- Fix that malloc failure for rpz_strip_nsdname is

  checked and handled, so that it does not crash later.
  Thanks to Qifan Zhang, Palo Alto Networks, for the report.

diff --git a/doc/Changelog b/doc/Changelog
index dd05d8928ce4738ade8414ba32e99a558bc7c5d3..bf6b52b1f139d18dbdb338d832aba03baff340e2 100644 (file)
--- a/doc/Changelog
+++ b/doc/Changelog
@@ -36,6 +36,9 @@
          connection usage is full, it waits for 50msec, to allow
          existing queries to be resolved. Thanks to Qifan Zhang,
          Palo Alto Networks, for the report.
+       - Fix that malloc failure for rpz_strip_nsdname is
+         checked and handled, so that it does not crash later.
+         Thanks to Qifan Zhang, Palo Alto Networks, for the report.
 
 16 June 2026: Wouter
        - Fix to disallow $INCLUDE for secondary zones. Start up

diff --git a/services/rpz.c b/services/rpz.c
index 70bbeda563187b15357a814f4178b5a10e3ccba7..d0895746d4f020530e0e26fc8badcacbeca8a74c 100644 (file)
--- a/services/rpz.c
+++ b/services/rpz.c
@@ -814,8 +814,9 @@ rpz_insert_nsdname_trigger(struct rpz* r, uint8_t* dname, size_t dnamelen,
        uint8_t* dname_stripped = NULL;
        size_t dnamelen_stripped = 0;
 
-       rpz_strip_nsdname_suffix(dname, dnamelen, &dname_stripped,
-               &dnamelen_stripped);
+       if(!rpz_strip_nsdname_suffix(dname, dnamelen, &dname_stripped,
+               &dnamelen_stripped))
+               return;
        if(a == RPZ_INVALID_ACTION) {
                verbose(VERB_ALGO, "rpz: skipping invalid action");
                free(dname_stripped);