From a35ac5d82e31a13a5d1ba89e02f2cdbadb6432b9 Mon Sep 17 00:00:00 2001
From: Yorgos Thessalonikefs
Date: Tue, 13 May 2025 11:00:23 +0200
Subject: [PATCH] - Fix #1284: NULL pointer deref in az_find_nsec_cover() (latent bug) by adding a log_assert() to safeguard future development.
---
 doc/Changelog | 4 ++++
 services/authzone.c | 19 ++++++++-----------
 2 files changed, 12 insertions(+), 11 deletions(-)
diff --git a/doc/Changelog b/doc/Changelog
index 8d4a93ff6..3b169e793 100644
--- a/doc/Changelog
+++ b/doc/Changelog
@@ -1,3 +1,7 @@
+13 May 2025: Yorgos
+ - Fix #1284: NULL pointer deref in az_find_nsec_cover() (latent bug)
+ by adding a log_assert() to safeguard future development.
+
 12 May 2025: Yorgos - Merge #1280: Fix auth nsec3 code. Fixes NSEC3 code to not break on broken auth zones that include unsigned out of zone (above apex)
diff --git a/services/authzone.c b/services/authzone.c
index 7d1df032e..40530d3a5 100644
--- a/services/authzone.c
+++ b/services/authzone.c
@@ -2767,21 +2767,18 @@ az_change_dnames(struct dns_msg* msg, uint8_t* oldname, uint8_t* newname,
 } }
-/** find NSEC record covering the query */
+/** find NSEC record covering the query, with the given node in the zone */
 static struct auth_rrset* az_find_nsec_cover(struct auth_zone* z, struct auth_data** node) {
- uint8_t* nm = (*node)->name;
- size_t nmlen = (*node)->namelen;
+ uint8_t* nm;
+ size_t nmlen;
 struct auth_rrset* rrset;
+ log_assert(*node); /* we already have a node when calling this */
+ nm = (*node)->name;
+ nmlen = (*node)->namelen;
 /* find the NSEC for the smallest-or-equal node */
- /* if node == NULL, we did not find a smaller name. But the zone
- * name is the smallest name and should have an NSEC. So there is
- * no NSEC to return (for a properly signed zone) */
- /* for empty nonterminals, the auth-data node should not exist,
- * and thus we don't need to go rbtree_previous here to find
- * a domain with an NSEC record */
- /* but there could be glue, and if this is node, then it has no NSEC.
+ /* But there could be glue, and then it has no NSEC.
 * Go up to find nonglue (previous) NSEC-holding nodes */ while((rrset=az_domain_rrset(*node, LDNS_RR_TYPE_NSEC)) == NULL) { if(nmlen == z->namelen) return NULL;
@@ -3393,7 +3390,7 @@ az_generate_answer_with_node(struct auth_zone* z, struct query_info* qinfo,
 } /** Generate answer without an existing-node that we can use.
- * So it'll be a referral, DNAME or nxdomain */
+ * So it'll be a referral, DNAME, notype, wildcard or nxdomain */
 static int az_generate_answer_nonexistnode(struct auth_zone* z, struct query_info* qinfo, struct regional* region, struct dns_msg* msg, struct auth_data* ce,
--
2.47.3
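Review bot: In az_find_nsec_cover() the added `log_assert(*node);` is the only guard before the dereference in `nm = (*node)->name;`, and as far as I know log_assert() compiles to nothing unless Unbound is built with debug assertions enabled, so a normal build gets no protection if a later caller breaks the precondition. The function already returns NULL to mean "no covering NSEC", so keeping the assert and following it with `if(!*node) return NULL;` would turn that case into a missing NSEC record rather than a crash of the server process. The removed comment block was the only place that described the `*node == NULL` case, so the doc comment should state the precondition explicitly, e.g. `/** find NSEC record covering the query; *node must be non-NULL on entry */`. The while loop continues past the end of the hunk, so how `*node` is updated there is not visible here.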