]> git.ipfire.org Git - thirdparty/bind9.git/commitdiff
validate query and response time nanosecs when parsing dnstap 12224/head
authorAydın Mercan <aydin@isc.org>
Wed, 10 Jun 2026 14:40:00 +0000 (17:40 +0300)
committerAydın Mercan <aydin@isc.org>
Tue, 30 Jun 2026 09:08:29 +0000 (12:08 +0300)
An assertion is triggered inside `isc_time_set` when dnstap-read calls
`dns_dt_parse` on dnstap files with query/response time nanosecond
fields greater than a second.

Avoid the assertion by validating the nanosecond fields to be subsecond
when parsing.

lib/dns/dnstap.c

index 97b903d6058095435a9bf7ae292913b4dc183902..29a5882512c2ca7dcd4da4237d5d3c940c95cb26 100644 (file)
@@ -1114,11 +1114,19 @@ dns_dt_parse(isc_mem_t *mctx, isc_region_t *src, dns_dtdata_t **destp) {
        /* Timestamp */
        if (d->query) {
                if (m->has_query_time_sec && m->has_query_time_nsec) {
+                       if (m->query_time_nsec >= NS_PER_SEC) {
+                               CLEANUP(DNS_R_BADDNSTAP);
+                       }
+
                        isc_time_set(&d->qtime, m->query_time_sec,
                                     m->query_time_nsec);
                }
        } else {
                if (m->has_response_time_sec && m->has_response_time_nsec) {
+                       if (m->response_time_nsec >= NS_PER_SEC) {
+                               CLEANUP(DNS_R_BADDNSTAP);
+                       }
+
                        isc_time_set(&d->rtime, m->response_time_sec,
                                     m->response_time_nsec);
                }