From: W.C.A. Wijngaards <wouter@nlnetlabs.nl>
Date: Wed, 17 Jun 2026 13:53:28 +0000 (+0200)
Subject: - Fix that malloc failure for rpz_strip_nsdname is
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=e2cc14681eaad45048f2e10fb8cf8fd829df8650;p=thirdparty%2Funbound.git

- Fix that malloc failure for rpz_strip_nsdname is
  checked and handled, so that it does not crash later.
  Thanks to Qifan Zhang, Palo Alto Networks, for the report.
---

diff --git a/doc/Changelog b/doc/Changelog
index dd05d8928..bf6b52b1f 100644
--- a/doc/Changelog
+++ b/doc/Changelog
@@ -36,6 +36,9 @@
 	  connection usage is full, it waits for 50msec, to allow
 	  existing queries to be resolved. Thanks to Qifan Zhang,
 	  Palo Alto Networks, for the report.
+	- Fix that malloc failure for rpz_strip_nsdname is
+	  checked and handled, so that it does not crash later.
+	  Thanks to Qifan Zhang, Palo Alto Networks, for the report.
 
 16 June 2026: Wouter
 	- Fix to disallow $INCLUDE for secondary zones. Start up
diff --git a/services/rpz.c b/services/rpz.c
index 70bbeda56..d0895746d 100644
--- a/services/rpz.c
+++ b/services/rpz.c
@@ -814,8 +814,9 @@ rpz_insert_nsdname_trigger(struct rpz* r, uint8_t* dname, size_t dnamelen,
 	uint8_t* dname_stripped = NULL;
 	size_t dnamelen_stripped = 0;
 
-	rpz_strip_nsdname_suffix(dname, dnamelen, &dname_stripped,
-		&dnamelen_stripped);
+	if(!rpz_strip_nsdname_suffix(dname, dnamelen, &dname_stripped,
+		&dnamelen_stripped))
+		return;
 	if(a == RPZ_INVALID_ACTION) {
 		verbose(VERB_ALGO, "rpz: skipping invalid action");
 		free(dname_stripped);