From: Frantisek Sumsal
Date: Mon, 4 May 2026 20:07:46 +0000 (+0200)
Subject: resolve: limit the number NTAs to something sensible
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=17e6a3e2a88e822b730f298ebb9fdb526a04a2e2;p=thirdparty%2Fsystemd.git

resolve: limit the number NTAs to something sensible
---
diff --git a/src/resolve/resolved-link-bus.c b/src/resolve/resolved-link-bus.c
index f30ed5d22ba..ba5b00c239a 100644
--- a/src/resolve/resolved-link-bus.c
+++ b/src/resolve/resolved-link-bus.c
@@ -683,6 +683,9 @@ int bus_link_method_set_dnssec_negative_trust_anchors(sd_bus_message *message, v
 if (r < 0)
 return r;

+ if (strv_length(ntas) > LINK_NEGATIVE_TRUST_ANCHORS_MAX)
+ return sd_bus_error_set(error, SD_BUS_ERROR_LIMITS_EXCEEDED, "Too many negative trust anchors per link");
+
 STRV_FOREACH(i, ntas) {
 r = dns_name_is_valid(*i);
 if (r < 0)
diff --git a/src/resolve/resolved-link.h b/src/resolve/resolved-link.h
index 44a6b511c1b..4c81bdbe666 100644
--- a/src/resolve/resolved-link.h
+++ b/src/resolve/resolved-link.h
@@ -11,6 +11,7 @@

 #define LINK_SEARCH_DOMAINS_MAX 1024
 #define LINK_DNS_SERVERS_MAX 256
+#define LINK_NEGATIVE_TRUST_ANCHORS_MAX 2048

 typedef struct LinkAddress {
 Link *link;
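Review bot: The added `strv_length(ntas) > LINK_NEGATIVE_TRUST_ANCHORS_MAX` check in `bus_link_method_set_dnssec_negative_trust_anchors()` counts the raw array just before the `STRV_FOREACH` validation loop, so it caps what the link will retain rather than what has already been parsed. The `if (r < 0) return r;` context above it suggests the array has been read in full by that point, though the read itself is outside the hunk. The ordering is reasonable, but a one-line comment would stop it being mistaken for an allocation bound, e.g. `/* Caps the NTA set kept on the link; the message array has already been read in full here. */`. If the names are later stored de-duplicated (not visible here), a request of more than 2048 mostly-duplicate entries is still refused, which is worth stating in the same comment if intended. The function starts and ends outside the hunk, and no test is visible for the boundary (2048 entries accepted, 2049 refused with `SD_BUS_ERROR_LIMITS_EXCEEDED`).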