lib/dnssec: drop incorrect `requirement` and comment

I don't think this can happen on correct records,
due to the way that the root zone is.  But we've seen
this assertion happen in real life, and attackers
might be able to misuse it to cause crashes.

diff --git a/NEWS b/NEWS
index 4ed34f9a555bfea735501a7a2663272765e21f3b..4c50d2dc0d147da8ff055f118f6f5fc4abfe457a 100644 (file)
--- a/NEWS
+++ b/NEWS
@@ -6,6 +6,9 @@ Security
 - DoS: fix a rare segfault in `resolve` function (!1717)
   Someone controlling the DNS traffic might be able
   to trigger this crash intentionally and too often.
+- DoS: drop a wrong assertion/crash (!1718)
+  Someone controlling the DNS traffic will most likely be able
+  to trigger this crash intentionally and too often.
 
 Bugfixes
 --------

diff --git a/lib/dnssec/nsec3.c b/lib/dnssec/nsec3.c
index da1bf72d50e75dfe75f75e521f05dd91e7bb3c83..7db93dc5872ab3cf819a28f09d23bd8c881f753f 100644 (file)
--- a/lib/dnssec/nsec3.c
+++ b/lib/dnssec/nsec3.c
@@ -339,7 +339,7 @@ fail:
  *
  * @param tgt  Target buffer to write domain name into.
  * @param name Name to be added to the asterisk.
- * @return     Size of the resulting name or error code.
+ * @return     error code or something positive
  */
 static int prepend_asterisk(uint8_t *tgt, size_t maxlen, const knot_dname_t *name)
 {
@@ -556,7 +556,6 @@ static int matches_closest_encloser_wildcard(const knot_pkt_t *pkt, knot_section
        int ret = prepend_asterisk(wildcard, sizeof(wildcard), encloser);
        if (ret < 0)
                return ret;
-       kr_require(ret >= 3);
        return nodata_find(pkt, section_id, wildcard, stype);
 }