From 135f91eb607999522bec914783e0139af4986046 Mon Sep 17 00:00:00 2001
From: =?utf8?q?Vladim=C3=ADr=20=C4=8Cun=C3=A1t?=
Date: Wed, 4 Jun 2025 09:32:14 +0200
Subject: [PATCH] lib/dnssec: drop incorrect `requirement` and comment
I don't think this can happen on correct records, due to the way that the root zone is. But we've seen this assertion happen in real life, and attackers might be able to misuse it to cause crashes.
---
 NEWS | 3 +++
 lib/dnssec/nsec3.c | 3 +--
 2 files changed, 4 insertions(+), 2 deletions(-)
diff --git a/NEWS b/NEWS
index a15a9844c..2804e0f30 100644
--- a/NEWS
+++ b/NEWS
@@ -6,6 +6,9 @@ Security
 - DoS: fix a rare segfault in `resolve` function (!1720) Someone controlling the DNS traffic might be able to trigger this crash intentionally and too often.
+- DoS: drop a wrong assertion/crash (!1721) Someone controlling the DNS traffic will most likely be able to trigger this crash intentionally and too often.
 Knot Resolver 5.7.5 (2025-04-24)
diff --git a/lib/dnssec/nsec3.c b/lib/dnssec/nsec3.c
index da1bf72d5..7db93dc58 100644
--- a/lib/dnssec/nsec3.c
+++ b/lib/dnssec/nsec3.c
@@ -339,7 +339,7 @@ fail:
 *
 * @param tgt Target buffer to write domain name into.
 * @param name Name to be added to the asterisk.
- * @return Size of the resulting name or error code.
+ * @return error code or something positive
 */
 static int prepend_asterisk(uint8_t *tgt, size_t maxlen, const knot_dname_t *name)
 {
@@ -556,7 +556,6 @@ static int matches_closest_encloser_wildcard(const knot_pkt_t *pkt, knot_section
 int ret = prepend_asterisk(wildcard, sizeof(wildcard), encloser);
 if (ret < 0)
 return ret;
- kr_require(ret >= 3);
 return nodata_find(pkt, section_id, wildcard, stype);
 }
-- 
2.47.2
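Review bot: The replacement doc line `@return error code or something positive` on prepend_asterisk says nothing about what the positive value measures, and that ambiguity is exactly what let the caller's `kr_require(ret >= 3)` become an attacker-triggerable crash. If, as that assertion failing on the root encloser suggests, the value is the wire length of the copied `name` alone (1 for the root) rather than the size of the whole `*.name` result, the comment should say so explicitly, e.g. `@return wire length of the copied name only (not the size of the whole wildcard name), or a negative error code`. Callers then know to take any total length from the buffer or add the asterisk-label size themselves instead of re-deriving constraints from `ret`. prepend_asterisk's body lies outside this hunk, so the exact return semantics need to be confirmed there before the comment is fixed.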