From: Mark Andrews <marka@isc.org>
Date: Fri, 10 Apr 2026 08:08:15 +0000 (+1000)
Subject: [9.20] fix: usr: Fix zone verification of NSEC3 signed zones
X-Git-Tag: v9.20.23~42
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=de4a9b4fa683b5b6531e4563139eee4e26fb72f9;p=thirdparty%2Fbind9.git

[9.20] fix: usr: Fix zone verification of NSEC3 signed zones

Previously, when computing the compressed bitmap during verification of an NSEC3-signed zone, an undersized buffer was used that resulted in an out-of-bounds write if there were too many active windows in the bitmap. This impacted mirror zones which are NSEC3-signed, `dnssec-signzone` and `dnssec-verifyzone`. This has been fixed.

Closes #5834

Backport of MR !11804

Merge branch 'backport-5834-fix-cbm-size-9.20' into 'bind-9.20'

See merge request isc-projects/bind9!11833
---

de4a9b4fa683b5b6531e4563139eee4e26fb72f9