From: Willem Toorop
Date: Wed, 27 Jan 2021 10:41:00 +0000 (+0100)
Subject: bugfix #117: drill -S . assert failues
X-Git-Tag: 1.8.0-rc.1~36^2~1
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=42094e5d79bf5a2a9a2003998ba5a0f2c15efedd;p=thirdparty%2Fldns.git
bugfix #117: drill -S . assert failues
Assertion failure with DNSSEC validating of non existence of RR types at the root. Thanks ZjYwMj
---
diff --git a/Changelog b/Changelog
index 4af6207a..5ade564a 100644
--- a/Changelog
+++ b/Changelog
@@ -17,7 +17,9 @@
 if they arrive within 100msec of each other.
 * Fix so that ldns-testns does not leak sockets if the read fails.
 * SVCB and HTTPS draft rrtypes.
- Enable with --enable-rrtype-svcb-https
+ Enable with --enable-rrtype-svcb-https.
+ * bugfix #117: Assertion failure with DNSSEC validating of
+ non existence of RR types at the root. Thanks ZjYwMj
 1.7.1 2019-07-26
 * bugfix: Manage verification paths for OpenSSL >= 1.1.0
diff --git a/dnssec_verify.c b/dnssec_verify.c
index 99a7515d..6e7c0573 100644
--- a/dnssec_verify.c
+++ b/dnssec_verify.c
@@ -1503,7 +1503,7 @@ ldns_dnssec_verify_denial(ldns_rr *rr,
 ldns_rr_list *rrsigs)
 {
 ldns_rdf *rr_name;
- ldns_rdf *wildcard_name;
+ ldns_rdf *wildcard_name = NULL;
 ldns_rdf *chopped_dname;
 ldns_rr *cur_nsec;
 size_t i;
@@ -1514,14 +1514,19 @@ ldns_dnssec_verify_denial(ldns_rr *rr,
 bool type_covered = false;
 bool wildcard_covered = false;
 bool wildcard_type_covered = false;
+ bool rr_name_is_root = false;
- wildcard_name = ldns_dname_new_frm_str("*");
 rr_name = ldns_rr_owner(rr);
- chopped_dname = ldns_dname_left_chop(rr_name);
- result = ldns_dname_cat(wildcard_name, chopped_dname);
- ldns_rdf_deep_free(chopped_dname);
- if (result != LDNS_STATUS_OK) {
- return result;
+ rr_name_is_root = ldns_rdf_size(rr_name) == 1
+ && *ldns_rdf_data(rr_name) == 0;
+ if (!rr_name_is_root) {
+ wildcard_name = ldns_dname_new_frm_str("*");
+ chopped_dname = ldns_dname_left_chop(rr_name);
+ result = ldns_dname_cat(wildcard_name, chopped_dname);
+ ldns_rdf_deep_free(chopped_dname);
+ if (result != LDNS_STATUS_OK) {
+ return result;
+ }
 }
 for (i = 0; i < ldns_rr_list_rr_count(nsecs); i++) {
@@ -1548,6 +1553,9 @@ ldns_dnssec_verify_denial(ldns_rr *rr,
 name_covered = true;
 }
+ if (rr_name_is_root)
+ continue;
+
 if (ldns_dname_compare(wildcard_name,
 ldns_rr_owner(cur_nsec)) == 0) {
 if (ldns_nsec_bitmap_covers_type(ldns_nsec_get_bitmap(cur_nsec),
@@ -1568,6 +1576,9 @@ ldns_dnssec_verify_denial(ldns_rr *rr,
 return LDNS_STATUS_DNSSEC_NSEC_RR_NOT_COVERED;
 }
+ if (rr_name_is_root)
+ return LDNS_STATUS_OK;
+
 if (wildcard_type_covered || !wildcard_covered) {
 return LDNS_STATUS_DNSSEC_NSEC_WILDCARD_NOT_COVERED;
 }
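Review bot: In the new `if (!rr_name_is_root)` block (hunk at -1514), the results of `ldns_dname_new_frm_str("*")` and `ldns_dname_left_chop(rr_name)` still go into `ldns_dname_cat` without a NULL check, and the `return result;` path frees `chopped_dname` but not `wildcard_name`. The root case is now handled, but a failed allocation would presumably reach the same kind of assertion the commit subject describes, in code that validates DNSSEC data received from the network. I would check both pointers before the concatenation and release `wildcard_name` on every early return, as sketched below. `ldns_dnssec_verify_denial` begins and ends outside this hunk, so where `wildcard_name` is released on the success path cannot be confirmed from here.

```c
		chopped_dname = ldns_dname_left_chop(rr_name);
		if (!wildcard_name || !chopped_dname) {
			ldns_rdf_deep_free(wildcard_name);
			ldns_rdf_deep_free(chopped_dname);
			return LDNS_STATUS_MEM_ERR;
		}
		/* … unchanged: ldns_dname_cat call and free of chopped_dname … */
		if (result != LDNS_STATUS_OK) {
			ldns_rdf_deep_free(wildcard_name);
			return result;
		}
```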
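Review bot: The two root guards, `if (rr_name_is_root) continue;` in the hunk at -1548 and `if (rr_name_is_root) return LDNS_STATUS_OK;` in the hunk at -1568, are unbraced and uncommented, while every other `if` visible in these hunks is braced. The first guard is what keeps the NULL `wildcard_name` out of `ldns_dname_compare`, so it deserves braces and a comment such as `/* The root has no parent, so no wildcard can match it; wildcard_name is NULL here. */`. The second should say why name and type coverage alone is sufficient for the root. The loop body runs past the end of the hunk, so anything after the wildcard checks inside the loop is also skipped for the root; it is worth confirming that nothing there is needed for the name and type proof.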