Check additional section; allow only OPT and RRSIG

Signed-off-by: Karel Bilek <kb@karelbilek.com>

Author: karelbilek

pdns/dnsparser.cc

@@ -1052,6 +1052,29 @@ void shuffleDNSPacket(char* packet, size_t length, const dnsheader_aligned& alig
 
     indexes.push_back(dpm.getOffset());
 
+    // also check additional section
+    const uint16_t arcount = ntohs(dhp->arcount);
+    for(size_t iter = 0; iter < arcount; ++iter) {
+      const std::optional<size_t> domain_pointer = dpm.skipDomainName();
+      const bool pointer_before_as = domain_pointer.value_or(0) < indexes[0];
+      if (!pointer_before_as) {
+        // pointers could break by shuffling - bailing out
+        return;
+      }
+      const uint16_t dnstype = dpm.get16BitInt();
+      if (!(dnstype == QType::OPT || dnstype == QType::RRSIG)){
+        // anything else than OPT - might potentionally have pointers in rdata
+        return;
+      }
+
+      /* type and class */
+      dpm.skipBytes(2);
+
+      /* ttl */
+      dpm.skipBytes(4);
+      dpm.skipRData();
+    }
+
     if (indexes.size() > 2) {
       using uid = std::uniform_int_distribution<std::vector<uint32_t>::size_type>;
       uid dist;