Invalid NSEC3 can cause OOB read of the isdelegation() stack

When .next_length is longer than NSEC3_MAX_HASH_LENGTH, it causes a
harmless out-of-bound read of the isdelegation() stack.  This patch
fixes the issue by skipping NSEC3 records with an oversized hash length
during validation.

diff --git a/lib/dns/rdata/generic/nsec3_50.c b/lib/dns/rdata/generic/nsec3_50.c
index 600a90f9bd9341740a1ed72967414409ac2d8fad..9f4d4e5a998edfb4e6d116a4eb79a696ffc6040a 100644 (file)
--- a/lib/dns/rdata/generic/nsec3_50.c
+++ b/lib/dns/rdata/generic/nsec3_50.c
@@ -313,6 +313,7 @@ tostruct_nsec3(ARGS_TOSTRUCT) {
        nsec3->len = region.length;
        nsec3->typebits = mem_maybedup(mctx, region.base, region.length);
        nsec3->mctx = mctx;
+
        return ISC_R_SUCCESS;
 }
 

diff --git a/lib/dns/validator.c b/lib/dns/validator.c
index ed2931b744021f2a01ef9740bbccf7af719641ac..de0765b8c2738a59c746b801a61438c8a05044b5 100644 (file)
--- a/lib/dns/validator.c
+++ b/lib/dns/validator.c
@@ -322,6 +322,9 @@ trynsec3:
                        if (nsec3.hash != 1) {
                                continue;
                        }
+                       if (nsec3.next_length > NSEC3_MAX_HASH_LENGTH) {
+                               continue;
+                       }
                        length = isc_iterated_hash(
                                hash, nsec3.hash, nsec3.iterations, nsec3.salt,
                                nsec3.salt_length, name->ndata, name->length);