From: Ondřej Surý <ondrej@isc.org>
Date: Sat, 14 Feb 2026 13:43:41 +0000 (+0100)
Subject: Invalid NSEC3 can cause OOB read of the isdelegation() stack
X-Git-Tag: v9.21.19~9^2~4
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=67b4fb56e40bf856e1fccd41e752d5f486b5b569;p=thirdparty%2Fbind9.git

Invalid NSEC3 can cause OOB read of the isdelegation() stack

When .next_length is longer than NSEC3_MAX_HASH_LENGTH, it causes a
harmless out-of-bound read of the isdelegation() stack.  This patch
fixes the issue by skipping NSEC3 records with an oversized hash length
during validation.
---

diff --git a/lib/dns/rdata/generic/nsec3_50.c b/lib/dns/rdata/generic/nsec3_50.c
index 600a90f9bd9..9f4d4e5a998 100644
--- a/lib/dns/rdata/generic/nsec3_50.c
+++ b/lib/dns/rdata/generic/nsec3_50.c
@@ -313,6 +313,7 @@ tostruct_nsec3(ARGS_TOSTRUCT) {
 	nsec3->len = region.length;
 	nsec3->typebits = mem_maybedup(mctx, region.base, region.length);
 	nsec3->mctx = mctx;
+
 	return ISC_R_SUCCESS;
 }
 
diff --git a/lib/dns/validator.c b/lib/dns/validator.c
index ed2931b7440..de0765b8c27 100644
--- a/lib/dns/validator.c
+++ b/lib/dns/validator.c
@@ -322,6 +322,9 @@ trynsec3:
 			if (nsec3.hash != 1) {
 				continue;
 			}
+			if (nsec3.next_length > NSEC3_MAX_HASH_LENGTH) {
+				continue;
+			}
 			length = isc_iterated_hash(
 				hash, nsec3.hash, nsec3.iterations, nsec3.salt,
 				nsec3.salt_length, name->ndata, name->length);