From: Vladimír Čunát <vladimir.cunat@nic.cz>
Date: Thu, 25 Mar 2021 18:04:25 +0000 (+0100)
Subject: treewide: add defensive checks for the NSEC3 limit
X-Git-Tag: v5.3.1~1^2~1
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=21e50fca15e1229d8d3b907deeab885c4f2b72ce;p=thirdparty%2Fknot-resolver.git

treewide: add defensive checks for the NSEC3 limit
---

diff --git a/lib/cache/nsec3.c b/lib/cache/nsec3.c
index 7aea35a2a..bebe01cf3 100644
--- a/lib/cache/nsec3.c
+++ b/lib/cache/nsec3.c
@@ -10,6 +10,7 @@
 
 #include "contrib/base32hex.h"
 #include "lib/dnssec/nsec.h"
+#include "lib/dnssec/nsec3.h"
 #include "lib/layer/iterate.h"
 
 #include <libknot/rrtype/nsec3.h>
@@ -88,6 +89,11 @@ static knot_db_val_t key_NSEC3_name(struct key *k, const knot_dname_t *name,
 		.data = (uint8_t *)/*const-cast*/name,
 	};
 
+	if (nsec_p->libknot.iterations > KR_NSEC3_MAX_ITERATIONS) {
+		/* This is mainly defensive; it shouldn't happen thanks to downgrades. */
+		assert(false);
+		return VAL_EMPTY;
+	}
 	#if 0 // LATER(optim.): this requires a patched libdnssec - tries to realloc()
 	dnssec_binary_t hash = {
 		.size = KR_CACHE_KEY_MAXLEN - val.len,
diff --git a/lib/dnssec/nsec3.c b/lib/dnssec/nsec3.c
index c5b93ddb8..e9e536a3c 100644
--- a/lib/dnssec/nsec3.c
+++ b/lib/dnssec/nsec3.c
@@ -69,6 +69,10 @@ static int hash_name(dnssec_binary_t *hash, const dnssec_nsec3_params_t *params,
 	assert(hash && params);
 	if (!name)
 		return kr_error(EINVAL);
+	if (params->iterations > KR_NSEC3_MAX_ITERATIONS) {
+		assert(false); // This if is mainly defensive; it shouldn't happen.
+		return kr_error(EINVAL);
+	}
 
 	dnssec_binary_t dname = {
 		.size = knot_dname_size(name),