author | Reyk Floeter <reyk@cvs.openbsd.org> | 2008-03-03 16:43:43 +0000
---|---|---
committer | Reyk Floeter <reyk@cvs.openbsd.org> | 2008-03-03 16:43:43 +0000
commit | 56df9ec0151b584c011b50ec07a21f9c28512858 (patch) |
tree | b10a6ceaef38e684634981eb57cd53317766059a /usr.sbin/relayd |
parent | a59bc0baba4e5df8fd73023a8b8459cf2932e1a7 (diff) |
The fix removes the replacement of se_key from relay_dns_request. se_key
is assigned a random value for an id in relay_udp_server before where
the SPLAY_INSERT is performed, se_outkey is set to the return id rather
than the rl_dskkey. The relay_dns_request which occurs after the
SPLAY_INSERT no longer updates se_outkey, or se_key. The request is sent
using the random value already placed into the se_key when the session
is created.
From Nigel Taylor
ok pyr@ deraadt@
Diffstat (limited to 'usr.sbin/relayd')
-rw-r--r-- | usr.sbin/relayd/relay_udp.c | 14 |
1 files changed, 6 insertions, 8 deletions
diff --git a/usr.sbin/relayd/relay_udp.c b/usr.sbin/relayd/relay_udp.c index 5936c3b861d..a9f22f017de 100644 --- a/usr.sbin/relayd/relay_udp.c +++ b/usr.sbin/relayd/relay_udp.c @@ -1,4 +1,4 @@ -/* $OpenBSD: relay_udp.c,v 1.9 2008/02/13 11:32:59 reyk Exp $ */ +/* $OpenBSD: relay_udp.c,v 1.10 2008/03/03 16:43:42 reyk Exp $ */ /* * Copyright (c) 2007, 2008 Reyk Floeter <reyk@openbsd.org> @@ -194,7 +194,10 @@ relay_udp_server(int fd, short sig, void *arg) calloc(1, sizeof(struct session))) == NULL) return; - con->se_key = key; + /* + * Replace the DNS request Id with a random Id. + */ + con->se_key = arc4random() & 0xffff; con->se_in.s = -1; con->se_out.s = -1; con->se_in.dst = &con->se_out; @@ -203,7 +206,7 @@ relay_udp_server(int fd, short sig, void *arg) con->se_out.con = con; con->se_relay = rlay; con->se_id = ++relay_conid; - con->se_outkey = rlay->rl_dstkey; + con->se_outkey = key; con->se_in.tree = &proto->request_tree; con->se_out.tree = &proto->response_tree; con->se_in.dir = RELAY_DIR_REQUEST; @@ -400,12 +403,7 @@ relay_dns_request(struct session *con) return (-1); slen = con->se_out.ss.ss_len; - /* - * Replace the DNS request Id with a random Id. - */ hdr = (struct relay_dnshdr *)buf; - con->se_outkey = con->se_key; - con->se_key = arc4random() & 0xffff; hdr->dns_id = htons(con->se_key); retry: |
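Review bot: in the relay_udp_server hunk, `con->se_key = arc4random() & 0xffff;` draws a fresh 16-bit id per session, and the commit message says this value is the key for the SPLAY_INSERT that follows; with only 65536 possible values, two concurrent sessions can draw the same id, so the insertion path should check for an existing entry under that key and redraw (or drop the request) rather than assume the insert succeeded. The comment moved here also only says the request id is replaced; since this hunk changes `con->se_outkey = key;` from rl_dstkey to the client's original id, a second sentence noting that the original id is retained in se_outkey for the response path would make the new split between se_key and se_outkey clear at the point where both are set.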
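Review bot: in the relay_dns_request hunk, removing `con->se_key = arc4random() & 0xffff;` leaves `hdr->dns_id = htons(con->se_key);` relying on the id assigned at session creation in relay_udp_server, which is the point of the fix (the commit message notes the old reassignment happened after the SPLAY_INSERT, so the tree entry was keyed on a value that no longer matched the id sent upstream). A short comment at this line stating that se_key is fixed for the session's lifetime and must not be regenerated, including on the `retry:` path that follows, would preserve the explanation that was deleted together with the comment block.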