resolve: limit the number NTAs to something sensible

author Frantisek Sumsal <frantisek@sumsal.cz>

Mon, 4 May 2026 20:07:46 +0000 (22:07 +0200)

committer Frantisek Sumsal <frantisek@sumsal.cz>

Mon, 4 May 2026 20:39:05 +0000 (22:39 +0200)
author Frantisek Sumsal <frantisek@sumsal.cz>
Mon, 4 May 2026 20:07:46 +0000 (22:07 +0200)
committer Frantisek Sumsal <frantisek@sumsal.cz>
Mon, 4 May 2026 20:39:05 +0000 (22:39 +0200)
diff --git a/src/resolve/resolved-link-bus.c b/src/resolve/resolved-link-bus.c

index f30ed5d22bac823de35b0e7a71c7fa84929e322a..ba5b00c239afb613fdf161db6fd639fb88ad494a 100644 (file)
--- a/src/resolve/resolved-link-bus.c
+++ b/src/resolve/resolved-link-bus.c
@@ -683,6 +683,9 @@ int bus_link_method_set_dnssec_negative_trust_anchors(sd_bus_message *message, v
          if (r < 0)
                  return r;
  
+        if (strv_length(ntas) > LINK_NEGATIVE_TRUST_ANCHORS_MAX)
+                return sd_bus_error_set(error, SD_BUS_ERROR_LIMITS_EXCEEDED, "Too many negative trust anchors per link");
+
          STRV_FOREACH(i, ntas) {
                  r = dns_name_is_valid(*i);
                  if (r < 0)
diff --git a/src/resolve/resolved-link.h b/src/resolve/resolved-link.h

index 44a6b511c1b67c84b1ba64ae6667bbfb22b46ca5..4c81bdbe66695e77d7bfe2b2aa5c982868c72ce8 100644 (file)
--- a/src/resolve/resolved-link.h
+++ b/src/resolve/resolved-link.h
@@ -11,6 +11,7 @@
  
  #define LINK_SEARCH_DOMAINS_MAX 1024
  #define LINK_DNS_SERVERS_MAX 256
+#define LINK_NEGATIVE_TRUST_ANCHORS_MAX 2048
  
  typedef struct LinkAddress {
          Link *link;
author	Frantisek Sumsal <frantisek@sumsal.cz>
	Mon, 4 May 2026 20:07:46 +0000 (22:07 +0200)
committer	Frantisek Sumsal <frantisek@sumsal.cz>
	Mon, 4 May 2026 20:39:05 +0000 (22:39 +0200)
src/resolve/resolved-link-bus.c		patch \| blob \| blame \| history
src/resolve/resolved-link.h		patch \| blob \| blame \| history