From: Vladimír Čunát
Date: Mon, 22 Jan 2018 12:30:29 +0000 (+0100)
Subject: Merge tag 'v1.5.2', bringing security fixes
X-Git-Tag: v2.0.0~24^2
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=503787ccf9eab19aa910d33f42f3c8e353ba1775;p=thirdparty%2Fknot-resolver.git
Merge tag 'v1.5.2', bringing security fixes
---
503787ccf9eab19aa910d33f42f3c8e353ba1775
diff --cc lib/dnssec/nsec3.c
index 1ebf3850e,898eaec8c..fd683cb61
--- a/lib/dnssec/nsec3.c
+++ b/lib/dnssec/nsec3.c
@@@ -746,10 -692,8 +689,9 @@@ int kr_nsec3_ref_to_unsigned(const knot if (ns->type != KNOT_RRTYPE_NS) { continue; } + + int flags = 0; bool nsec3_found = false; - - flags = 0; for (unsigned j = 0; j < sec->count; ++j) { const knot_rrset_t *nsec3 = knot_pkt_rr(sec, j); if (nsec3->type == KNOT_RRTYPE_DS) {
@@@ -759,22 -703,11 +701,14 @@@ continue; } nsec3_found = true; - /* nsec3 found, check if owner name matches - * the delegation name - */ - int ret = matches_name(&flags, nsec3, ns->owner); - if (ret != 0) { - return kr_error(EINVAL); - } - if (!(flags & FLG_NAME_MATCHED)) { - /* nsec3 owner name does not match - * the delegation name - */ + /* nsec3 found, check if owner name matches the delegation name. + * Just skip in case of *any* errors. */ + if (matches_name(nsec3, ns->owner) != kr_ok()) { continue; } + + uint8_t *bm = NULL; + uint16_t bm_size = 0; knot_nsec3_bitmap(&nsec3->rrs, 0, &bm, &bm_size); if (!bm) { return kr_error(EINVAL);
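Review bot: In the second hunk, `if (matches_name(nsec3, ns->owner) != kr_ok()) { continue; }` treats every failure of matches_name() as an ordinary name mismatch, where the removed side returned kr_error(EINVAL) for errors. Because `nsec3_found = true;` is set on the line before the check, the code after the loop cannot tell "no NSEC3 matched the delegation" from "the match could not be evaluated". For a proof of an unsigned referral, that is only safe if the post-loop path fails closed, and that path lies outside this hunk (the loop body and kr_nsec3_ref_to_unsigned both continue past it). I would extend the comment to record that assumption, for example `/* Skipping is safe only because the code after the loop rejects the referral when no NSEC3 matched; nsec3_found is already true here. */`. If matches_name() has a distinct "no match" return code, I would skip on that code only and propagate other errors.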