treewide: add defensive checks for the NSEC3 limit

diff --git a/lib/cache/nsec3.c b/lib/cache/nsec3.c
index 7aea35a2a548355f3e817d3926daaa7d4e8b4dbb..bebe01cf35bdf17a97de87f481b75f05fff989a6 100644 (file)
--- a/lib/cache/nsec3.c
+++ b/lib/cache/nsec3.c
@@ -10,6 +10,7 @@
 
 #include "contrib/base32hex.h"
 #include "lib/dnssec/nsec.h"
+#include "lib/dnssec/nsec3.h"
 #include "lib/layer/iterate.h"
 
 #include <libknot/rrtype/nsec3.h>
@@ -88,6 +89,11 @@ static knot_db_val_t key_NSEC3_name(struct key *k, const knot_dname_t *name,
                .data = (uint8_t *)/*const-cast*/name,
        };
 
+       if (nsec_p->libknot.iterations > KR_NSEC3_MAX_ITERATIONS) {
+               /* This is mainly defensive; it shouldn't happen thanks to downgrades. */
+               assert(false);
+               return VAL_EMPTY;
+       }
        #if 0 // LATER(optim.): this requires a patched libdnssec - tries to realloc()
        dnssec_binary_t hash = {
                .size = KR_CACHE_KEY_MAXLEN - val.len,

diff --git a/lib/dnssec/nsec3.c b/lib/dnssec/nsec3.c
index c5b93ddb8ddd29c907656018d6523c55a8fc831c..e9e536a3c85c3267a841b6dd66179cc5fc316b6d 100644 (file)
--- a/lib/dnssec/nsec3.c
+++ b/lib/dnssec/nsec3.c
@@ -69,6 +69,10 @@ static int hash_name(dnssec_binary_t *hash, const dnssec_nsec3_params_t *params,
        assert(hash && params);
        if (!name)
                return kr_error(EINVAL);
+       if (params->iterations > KR_NSEC3_MAX_ITERATIONS) {
+               assert(false); // This if is mainly defensive; it shouldn't happen.
+               return kr_error(EINVAL);
+       }
 
        dnssec_binary_t dname = {
                .size = knot_dname_size(name),