From: Vladimír Čunát <vladimir.cunat@nic.cz>
Date: Mon, 12 Feb 2024 10:16:47 +0000 (+0100)
Subject: validator: refuse to validate answers with more than 8 NSEC3 records
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=4146cd018ce59a561228a97ba25c3f4c24d14b0b;p=thirdparty%2Fknot-resolver.git

validator: refuse to validate answers with more than 8 NSEC3 records

(cherry picked from commit a05cf1d379d1af0958587bd111f791b72f404364)
This partially mitigates CVE-2023-50868 (release 5.7.1 is better)
---

diff --git a/lib/layer/validate.c b/lib/layer/validate.c
index 93f1d4fc6..b645a029f 100644
--- a/lib/layer/validate.c
+++ b/lib/layer/validate.c
@@ -1119,6 +1119,24 @@ static int validate(kr_layer_t *ctx, knot_pkt_t *pkt)
 		}
 	}
 
+	/* Check for too many NSEC3 records.  That's an issue, as some parts of validation
+	 * are quadratic in their count, doing nontrivial computations inside.
+	 * Also there seems to be no use in sending many NSEC3 records. */
+	if (!qry->flags.CACHED) {
+		const knot_pktsection_t *sec = knot_pkt_section(pkt, KNOT_AUTHORITY);
+		int count = 0;
+		for (int i = 0; i < sec->count; ++i)
+			count += (knot_pkt_rr(sec, i)->type == KNOT_RRTYPE_NSEC3);
+		if (count > 8) {
+			VERBOSE_MSG(qry, "<= too many NSEC3 records in AUTHORITY (%d)\n", count);
+			kr_request_set_extended_error(req, KNOT_EDNS_EDE_NSEC3_ITERS,
+				/* It's not about iteration values per se, but close enough. */
+				"DYRH: too many NSEC3 records");
+			qry->flags.DNSSEC_BOGUS = true;
+			return KR_STATE_FAIL;
+		}
+	}
+
 	if (knot_wire_get_aa(pkt->wire) && qtype == KNOT_RRTYPE_DNSKEY) {
 		const knot_rrset_t *ds = qry->zone_cut.trust_anchor;
 		if (ds && !kr_ds_algo_support(ds)) {