app_id(uid)); 564 } 565 566 } // namespace 567 568 DnsProxyListener::DnsProxyListener() : FrameworkListener(SOCKET_NAME) { 569 registerCmd(new GetAddrInfoCmd()); 570 registerCmd(new GetHostByAddrCmd()); 571 registerCmd(new GetHostByNameCmd()); 572 registerCmd(new ResNSendCommand()); 573 registerCmd(new GetDnsNetIdCommand()); 574 } 575 576 void DnsProxyListener::Handler::spawn() { 577 const int rval = netdutils::threadLaunch(this); 578 if (rval == 0) { 579 return; 580 } 581 582 char* msg = nullptr; 583 asprintf(&msg, "%s (%d)", strerror(-rval), -rval); 584 mClient->sendMsg(ResponseCode::OperationFailed, msg, false); 585 free(msg); 586 delete this; 587 } 588 589 DnsProxyListener::GetAddrInfoHandler::GetAddrInfoHandler(SocketClient* c, std::string host, 590 std::string service, 591 std::unique_ptr<addrinfo> hints, 592 const android_net_context& netcontext) 593 : Handler(c), 594 mHost(move(host)), 595 mService(move(service)), 596 mHints(move(hints)), 597 mNetContext(netcontext) {} 598 599 static bool evaluate_domain_name(const android_net_context& netcontext, const char* host) { 600 if (!gResNetdCallbacks.evaluate_domain_name) return true; 601 return gResNetdCallbacks.evaluate_domain_name(netcontext, host); 602 } 603 604 static bool sendBE32(SocketClient* c, uint32_t data) { 605 uint32_t be_data = htonl(data); 606 return c->sendData(&be_data, sizeof(be_data)) == 0; 607 } 608 609 // Sends 4 bytes of big-endian length, followed by the data. 610 // Returns true on success. 611 static bool sendLenAndData(SocketClient* c, const int len, const void* data) { 612 return sendBE32(c, len) && (len == 0 || c->sendData(data, len) == 0); 613 } 614 615 // Returns true on success 616 static bool sendhostent(SocketClient* c, hostent* hp) { 617 bool success = true; 618 int i; 619 if (hp->h_name != nullptr) { 620 success &= sendLenAndData(c, strlen(hp->h_name) + 1, hp->h_name); 621 } else { 622 success &= sendLenAndData(c, 0, "") == 0; 623 } 624 625 for (i = 0; hp->h_aliases[i] != nullptr; i++) { 626 success &= sendLenAndData(c, strlen(hp->h_aliases[i]) + 1, hp->h_aliases[i]); 627 } 628 success &= sendLenAndData(c, 0, ""); // null to indicate we're done 629 630 uint32_t buf = htonl(hp->h_addrtype); 631 success &= c->sendData(&buf, sizeof(buf)) == 0; 632 633 buf = htonl(hp->h_length); 634 success &= c->sendData(&buf, sizeof(buf)) == 0; 635 636 for (i = 0; hp->h_addr_list[i] != nullptr; i++) { 637 success &= sendLenAndData(c, 16, hp->h_addr_list[i]); 638 } 639 success &= sendLenAndData(c, 0, ""); // null to indicate we're done 640 return success; 641 } 642 643 static bool sendaddrinfo(SocketClient* c, addrinfo* ai) { 644 // struct addrinfo { 645 // int ai_flags; /* AI_PASSIVE, AI_CANONNAME, AI_NUMERICHOST */ 646 // int ai_family; /* PF_xxx */ 647 // int ai_socktype; /* SOCK_xxx */ 648 // int ai_protocol; /* 0 or IPPROTO_xxx for IPv4 and IPv6 */ 649 // socklen_t ai_addrlen; /* length of ai_addr */ 650 // char *ai_canonname; /* canonical name for hostname */ 651 // struct sockaddr *ai_addr; /* binary address */ 652 // struct addrinfo *ai_next; /* next structure in linked list */ 653 // }; 654 655 // Write the struct piece by piece because we might be a 64-bit netd 656 // talking to a 32-bit process. 657 bool success = sendBE32(c, ai->ai_flags) && sendBE32(c, ai->ai_family) && 658 sendBE32(c, ai->ai_socktype) && sendBE32(c, ai->ai_protocol); 659 if (!success) { 660 return false; 661 } 662 663 // ai_addrlen and ai_addr. 664 if (!sendLenAndData(c, ai->ai_addrlen, ai->ai_addr)) { 665 return false; 666 } 667 668 // strlen(ai_canonname) and ai_canonname. 669 if (!sendLenAndData(c, ai->ai_canonname ? strlen(ai->ai_canonname) + 1 : 0, ai->ai_canonname)) { 670 return false; 671 } 672 673 return true; 674 } 675 676 void DnsProxyListener::GetAddrInfoHandler::doDns64Synthesis(int32_t* rv, addrinfo** res, 677 NetworkDnsEventReported* event) { 678 const bool ipv6WantedButNoData = (mHints && mHints->ai_family == AF_INET6 && *rv == EAI_NODATA); 679 const bool unspecWantedButNoIPv6 = 680 ((!mHints || mHints->ai_family == AF_UNSPEC) && *rv == 0 && onlyIPv4Answers(*res)); 681 682 if (!ipv6WantedButNoData && !unspecWantedButNoIPv6) { 683 return; 684 } 685 686 netdutils::IPPrefix prefix{}; 687 if (!getDns64Prefix(mNetContext.dns_netid, &prefix)) { 688 return; 689 } 690 691 if (ipv6WantedButNoData) { 692 // If caller wants IPv6 answers but no data, try to query IPv4 answers for synthesis 693 const uid_t uid = mClient->getUid(); 694 if (queryLimiter.start(uid)) { 695 const char* host = mHost.starts_with('^') ? nullptr : mHost.c_str(); 696 const char* service = mService.starts_with('^') ? nullptr : mService.c_str(); 697 mHints->ai_family = AF_INET; 698 // Don't need to do freeaddrinfo(res) before starting new DNS lookup because previous 699 // DNS lookup is failed with error EAI_NODATA. 700 *rv = resolv_getaddrinfo(host, service, mHints.get(), &mNetContext, res, event); 701 queryLimiter.finish(uid); 702 if (*rv) { 703 *rv = EAI_NODATA; // return original error code 704 return; 705 } 706 } else { 707 LOG(ERROR) << __func__ << ": from UID " << uid << ", max concurrent queries reached"; 708 return; 709 } 710 } 711 712 if (!synthesizeNat64PrefixWithARecord(prefix, *res)) { 713 if (ipv6WantedButNoData) { 714 // If caller wants IPv6 answers but no data and failed to synthesize IPv6 answers, 715 // don't return the IPv4 answers. 716 *rv = EAI_NODATA; // return original error code 717 if (*res) { 718 freeaddrinfo(*res); 719 *res = nullptr; 720 } 721 } 722 } 723 } 724 725 void DnsProxyListener::GetAddrInfoHandler::run() { 726 LOG(DEBUG) << "GetAddrInfoHandler::run: {" << mNetContext.app_netid << " " 727 << mNetContext.app_mark << " " << mNetContext.dns_netid << " " 728 << mNetContext.dns_mark << " " << mNetContext.uid << " " << mNetContext.flags << "}"; 729 730 addrinfo* result = nullptr; 731 Stopwatch s; 732 maybeFixupNetContext(&mNetContext, mClient->getPid()); 733 const uid_t uid = mClient->getUid(); 734 int32_t rv = 0; 735 NetworkDnsEventReported event; 736 initDnsEvent(&event, mNetContext); 737 if (queryLimiter.start(uid)) { 738 const char* host = mHost.starts_with('^') ? nullptr : mHost.c_str(); 739 const char* service = mService.starts_with('^') ? nullptr : mService.c_str(); 740 if (evaluate_domain_name(mNetContext, host)) { 741 rv = resolv_getaddrinfo(host, service, mHints.get(), &mNetContext, &result, &event); 742 } else { 743 rv = EAI_SYSTEM; 744 } 745 queryLimiter.finish(uid); 746 } else { 747 // Note that this error code is currently not passed down to the client. 748 // android_getaddrinfo_proxy() returns EAI_NODATA on any error. 749 rv = EAI_MEMORY; 750 LOG(ERROR) << "GetAddrInfoHandler::run: from UID " << uid 751 << ", max concurrent queries reached"; 752 } 753 754 doDns64Synthesis(&rv, &result, &event); 755 const int32_t latencyUs = saturate_cast<int32_t>(s.timeTakenUs()); 756 event.set_latency_micros(latencyUs); 757 event.set_event_type(EVENT_GETADDRINFO); 758 event.set_hints_ai_flags((mHints ? mHints->ai_flags : 0)); 759 760 bool success = true; 761 if (rv) { 762 // getaddrinfo failed 763 success = !mClient->sendBinaryMsg(ResponseCode::DnsProxyOperationFailed, &rv, sizeof(rv)); 764 } else { 765 success = !mClient->sendCode(ResponseCode::DnsProxyQueryResult); 766 addrinfo* ai = result; 767 while (ai && success) { 768 success = sendBE32(mClient, 1) && sendaddrinfo(mClient, ai); 769 ai = ai->ai_next; 770 } 771 success = success && sendBE32(mClient, 0); 772 } 773 774 if (!success) { 775 PLOG(WARNING) << "GetAddrInfoHandler::run: Error writing DNS result to client uid " << uid 776 << " pid " << mClient->getPid(); 777 } 778 779 std::vector<std::string> ip_addrs; 780 const int total_ip_addr_count = extractGetAddrInfoAnswers(result, &ip_addrs); 781 reportDnsEvent(INetdEventListener::EVENT_GETADDRINFO, mNetContext, latencyUs, rv, event, mHost, 782 ip_addrs, total_ip_addr_count); 783 freeaddrinfo(result); 784 } 785 786 std::string DnsProxyListener::GetAddrInfoHandler::threadName() { 787 return makeThreadName(mNetContext.dns_netid, mClient->getUid()); 788 } 789 790 namespace { 791 792 void addIpAddrWithinLimit(std::vector<std::string>* ip_addrs, const sockaddr* addr, 793 socklen_t addrlen) { 794 // ipAddresses array is limited to first INetdEventListener::DNS_REPORTED_IP_ADDRESSES_LIMIT 795 // addresses for A and AAAA. Total count of addresses is provided, to be able to tell whether 796 // some addresses didn't get logged. 797 if (ip_addrs->size() < INetdEventListener::DNS_REPORTED_IP_ADDRESSES_LIMIT) { 798 char ip_addr[INET6_ADDRSTRLEN]; 799 if (getnameinfo(addr, addrlen, ip_addr, sizeof(ip_addr), nullptr, 0, NI_NUMERICHOST) == 0) { 800 ip_addrs->push_back(std::string(ip_addr)); 801 } 802 } 803 } 804 805 } // namespace 806 807 DnsProxyListener::GetAddrInfoCmd::GetAddrInfoCmd() : FrameworkCommand("getaddrinfo") {} 808 809 int DnsProxyListener::GetAddrInfoCmd::runCommand(SocketClient* cli, int argc, char** argv) { 810 logArguments(argc, argv); 811 812 if (argc != 8) { 813 char* msg = nullptr; 814 asprintf(&msg, "Invalid number of arguments to getaddrinfo: %i", argc); 815 LOG(WARNING) << "GetAddrInfoCmd::runCommand: " << (msg ? msg : "null"); 816 cli->sendMsg(ResponseCode::CommandParameterError, msg, false); 817 free(msg); 818 return -1; 819 } 820 821 const std::string name = argv[1]; 822 const std::string service = argv[2]; 823 int ai_flags = strtol(argv[3], nullptr, 10); 824 int ai_family = strtol(argv[4], nullptr, 10); 825 int ai_socktype = strtol(argv[5], nullptr, 10); 826 int ai_protocol = strtol(argv[6], nullptr, 10); 827 unsigned netId = strtoul(argv[7], nullptr, 10); 828 const bool useLocalNameservers = checkAndClearUseLocalNameserversFlag(&netId); 829 const uid_t uid = cli->getUid(); 830 831 android_net_context netcontext; 832 gResNetdCallbacks.get_network_context(netId, uid, &netcontext); 833 834 if (useLocalNameservers) { 835 netcontext.flags |= NET_CONTEXT_FLAG_USE_LOCAL_NAMESERVERS; 836 } 837 838 std::unique_ptr<addrinfo> hints; 839 if (ai_flags != -1 || ai_family != -1 || ai_socktype != -1 || ai_protocol != -1) { 840 hints.reset((addrinfo*)calloc(1, sizeof(addrinfo))); 841 hints->ai_flags = ai_flags; 842 hints->ai_family = ai_family; 843 hints->ai_socktype = ai_socktype; 844 hints->ai_protocol = ai_protocol; 845 } 846 847 (new GetAddrInfoHandler(cli, name, service, move(hints), netcontext))->spawn(); 848 return 0; 849 } 850 851 /******************************************************* 852 * ResNSendCommand * 853 *******************************************************/ 854 DnsProxyListener::ResNSendCommand::ResNSendCommand() : FrameworkCommand("resnsend") {} 855 856 int DnsProxyListener::ResNSendCommand::runCommand(SocketClient* cli, int argc, char** argv) { 857 logArguments(argc, argv); 858 859 const uid_t uid = cli->getUid(); 860 if (argc != 4) { 861 LOG(WARNING) << "ResNSendCommand::runCommand: resnsend: from UID " << uid 862 << ", invalid number of arguments to resnsend: " << argc; 863 sendBE32(cli, -EINVAL); 864 return -1; 865 } 866 867 unsigned netId; 868 if (!simpleStrtoul(argv[1], &netId)) { 869 LOG(WARNING) << "ResNSendCommand::runCommand: resnsend: from UID " << uid 870 << ", invalid netId"; 871 sendBE32(cli, -EINVAL); 872 return -1; 873 } 874 875 uint32_t flags; 876 if (!simpleStrtoul(argv[2], &flags)) { 877 LOG(WARNING) << "ResNSendCommand::runCommand: resnsend: from UID " << uid 878 << ", invalid flags"; 879 sendBE32(cli, -EINVAL); 880 return -1; 881 } 882 883 const bool useLocalNameservers = checkAndClearUseLocalNameserversFlag(&netId); 884 885 android_net_context netcontext; 886 gResNetdCallbacks.get_network_context(netId, uid, &netcontext); 887 888 if (useLocalNameservers) { 889 netcontext.flags |= NET_CONTEXT_FLAG_USE_LOCAL_NAMESERVERS; 890 } 891 892 (new ResNSendHandler(cli, argv[3], flags, netcontext))->spawn(); 893 return 0; 894 } 895 896 DnsProxyListener::ResNSendHandler::ResNSendHandler(SocketClient* c, std::string msg, uint32_t flags, 897 const android_net_context& netcontext) 898 : Handler(c), mMsg(std::move(msg)), mFlags(flags), mNetContext(netcontext) {} 899 900 void DnsProxyListener::ResNSendHandler::run() { 901 LOG(DEBUG) << "ResNSendHandler::run: " << mFlags << " / {" << mNetContext.app_netid << " " 902 << mNetContext.app_mark << " " << mNetContext.dns_netid << " " 903 << mNetContext.dns_mark << " " << mNetContext.uid << " " << mNetContext.flags << "}"; 904 905 Stopwatch s; 906 maybeFixupNetContext(&mNetContext, mClient->getPid()); 907 908 // Decode 909 std::vector<uint8_t> msg(MAXPACKET, 0); 910 911 // Max length of mMsg is less than 1024 since the CMD_BUF_SIZE in FrameworkListener is 1024 912 int msgLen = b64_pton(mMsg.c_str(), msg.data(), MAXPACKET); 913 if (msgLen == -1) { 914 // Decode fail 915 sendBE32(mClient, -EILSEQ); 916 return; 917 } 918 919 const uid_t uid = mClient->getUid(); 920 int rr_type = 0; 921 std::string rr_name; 922 uint16_t original_query_id = 0; 923 924 // TODO: Handle the case which is msg contains more than one query 925 if (!parseQuery(msg.data(), msgLen, &original_query_id, &rr_type, &rr_name) || 926 !setQueryId(msg.data(), msgLen, arc4random_uniform(65536))) { 927 // If the query couldn't be parsed, block the request. 928 LOG(WARNING) << "ResNSendHandler::run: resnsend: from UID " << uid << ", invalid query"; 929 sendBE32(mClient, -EINVAL); 930 return; 931 } 932 933 // Send DNS query 934 std::vector<uint8_t> ansBuf(MAXPACKET, 0); 935 int rcode = ns_r_noerror; 936 int nsendAns = -1; 937 NetworkDnsEventReported event; 938 initDnsEvent(&event, mNetContext); 939 if (queryLimiter.start(uid)) { 940 if (evaluate_domain_name(mNetContext, rr_name.c_str())) { 941 nsendAns = resolv_res_nsend(&mNetContext, msg.data(), msgLen, ansBuf.data(), MAXPACKET, 942 &rcode, static_cast<ResNsendFlags>(mFlags), &event); 943 } else { 944 nsendAns = -EAI_SYSTEM; 945 } 946 queryLimiter.finish(uid); 947 } else { 948 LOG(WARNING) << "ResNSendHandler::run: resnsend: from UID " << uid 949 << ", max concurrent queries reached"; 950 nsendAns = -EBUSY; 951 } 952 953 const int32_t latencyUs = saturate_cast<int32_t>(s.timeTakenUs()); 954 event.set_latency_micros(latencyUs); 955 event.set_event_type(EVENT_RES_NSEND); 956 event.set_res_nsend_flags(static_cast<ResNsendFlags>(mFlags)); 957 958 // Fail, send -errno 959 if (nsendAns < 0) { 960 if (!sendBE32(mClient, nsendAns)) { 961 PLOG(WARNING) << "ResNSendHandler::run: resnsend: failed to send errno to uid " << uid 962 << " pid " << mClient->getPid(); 963 } 964 if (rr_type == ns_t_a || rr_type == ns_t_aaaa) { 965 reportDnsEvent(INetdEventListener::EVENT_RES_NSEND, mNetContext, latencyUs, 966 resNSendToAiError(nsendAns, rcode), event, rr_name); 967 } 968 return; 969 } 970 971 // Send rcode 972 if (!sendBE32(mClient, rcode)) { 973 PLOG(WARNING) << "ResNSendHandler::run: resnsend: failed to send rcode to uid " << uid 974 << " pid " << mClient->getPid(); 975 return; 976 } 977 978 // Restore query id and send answer 979 if (!setQueryId(ansBuf.data(), nsendAns, original_query_id) || 980 !sendLenAndData(mClient, nsendAns, ansBuf.data())) { 981 PLOG(WARNING) << "ResNSendHandler::run: resnsend: failed to send answer to uid " << uid 982 << " pid " << mClient->getPid(); 983 return; 984 } 985 986 if (rr_type == ns_t_a || rr_type == ns_t_aaaa) { 987 std::vector<std::string> ip_addrs; 988 const int total_ip_addr_count = 989 extractResNsendAnswers((uint8_t*)ansBuf.data(), nsendAns, rr_type, &ip_addrs); 990 reportDnsEvent(INetdEventListener::EVENT_RES_NSEND, mNetContext, latencyUs, 991 resNSendToAiError(nsendAns, rcode), event, rr_name, ip_addrs, 992 total_ip_addr_count); 993 } 994 } 995 996 std::string DnsProxyListener::ResNSendHandler::threadName() { 997 return makeThreadName(mNetContext.dns_netid, mClient->getUid()); 998 } 999 1000 namespace { 1001 1002 bool sendCodeAndBe32(SocketClient* c, int code, int data) { 1003 return !c->sendCode(code) && sendBE32(c, data); 1004 } 1005 1006 } // namespace 1007 1008 /******************************************************* 1009 * GetDnsNetId * 1010 *******************************************************/ 1011 DnsProxyListener::GetDnsNetIdCommand::GetDnsNetIdCommand() : FrameworkCommand("getdnsnetid") {} 1012 1013 int DnsProxyListener::GetDnsNetIdCommand::runCommand(SocketClient* cli, int argc, char** argv) { 1014 logArguments(argc, argv); 1015 1016 const uid_t uid = cli->getUid(); 1017 if (argc != 2) { 1018 LOG(WARNING) << "GetDnsNetIdCommand::runCommand: getdnsnetid: from UID " << uid 1019 << ", invalid number of arguments to getdnsnetid: " << argc; 1020 sendCodeAndBe32(cli, ResponseCode::DnsProxyQueryResult, -EINVAL); 1021 return -1; 1022 } 1023 1024 unsigned netId; 1025 if (!simpleStrtoul(argv[1], &netId)) { 1026 LOG(WARNING) << "GetDnsNetIdCommand::runCommand: getdnsnetid: from UID " << uid 1027 << ", invalid netId"; 1028 sendCodeAndBe32(cli, ResponseCode::DnsProxyQueryResult, -EINVAL); 1029 return -1; 1030 } 1031 1032 const bool useLocalNameservers = checkAndClearUseLocalNameserversFlag(&netId); 1033 android_net_context netcontext; 1034 gResNetdCallbacks.get_network_context(netId, uid, &netcontext); 1035 1036 if (useLocalNameservers) { 1037 netcontext.app_netid |= NETID_USE_LOCAL_NAMESERVERS; 1038 } 1039 1040 const bool success = 1041 sendCodeAndBe32(cli, ResponseCode::DnsProxyQueryResult, netcontext.app_netid); 1042 if (!success) { 1043 PLOG(WARNING) 1044 << "GetDnsNetIdCommand::runCommand: getdnsnetid: failed to send result to uid " 1045 << uid << " pid " << cli->getPid(); 1046 } 1047 1048 return success ? 0 : -1; 1049 } 1050 1051 /******************************************************* 1052 * GetHostByName * 1053 *******************************************************/ 1054 DnsProxyListener::GetHostByNameCmd::GetHostByNameCmd() : FrameworkCommand("gethostbyname") {} 1055 1056 int DnsProxyListener::GetHostByNameCmd::runCommand(SocketClient* cli, int argc, char** argv) { 1057 logArguments(argc, argv); 1058 1059 if (argc != 4) { 1060 char* msg = nullptr; 1061 asprintf(&msg, "Invalid number of arguments to gethostbyname: %i", argc); 1062 LOG(WARNING) << "GetHostByNameCmd::runCommand: " << (msg ? msg : "null"); 1063 cli->sendMsg(ResponseCode::CommandParameterError, msg, false); 1064 free(msg); 1065 return -1; 1066 } 1067 1068 uid_t uid = cli->getUid(); 1069 unsigned netId = strtoul(argv[1], nullptr, 10); 1070 const bool useLocalNameservers = checkAndClearUseLocalNameserversFlag(&netId); 1071 std::string name = argv[2]; 1072 int af = strtol(argv[3], nullptr, 10); 1073 1074 android_net_context netcontext; 1075 gResNetdCallbacks.get_network_context(netId, uid, &netcontext); 1076 1077 if (useLocalNameservers) { 1078 netcontext.flags |= NET_CONTEXT_FLAG_USE_LOCAL_NAMESERVERS; 1079 } 1080 1081 (new GetHostByNameHandler(cli, name, af, netcontext))->spawn(); 1082 return 0; 1083 } 1084 1085 DnsProxyListener::GetHostByNameHandler::GetHostByNameHandler(SocketClient* c, std::string name, 1086 int af, 1087 const android_net_context& netcontext) 1088 : Handler(c), mName(move(name)), mAf(af), mNetContext(netcontext) {} 1089 1090 void DnsProxyListener::GetHostByNameHandler::doDns64Synthesis(int32_t* rv, hostent* hbuf, char* buf, 1091 size_t buflen, struct hostent** hpp, 1092 NetworkDnsEventReported* event) { 1093 // Don't have to consider family AF_UNSPEC case because gethostbyname{, 2} only supports 1094 // family AF_INET or AF_INET6. 1095 const bool ipv6WantedButNoData = (mAf == AF_INET6 && *rv == EAI_NODATA); 1096 1097 if (!ipv6WantedButNoData) { 1098 return; 1099 } 1100 1101 netdutils::IPPrefix prefix{}; 1102 if (!getDns64Prefix(mNetContext.dns_netid, &prefix)) { 1103 return; 1104 } 1105 1106 // If caller wants IPv6 answers but no data, try to query IPv4 answers for synthesis 1107 const uid_t uid = mClient->getUid(); 1108 if (queryLimiter.start(uid)) { 1109 const char* name = mName.starts_with('^') ? nullptr : mName.c_str(); 1110 *rv = resolv_gethostbyname(name, AF_INET, hbuf, buf, buflen, &mNetContext, hpp, event); 1111 queryLimiter.finish(uid); 1112 if (*rv) { 1113 *rv = EAI_NODATA; // return original error code 1114 return; 1115 } 1116 } else { 1117 LOG(ERROR) << __func__ << ": from UID " << uid << ", max concurrent queries reached"; 1118 return; 1119 } 1120 1121 if (!synthesizeNat64PrefixWithARecord(prefix, *hpp)) { 1122 // If caller wants IPv6 answers but no data and failed to synthesize IPv4 answers, 1123 // don't return the IPv4 answers. 1124 *hpp = nullptr; 1125 } 1126 } 1127 1128 void DnsProxyListener::GetHostByNameHandler::run() { 1129 Stopwatch s; 1130 maybeFixupNetContext(&mNetContext, mClient->getPid()); 1131 const uid_t uid = mClient->getUid(); 1132 hostent* hp = nullptr; 1133 hostent hbuf; 1134 char tmpbuf[MAXPACKET]; 1135 int32_t rv = 0; 1136 NetworkDnsEventReported event; 1137 initDnsEvent(&event, mNetContext); 1138 if (queryLimiter.start(uid)) { 1139 const char* name = mName.starts_with('^') ? nullptr : mName.c_str(); 1140 if (evaluate_domain_name(mNetContext, name)) { 1141 rv = resolv_gethostbyname(name, mAf, &hbuf, tmpbuf, sizeof tmpbuf, &mNetContext, &hp, 1142 &event); 1143 } else { 1144 rv = EAI_SYSTEM; 1145 } 1146 queryLimiter.finish(uid); 1147 } else { 1148 rv = EAI_MEMORY; 1149 LOG(ERROR) << "GetHostByNameHandler::run: from UID " << uid 1150 << ", max concurrent queries reached"; 1151 } 1152 1153 doDns64Synthesis(&rv, &hbuf, tmpbuf, sizeof tmpbuf, &hp, &event); 1154 const int32_t latencyUs = saturate_cast<int32_t>(s.timeTakenUs()); 1155 event.set_latency_micros(latencyUs); 1156 event.set_event_type(EVENT_GETHOSTBYNAME); 1157 1158 LOG(DEBUG) << "GetHostByNameHandler::run: result: " << gai_strerror(rv); 1159 1160 bool success = true; 1161 if (hp) { 1162 // hp is not nullptr iff. rv is 0. 1163 success = mClient->sendCode(ResponseCode::DnsProxyQueryResult) == 0; 1164 success &= sendhostent(mClient, hp); 1165 } else { 1166 success = mClient->sendBinaryMsg(ResponseCode::DnsProxyOperationFailed, nullptr, 0) == 0; 1167 } 1168 1169 if (!success) { 1170 PLOG(WARNING) << "GetHostByNameHandler::run: Error writing DNS result to client uid " << uid 1171 << " pid " << mClient->getPid(); 1172 } 1173 1174 std::vector<std::string> ip_addrs; 1175 const int total_ip_addr_count = extractGetHostByNameAnswers(hp, &ip_addrs); 1176 reportDnsEvent(INetdEventListener::EVENT_GETHOSTBYNAME, mNetContext, latencyUs, rv, event, 1177 mName, ip_addrs, total_ip_addr_count); 1178 } 1179 1180 std::string DnsProxyListener::GetHostByNameHandler::threadName() { 1181 return makeThreadName(mNetContext.dns_netid, mClient->getUid()); 1182 } 1183 1184 /******************************************************* 1185 * GetHostByAddr * 1186 *******************************************************/ 1187 DnsProxyListener::GetHostByAddrCmd::GetHostByAddrCmd() : FrameworkCommand("gethostbyaddr") {} 1188 1189 int DnsProxyListener::GetHostByAddrCmd::runCommand(SocketClient* cli, int argc, char** argv) { 1190 logArguments(argc, argv); 1191 1192 if (argc != 5) { 1193 char* msg = nullptr; 1194 asprintf(&msg, "Invalid number of arguments to gethostbyaddr: %i", argc); 1195 LOG(WARNING) << "GetHostByAddrCmd::runCommand: " << (msg ? msg : "null"); 1196 cli->sendMsg(ResponseCode::CommandParameterError, msg, false); 1197 free(msg); 1198 return -1; 1199 } 1200 1201 char* addrStr = argv[1]; 1202 int addrLen = strtol(argv[2], nullptr, 10); 1203 int addrFamily = strtol(argv[3], nullptr, 10); 1204 uid_t uid = cli->getUid(); 1205 unsigned netId = strtoul(argv[4], nullptr, 10); 1206 const bool useLocalNameservers = checkAndClearUseLocalNameserversFlag(&netId); 1207 1208 in6_addr addr; 1209 errno = 0; 1210 int result = inet_pton(addrFamily, addrStr, &addr); 1211 if (result <= 0) { 1212 char* msg = nullptr; 1213 asprintf(&msg, "inet_pton(\"%s\") failed %s", addrStr, strerror(errno)); 1214 LOG(WARNING) << "GetHostByAddrCmd::runCommand: " << (msg ? msg : "null"); 1215 cli->sendMsg(ResponseCode::OperationFailed, msg, false); 1216 free(msg); 1217 return -1; 1218 } 1219 1220 android_net_context netcontext; 1221 gResNetdCallbacks.get_network_context(netId, uid, &netcontext); 1222 1223 if (useLocalNameservers) { 1224 netcontext.flags |= NET_CONTEXT_FLAG_USE_LOCAL_NAMESERVERS; 1225 } 1226 1227 (new GetHostByAddrHandler(cli, addr, addrLen, addrFamily, netcontext))->spawn(); 1228 return 0; 1229 } 1230 1231 DnsProxyListener::GetHostByAddrHandler::GetHostByAddrHandler(SocketClient* c, in6_addr address, 1232 int addressLen, int addressFamily, 1233 const android_net_context& netcontext) 1234 : Handler(c), 1235 mAddress(address), 1236 mAddressLen(addressLen), 1237 mAddressFamily(addressFamily), 1238 mNetContext(netcontext) {} 1239 1240 void DnsProxyListener::GetHostByAddrHandler::doDns64ReverseLookup(hostent* hbuf, char* buf, 1241 size_t buflen, 1242 struct hostent** hpp, 1243 NetworkDnsEventReported* event) { 1244 if (*hpp != nullptr || mAddressFamily != AF_INET6) { 1245 return; 1246 } 1247 1248 netdutils::IPPrefix prefix{}; 1249 if (!getDns64Prefix(mNetContext.dns_netid, &prefix)) { 1250 return; 1251 } 1252 1253 if (!isValidNat64Prefix(prefix)) { 1254 return; 1255 } 1256 1257 struct sockaddr_storage ss = netdutils::IPSockAddr(prefix.ip()); 1258 struct sockaddr_in6* v6prefix = (struct sockaddr_in6*)&ss; 1259 struct in6_addr v6addr = mAddress; 1260 // Check if address has NAT64 prefix. Only /96 IPv6 NAT64 prefixes are supported 1261 if ((v6addr.s6_addr32[0] != v6prefix->sin6_addr.s6_addr32[0]) || 1262 (v6addr.s6_addr32[1] != v6prefix->sin6_addr.s6_addr32[1]) || 1263 (v6addr.s6_addr32[2] != v6prefix->sin6_addr.s6_addr32[2])) { 1264 return; 1265 } 1266 1267 const uid_t uid = mClient->getUid(); 1268 if (queryLimiter.start(uid)) { 1269 // Remove NAT64 prefix and do reverse DNS query 1270 struct in_addr v4addr = {.s_addr = v6addr.s6_addr32[3]}; 1271 resolv_gethostbyaddr(&v4addr, sizeof(v4addr), AF_INET, hbuf, buf, buflen, &mNetContext, hpp, 1272 event); 1273 queryLimiter.finish(uid); 1274 if (*hpp) { 1275 // Replace IPv4 address with original queried IPv6 address in place. The space has 1276 // reserved by dns_gethtbyaddr() and netbsd_gethostent_r() in 1277 // system/netd/resolv/gethnamaddr.cpp. 1278 // Note that resolv_gethostbyaddr() returns only one entry in result. 1279 memcpy((*hpp)->h_addr_list[0], &v6addr, sizeof(v6addr)); 1280 (*hpp)->h_addrtype = AF_INET6; 1281 (*hpp)->h_length = sizeof(struct in6_addr); 1282 } 1283 } else { 1284 LOG(ERROR) << __func__ << ": from UID " << uid << ", max concurrent queries reached"; 1285 } 1286 } 1287 1288 void DnsProxyListener::GetHostByAddrHandler::run() { 1289 Stopwatch s; 1290 maybeFixupNetContext(&mNetContext, mClient->getPid()); 1291 const uid_t uid = mClient->getUid(); 1292 hostent* hp = nullptr; 1293 hostent hbuf; 1294 char tmpbuf[MAXPACKET]; 1295 int32_t rv = 0; 1296 NetworkDnsEventReported event; 1297 initDnsEvent(&event, mNetContext); 1298 if (queryLimiter.start(uid)) { 1299 rv = resolv_gethostbyaddr(&mAddress, mAddressLen, mAddressFamily, &hbuf, tmpbuf, 1300 sizeof tmpbuf, &mNetContext, &hp, &event); 1301 queryLimiter.finish(uid); 1302 } else { 1303 rv = EAI_MEMORY; 1304 LOG(ERROR) << "GetHostByAddrHandler::run: from UID " << uid 1305 << ", max concurrent queries reached"; 1306 } 1307 1308 doDns64ReverseLookup(&hbuf, tmpbuf, sizeof tmpbuf, &hp, &event); 1309 const int32_t latencyUs = saturate_cast<int32_t>(s.timeTakenUs()); 1310 event.set_latency_micros(latencyUs); 1311 event.set_event_type(EVENT_GETHOSTBYADDR); 1312 1313 LOG(DEBUG) << "GetHostByAddrHandler::run: result: " << gai_strerror(rv); 1314 1315 bool success = true; 1316 if (hp) { 1317 success = mClient->sendCode(ResponseCode::DnsProxyQueryResult) == 0; 1318 success &= sendhostent(mClient, hp); 1319 } else { 1320 success = mClient->sendBinaryMsg(ResponseCode::DnsProxyOperationFailed, nullptr, 0) == 0; 1321 } 1322 1323 if (!success) { 1324 PLOG(WARNING) << "GetHostByAddrHandler::run: Error writing DNS result to client uid " << uid 1325 << " pid " << mClient->getPid(); 1326 } 1327 1328 reportDnsEvent(INetdEventListener::EVENT_GETHOSTBYADDR, mNetContext, latencyUs, rv, event, 1329 (hp && hp->h_name) ? hp->h_name : "null", {}, 0); 1330 } 1331 1332 std::string DnsProxyListener::GetHostByAddrHandler::threadName() { 1333 return makeThreadName(mNetContext.dns_netid, mClient->getUid()); 1334 } 1335 1336 } // namespace net 1337 } // namespace android 1338