From: Vladimír Čunát Date: Wed, 4 Jun 2025 07:32:14 +0000 (+0200) Subject: lib/dnssec: drop incorrect `requirement` and comment X-Git-Tag: v6.0.15~1^2 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=refs%2Fenvironments%2Fdocs-require-fix-ecj1p3%2Fdeployments%2F7218;p=thirdparty%2Fknot-resolver.git lib/dnssec: drop incorrect `requirement` and comment I don't think this can happen on correct records, due to the way that the root zone is. But we've seen this assertion happen in real life, and attackers might be able to misuse it to cause crashes. --- diff --git a/NEWS b/NEWS index 4ed34f9a5..4c50d2dc0 100644 --- a/NEWS +++ b/NEWS @@ -6,6 +6,9 @@ Security - DoS: fix a rare segfault in `resolve` function (!1717) Someone controlling the DNS traffic might be able to trigger this crash intentionally and too often. +- DoS: drop a wrong assertion/crash (!1718) + Someone controlling the DNS traffic will most likely be able + to trigger this crash intentionally and too often. Bugfixes -------- diff --git a/lib/dnssec/nsec3.c b/lib/dnssec/nsec3.c index da1bf72d5..7db93dc58 100644 --- a/lib/dnssec/nsec3.c +++ b/lib/dnssec/nsec3.c @@ -339,7 +339,7 @@ fail: * * @param tgt Target buffer to write domain name into. * @param name Name to be added to the asterisk. - * @return Size of the resulting name or error code. + * @return error code or something positive */ static int prepend_asterisk(uint8_t *tgt, size_t maxlen, const knot_dname_t *name) { @@ -556,7 +556,6 @@ static int matches_closest_encloser_wildcard(const knot_pkt_t *pkt, knot_section int ret = prepend_asterisk(wildcard, sizeof(wildcard), encloser); if (ret < 0) return ret; - kr_require(ret >= 3); return nodata_find(pkt, section_id, wildcard, stype); }
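Review bot: The new NEWS entry in the first hunk does not say which code path is affected, so operators cannot judge exposure from the changelog alone; since the fix is in lib/dnssec/nsec3.c, consider naming the area, e.g. "- DoS: drop a wrong assertion/crash in NSEC3 wildcard (closest encloser) validation (!1718)". The phrasing "will most likely be able to trigger this crash intentionally and too often" is also stronger than the adjacent "might be able" entry, which is fine if intended, but the entry should then make clear that the trigger is an assertion failure reachable through DNS traffic rather than a memory-safety bug, so readers do not over- or under-estimate it.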
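Review bot: In the second hunk the replacement doc comment "@return error code or something positive" is vaguer than the contract the caller actually relies on, which is only the sign of the result ("if (ret < 0) return ret;"). Since the point of this change is that the old "Size of the resulting name" promise was wrong and led to the `kr_require`, it would be better to state the real contract explicitly so nobody reintroduces the assumption, e.g. "@return Negative error code on failure; otherwise a positive value that callers must not interpret as the name length."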
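Review bot: In the third hunk dropping `kr_require(ret >= 3);` removes the crash, but the code then continues into `nodata_find(pkt, section_id, wildcard, stype)` with the same `wildcard` buffer in the case the assertion was guarding against. If a return of less than 3 from `prepend_asterisk` really can occur on records seen in the wild, as the commit message says, the reviewer question is whether that case should be treated as a validation failure (return an error code instead of falling through) or whether `wildcard` is guaranteed well-formed regardless; a one-line comment at this site stating which holds would document the decision. Given that the trigger was observed in real life, a regression test with a captured or constructed packet that previously hit the assertion would also be worth adding alongside this change.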