Case: NSEC3 with too many iterations used for a positive wildcard proof.
It certainly isn't a perfect fix yet; the whole validator would benefit
from a general overhaul.
if (rrset->type != KNOT_RRTYPE_NSEC3) {
continue;
}
+ /* Avoid hashing with too many iterations;
+ * on "normal packets" we shouldn't get to this point. */
+ if (knot_nsec3_iters(rrset->rrs.rdata) > KR_NSEC3_MAX_ITERATIONS) {
+ continue;
+ }
int ret = covers_name(&flags, rrset, sname);
if (ret != 0) {
return ret;
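Review bot: The added `continue` makes a record rejected for excessive iterations indistinguishable, for the caller, from a proof that was never present — the loop presumably falls through to the same "not found" return after the hunk, which is the kr_error(ENOENT) the header comment alludes to. RFC 9276 treats zones with too many NSEC3 iterations as insecure rather than bogus, so callers will eventually need to tell the two cases apart; a comment naming that limitation would keep the intent visible, e.g. `/* NOTE: the skip collapses into the generic "no proof" result; callers cannot yet apply the insecure-not-bogus treatment of RFC 9276. */`. A verbose-level log at the skip would also help operators diagnose a validation failure that is otherwise silent. The iteration count is read only from the first rdata of the rrset (`rrset->rrs.rdata`); if `covers_name` walks every rdata, later RRs with a different count are not covered by this guard — worth confirming. The enclosing loop and the function's return path lie outside the hunk.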
* KNOT_ERANGE - NSEC3 RR that covers a wildcard
* has been found, but has opt-out flag set;
* otherwise - error.
+ * Records over KR_NSEC3_MAX_ITERATIONS are skipped, so you probably get kr_error(ENOENT).
*/
int kr_nsec3_wildcard_answer_response_check(const knot_pkt_t *pkt, knot_section_t section_id,
const knot_dname_t *sname, int trim_to_next);
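Review bot: The new doc line is hedged ("you probably get") where an API contract should be definite, and it does not say which outcome is meant when the skipped record was the only candidate. Suggested wording for the added line: `* Records with more than KR_NSEC3_MAX_ITERATIONS iterations are skipped, so a proof relying only on such records fails with kr_error(ENOENT) rather than a bogus result.` — assuming ENOENT is indeed what the loop's fall-through returns, which this hunk does not show.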