From: Mark Andrews
Date: Wed, 7 Aug 2024 06:57:45 +0000 (+1000)
Subject: Check key tag range when matching dnssec keys to kasp keys
X-Git-Tag: v9.21.1~19^2~6
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=035289be713dba446db814845ec7f4a9d36be725;p=thirdparty%2Fbind9.git
Check key tag range when matching dnssec keys to kasp keys
---
diff --git a/lib/dns/kasp.c b/lib/dns/kasp.c
index 03308b44b67..285ae0bb7f1 100644
--- a/lib/dns/kasp.c
+++ b/lib/dns/kasp.c
@@ -544,6 +544,16 @@ dns_kasp_key_match(dns_kasp_key_t *key, dns_dnsseckey_t *dkey) {
 if (ret != ISC_R_SUCCESS || role != dns_kasp_key_zsk(key)) {
 return (false);
 }
+ /* Valid key tag range? */
+ uint16_t id = dst_key_id(dkey->key);
+ uint16_t rid = dst_key_rid(dkey->key);
+ if (id < key->tag_min || id > key->tag_max) {
+ return (false);
+ }
+ if (rid < key->tag_min || rid > key->tag_max) {
+ return (false);
+ }
+
 /* Found a match. */
 return (true);
 }
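Review bot: The added range check in dns_kasp_key_match() rejects a key when either `id` or `rid` falls outside `key->tag_min`..`key->tag_max`, but the comment `/* Valid key tag range? */` does not say why `rid` is tested too, or what range a policy without a configured range carries. I would expand it to something like `/* Both the key tag and the revoked-key tag (dst_key_rid) must lie within the policy's tag range. */`. The initialisation of `tag_min`/`tag_max` is not visible in this hunk; if an unconfigured policy does not default to the full 0..65535 range, existing keys would stop matching here and would presumably be treated as foreign to the policy, so that default is worth confirming and covering with a test. The context line above reads the key's role through an accessor (`dns_kasp_key_zsk(key)`), so the direct member access is a small inconsistency if equivalent accessors exist for the tag range. The function starts above the hunk.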