From: Vladimír Čunát
Date: Tue, 6 Oct 2020 07:15:43 +0000 (+0200)
Subject: validator: avoid using RRSIG from a different packet
X-Git-Tag: v5.2.0~23^2
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=9432a4276e3a40260a2b1f3dcb0bfd129e3c6f54;p=thirdparty%2Fknot-resolver.git

validator: avoid using RRSIG from a different packet

Restrict tried RRSIGs by qry_uid equality. I see no use case against and it could be confusing. (Also rewrite the conditions around to positive form.)

An assertion in cache noticed an NSEC with _SECURE rank but no RRSIG (in practice). It was a side-effect of still not keeping RRSIGs with their RRs in some places. It wasn't a security problem, as it doesn't really matter where the signatures came from. Theoretically it might've led to incorrect caching (missing usable RRSIGs), as cache was restricting qry_uid to match, but that hasn't been noticed in practice.

---
diff --git a/NEWS b/NEWS index 0b74d5026..52c0bdb61 100644 --- a/NEWS +++ b/NEWS @@ -6,6 +6,10 @@ Improvements - net: split the EDNS buffer size into upstream and downstream (!1026) - lua-http doh: answer to /dns-query endpoint as well as /doh (!1069) +Bugfixes +-------- +- avoid an assert() error in stash_rrset() (!1072) + Knot Resolver 5.1.3 (2020-09-08) ================================ diff --git a/lib/dnssec.c b/lib/dnssec.c index 50b53f2e0..7490a6758 100644 --- a/lib/dnssec.c +++ b/lib/dnssec.c
@@ -193,14 +193,15 @@ static int kr_rrset_validate_with_key(kr_rrset_validation_ctx_t *vctx, } for (uint16_t i = 0; i < vctx->rrs->len; ++i) { - /* Consider every RRSIG that matches owner and covers the class/type. */ + /* Consider every RRSIG that matches and comes from the same query. */ const knot_rrset_t *rrsig = vctx->rrs->at[i]->rr; - if (rrsig->type != KNOT_RRTYPE_RRSIG) { + const bool ok = vctx->rrs->at[i]->qry_uid == vctx->qry_uid + && rrsig->type == KNOT_RRTYPE_RRSIG + && rrsig->rclass == covered->rclass + && knot_dname_is_equal(rrsig->owner, covered->owner); + if (!ok) continue; - } - if ((covered->rclass != rrsig->rclass) || !knot_dname_is_equal(covered->owner, rrsig->owner)) { - continue; - } + knot_rdata_t *rdata_j = rrsig->rrs.rdata; for (uint16_t j = 0; j < rrsig->rrs.count; ++j, rdata_j = knot_rdataset_next(rdata_j)) { int val_flgs = 0;
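Review bot: the NEWS entry under the new "Bugfixes" heading ("avoid an assert() error in stash_rrset() (!1072)") names only the symptom, while the user-visible behaviour change is in the validator: RRSIGs are now considered only when they come from the same query (qry_uid) as the RRset being validated. Suggest wording the entry so both are visible, e.g. "validator: only use RRSIGs from the same query; fixes an assert() error in stash_rrset() (!1072)", so operators reading the changelog know why a signature carried in a different packet is no longer accepted.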
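Review bot: the new condition compares `vctx->rrs->at[i]->qry_uid == vctx->qry_uid`, but this diff does not add a `qry_uid` field to `kr_rrset_validation_ctx_t` nor show where it is set; please confirm the field already exists and that every caller of `kr_rrset_validate_with_key()` initialises it, because an uninitialised or stale `vctx->qry_uid` would make `ok` false for every RRSIG and silently turn all validations into failures rather than tripping an assertion. On the same lines, the replacement comment "Consider every RRSIG that matches and comes from the same query." is less precise than the one it removes; "matches" should say what is compared here (type RRSIG, class and owner of `covered`), with a note that the covered type is checked in the inner `rdata_j` loop, so the next reader does not look for the type check in the `ok` expression. Finally, `const bool` needs `<stdbool.h>` in scope; the hunk does not show the includes, so worth a quick check that the file already has it.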