From: Vladimír Čunát
Date: Mon, 12 Apr 2021 13:23:02 +0000 (+0200)
Subject: validator: avoid assertion in an edge-case
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=6f99ef4baec73fc42aafbd35f0032f2ce0d5b918;p=thirdparty%2Fknot-resolver.git

validator: avoid assertion in an edge-case

Case: NSEC3 with too many iterations used for a positive wildcard proof. It certainly isn't a perfect fix yet; the whole validator would benefit from a general overhaul.
---
diff --git a/lib/dnssec/nsec3.c b/lib/dnssec/nsec3.c
index e9e536a3c..f944cfa64 100644
--- a/lib/dnssec/nsec3.c
+++ b/lib/dnssec/nsec3.c
@@ -596,6 +596,11 @@ int kr_nsec3_wildcard_answer_response_check(const knot_pkt_t *pkt, knot_section_
 		if (rrset->type != KNOT_RRTYPE_NSEC3) {
 			continue;
 		}
+		/* Avoid hashing with too many iterations;
+		 * on "normal packets" we shouldn't get to this point. */
+		if (knot_nsec3_iters(rrset->rrs.rdata) > KR_NSEC3_MAX_ITERATIONS) {
+			continue;
+		}
 		int ret = covers_name(&flags, rrset, sname);
 		if (ret != 0) {
 			return ret;
diff --git a/lib/dnssec/nsec3.h b/lib/dnssec/nsec3.h
index 1e316f569..0fdbfcef0 100644
--- a/lib/dnssec/nsec3.h
+++ b/lib/dnssec/nsec3.h
@@ -39,6 +39,7 @@ int kr_nsec3_name_error_response_check(const knot_pkt_t *pkt, knot_section_t sec
  * KNOT_ERANGE - NSEC3 RR that covers a wildcard
  * has been found, but has opt-out flag set;
  * otherwise - error.
+ * Records over KR_NSEC3_MAX_ITERATIONS are skipped, so you probably get kr_error(ENOENT).
  */
 int kr_nsec3_wildcard_answer_response_check(const knot_pkt_t *pkt, knot_section_t section_id,
 				const knot_dname_t *sname, int trim_to_next);
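Review bot: The new `continue` makes an NSEC3 with excessive iterations indistinguishable from an absent one, so the caller cannot tell a hostile or misconfigured zone from a response that merely lacks the proof; the comment should at least say what the caller observes, e.g. `/* Skipped RRs count as missing: the caller presumably sees kr_error(ENOENT), as documented in nsec3.h. */`. The iteration count is read from `rrset->rrs.rdata`, i.e. the first RR of the set only; if the NSEC3 RRs of one set can carry differing parameters, `covers_name` may still hash the later ones, which is worth confirming before relying on this guard. A debug-level log line at the skip would help an operator diagnose why a wildcard answer failed to validate instead of seeing a generic error. The loop and the enclosing function kr_nsec3_wildcard_answer_response_check start and end outside the hunk.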
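Review bot: The added header line turns a contract into a guess — "so you probably get kr_error(ENOENT)" — and an API comment should state the return value rather than speculate. If the ENOENT case listed above this hunk means that no NSEC3 covering the wildcard was found, the line could read ` * NSEC3 RRs with more than KR_NSEC3_MAX_ITERATIONS iterations are ignored; if no other RR proves the wildcard, kr_error(ENOENT) is returned.`. Stating it precisely also tells callers that such a zone is not reported as bogus but as an unproven answer, which is the distinction a validator's caller has to handle.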