From: Tomas Krizek Date: Tue, 12 Mar 2019 14:31:42 +0000 (+0100) Subject: daemon/lua/trust_anchors: don't crash when dealing with unknown algorhitm X-Git-Tag: v4.0.0~15^2~34 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=088aad9e326795d78f16c94bfca0f1b909abe109;p=thirdparty%2Fknot-resolver.git daemon/lua/trust_anchors: don't crash when dealing with unknown algorhitm
---
diff --git a/daemon/lua/trust_anchors.lua.in b/daemon/lua/trust_anchors.lua.in
index 2497fbcb8..ca4d221a6 100644
--- a/daemon/lua/trust_anchors.lua.in
+++ b/daemon/lua/trust_anchors.lua.in
@@ -201,12 +201,16 @@ local function ta_present(keyset, rr, hold_down_time, force_valid)
 if rr.type == kres.type.DNSKEY and not C.kr_dnssec_key_ksk(rr.rdata) then
 return false -- Ignore
 end
+ -- Attempt to extract key_tag
+ local key_tag = C.kr_dnssec_key_tag(rr.type, rr.rdata, #rr.rdata)
+ if key_tag < 0 or key_tag > 65535 then
+ warn(string.format('[ ta ] ignoring invalid or unsupported RR: %s: %s',
+ kres.rr2str(rr), ffi.string(C.knot_strerror(key_tag))))
+ return false
+ end
 -- Find the key in current key set and check its status
 local now = os.time()
 local key_revoked = (rr.type == kres.type.DNSKEY) and C.kr_dnssec_key_revoked(rr.rdata)
- local key_tag = C.kr_dnssec_key_tag(rr.type, rr.rdata, #rr.rdata)
- assert(key_tag >= 0 and key_tag <= 65535, string.format('invalid RR: %s: %s',
- kres.rr2str(rr), ffi.string(C.knot_strerror(key_tag))))
 local ta = ta_find(keyset, rr)
 if ta then
 -- Key reappears (KeyPres)
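Review bot: A caller cannot tell a deliberately ignored non-KSK record from an unsupported or malformed key, because the new guard in ta_present returns the same `false` as the non-KSK branch just above it. The callers are outside this hunk, so it should be confirmed that a keyset in which every RR was skipped this way is not treated as a successfully loaded trust anchor set, since that decides whether validation fails closed. Separately, `C.knot_strerror(key_tag)` is only meaningful on the negative branch; for `key_tag > 65535` the value is not an error code and the logged text is likely misleading, so I would log that case as a plain number, e.g. `key_tag < 0 and ffi.string(C.knot_strerror(key_tag)) or tostring(key_tag)`. ta_present's body starts and ends outside the hunk.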