From: Willem Toorop
Date: Tue, 18 Oct 2016 12:19:53 +0000 (-0500)
Subject: Fix #661 dont sign NSEC3 when len(zone name) > 222
X-Git-Tag: release-1.7.0-rc1~42
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=1403437c4719134fb405600c072f064c6bb32e66;p=thirdparty%2Fldns.git
Fix #661 dont sign NSEC3 when len(zone name) > 222 Thanks Jan-Piet Mens.
---
diff --git a/Changelog b/Changelog
index ec7b45e3..cab9031b 100644
--- a/Changelog
+++ b/Changelog
@@ -86,6 +86,8 @@ TBD
 * bugfix #708: warnings and errors with xcode 6.1/7.0
 * bugfix #754: Memory leak in ldns_str2rdf_ipseckey Thanks Xiali Yan
+ * bugfix #661: Fail NSEC3 signing when NSEC domainname length
+ would overflow. Thanks Jan-Piet Mens.
 1.6.17 2014-01-10
 * Fix ldns_dnssec_zone_new_frm_fp_l to allow the last parsed line of a
diff --git a/dnssec_sign.c b/dnssec_sign.c
index 940a7de1..cd77951a 100644
--- a/dnssec_sign.c
+++ b/dnssec_sign.c
@@ -887,6 +887,10 @@ ldns_dnssec_zone_create_nsec3s_mkmap(ldns_dnssec_zone *zone,
 nsec_ttl = LDNS_DEFAULT_TTL;
 }
+ if (ldns_rdf_size(zone->soa->name) > 222) {
+ return LDNS_STATUS_NSEC3_DOMAINNAME_OVERFLOW;
+ }
+
 if (zone->hashed_names) {
 ldns_traverse_postorder(zone->hashed_names, ldns_hashed_names_node_free, NULL);
diff --git a/error.c b/error.c
index fde9c265..30ffdc88 100644
--- a/error.c
+++ b/error.c
@@ -145,6 +145,8 @@ ldns_lookup_table ldns_error_str[] = {
 { LDNS_STATUS_RDATA_OVERFLOW, "Rdata size overflow" },
 { LDNS_STATUS_SYNTAX_SUPERFLUOUS_TEXT_ERR, "Syntax error, superfluous text present" },
+ { LDNS_STATUS_NSEC3_DOMAINNAME_OVERFLOW,
+ "The NSEC3 domainname length overflow" },
 { 0, NULL }
 };
diff --git a/ldns/error.h b/ldns/error.h
index 7d7983e8..fc31737d 100644
--- a/ldns/error.h
+++ b/ldns/error.h
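Review bot: The new length check in dnssec_sign.c dereferences `zone->soa->name` unconditionally, while the `nsec_ttl = LDNS_DEFAULT_TTL;` fallback just above it suggests this function can be reached without a usable SOA (the condition guarding that fallback is outside the hunk, so this is inferred). If `zone->soa` can be NULL here, signing such a zone would crash instead of returning a status; `if (zone->soa && ldns_rdf_size(zone->soa->name) > 222) {` keeps the check safe. The bare `222` also deserves a comment such as `/* 255-octet name limit minus the 33-octet hashed label (1 length octet + 32 base32 chars of a SHA-1 hash) */`, since the bound only holds for a 20-byte hash. The function body starts and ends outside the hunk.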
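Review bot: The message `"The NSEC3 domainname length overflow"` added to `ldns_error_str[]` in error.c does not tell an operator why signing was refused or what to change. A wording that names the cause, for example `"Zone name too long: NSEC3 owner name would exceed the maximum domain name length"`, makes the failure easier to diagnose from a log line alone. The table entry is otherwise consistent with its neighbours.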
@@ -127,7 +127,8 @@ enum ldns_enum_status {
 LDNS_STATUS_TYPE_NOT_IN_BITMAP,
 LDNS_STATUS_INVALID_RDF_TYPE,
 LDNS_STATUS_RDATA_OVERFLOW,
- LDNS_STATUS_SYNTAX_SUPERFLUOUS_TEXT_ERR
+ LDNS_STATUS_SYNTAX_SUPERFLUOUS_TEXT_ERR,
+ LDNS_STATUS_NSEC3_DOMAINNAME_OVERFLOW
 };
 typedef enum ldns_enum_status ldns_status;