From 6f99ef4baec73fc42aafbd35f0032f2ce0d5b918 Mon Sep 17 00:00:00 2001
From: =?utf8?q?Vladim=C3=ADr=20=C4=8Cun=C3=A1t?=
Date: Mon, 12 Apr 2021 15:23:02 +0200
Subject: [PATCH] validator: avoid assertion in an edge-case

Case: NSEC3 with too many iterations used for a positive wildcard proof. It certainly isn't a perfect fix yet; the whole validator would benefit from a general overhaul.
---
 lib/dnssec/nsec3.c | 5 +++++
 lib/dnssec/nsec3.h | 1 +
 2 files changed, 6 insertions(+)

diff --git a/lib/dnssec/nsec3.c b/lib/dnssec/nsec3.c
index e9e536a3c..f944cfa64 100644
--- a/lib/dnssec/nsec3.c
+++ b/lib/dnssec/nsec3.c
@@ -596,6 +596,11 @@ int kr_nsec3_wildcard_answer_response_check(const knot_pkt_t *pkt, knot_section_
 		if (rrset->type != KNOT_RRTYPE_NSEC3) {
 			continue;
 		}
+		/* Avoid hashing with too many iterations;
+		 * on "normal packets" we shouldn't get to this point. */
+		if (knot_nsec3_iters(rrset->rrs.rdata) > KR_NSEC3_MAX_ITERATIONS) {
+			continue;
+		}
 		int ret = covers_name(&flags, rrset, sname);
 		if (ret != 0) {
 			return ret;
diff --git a/lib/dnssec/nsec3.h b/lib/dnssec/nsec3.h
index 1e316f569..0fdbfcef0 100644
--- a/lib/dnssec/nsec3.h
+++ b/lib/dnssec/nsec3.h
@@ -39,6 +39,7 @@ int kr_nsec3_name_error_response_check(const knot_pkt_t *pkt, knot_section_t sec
  * KNOT_ERANGE - NSEC3 RR that covers a wildcard
  * has been found, but has opt-out flag set;
  * otherwise - error.
+ * Records over KR_NSEC3_MAX_ITERATIONS are skipped, so you probably get kr_error(ENOENT).
  */
 int kr_nsec3_wildcard_answer_response_check(const knot_pkt_t *pkt, knot_section_t section_id,
 const knot_dname_t *sname, int trim_to_next);
-- 
2.47.2
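Review bot: The new guard reads the iteration count from only the first rdata of the rrset (`rrset->rrs.rdata`), so an rrset that carries several NSEC3 records with differing iteration counts is judged by its first one; if covers_name() — whose body is outside the hunk — walks every rdata, the later ones could still be hashed with a count above KR_NSEC3_MAX_ITERATIONS, which is exactly the cost this check is meant to cap. Either apply the bound to each rdata right before it is hashed, or reject the whole rrset when any of its rdata exceeds the bound. Separately, the skip is silent even though the comment says normal packets never reach it, so a debug-level log on this path would help operators tell a misconfigured zone from a malformed response, and the comment would read better if it named the visible consequence, e.g. `/* Skip NSEC3 RRs with too many iterations instead of hashing them; the RR is treated as absent, so the caller typically ends up with kr_error(ENOENT). */`. The enclosing loop and kr_nsec3_wildcard_answer_response_check continue outside the hunk.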
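Review bot: The added line in the nsec3.h return-value contract is vaguer than the entries around it — "you probably get kr_error(ENOENT)" leaves a caller unsure whether some other code can come back for such a record, and "Records over" does not say what is being compared. Since the skip in nsec3.c makes the record invisible to the search, the comment can state that directly: ` *         NSEC3 RRs whose iteration count exceeds KR_NSEC3_MAX_ITERATIONS are ignored as if absent, so the usual result is kr_error(ENOENT).` Keeping the wording tied to the iteration count also makes clear that the limit is on iterations, not on the number of records.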