resolved: packet - refuse empty type bitmaps 760/head
authorTom Gundersen <teg@jklm.no>
Tue, 28 Jul 2015 21:16:52 +0000 (23:16 +0200)
committerTom Gundersen <teg@jklm.no>
Tue, 28 Jul 2015 21:25:52 +0000 (23:25 +0200)
The NSEC type itself must at least be in the bitmap, so NSEC records with empty
bitmaps must be bogus.

src/resolve/resolved-dns-packet.c

index 88a3089a72888007868db6b97678dd06575d04f9..39951a362c83e5fa2d3dc80a91fb8b5982e75764 100644 (file)
@@ -1666,8 +1666,12 @@ int dns_packet_read_rr(DnsPacket *p, DnsResourceRecord **ret, size_t *start) {
                 if (r < 0)
                         goto fail;
 
-                /* NSEC RRs with empty bitmpas makes no sense, but the RFC does not explicitly forbid them
-                   so we allow it */
+                /* The types bitmap must contain at least the NSEC record itself, so an empty bitmap means
+                   something went wrong */
+                if (bitmap_isclear(rr->nsec.types)) {
+                        r = -EBADMSG;
+                        goto fail;
+                }
 
                 break;
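Review bot: The added check only tests `bitmap_isclear(rr->nsec.types)`, while the comment above it states a stronger invariant, that the bitmap must contain the NSEC type itself; a bitmap with other bits set but the NSEC bit missing still passes. Either tighten the test to match the comment, e.g. `if (!bitmap_isset(rr->nsec.types, DNS_TYPE_NSEC)) {`, or reword the comment to say that only an empty bitmap is rejected. The removed comment noted that the RFC does not explicitly forbid empty bitmaps, so this is a strictness choice: `goto fail` with `-EBADMSG` appears to abort the record read rather than skip the record, so answers from a server that emits such NSEC records would presumably stop parsing, and that trade-off deserves a sentence in the comment. The `case` label and the `fail:` path of dns_packet_read_rr() are outside the hunk, so confirm this branch is not shared with NSEC3 parsing, where an empty type bitmap can be legitimate.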