From: Otto Moerbeek
Date: Fri, 3 Feb 2023 09:23:31 +0000 (+0100)
Subject: Take bound into account while computing common prefix
X-Git-Tag: dnsdist-1.8.0-rc1~37^2~2
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=27df0673c7bf4a67e79e3caa2045986a44313759;p=thirdparty%2Fpdns.git
Take bound into account while computing common prefix
---
diff --git a/pdns/recursordist/aggressive_nsec.cc b/pdns/recursordist/aggressive_nsec.cc
index 63cda6fa1f..24f014edbb 100644
--- a/pdns/recursordist/aggressive_nsec.cc
+++ b/pdns/recursordist/aggressive_nsec.cc
@@ -228,17 +228,20 @@ static bool isMinimallyCoveringNSEC(const DNSName& owner, const std::shared_ptr<
 return true;
 }
-static size_t computeCommonPrefix(const string& one, const string& two)
+static bool commonPrefixIsLong(const string& one, const string& two, size_t bound)
 {
 size_t length = 0;
- const auto bound = std::min(one.length(), two.length());
+ const auto minLength = std::min(one.length(), two.length());
- for (size_t i = 0; i < bound; i++) {
+ for (size_t i = 0; i < minLength; i++) {
 const auto byte1 = one.at(i);
 const auto byte2 = two.at(i);
 // shortcut
 if (byte1 == byte2) {
 length += CHAR_BIT;
+ if (length > bound) {
+ return true;
+ }
 continue;
 }
 // bytes differ, lets look at the bits
@@ -246,12 +249,15 @@ static size_t computeCommonPrefix(const string& one, const string& two)
 const auto bit1 = byte1 & (1 << j);
 const auto bit2 = byte2 & (1 << j);
 if (bit1 != bit2) {
- return length;
+ return length > bound;
 }
 length++;
+ if (length > bound) {
+ return true;
+ }
 }
 }
- return length;
+ return length > bound;
 }
 // If the NSEC3 hashes have a long common prefix, they deny only a small subset of all possible hashes
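Review bot: `commonPrefixIsLong` has no comment saying that `bound` is counted in bits and that the comparison is strict; a reader has to work that out from `length += CHAR_BIT` and `length > bound`. Because its result is what `isSmallCoveringNSEC3` returns in the last hunk, the contract is worth stating above the signature, for example `// Returns true if 'one' and 'two' share more than 'bound' leading bits; stops comparing once the bound is exceeded.` The function body continues past the end of this hunk.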
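Review bot: Both `return length > bound;` statements in this hunk can only evaluate to false. Every increment of `length` is followed by an `if (length > bound) { return true; }` check, so `length <= bound` holds whenever control reaches the differing-bit branch or falls out of the byte loop. Writing `return false;` in both places would make the early-exit invariant explicit and stop the reader from looking for a case where a long prefix is still reported there. The function starts in the previous hunk and the header of the inner bit loop lies outside the visible lines.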
@@ -259,8 +265,7 @@ static size_t computeCommonPrefix(const string& one, const string& two)
 bool AggressiveNSECCache::isSmallCoveringNSEC3(const DNSName& owner, const std::string& nextHash)
 {
 std::string ownerHash(fromBase32Hex(owner.getRawLabel(0)));
- auto commonPrefix = computeCommonPrefix(ownerHash, nextHash);
- return commonPrefix > AggressiveNSECCache::s_maxNSEC3CommonPrefix;
+ return commonPrefixIsLong(ownerHash, nextHash, AggressiveNSECCache::s_maxNSEC3CommonPrefix);
 }
 void AggressiveNSECCache::insertNSEC(const DNSName& zone, const DNSName& owner, const DNSRecord& record, const std::vector>& signatures, bool nsec3)
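Review bot: The verdict here silently depends on `ownerHash` and `nextHash` having the same length, which nothing in the visible lines checks. `commonPrefixIsLong` walks only `std::min(one.length(), two.length())` bytes, so an empty decoded owner label always yields false and a truncated one caps the prefix at its own bit length, whatever `nextHash` contains. If earlier validation does not already guarantee equal lengths (not visible in this diff), an explicit length comparison before the call would make the handling of malformed input a deliberate choice. At minimum the assumption deserves a comment such as `// both hashes are expected to have the same length; otherwise only the shorter one is compared`.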