From: Vladimír Čunát
Date: Tue, 6 Feb 2024 08:41:04 +0000 (+0100)
Subject: lib/dnssec: allow validating some RRsets around 64 KiB size
X-Git-Tag: v6.0.6~1^2
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=0b8012c2d68b7d59a55a0dca1d3f0c3042016ae9;p=thirdparty%2Fknot-resolver.git
lib/dnssec: allow validating some RRsets around 64 KiB size
- only with libknot >= 3.4 though (which is not released yet)
- use stack instead of static buffer (saves RAM; see code comment)
---
diff --git a/NEWS b/NEWS
index f4d640322..43dee12f5 100644
--- a/NEWS
+++ b/NEWS
@@ -5,6 +5,10 @@ Improvements ------------ - tweak the default run_dir on non-Linux (!1481) +Bugfixes +-------- +- fix validation of RRsets around 64 KiB size; needs libknot >= 3.4 (!1497) + Knot Resolver 6.0.5 (2024-01-09) ================================
diff --git a/lib/dnssec/signature.c b/lib/dnssec/signature.c
index aadb5cb9f..f80337fe0 100644
--- a/lib/dnssec/signature.c
+++ b/lib/dnssec/signature.c
@@ -179,11 +179,27 @@ static int sign_ctx_add_records(dnssec_sign_ctx_t *ctx, const knot_rrset_t *cove
 if (!ctx || !covered || trim_labels < 0)
 return kr_error(EINVAL);
- // huge block of rrsets can be optionally created
- static uint8_t wire_buffer[KNOT_WIRE_MAX_PKTSIZE];
+ /* Buffer allocation notes:
+ - We should be able to afford a larger stack allocation,
+ as we don't use (this function in) threads.
+ - The format that's signed has decompressed names,
+ so it can be significantly more than 64 KiB,
+ even if it originally did fit into a 64 KiB packet.
+ Let's tolerate a double of that.
+ - Older libknot only allowed passing 16-bit size limit.
+ */
+ uint8_t wire_buffer[
+ #if KNOT_VERSION_HEX < 0x030400
+ KNOT_WIRE_MAX_PKTSIZE
+ #else
+ knot_rrset_size_estimate(covered)
+ #endif
+ ];
 int written = knot_rrset_to_wire(covered, wire_buffer, sizeof(wire_buffer), NULL);
- if (written < 0)
+ if (written < 0) {
+ kr_assert(KNOT_VERSION_HEX < 0x030400 || written != KNOT_ESPACE);
 return written;
+ }
 /* Set original ttl. */
 int ret = adjust_wire_ttl(wire_buffer, written, orig_ttl);
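Review bot: In the libknot >= 3.4 arm the VLA `wire_buffer` takes its size straight from `knot_rrset_size_estimate(covered)`, yet nothing in the hunk enforces the "double of [64 KiB]" ceiling that the comment right above it announces, so the stack frame grows with whatever the estimate reports for an RRset assembled from received data. Bounding it keeps the allocation predictable and makes the comment true, e.g. `size_t est = knot_rrset_size_estimate(covered);` before the declaration and `uint8_t wire_buffer[est < 2 * KNOT_WIRE_MAX_PKTSIZE ? est : 2 * KNOT_WIRE_MAX_PKTSIZE];` in place of the `#else` arm (assuming the estimate is an unsigned size — confirm against the libknot header). Once a cap exists, `knot_rrset_to_wire` can legitimately report `KNOT_ESPACE` again for an oversized RRset, so the new `kr_assert(... written != KNOT_ESPACE)` would have to be dropped and the plain `return written;` left to propagate the error. `sign_ctx_add_records` begins before and continues after this hunk.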